Suspicious Domain Playbook

Systematic approach to investigating suspicious domains encountered in alerts or threat hunting.

Last updated: February 2026

Purpose and Scope

When analysts encounter an unfamiliar domain in alerts, logs, or threat hunting, a structured investigation determines whether it is malicious, benign, or requires further monitoring. This playbook provides a repeatable workflow for domain investigation.

Prerequisites

  • WHOIS lookup tools: Command line whois or web services
  • DNS investigation tools: dig, nslookup, or online DNS tools
  • Passive DNS access: Services like PassiveTotal, VirusTotal, SecurityTrails
  • URL scanning: urlscan.io for safe page inspection
  • Threat intelligence: VirusTotal, OTX, or commercial TI platforms
  • Internal logs: DNS, proxy, firewall logs for organizational context

Investigation Workflow

1. Initial Context Gathering

Before investigating the domain, document how it was encountered:

  • Which alert, log, or hunt surfaced this domain?
  • What was the context (phishing link, C2 candidate, ad network)?
  • Which internal hosts or users accessed it?
  • What protocol and port were used?

2. Domain Registration (WHOIS)

Check WHOIS data (or RDAP, which serves the same registration data as JSON and is easier to parse) for registration details:

  • Creation date: Domains registered in the last 30 days are higher risk. Some ccTLD registries do not publish it; fall back to the passive DNS first-seen date from step 5.
  • Registrar: Some registrars are favored by attackers
  • Registrant: Privacy protected vs. named entity. Since GDPR most registrars redact registrant data by default, so redaction alone says little; a named entity that does not match the brand the site claims to be says more.
  • Name servers: Shared with other suspicious domains?

Command: whois example.com
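A small parser for this step, added here as an example and not part of the original playbook: it pulls the creation date, registrar, name servers and a redaction flag out of raw whois text and applies the playbook's 7-day and 30-day age thresholds. The whois text is constructed for illustration; the field labels follow common gTLD registrar output, and real output varies by registrar and TLD.

```python
"""Parse raw whois output into the fields this step asks for and derive
domain age.  Added example: the whois text is constructed for illustration,
and the field labels follow common registrar output; real output varies by
registrar and TLD (many ccTLDs publish no creation date at all)."""
from datetime import datetime, timezone

# Constructed sample, modelled on gTLD whois output for a domain registered
# through a privacy/proxy service.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LOGIN-PORTAL.COM
Registrar: Example Registrar, Inc.
Creation Date: 2026-02-03T14:22:10Z
Updated Date: 2026-02-03T14:22:10Z
Registry Expiry Date: 2027-02-03T14:22:10Z
Registrant Organization: Privacy service provided by Example Privacy ehf
Registrant Name: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

# Registrars label the same fields differently; cover the common variants.
DATE_KEYS = ("creation date", "created", "registered on", "registration date")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "data protected")


def parse_whois_date(value):
    """Try each known date layout; return an aware UTC datetime or None."""
    for fmt in DATE_FORMATS:
        try:
            dt = datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
        return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)
    return None


def parse_whois(text):
    """Extract creation date, registrar, name servers and whether the
    registrant fields look redacted or proxied (a heuristic on the values)."""
    record = {"created": None, "registrar": None, "name_servers": [], "privacy_protected": False}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only; dates contain colons
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in DATE_KEYS and record["created"] is None:
            record["created"] = parse_whois_date(value)
        elif key == "registrar" and record["registrar"] is None:
            record["registrar"] = value
        elif key in ("name server", "nserver"):
            record["name_servers"].append(value.lower().rstrip("."))
        elif key.startswith("registrant") and any(m in value.lower() for m in PRIVACY_MARKERS):
            record["privacy_protected"] = True
    return record


def domain_age_days(record, now=None):
    """Whole days since creation; None when no creation date was published."""
    if record["created"] is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - record["created"]).days


def age_risk(age_days):
    """Map age onto the playbook's thresholds: <7 days high, <30 days medium."""
    if age_days is None:
        return "unknown"
    if age_days < 7:
        return "high"
    if age_days < 30:
        return "medium"
    return "low"
```

Feed it the output of `whois example.com` captured to a file; an age of `None` means the registry did not publish a creation date, which is the case for several ccTLDs, and should be recorded as unknown rather than treated as old.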

3. DNS Resolution

Resolve the domain and examine records:

  • A records: What IPs does it resolve to? Does the name alias (CNAME) to a CDN or hosting platform, in which case the IPs belong to the provider, not the attacker?
  • MX records: Does it have mail infrastructure?
  • TXT records: SPF, verification, or suspicious data?
  • NS records: What name servers are authoritative?

Run these from an analysis host or a public resolver rather than the corporate resolver: each query reaches the domain's authoritative name servers, which the attacker may control and log, and it adds your own lookups to the internal DNS logs you will search in step 9.

Commands:

dig example.com A
dig example.com MX
dig example.com TXT
dig example.com NS

4. IP Address Investigation

For each IP the domain resolves to:

  • Check geolocation and hosting provider
  • Look for other domains hosted on the same IP
  • Check IP reputation in threat intelligence
  • Determine if it is shared hosting, cloud, or dedicated. On shared hosting, a CDN edge, or a cloud load balancer the IP serves many unrelated domains, so IP reputation and co-hosted domains carry little weight there.

5. Passive DNS History

Query passive DNS for historical data:

  • What IPs has the domain resolved to over time?
  • Has it changed hosting frequently (fast flux)?
  • Are there related subdomains?
  • When was the domain first observed in DNS?
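The questions in this step reduce to a few statistics over the passive DNS export. The following is an added example, not code from the original playbook or from any passive DNS vendor: the rows are constructed, the IPs come from the RFC 5737 documentation ranges, and the fast-flux thresholds (many distinct IPs across unrelated /24s, short TTLs, within a short window) are this example's own heuristic rather than a standard.

```python
"""Summarize a passive DNS export for one name to answer this step's
questions: which IPs, how much hosting churn, and when it was first seen.
Added example: the rows are constructed, and the fast-flux thresholds are
this example's own heuristic (many IPs across unrelated networks, short
TTLs, over a short window), not a fixed standard."""
import ipaddress
from datetime import datetime, timezone
from statistics import median

# Constructed passive DNS rows: (first_seen, last_seen, rrtype, rdata, ttl).
# The IPs are in the documentation ranges (RFC 5737).
SAMPLE_PDNS = [
    ("2026-01-28", "2026-01-29", "A", "203.0.113.10", 300),
    ("2026-01-29", "2026-01-29", "A", "198.51.100.77", 120),
    ("2026-01-29", "2026-01-30", "A", "192.0.2.45", 60),
    ("2026-01-30", "2026-01-31", "A", "203.0.113.201", 120),
    ("2026-01-31", "2026-02-01", "A", "198.51.100.9", 60),
    ("2026-02-01", "2026-02-02", "A", "192.0.2.130", 120),
    ("2026-01-28", "2026-02-02", "NS", "ns1.example-dns.net", 86400),
]


def parse_day(s):
    """'YYYY-MM-DD' into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def pdns_summary(rows):
    """Distinct A-record IPs and the /24s they fall in, median TTL, first
    observation and observation span in days (span covers all record types)."""
    a_rows = [r for r in rows if r[2] == "A"]
    ips = sorted({r[3] for r in a_rows}, key=ipaddress.ip_address)
    nets = sorted({str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in ips})
    first = min(parse_day(r[0]) for r in rows)
    last = max(parse_day(r[1]) for r in rows)
    return {
        "first_seen": first.date().isoformat(),
        "span_days": (last - first).days,
        "ips": ips,
        "nets": nets,
        "median_ttl": median(r[4] for r in a_rows) if a_rows else None,
    }


def is_fast_flux(summary, min_ips=5, min_nets=3, max_ttl=300, max_span_days=14):
    """Heuristic: at least min_ips distinct IPs spread over min_nets /24s,
    low TTLs, all inside a short observation window.  CDN-fronted domains
    can trip the IP and network counts, so check whether the IPs belong to
    a known CDN or cloud provider (step 4) before concluding."""
    return (len(summary["ips"]) >= min_ips
            and len(summary["nets"]) >= min_nets
            and summary["median_ttl"] is not None and summary["median_ttl"] <= max_ttl
            and summary["span_days"] <= max_span_days)
```

The `first_seen` value is the sensor's first observation, not the registration date, so it is a lower bound on age; a domain that passive DNS first saw yesterday but WHOIS says is five years old was most likely dormant, which is itself worth noting.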

6. Threat Intelligence Lookup

Check the domain against threat intelligence sources:

  • VirusTotal: Community votes and vendor detections
  • OTX: Pulses containing the domain
  • URLhaus: Known malware distribution
  • PhishTank: Reported phishing sites
  • Commercial TI: Recorded Future, Mandiant, CrowdStrike

7. Website Analysis

If the domain hosts a website, analyze safely:

  • Use urlscan.io to view the page without visiting. Submit the scan as Unlisted or Private when the investigation is sensitive; public scans are indexed and searchable by anyone, including the attacker.
  • Check for credential harvesting forms
  • Look for brand impersonation
  • Examine scripts and external resources
  • Note the page title, content, and purpose

Do not visit suspicious domains directly from your workstation. Remember also that a scanner's visit is visible to the attacker, and phishing kits commonly cloak: they serve benign content to scanner IPs, known security vendors, or the wrong geography, so a clean-looking scan does not prove the page is harmless.

8. Certificate Analysis

If HTTPS is used, examine the certificate:

  • Who issued it? Free automated CAs such as Let's Encrypt are used by most of the legitimate web as well as by attackers, so the issuer alone is a weak signal.
  • What is the certificate subject and SAN (Subject Alternative Names)? Extra SANs reveal sibling hostnames the attacker set up at the same time.
  • When was it issued? Very recent certificates on suspicious domains are concerning.
  • Are other domains on the same certificate?

Certificate Transparency logs (for example crt.sh) list every publicly trusted certificate issued for the domain and its subdomains, including hosts that no longer resolve, and can be queried without touching the attacker's infrastructure.

9. Internal Exposure Assessment

Search your logs to understand organizational exposure:

  • How many hosts or users accessed this domain?
  • When did access start and how often?
  • What content was transferred (request/response sizes)?
  • Were there successful connections or blocks?

Investigation Queries

Match the domain and its subdomains, not a substring: a wildcard such as *example.com* also matches notexample.com and example.com.attacker.net and inflates the exposure numbers.

Internal DNS Queries for Domain

index=dns (query=example.com OR query=*.example.com)
| stats count, dc(src_ip) as unique_sources, min(_time) as first_seen, max(_time) as last_seen by query
| sort -count

Proxy Traffic to Domain

index=proxy (dest_host=example.com OR dest_host=*.example.com)
| stats count, sum(bytes_in) as downloaded, sum(bytes_out) as uploaded by src_ip, user, dest_host, uri_path
| sort -count

Firewall Connections

Replace 1.2.3.4 with the IPs found in steps 3 and 5 so that direct-to-IP connections, which never appear in DNS logs, are included.

index=firewall (dest=example.com OR dest=*.example.com OR dest_ip IN (1.2.3.4))
| stats count, values(dest_port) as ports by src_ip, dest, action
| sort -count
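The same exposure summary over raw DNS log lines, for environments without a SIEM or for checking the SPL above against known input. This is an added example, not code from the original playbook: the log lines and their key=value layout are constructed, and the sample deliberately includes two decoy names that a substring match would count but an exact domain-or-subdomain match must reject.

```python
"""Exposure assessment over DNS log lines, doing what the Splunk query above
does but with exact matching: the domain itself or any subdomain, never the
substring hits that a *example.com* wildcard would also return.  Added
example; the log lines and their key=value layout are constructed."""
from datetime import datetime, timezone

# Constructed DNS log sample.  Two decoys, "notexample.com" and
# "example.com.attacker.net", would match a *example.com* wildcard.
SAMPLE_DNS_LOG = """\
ts=2026-02-05T09:12:03Z src_ip=10.1.4.22 query=example.com rcode=NOERROR
ts=2026-02-05T09:12:04Z src_ip=10.1.4.22 query=login.example.com rcode=NOERROR
ts=2026-02-05T11:40:17Z src_ip=10.1.7.90 query=login.example.com rcode=NOERROR
ts=2026-02-06T08:01:55Z src_ip=10.1.4.22 query=cdn.example.com rcode=NXDOMAIN
ts=2026-02-06T08:02:10Z src_ip=10.1.9.13 query=notexample.com rcode=NOERROR
ts=2026-02-06T08:03:42Z src_ip=10.1.9.13 query=example.com.attacker.net rcode=NOERROR
ts=2026-02-07T16:55:00Z src_ip=10.1.4.22 query=LOGIN.EXAMPLE.COM. rcode=NOERROR
"""


def parse_kv_line(line):
    """'k=v k=v ...' into a dict (values in this sample contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())


def matches_domain(query, domain):
    """True for the domain or any subdomain of it.  DNS names are
    case-insensitive and some logs keep the trailing root dot."""
    q = query.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


def exposure_summary(log_text, domain):
    """Per query name: count, distinct sources, first/last seen, sorted by
    count descending (the SPL `stats ... by query | sort -count`).
    NXDOMAIN answers still count: the host asked, which is the exposure."""
    stats = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_kv_line(line)
        if not matches_domain(rec["query"], domain):
            continue
        name = rec["query"].lower().rstrip(".")
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e = stats.setdefault(name, {"count": 0, "sources": set(), "first_seen": ts, "last_seen": ts})
        e["count"] += 1
        e["sources"].add(rec["src_ip"])
        e["first_seen"] = min(e["first_seen"], ts)
        e["last_seen"] = max(e["last_seen"], ts)
    rows = [{"query": n, "count": e["count"], "sources": sorted(e["sources"]),
             "unique_sources": len(e["sources"]),
             "first_seen": e["first_seen"].isoformat(), "last_seen": e["last_seen"].isoformat()}
            for n, e in stats.items()]
    rows.sort(key=lambda r: (-r["count"], r["query"]))
    return rows


def exposure_headline(rows):
    """Numbers for the report: hosts involved and the overall time window
    (ISO timestamps in UTC compare correctly as strings)."""
    if not rows:
        return {"hosts": 0, "first_seen": None, "last_seen": None}
    hosts = set()
    for r in rows:
        hosts.update(r["sources"])
    return {"hosts": len(hosts),
            "first_seen": min(r["first_seen"] for r in rows),
            "last_seen": max(r["last_seen"] for r in rows)}
```

The headline figures (hosts, first seen, last seen) are what goes into the documentation template under internal exposure; the per-name rows tell you which subdomains were actually contacted, which often distinguishes a single phishing click (one lookup of one host) from an implant beaconing to a C2 subdomain (repeated lookups from one host over days).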

Risk Indicators

High Risk Signals

  • Domain registered in last 7 days
  • Detected as malicious by multiple TI sources
  • Hosts credential harvesting page
  • Impersonates known brand
  • Associated with known malware family
  • Uses fast flux DNS
  • DGA (domain generation algorithm) characteristics

Medium Risk Signals

  • Domain registered in last 30 days
  • Privacy protected registration (weak on its own: most registrars redact registrant data by default since GDPR)
  • Hosted on bulletproof or low reputation hosting
  • No clear business purpose
  • Single vendor detection in TI

Lower Risk Signals

  • Established domain with history
  • Clear business purpose and content
  • No TI detections
  • Expected traffic patterns in logs
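To make the three signal lists above repeatable across analysts, the findings from the workflow can be scored mechanically. The following is an added example and not part of the original playbook: the evidence keys, the DGA heuristic (label length, vowel ratio, digit ratio, character entropy, with thresholds chosen by this example), and the mapping from signals to the categories in the next section are all this example's own assumptions. "Confirmed benign" is deliberately left to the analyst, since it is an allowlisting decision.

```python
"""Turn the analyst's findings from the workflow into the signal lists
above and a suggested classification.  Added example: the evidence keys,
the DGA heuristic thresholds and the mapping from signals to categories
are this example's own assumptions, not a standard."""
import math
from collections import Counter

VOWELS = set("aeiou")
# Signals that by themselves justify "Confirmed malicious" once verified
# by the analyst (steps 6 and 7).
DIRECT_EVIDENCE = {
    "credential_form": "hosts a credential harvesting page",
    "brand_impersonation": "impersonates a known brand",
    "malware_family": "associated with a known malware family",
}


def label_features(domain):
    """Lexical features of the label left of the TLD.  Simplification: a
    public suffix list is needed to get 'foo' out of names like foo.co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    chars = [c for c in label if c.isalnum()]   # ignore hyphens
    n = len(chars)
    counts = Counter(chars)
    entropy = -sum(k / n * math.log2(k / n) for k in counts.values()) if n else 0.0
    letters = [c for c in chars if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in chars) / n if n else 0.0
    return {"label": label, "length": n, "entropy": entropy,
            "vowel_ratio": vowel_ratio, "digit_ratio": digit_ratio}


def looks_like_dga(domain):
    """Cheap DGA screen: a long label with almost no vowels, many digits,
    or very high entropy with few vowels.  Expect false positives on CDN
    and cloud hostnames and on punycode (xn--) labels; a hit is a reason
    to pull passive DNS, not a verdict."""
    f = label_features(domain)
    if f["length"] < 8:
        return False
    return (f["vowel_ratio"] < 0.2 or f["digit_ratio"] >= 0.3
            or (f["entropy"] >= 3.8 and f["vowel_ratio"] < 0.3))


def score_domain(domain, evidence):
    """evidence keys (all optional): age_days, ti_detections, fast_flux,
    privacy_protected, low_rep_hosting, clear_purpose, expected_traffic,
    plus the DIRECT_EVIDENCE flags.  Returns the signal lists and a
    suggested category from the playbook's classification scheme."""
    high, medium, low = [], [], []
    age = evidence.get("age_days")
    if age is not None:
        if age < 7:
            high.append("registered in the last 7 days")
        elif age < 30:
            medium.append("registered in the last 30 days")
        elif age >= 365:
            low.append("established domain with history")
    dets = evidence.get("ti_detections", 0)
    if dets >= 2:
        high.append(f"flagged by {dets} TI sources")
    elif dets == 1:
        medium.append("single TI vendor detection")
    else:
        low.append("no TI detections")
    direct = [text for key, text in DIRECT_EVIDENCE.items() if evidence.get(key)]
    high.extend(direct)
    if evidence.get("fast_flux"):
        high.append("fast-flux DNS")
    if looks_like_dga(domain):
        high.append("DGA-like name")
    # Weak on its own: most registrars redact registrant data by default.
    if evidence.get("privacy_protected"):
        medium.append("privacy-protected registration")
    if evidence.get("low_rep_hosting"):
        medium.append("bulletproof or low-reputation hosting")
    if evidence.get("clear_purpose") is False:
        medium.append("no clear business purpose")
    elif evidence.get("clear_purpose"):
        low.append("clear business purpose and content")
    if evidence.get("expected_traffic"):
        low.append("expected traffic patterns in logs")
    # Mapping (assumption): direct evidence or multiple TI sources ->
    # Confirmed malicious; any other high signal, or two medium signals ->
    # Suspicious; a lone medium signal -> Unknown; two or more low signals
    # and nothing else -> Likely benign; otherwise Unknown.
    if direct or dets >= 2:
        category = "Confirmed malicious"
    elif high or len(medium) >= 2:
        category = "Suspicious"
    elif medium:
        category = "Unknown"
    elif len(low) >= 2:
        category = "Likely benign"
    else:
        category = "Unknown"
    return {"domain": domain, "high": high, "medium": medium, "low": low, "category": category}
```

`age_days` comes from the WHOIS step and `fast_flux` from the passive DNS step; the direct-evidence flags should only be set after the analyst has looked at the urlscan result or the TI report, because the scoring trusts them completely.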

Domain Categories

Classify investigated domains:

  • Confirmed malicious: Block and add to threat intel
  • Suspicious: Increase monitoring, consider blocking
  • Likely benign: Document findings for future reference
  • Confirmed benign: Add to allowlist if needed
  • Unknown: Monitor and reinvestigate if activity increases

Response Actions

Based on findings:

  • Block: Add to proxy/firewall blocklist
  • Sinkhole: Redirect DNS to internal sinkhole for monitoring
  • Alert: Create detection rule for future access
  • Investigate endpoints: If hosts accessed confirmed malicious domain
  • Share intelligence: Report to TI platforms and community

Documentation Template

Record investigation findings:

  • Domain investigated
  • Investigation trigger (alert, hunt, user report)
  • Registration date and registrar
  • Resolved IPs and hosting
  • TI results summary
  • Website content summary
  • Internal exposure (hosts, users, timeframe)
  • Classification and confidence
  • Actions taken

References

  • MITRE ATT&CK: Command and Control (TA0011)
  • MITRE D3FEND: Domain Name Analysis
  • urlscan.io documentation
  • VirusTotal API documentation
  • PassiveTotal/RiskIQ documentation
  • SANS: Domain Reputation Investigation

Built by RedPhish LLC. All Rights Reserved. Copyright 2025.