
Domains

Mike Goffin edited this page Jun 4, 2014 · 1 revision

CRITs helps you track Domains which can then be leveraged by other tools on your network.

Let's walk through an example of uploading a Domain to CRITs.

  • You wish to add bad.evil.com to your Domains collection.
  • You open the modal form for adding a new domain and enter bad.evil.com for the Domain name.
  • You don't have any Campaign attribution yet, and you don't know of any IPs that have been used by this Domain.
  • You check the Add Indicator? box because you know that if someone sees this Domain anywhere in their network (logs, proxy, etc.) it's bad news.
  • You click New Domain.

CRITs will then analyze the Domain Name you provided. In this case it will notice that bad.evil.com has a root domain of evil.com. It will check to see if you already have evil.com as a Domain and if not, it will automatically add it. Then it will add bad.evil.com and it will automatically relate it to the root domain. Then it will generate your bad.evil.com Indicator and automatically relate that back to the domain.

As you can see CRITs attempts to do as much work for you as possible. You can imagine what will happen in this scenario if you were to also add an IP Address to the mix!

Domains also get automatically added when you add them as Indicators. If you had a new Domain you wanted to add as an Indicator, you could just upload it as an Indicator. When you choose the type URI - Domain Name, CRITs will automatically detect that it is a Domain, add it for you, and relate it back to the Indicator. Again, if it's an FQDN it will also attempt to determine the root domain and perform the relationship additions.
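To make the two ingest paths above concrete (Domain upload with "Add Indicator?" checked, and Indicator upload of type URI - Domain Name), here is a small in-memory model of the workflow. It is an added example, not CRITs code; the `Store`, `add_domain` and `add_indicator` names are assumptions, and the root-domain rule (last two labels) is a simplification that a real deployment would replace with a public-suffix list.

```python
"""Model of the CRITs domain-ingest workflow (added example, not CRITs code)."""
from dataclasses import dataclass, field


@dataclass
class Store:
    """Minimal stand-in for the Domains and Indicators collections (assumed)."""
    domains: set = field(default_factory=set)
    indicators: set = field(default_factory=set)
    # Relationships are (left, right) pairs; both directions are recorded.
    relationships: set = field(default_factory=set)

    def relate(self, a, b):
        self.relationships.add((a, b))
        self.relationships.add((b, a))


def root_domain(fqdn):
    """Assumed rule: the root is the last two labels. This is wrong for multi-label
    suffixes such as 'evil.co.uk'; use a public-suffix list in real code."""
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a valid domain name: {fqdn!r}")
    return ".".join(labels[-2:])


def add_domain(store, name, add_indicator=False):
    """Steps the page describes: ensure the root domain exists, add the FQDN,
    relate it to the root, and optionally create and relate an Indicator.
    Returns the list of Domain entries that were newly created."""
    name = name.lower().strip(".")
    root = root_domain(name)
    added = [d for d in (root, name) if d not in store.domains]
    store.domains.update(added)
    if name != root:
        store.relate(("Domain", name), ("Domain", root))
    if add_indicator:
        store.indicators.add(name)
        store.relate(("Indicator", name), ("Domain", name))
    return added


def add_indicator(store, value, ind_type):
    """Reverse path: an Indicator of type 'URI - Domain Name' also creates the
    Domain (and its root) and relates them; other types only add the Indicator."""
    if ind_type == "URI - Domain Name":
        return add_domain(store, value, add_indicator=True)
    store.indicators.add(value)
    return []
```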

Domains can also be added when you add CybOX Objects to top-level objects. For example, say you are analyzing a binary and you find that it contains a Domain in the strings output. You might add a new Object to that Sample. You'd select the URI - Domain Name object type, and add the domain. At upload time you have the option to add it as an Indicator as well. If you forget this step or wish to do it later, there will be a + sign next to the Object's value that will allow you to add it as an Indicator. In both of these scenarios, the Indicator will get added and CRITs will attempt to add the Domains.

Domains can also be uploaded in Bulk through the Navigation Menu. This will allow you to fill out a spreadsheet containing many domains (one per row), validate the contents, and upload them en masse.

Another feature of Domains is the Whois information. You can upload Whois information for that Domain over time and then get a diff right from the UI to see how the Whois data has changed over time!