
Maltrail verdicts on Validin Threat Hunting and DNS Enrichment Platform

Mikhail Kasimov edited this page Jun 6, 2024 · 4 revisions

This article explains how to read and interpret Maltrail's verdicts on the Validin Threat Hunting and DNS Enrichment Platform.

Also, please take a couple of minutes to learn the Maltrail detection nuances before reading this article.

  • Example 1:

image

This example is based on paragraph 1 of Maltrail detection nuances.

How to read/interpret: Maltrail reports two detections here: an explicit one for cdn.sovber.shop and one for its parent domain sovber.shop.

If the detection for the cdn. subdomain were missing, a single detection for the parent domain would be shown instead:

image

  • Example 2:

Maltrail IP:port detections for several types of malware on one single IP:

image

  • Example 3:

For an http:// detection, Validin displays it as Scheme: http:

image

  • Example 4: This example shows how the Validin Threat Hunting and DNS Enrichment Platform displays Maltrail full-path detections for legitimate but compromised sites.

Let's look at https://x.com/1ZRR4H/status/1797809897800687796. As one can see, legitimate compromised domains are listed there. A detection for the domain alone would be incorrect by default, because the domain itself is not malicious. Full-path detection is the only way to cover such cases.

image

The Validin Threat Hunting and DNS Enrichment Platform uses the Path label to display the corresponding Maltrail detections for legitimate but compromised sites:

image

How to read/interpret: the dsestimation.com domain is clean/legitimate, but the path dsestimation.com/wp-content/uploads/2015/10/ was used in a malware attack.
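As an added illustration (not Maltrail's or Validin's own code), the following simplified Python model reproduces the four verdict types discussed above: an explicit subdomain hit alongside its parent-domain hit, an IP:port hit, scheme-stripped URL matching, and a full-path trail that flags only the path while the domain itself stays clean. The trail list is constructed for the example; 192.0.2.10:4444 is a documentation address (RFC 5737), the other entries are the page's own.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed trail list mirroring the page's examples (not Maltrail's real feed).
TRAILS = {
    "cdn.sovber.shop": "explicit subdomain trail (example 1)",
    "sovber.shop": "parent-domain trail (example 1)",
    "192.0.2.10:4444": "IP:port trail, placeholder address (example 2)",
    "dsestimation.com/wp-content/uploads/2015/10/":
        "full-path trail on a legitimate but compromised site (example 4)",
}

def domain_candidates(host):
    """The host itself, then each parent domain (the bare TLD is excluded)."""
    parts = host.lower().rstrip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1)]

def match_domain(host):
    """Domain verdicts: an explicit hit and a parent-domain hit can coexist."""
    return [(c, TRAILS[c]) for c in domain_candidates(host) if c in TRAILS]

def match_ip_port(ip, port):
    """IP:port verdict; ip_address() validates and normalises the address."""
    key = f"{ip_address(ip)}:{int(port)}"
    return [(key, TRAILS[key])] if key in TRAILS else []

def match_url(url):
    """Full-path verdict: the scheme is dropped (Validin shows it separately,
    cf. example 3) and only trails containing a path may match, so the bare
    domain of a compromised site produces no verdict on its own."""
    u = urlsplit(url if "://" in url else "http://" + url)
    key = (u.hostname or "") + (u.path or "/")
    return [(t, i) for t, i in TRAILS.items() if "/" in t and key.startswith(t)]

def verdicts(observation):
    """Route one observed indicator (domain, ip:port or URL) to its rule."""
    if "/" in observation:
        return match_url(observation)
    host, sep, port = observation.rpartition(":")
    if sep and port.isdigit():
        try:
            return match_ip_port(host, port)
        except ValueError:        # "name:port" where name is a DNS name, not an IP
            return match_domain(host)
    return match_domain(observation)
```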
