...
Id | Description |
---|---|
Policy_AbusedTLD | A Top Level Domain (.com, .org, etc.) reported as frequently used by cybercriminals for threat activity. |
Policy_Bitcoin | Bitcoin is an online payment network. Bitcoins are frequently the currency of choice for criminal activity because currency exchange does not require a third party like a financial institution. Thus, tracking of Bitcoin related data is desirable due to the correlation between Bitcoin and potentially fraudulent activity. |
Policy_BogonRFC1122 | RFC 1122, specialized address block which refers to source hosts on 'this' network; broadcast for 'own' network. |
Policy_BogonRFC1918 | RFC 1918, Address Allocation for Private Internets |
Policy_BogonRFC2544 | RFC 2544, Benchmarking Methodology for Network Interconnect Devices. |
Policy_BogonRFC3927 | RFC 3927, Dynamic Configuration of IPv4 Link-Local Addresses |
Policy_BogonRFC5736 | RFC 5736, IANA IPv4 Special Purpose Address Block to support IETF protocol assignments. |
Policy_BogonRFC5737 | RFC 5737, IPv4 Address Blocks Reserved for Documentation. |
Policy_BogonRFC6598 | RFC 6598, IANA Reserved IPv4 Prefix for Shared Address Space for Carrier Grade NAT (CGN) devices. Used to number interfaces which connect CGN devices to Customer Premises Equipment (CPE) |
Policy_ChatServer | Collection of data relating to known servers/hosts related to ChatServer(s) or Room(s) where suspicious, fraudulent and often criminal activity occurs. |
Policy_CountryBlock | Policy based feed that contains IPs of countries in Eastern Europe and China. These countries are often found in cyber-attacks seeking intellectual property or other sensitive or classified data and stealing credit card or financial information. |
Policy_DHCP | A host on the Internet observed running Dynamic Host Configuration Protocol (DHCP) services. DHCP is a network protocol that allows an IP address to be automatically assigned by a server. |
Policy_DynamicDNS | A method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DNS configuration of its configured hostnames, addresses or other information. |
Policy_ForumUserBitTorrentContent | Indicators associated with a user participating in BitTorrent content distribution. |
Policy_ForumUserCybercrimeHacker | Indicators associated with a user participating in Cybercrime Hacker forums. |
Policy_Gambling | Collection of data relating to known servers/hosts related to online gambling. |
Policy_Generic | Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under any of the following specific properties for Policy. |
Policy_IDNHomograph | An internationalized domain name (IDN) homograph (a.k.a homoglyph) is a domain easily confused with a target domain. Attackers abuse IDNs by using Unicode characters to create domain names that look similar to the targeted domain. Homograph domains damage the targeted domain's reputation and pose a threat to users that visit them. Source: https://resources.infosecinstitute.com/a-quick-guide-to-the-idn-homograph-attack/ |
Policy_IPCheckServices | These services enable the user to obtain information about a particular IP address including the assigned owner; internet service provider; geographic location; and websites, domains or other systems hosted at the IP address. They can provide the real Internet address for users without a direct Internet connection, like those behind a router or NAT. Source: http://www.dnsbl-check.info/ |
Policy_IRCServer | A host on the Internet observed running Internet Relay Chat (IRC) services. IRC is a protocol for real-time Internet text messaging (chat) or synchronous conferencing. It is mainly designed for group communication in discussion forums, called channels, but also allows one-to-one communication via private message as well as chat and data transfer, including file sharing. |
Policy_LookalikeDomains | Contains domains that are found to be visually similar (look-alike) to other domains. These domains are composed using methods such as replacing letters with visually confusable ones (e.g. o to 0, l to 1, w to vv), switching to different top level domains (e.g. .com to .cc), among others. These domains are often found in cyber attacks seeking brandjacking, traffic redirection and phishing. |
Policy_NCCICwatchlist | Indicator appears on the watchlist from the National Cybersecurity & Communications Integration Center (NCCIC). Source: https://www.us-cert.gov/nccic |
Policy_NewlyObservedDomains | Non-threat indicators for domains which have appeared for the first time in Passive DNS monitoring. |
Policy_NewlyObservedHostname | Non-threat indicators for hostnames which have appeared for the first time in Passive DNS monitoring. |
Policy_OFACSanction | Policy based feed that contains IPs of United States sanctioned countries listed by the US Treasury Office of Foreign Assets Control (OFAC). The Treasury Department's Office of Foreign Assets Control (OFAC) administers and enforces economic sanctions imposed by the United States against foreign countries. Source: https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx |
Policy_ParkedDomain | A domain that has been parked for future use without having to host specific content. The domain owner and/or registrar may choose to use the parked domain to generate ad revenue through click traffic. |
Policy_Privacy | Non-threat indicators disclosing private information about the device or end user, either in the clear or lightly obfuscated. This is often an application or software that the user knows they are using, but may not be aware that it transmits some potentially private information. This behavior is sometimes referred to as data leakage. This data set is not intended to be exhaustive. |
Policy_RansomwarePayment | This domain or IP is used to process payments for Ransomware decryptions. While not inherently infectious, connecting to a Ransomware Payment site is usually the result of a Ransomware infection. Alerting on this property may give IT a way to detect a ransomware infection on their network. This property is included in 'Policy' category because IOCs in the Malware or C2 categories are often blocked, and the payment site may be the only way to recover the files. While Infoblox generally recommends against paying ransom, we believe the customer is the best judge of what course of action is appropriate in dealing with this situation. |
Policy Rebind Attack (DNS | DNS rebinding is a technique used by threat actors to compromise the way domain names are resolved. In this type of attack, a malicious website tricks users into running a client-side script that targets other devices within the network. Traditionally, browsers enforce a same-origin policy (SOP) to prevent such attacks, ensuring that websites from different origins cannot freely interact with each other. However, DNS rebinding techniques allow attackers to bypass SOP, turning browsers into unwitting proxies. |
Policy_RemoteAccess | Allows remote access from one computer or network to another over a LAN or the Internet. |
Policy_ServingExecutables | The identification of servers/hosts that are engaged in the activity of serving executables. |
Policy_SittingDucks | Domain has a lame name server delegation. This domain may be susceptible to a Sitting Ducks DNS hijacking attack. |
Policy_SkypeInfrastructure | Skype is a peer-to-peer Internet telephony network owned by Microsoft. |
Policy_SuspiciousSSL | Secured Sockets Layer (SSL) encrypts communication between a server and client. When a web server and browser make a secure connection, private data can be transmitted securely online. |
Policy_Tracker | Tracker domains allow others to track individual devices on the Internet, by recording their interaction with websites or reading of email. We are including cookies, advertising, email, and other trackers in this property. Cookies are files that save user information, often by the websites visited. Advertising cookies allow companies to track a device and some are established to circumvent ad blockers. Adware indicators are aligned with a piece of software that has been placed on someone’s machine to deliver ads without informed consent, and serves cookies and ads that slow the user’s machine. We may also include dual use domains such as gstatic[.]com. This data set is not intended to be an exhaustive list of trackers, but to provide context for certain domains that may appear suspicious within a network. |
Policy_UnsolictedBulkEmail | Non-threat indicators associated with SPAM distribution. |
Policy_UnwantedContent | Indicators which do not constitute a threat under typical circumstances, but may be undesirable and not permitted by policy. |
Policy_VirtualPrivateNetworking | A Virtual Private Network allows a user to access an organization's private network via a public network. |
...