Conducting a domain analysis is a complex task for any analyst: it requires a meticulous examination of historical and current DNS resolution and an assessment of the domain's potential threat. Malcore offers an all-in-one solution for this, providing both domain analysis and URL authenticity checks. These functions are presently exposed through separate endpoints, but there are plans in progress to integrate them into a single endpoint for greater ease of use. The domain analysis endpoint not only identifies all IP addresses associated with the specified domain but also conducts an in-depth analysis of their historical DNS records, known malware DNS, and the nameserver glue (nsglue) of the domain. The URL check endpoint, on the other hand, offers a preliminary assessment of the threat level associated with the passed URL. Together, these two endpoints allow for a swift and comprehensive review of the domain in question and let analysts base their conclusions on a thorough examination of factual evidence rather than on guesswork.
The first step in leveraging these two endpoints is to create a scan, as illustrated in the article on using Malcore. Once you have initiated the scan, you can access the URL check function by entering the full URL of interest. For a more in-depth analysis, you can also select the domain analysis option located under the "advanced scans" tab and input the domain name associated with the URL you wish to examine.
Start the scan and wait for the analysis to finish. Once the URL check is complete, you'll receive a "defanged" URL along with a corresponding threat level assessment.
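The defanged URL returned by the URL check is meant to be pasted into reports and tickets without becoming a clickable link. The helper below is an added example, not Malcore's own code, and assumes the common `hxxp://` and `[.]` defanging convention (the page does not state which style Malcore uses); it also reverses the transformation so an analyst can feed the indicator back into a lookup.

```python
import re

# Added example, not Malcore's own code. Assumes the widely used
# "hxxp://" scheme and "[.]" host-dot convention for defanged URLs.

_SCHEME_RE = re.compile(r"^(https?)://", re.IGNORECASE)
_HOST_END_RE = re.compile(r"[/?#]")  # first character that ends the host part
_REFANG_MAP = {"[.]": ".", "(.)": ".", "{.}": ".", "[:]": ":", "[://]": "://"}


def defang_url(url: str) -> str:
    """Render `url` non-clickable, e.g. hxxps://login[.]example[.]com/verify?acct=1.2"""
    url = url.strip()
    m = _SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ""
    rest = url[m.end():] if m else url
    # Only the host part (userinfo, name, port) is neutralised; the path
    # and query keep their dots so parameters stay readable for the analyst.
    end = _HOST_END_RE.search(rest)
    host, tail = (rest[:end.start()], rest[end.start():]) if end else (rest, "")
    host = host.replace(".", "[.]")
    prefix = ("hxxps://" if scheme == "https" else "hxxp://") if scheme else ""
    return prefix + host + tail


def refang_url(defanged: str) -> str:
    """Undo defang_url (and a few other common styles) for programmatic lookups."""
    out = defanged.strip()
    for needle, repl in _REFANG_MAP.items():
        out = out.replace(needle, repl)
    return re.sub(r"^hxxp(s?)://", r"http\1://", out, flags=re.IGNORECASE)


if __name__ == "__main__":
    # Constructed sample input, not a real indicator from the page.
    sample = "https://login.example.com:8443/verify?acct=1.2"
    print(defang_url(sample))
    assert refang_url(defang_url(sample)) == sample
```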
Upon initiating the domain analysis, you will be directed to a comprehensive summary view, where Malcore provides an overview of the recon request it has carried out. This summary includes pertinent details such as the returned headers, along with any CSS and JavaScript discovered within the HTML of the request.
In addition, under the "domain information" section, you'll have access to a comprehensive list of all IP addresses that have been linked to this domain since 2012, as well as a detailed breakdown of the full subdomain count (with the most recent 50 displayed). Furthermore, you'll be able to access historical DNS information of the most recent IP addresses that have been associated with the domain.
Additionally, an extensive intelligence report will be at your disposal, providing in-depth analysis of any references to this domain, as well as any instances of it appearing in leaked information. Please note that the length of this report varies with the domain being analyzed, so it may take a moment to load.