Note: Be careful about submitting targeted files, URLs, etc. to some of these tools, as public lookups and sandbox submissions can tip off the attackers.

– Whois: Determine ownership of an IP address or domain name (who owns it, for how long, hosting provider, subnets, etc.)
– DNS: Look at DNS records for an IP address or domain name (MX records, nameservers, SOA, IP addresses, etc.)
– IOC Lookup: Look up artifacts and IOCs (IP, domain, hash, etc.) in open source tools to determine validity and magnitude, and to build context
– Reputation: Look up reputation information on IPs and domains to see if there is historical or recent malicious activity reported
– Botnet/C2 Info: Check potential botnet/C2 IPs against lists of known indicators
– Threat Lookup: Look up details about suspected threats to build context and determine additional artifacts to look for
– Phishing: Examine emails to determine if they are legitimate or part of phishing campaigns
– URL Scanning: Online scanners for validating/inspecting URLs without visiting them locally
– Sandboxes: Run files or visit websites in sandboxed environments to gain information on possible malware/threats
– Tools: Additional tools to assist in investigations as needed