Trail classes - stamparm/maltrail GitHub Wiki

APT unclassified high

A special class of trails, containing addresses known to be used for Advanced Persistent Threat (APT) attacks, where the threat actor is currently unknown.

Bad history medium

Domains having a bad history because of known usage for malicious purposes in the past.

Bad reputation medium

IP addresses known to be used for perpetrating brute force attacks, web attacks and any other form of unwanted behavior toward Internet-exposed services.

Bad service medium

A special class of trails, containing addresses of malicious web pages which provide various services, tools, malware collections, etc. that can be used to compromise the local system(s).

Bad WPAD medium

Web Proxy Autodiscovery Protocol (WPAD) is a system that allows computers to automatically discover web proxy configurations inside a corporate environment. The .company.example domain is private to the organization's network, and DNS lookups for *.company.example domains are supposed to be answered by the organization's own DNS servers. If attackers are able to purchase the domain name .company.example, they can put up a website at wpad.company.example and publish their own PAC file that tells browsers to use the attacker's proxy server. Bad WPAD trails are used to detect related attempts from local networks toward such "bad" domains.
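As an added example (not Maltrail's own code), the following check runs over a constructed DNS log and flags WPAD lookups in two ways: names that appear on a (constructed) bad-WPAD trail list, and, generalizing the scenario above, any wpad.* name that resolves to an address outside the organization's own address space, i.e. a PAC file that would be fetched from outside. The trail list, log entries and internal ranges are assumptions made for this example.

```python
import ipaddress

# Constructed trail list of WPAD names registered by third parties; the domain is the
# page's own placeholder, the list itself is made up for this example.
BAD_WPAD_TRAILS = {"wpad.company.example"}

# Address space the organization's own DNS should answer WPAD from (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed DNS log: (client_ip, queried_name, answer_ip or None for NXDOMAIN).
DNS_LOG = [
    ("10.0.0.5", "wpad.corp.example.", "10.1.2.3"),        # answered from internal space: fine
    ("10.0.0.5", "WPAD.company.example", "203.0.113.10"),  # on the trail list
    ("10.0.0.7", "wpad.branch.example", "198.51.100.7"),   # not listed, but served from outside
    ("10.0.0.8", "www.example.org", "198.51.100.9"),       # not a WPAD lookup
    ("10.0.0.9", "wpad.lab.example", None),                # NXDOMAIN: no PAC file served
]

def normalize(name):
    """Canonical DNS name: lowercase, without the trailing dot."""
    return name.rstrip(".").lower()

def is_wpad_lookup(name):
    """True when the leftmost label is 'wpad', the name browsers probe for a PAC file."""
    return normalize(name).split(".")[0] == "wpad"

def is_internal(addr):
    """True when the answer lies inside the organization's own address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def check_wpad(entries, trails=BAD_WPAD_TRAILS):
    """Return (client_ip, name, reason) for WPAD lookups worth investigating."""
    findings = []
    for client, name, answer in entries:
        if not is_wpad_lookup(name):
            continue
        n = normalize(name)
        if n in trails:
            findings.append((client, n, "bad wpad trail"))
        elif answer is not None and not is_internal(answer):
            # The PAC file would be fetched from outside the organization (generalization).
            findings.append((client, n, "wpad served from outside internal address space"))
    return findings

if __name__ == "__main__":
    for finding in check_wpad(DNS_LOG):
        print(finding)
```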

Blockchain DNS medium

Detects DNS query resolutions through decentralized blockchain name-system web APIs. The same mechanism is known to be abused by various malware families.

Browser locker medium

Malicious JavaScript that disrupts normal web-browser operation, e.g. by preventing tab switching or closing of tabs, playing uncomfortable sounds, etc.

Config file access medium

A special case of the Potential directory traversal heuristic that detects attempts to read configuration files on the target system.

Consonant threshold no such domain medium

A contacted non-existent domain name with an unusually high ratio of consonants, a characteristic of malicious (e.g. DGA-generated) domains.

Domain shadowing medium

Domain shadowing is a subcategory of DNS hijacking attacks in which attackers attempt to stay unnoticed. Cybercriminals stealthily insert subdomains under the compromised domain name, while keeping the existing records so that the services (websites, email servers, etc.) using the compromised domain continue to operate normally. By ensuring the undisturbed operation of existing services, the criminals make the compromise inconspicuous to the domain owners and the cleanup of malicious entries unlikely. As a result, domain shadowing gives attackers access to virtually unlimited subdomains inheriting the compromised domain's benign reputation.

Entropy threshold no such domain medium

A contacted non-existent domain name with an unusually high entropy, a characteristic of malicious (e.g. DGA-generated) domains.

Excessive no such domain medium

Non-existent domain names queried an unusually high number of times.

Exploit kit medium

An exploit kit (synonym: exploit pack) is a type of toolkit that cybercriminals use to attack vulnerabilities in web client systems. Their most common purpose is the installation, without the user's consent, of malware or potentially unwanted software.

IPinfo medium

A special class of Internet services known to be (ab)used by malware for geolocating infected victims.

Known attacker medium

A number of organizations maintain reputation lists of IP addresses operated by known attackers, such as spammers, malware distributors, and botnets. Maltrail leverages this kind of information from multiple reputation lists to help you identify requests from such malicious IP addresses.

Long domain medium

Heuristic detection that tracks DNS queries for unusually long domain names. This could be an early sign of suspicious activity, such as DNS tunneling or malware C&C communication.
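As an added example (not Maltrail's own code) serving the Consonant threshold, Entropy threshold, Excessive no such domain and Long domain classes described above, the following classifies a constructed set of NXDOMAIN observations with those four heuristics. The thresholds, the log entries and the choice to measure the leftmost label are assumptions made for this example, not Maltrail's tuning.

```python
import math
from collections import Counter

# Constructed NXDOMAIN observations: (client_ip, queried_name). All values are made up.
NXDOMAIN_LOG = [
    ("10.0.0.5", "mail.example.com"),                 # ordinary typo-style miss
    ("10.0.0.5", "xkqzvbtrlpmn.example.net"),         # consonant-only label
    ("10.0.0.5", "a7f3k9q2z8wm1b5.example.org"),      # high-entropy label
    ("10.0.0.7", "totally-ordinary-but-really-long-name-that-goes-on-and-on-forever.example.com"),
] + [("10.0.0.9", "host%d.example.com" % i) for i in range(60)]  # one noisy client

CONSONANTS = set("bcdfghjklmnpqrstvwxz")  # 'y' is treated as a vowel here (assumption)

def consonant_ratio(label):
    """Share of consonants among the alphabetic characters of a DNS label (0.0 if none)."""
    letters = [c for c in label.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in CONSONANTS for c in letters) / len(letters)

def shannon_entropy(label):
    """Shannon entropy of a DNS label in bits per character."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(k / n * math.log2(k / n) for k in Counter(label.lower()).values())

def classify_nxdomain(log, consonant_thr=0.8, entropy_thr=3.6, long_thr=64, excess_thr=50):
    """Return (client_ip, name, trail_class) hits; thresholds are illustrative assumptions."""
    hits = []
    for ip, name in log:
        label = name.split(".")[0]  # the leftmost label usually carries the generated part
        if consonant_ratio(label) > consonant_thr:
            hits.append((ip, name, "consonant threshold no such domain"))
        if shannon_entropy(label) > entropy_thr:
            hits.append((ip, name, "entropy threshold no such domain"))
        if len(name) > long_thr:
            hits.append((ip, name, "long domain"))
    # Excessive NXDOMAIN is a per-client volume signal: one hit per client over the threshold.
    for ip, count in Counter(ip for ip, _ in log).items():
        if count > excess_thr:
            hits.append((ip, None, "excessive no such domain"))
    return hits

if __name__ == "__main__":
    for hit in classify_nxdomain(NXDOMAIN_LOG):
        print(hit)
```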

Mass scanner medium

Mass scanners are special services that periodically scan various Internet resources. In the general case, they allow public access to lists of Internet-exposed services, automatic checking of service versions against known vulnerabilities, and identification of hosts that could be used for distributed denial of service attacks. It should be noted that such services usually have their own public web pages, where organizations can apply for exclusion from the scanning process.

Parking site medium

Domain parking services offer a simple solution for domain owners to monetize their sites’ traffic through third-party advertisements. While domain parking might appear harmless at first glance, parked domains pose a significant threat, as they can redirect visitors to malicious or unwanted landing pages or turn entirely malicious at any point in time. Additionally, periodic visits to such domains could be a late sign of malware infection.

Port proxy medium

Port proxying (synonyms: port forwarding, port mapping) is a technique that allows external devices to access computer services inside private networks. It does this by mapping an external (service) IP address and port to an internal IP address and port. Besides its legitimate usage, this type of service is very popular with some specific types of malware.

Potential data leakage medium

Heuristic detection that tracks attempts at sensitive data leakage, i.e. unauthorized transmission of data from within an organization to an external destination or recipient.

Potential directory traversal medium

Heuristic detection that tracks attempts to read arbitrary server files stored outside the web root folder via (unknown) web security vulnerabilities. See also the Config file access chapter.

Potential DNS changer medium

Heuristic detection that tracks attempts to substitute the DNS-server settings of routers vulnerable to DNS hijacking attacks via HTTP requests.

See also Rogue DNS description.

Potential infection medium

Heuristic detection that tracks attempts at multiple simultaneous connections to target IP address(es) on specific TCP ports, namely ports that have appeared in security reports on various malware (e.g. worm) infections spreading via vulnerabilities in the system services listening on them.

The most famous case was in April 2017, when the Shadow Brokers hacker group released the “EternalBlue” exploit for an SMB vulnerability, described in Microsoft Security Bulletin MS17-010.

Potential iot-malware download high

Heuristic detection that tracks attempts to download malicious files for Internet-of-Things (IoT) operating systems.

Potential LDAP injection medium

Heuristic detection that tracks attempts at LDAP injection attacks.

LDAP injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands, such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL injection can be similarly applied in LDAP injection.

Potential proxy probe medium

Heuristic detection that tracks scanning attempts aimed at finding open proxy servers.

Proxy medium

Detection of open proxy access, based on public lists of open proxy servers. An open proxy is one configured so that anyone can use it. Such proxy servers are widely used by spammers because the proxy hides the spammer's IP address from recipients.

Potential PHP injection medium

Heuristic detection that tracks attempts at PHP injection attacks.

PHP injection is the general term for attack types which consist of injecting arbitrary PHP code to be executed by the vulnerable application. This type of attack exploits poor handling of untrusted data.

Potential port scanning medium

Heuristic detection that tracks attempts at port scanning.

Port scanning is one of the most popular forms of remote reconnaissance, helping attackers determine which server ports are open and thus candidates for potential compromise.

Potential remote code execution medium

Heuristic detection that tracks attempts at remote code execution attacks.

Remote Code Execution (RCE) is the general term for an attack type which consists of injecting arbitrary OS-level code to be executed by the vulnerable application. If successful, it can lead to full compromise of the vulnerable web application, the web server, or even the entire target system.

Potential SQL injection medium

Heuristic detection that tracks attempts at SQL injection attacks.

A SQL injection attack consists of the insertion or “injection” of a SQL query via the input data sent from the client to the application. Successful SQL injection exploitation can lead to the compromise of sensitive data in the database, modification of database data, execution of administrative operations on the database, etc.

Potential SSTI injection medium

Heuristic detection that tracks attempts at server-side template injection (SSTI) attacks.

Server-side template injection (SSTI) occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.

Potential web scan medium

Heuristic detection that tracks web scanning attempts.

A web scan represents the initial phase of an attack on web applications. During this phase, the attacker gathers information about the site's structure (pages, parameters, etc.) and the supporting infrastructure (operating system, databases, etc.). Additionally, based on the gathered information, target sites are scanned for known vulnerabilities in the infrastructure software.

Potential XML injection medium

Heuristic detection that tracks attempts at XML injection attacks.

XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the application.

Potential XSS injection medium

Heuristic detection that tracks attempts at XSS attacks.

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. A successful attack can lead to session hijacking, execution of arbitrary actions without the user's knowledge and/or theft of any other sensitive information held by the browser.

Potential XXE injection medium

Heuristic detection that tracks attempts at XXE attacks.

An XML External Entity (XXE) attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. It may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Rogue DNS medium

Detection of requests to attackers' DNS server infrastructure, imposed through a compromised network configuration (e.g. via DNS hijacking) that redirects regular users' network traffic to malicious sites.

See also Potential DNS Changer description.

SDrop high

Generic detection (SDrop, i.e. script dropper) for cases when a downloaded script payload drops another malicious file (or files) from its body.

SLoad high

Generic detection (SLoad, i.e. script loader) for cases when a script payload is downloaded from some resource (a compromised legitimate site or an explicitly malicious site).

Sinkhole high

A sinkhole is a server used by anti-malware researchers to collect information about a botnet. It masquerades as one of the C2 (command-and-control) servers of the botnet so that DNS requests (from compromised computers in the botnet) for the related domain are redirected to the sinkhole, where they can be further analyzed by researchers.

Spamtool (e.g. Alexus or XSender) medium

Software toolkit or online service used to send email spam or messages to social media sites en masse.

TDS (e.g. BlackTDS, ParrotTDS or SutraTDS) medium

A TDS (Traffic Direction System) is a specialized system used for directing victims' traffic in order to cash in on referrals. The problem is that such systems are often abused for malicious purposes, such as redirecting users to exploit kits (EK) or drive-by download sites.

Tor exit node medium

The Tor network provides adversaries with a multitude of source locations from which to conduct malicious activities against targets. By ensuring that different Tor exit nodes are used, adversaries make it more difficult for defenders to correlate activities, block malicious attempts and attribute them. Maltrail detects related connection attempts based on the public Tor exit/relay list.