Skip to main content

Microsoft Sentinel: Using Custom Logs and DNSTwist to Monitor Malicious Similar Domains

In this article, we are going to explore how to monitor similar domains to yours, in order to protect your users from being victims of social engineering attacks.

When performing computer-based social engineering attacks such as phishing, attackers buy similar domains to yours in order to trick your users. This is why keeping an eye on similar domains is essential to avoid such attacks.

First we need to find these domains. One of the tools that helps you to generate similar domains is "DNS Twist". You can find it here: https://github.com/elceef/dnstwist

According to DNS Twist developers:

"DNS fuzzing is an automated workflow for discovering potentially malicious domains targeting your organisation. This tool works by generating a large list of permutations based on a domain name you provide and then checking if any of those permutations are in use. Additionally, it can generate fuzzy hashes of the web pages to see if they are part of an ongoing phishing attack or brand impersonation, and much more!"

You can even try to generate some domains online here: https://dnstwist.it

In this demonstration, we are going to use python on Windows to generate similar domains:

Type the following command to install the python module:

py -m pip install dnstwist

To generate similar domains, open python terminal and type:

import dnstwist 
fuzz = dnstwist.DomainFuzz(“<YOUR DOMAIN HERE>”)
fuzz.generate()
fuzz.domains

For example these are some similar domains to "google.com" after parsing only the domain names:

You can also use this API: https://dnstwister.report/api/

To store the similar domains you can build a small script to achieve that. For example the following snippet stores similar domains in a file called "Similar-Domains.txt"

Once, we have a file that contains the similar domains, now we need to send them to sentinel so later we can create rules based on them.

Go to "Custom logs" sections and upload a log sample (a snippet from your similar domains file)

Select the limit delimiter: New Line

Add the file path. In my case "C:\Users\Computer\Similar-Domains.txt". If you have many log files you can use regular expression such as * eg: C:\Users\Computer*.txt

Add a name and description to your custom log source

Voila! Your custom log is created successfully

Go to Sentinel log section and you will find it under Custom Logs

To query it, simply select its name as follows:

Finally, now you can create a rule to detect if a user visited one of the similar domains. For example, you can use the JOIN function with DNSevents source.