Maltrail verdicts on Validin Threat Hunting and DNS Enrichment Platform - stamparm/maltrail GitHub Wiki
This article explains how to read and interpret Maltrail's verdicts on the Validin Threat Hunting and DNS Enrichment Platform.
Please also take a couple of minutes to read the Maltrail detection nuances page before reading this article.
- Example 1:
This example is based on paragraph 1 of Maltrail detection nuances.
How to read/interpret: Maltrail holds two detections here, one explicitly for cdn.sovber.shop and one for its parent domain sovber.shop.
If the detection for the cdn. subdomain were missing, only the single detection for the parent domain sovber.shop would be shown:
- Example 2:
Maltrail IP:port detections for several types of malware on a single IP:
- Example 3:
For an http:// detection, Validin displays the trail with Scheme: http:
- Example 4: This example shows how the Validin Threat Hunting and DNS Enrichment Platform displays Maltrail full-path detections for legitimate but compromised sites.
Consider https://x.com/1ZRR4H/status/1797809897800687796: the domains listed there are legitimate sites that have been compromised. A detection on the bare domain would be wrong by default, because the domain itself is not malicious; a full-path detection is the only way to record such cases without flagging the whole site.
Validin uses the Path marker to display such Maltrail detections for legitimate compromised sites:
How to read/interpret: the dsestimation.com domain itself is clean/legitimate, but the path dsestimation.com/wp-content/uploads/2015/10/ was used in a malware attack.
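As an added example (not part of this wiki page and not Maltrail's own code), the following Python classifies trail strings into the detection shapes shown in Examples 1 through 4 (domain, subdomain with parent, IP:port, scheme-qualified URL, full path) and answers the Example 1 question of which trails in a set cover a given host. The `Verdict` type, the function names and the sample trail list are constructed for illustration: the domain and path values are the ones quoted above, while the IP:port and http:// values are made up because the page only shows those in screenshots. The parent-domain logic is a deliberate simplification and does not consult the public suffix list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample trails shaped like the four detection types on this page.
# The domain and path values are quoted from Examples 1 and 4; the IP:port and
# http:// values are made up for illustration (Examples 2 and 3 show them only
# in screenshots).
SAMPLE_TRAILS = [
    "cdn.sovber.shop",                               # Example 1: explicit subdomain
    "sovber.shop",                                   # Example 1: its parent domain
    "192.0.2.10:4444",                               # Example 2: IP:port (constructed)
    "http://sovber.shop/",                           # Example 3: scheme-qualified (constructed)
    "dsestimation.com/wp-content/uploads/2015/10/",  # Example 4: full path on a legit site
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
IPV4_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


@dataclass
class Verdict:
    kind: str               # "domain", "subdomain", "ip", "ip:port", "url" or "path"
    host: str               # host (or ip[:port]) the trail applies to
    parent: Optional[str]   # parent domain for subdomains, else None
    scheme: Optional[str]   # "http"/"https" for scheme-qualified trails, else None
    path: Optional[str]     # path component for path/url trails, else None


def parent_domain(host: str) -> Optional[str]:
    """Drop the leftmost label: cdn.sovber.shop -> sovber.shop.

    Deliberately naive (hypothetical helper): a production version needs the
    public suffix list, otherwise example.co.uk would yield the suffix co.uk.
    """
    if IPV4.match(host):
        return None  # IP addresses have no parent domain
    labels = host.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else None


def classify_trail(trail: str) -> Verdict:
    """Classify a single trail string into one of the detection shapes."""
    scheme = None
    rest = trail
    m = re.match(r"^(https?)://(.*)$", trail, re.IGNORECASE)
    if m:                                  # Example 3: Validin shows "Scheme: http"
        scheme, rest = m.group(1).lower(), m.group(2)
    host, sep, tail = rest.partition("/")
    path = sep + tail if sep else None     # keep the path exactly, trailing slash included
    if scheme is not None:
        return Verdict("url", host, parent_domain(host), scheme, path)
    if path is not None:                   # Example 4: Validin shows the "Path" marker
        return Verdict("path", host, parent_domain(host), None, path)
    if IPV4_PORT.match(host):              # Example 2: IP:port detection
        return Verdict("ip:port", host, None, None, None)
    if IPV4.match(host):
        return Verdict("ip", host, None, None, None)
    parent = parent_domain(host)           # Example 1: subdomain vs. parent domain
    return Verdict("subdomain" if parent else "domain", host, parent, None, None)


def covering_trails(host: str, trails: List[str]) -> List[str]:
    """Trails that apply to `host`, by exact match or because they name a parent domain.

    Path and URL trails are excluded on purpose: a full-path detection on a
    legitimate compromised site must not be read as a verdict on the whole host.
    """
    hits = []
    for t in trails:
        v = classify_trail(t)
        if v.kind not in ("domain", "subdomain"):
            continue
        if host == v.host or host.endswith("." + v.host):
            hits.append(t)
    return hits


if __name__ == "__main__":
    for t in SAMPLE_TRAILS:
        print(f"{t:48} -> {classify_trail(t)}")
    print(covering_trails("cdn.sovber.shop", SAMPLE_TRAILS))   # both detections from Example 1
    print(covering_trails("www.sovber.shop", SAMPLE_TRAILS))   # only the parent-domain detection
    print(covering_trails("dsestimation.com", SAMPLE_TRAILS))  # none: only the path is flagged
```

Running the block lists how each sample trail is read, and the three `covering_trails` calls reproduce the reading rules above: a host with an explicit subdomain trail is covered twice (subdomain and parent), a subdomain without its own trail is covered once through the parent, and a domain that only carries a full-path detection is not covered at all.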