Skip to content

Convert DNSTwist Results to MDE IOCs and TenantAllowBlockLists

License

Notifications You must be signed in to change notification settings

jkerai1/DNSTwistToMDEIOC

Repository files navigation

GitHub stars GitHub forks GitHub issues GitHub pulls

DNSTwistToMDEIOC

Convert DNSTwist Results to MDE IOCs then turn them into TenantAllowBlockLists ! This should run along aside Domain impersonation protection inside of Defender for Office (MDO).

Can block typosquatters, phishing attacks, fraud, and brand impersonation!

image

Result - (note needs xn-- encoding):

image

KQL

DeviceEvents  
| where (ActionType == "SmartScreenUrlWarning" and AdditionalFields.Experience == "CustomBlockList") or (AdditionalFields.ResponseCategory == "CustomBlockList" and ActionType == "ExploitGuardNetworkProtectionBlocked")
| extend URL = replace_string(RemoteUrl,'.','[.]')  
| summarize by URL, DeviceName,AccountName,InitiatingProcessAccountName  

image

How To install DNSTwist in Python

Install DNSTwist using

pip install dnstwist

Reference: https://github.com/elceef/dnstwist

How to Import

image

image

File naming convention is DNSTwist+{thedate}.csv

General Usage

No duplication checks between runs :) however MDE natively handles duplicates

Do not blindly upload, validate results before uploading

Domains can be whitelisted by adding to the whitelist variable

Extra domains to be twisted can be added to the domainsToTwist List

Whats Next?

Block The Domain in Tenant Allow Block List using the powershell script (sender domain and URL)

TABL does not support punycode (xn--) and MDE support for punycode is limited. Defender for Office's impersonation list is hidden but TABL blocks will verify explictly domain is blocked.

Misc

A good online punycode converter: https://www.punycoder.com/

See also MDE IOC/TABL Repos for

JoeSandBox: https://github.com/jkerai1/JoeSandBoxToMDEBlockList
TLD: https://github.com/jkerai1/TLD-TABL-Block
Ransomwatch: https://github.com/jkerai1/RansomWatchToMDEIoC/tree/main