Malicious actors often use tactics such as domain hopping or domain fronting to evade detection and propagate malicious activity. By changing the nameservers associated with a domain, threat groups are able to evade detection and continue their activities under a different set of infrastructure.
By monitoring changes to the nameservers associated with a domain, security teams can pinpoint connections between different domains and nameservers, and identify previously unknown threat actors or infrastructure based on recurring patterns of behaviour.
Additionally, if a domain is repeatedly changing nameservers or associated infrastructure, it may be an indication that the domain's security controls or practices are inadequate, and that the domain is vulnerable to attack.
Silent Push allows you to search for all nameserver changes associated with a specific domain:
- Navigate to Advanced Query Builder > Domain Queries > Nameserver Changes
- Specify a Domain
- (Optional) Click Summary to return a set of summarized results
- Click Search
- (Optional) Click Explore Table View to visualise the results and look up passive DNS data for the returned nameservers
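The two analyses the introduction describes, flagging a domain whose nameservers churn within a short window and pivoting on nameservers that several domains have moved onto, as an added example that is not part of the Silent Push product or its API; it runs over a constructed set of change records with hypothetical field names, not the platform's own result schema.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records (hypothetical field names, not Silent Push's schema):
# one row per observed nameserver change for a domain.
SAMPLE_CHANGES = [
    {"domain": "shop-a.example", "seen": "2024-03-01", "old_ns": "ns1.host-one.example", "new_ns": "ns1.fast-park.example"},
    {"domain": "shop-a.example", "seen": "2024-03-09", "old_ns": "ns1.fast-park.example", "new_ns": "ns1.cheap-dns.example"},
    {"domain": "shop-a.example", "seen": "2024-03-20", "old_ns": "ns1.cheap-dns.example", "new_ns": "ns1.fast-park.example"},
    {"domain": "login-b.example", "seen": "2024-03-12", "old_ns": "ns1.corp-dns.example", "new_ns": "ns1.fast-park.example"},
    {"domain": "news-c.example", "seen": "2023-11-02", "old_ns": "ns1.old-dns.example", "new_ns": "ns1.big-registrar.example"},
]

def changes_in_window(records, domain, end_iso, window_days):
    """Count nameserver changes for `domain` in the `window_days` ending on `end_iso` (inclusive)."""
    end = date.fromisoformat(end_iso)
    start = end - timedelta(days=window_days)
    return sum(1 for r in records
               if r["domain"] == domain and start <= date.fromisoformat(r["seen"]) <= end)

def flag_churning_domains(records, end_iso, window_days=30, threshold=3):
    """Domains whose nameservers changed `threshold` or more times inside the window."""
    domains = {r["domain"] for r in records}
    return sorted(d for d in domains
                  if changes_in_window(records, d, end_iso, window_days) >= threshold)

def pivot_by_nameserver(records):
    """Map each nameserver to the sorted list of domains that have moved onto it."""
    index = defaultdict(set)
    for r in records:
        index[r["new_ns"]].add(r["domain"])
    return {ns: sorted(doms) for ns, doms in index.items()}

def shared_infrastructure(records, min_domains=2):
    """Nameservers that `min_domains` or more distinct domains moved onto: pivot candidates."""
    return {ns: doms for ns, doms in pivot_by_nameserver(records).items()
            if len(doms) >= min_domains}

if __name__ == "__main__":
    print("churning:", flag_churning_domains(SAMPLE_CHANGES, "2024-03-31"))
    print("shared nameservers:", shared_infrastructure(SAMPLE_CHANGES))
```

The churn threshold and window are tuning knobs; a legitimate migration or a parked domain can also produce a burst of changes, so treat a hit as a lead to pivot on, not a verdict.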
Saving queries
Organizational users are able to save individual queries run from Advanced Query Builder, and store them in the Private Queries menu for future analysis, or to share with their organization.
- Specify the query parameters
- Click Save Query
- Give your query a Name
- Specify a Description to add more context
- Click Save