# How to Find Out What Suspicious Connections Your Computer Makes When Going to a Website.

## Metadata

- **Channel:** Cyberspatial
- **YouTube:** https://www.youtube.com/watch?v=T2DUrNFZJV8

## Contents

### [0:00](https://www.youtube.com/watch?v=T2DUrNFZJV8) Segment 1 (00:00 - 05:00)

Every day, people browse hundreds of web pages on their phones and computers. But some of those web pages might load malicious links and content, which could infect your device. That's because modern web apps actually load scripts, images, and media from all kinds of sources before rendering them together as one complete picture. And if even one of those resources is malicious, your browser is going to get hacked. So how can you see what connections your computer makes when going to a website, and how to find out if those URLs loaded could be malicious or not? To do this, I'm going to show you how to use the developer tools feature commonly found in modern web browsers to pull out the domains loaded by a web page, extract them with the PowerShell script, and then analyze suspicious domains using VirusTotal. So let's go ahead and jump in and collect some data. I'm going to go ahead and open up Microsoft Edge, navigate to AccuWeather, a popular website where you can look up weather information about your location. Now in order to collect the logs from this website, we're going to open up this "Settings and more" shortcut. Then we're going to go to "More tools", go to "Developer tools". We've got some different tabs here, I'm going to be working with the network tab. You're going to enable this "Domain" column, and the other setting is your "Preserve log" checkbox. This is going to allow us to accumulate those logs, be able to download and see things happening in the browser. So I'm going to go ahead and start to just interact with this website, and you can see right now there's some things happening down here in the log. So these are individual connections that are emanating from my location and going out into the internet and pulling things into my browser. You might be thinking, "Hey, isn't there just one connection just to AccuWeather?"
No, back in the '90s that's how things worked, but now in modern web applications, there's dozens if not hundreds of connections for any given web page that they're going to go out and get things like images, videos. A lot of them are sending information about you to some server that's trying to figure out what you're interested in and give you that sort of next ad or the next image. So let's take a look at one of these. I click this first one; it brings up this properties inset, allows me to see exactly what happened. So this was a GET request that went out to get, in this case, a JPEG, so one of these thunderstorm risk pictures on this page. You get some more information about the response headers, payload, and we got a nice preview of the image that came back. So somewhere on this web page is that image. So I went to AccuWeather one time; it's already pulled down 16 more connections worth of data. "Hey, give me the weather in New York." As soon as I do that, you'll notice my request information just opens up, and I'm now already at 200 requests, getting up to 300 almost. You know what's happening here? Does it take that much? Are the New York weather patterns so complex that it's requiring that much information? So let's take a look at one of these. Let's say this one. I can see that it's connatix.com. I'm going to go ahead and open up a tool called VirusTotal, and I'm going to copy the URL. I'm going to go ahead and paste that here; it's going to run this URL through various scanners to tell you if it's good or bad. I can see that it is an advertisement, social networking related, information technology. It gives you the history; it'll give you some of the information about where it's hosted, registered, WHOIS information. You can go to graph, there's some other tools. If you don't have an account, you can set one up, it's free. That's one URL. We're at 545 requests and growing.
Yeah, we can see here, cut and paste individual ones to find out what's happening, but we need something maybe a little bit more expedient. So download this traffic. So when I hover over this download button, it's going to download a HAR file. So a HAR file is nothing more than a resource file about what's happening in the browser. I'm going to go ahead and just save that as accu.har. Let's just open this up and see what it looks like. You can see that it has information about those various connections. Here's a connection that went to 3lift, it was an image, with the same information that we have down here in this table stored as a file. So this is a log file, and I can start to use other tools to analyze and parse. We're going to use a PowerShell script, we're going to go ahead and pull out all of the URLs in here so we can analyze them. Go up to github.com/cyberspatiallabs. I'm going to go to idle computer. I am going to go to Windows. Go ahead and pull up the PowerShell command here, going to copy this, open up PowerShell, cd into Downloads, ls, right-click, paste that PowerShell command in and just hit enter. It's going to go ahead and look for all those domains. It's going to group them, the domain, and how many times they saw it. Let's go ahead and grab maybe another one of these and see what's going on. I like to go to the low-density stuff, the stuff that doesn't show up very often, that can often be an indicator of something an adversary is trying to hide. Maybe this right here. Go back to VirusTotal, search, paste this in. So this is looking pretty clean, maybe this is new and hasn't been noticed by VirusTotal too much. There's a lot of community traffic here, these are other people on VirusTotal that have seen this domain in their

### [5:00](https://www.youtube.com/watch?v=T2DUrNFZJV8&t=300s) Segment 2 (05:00 - 08:00)

research and have made it publicly available. This is unvetted information, this is open source, it's not necessarily true. A lot of times adversaries will camp out on VirusTotal to throw a lot of deception. It is interesting to see kind of where else this same connection that's part of AccuWeather has been involved with a highly targeted cyber attack on Spotify artists and gamers. This is the kind of analysis you can do with available tools, doesn't require any special permissions, pretty easy to do. It's very manual. You can automate this, there is an API key, you can use some Go code or some Python code and write an automated script that would take each one of these URLs and run it against VirusTotal, get the information, and you could screen and filter by high-risk URLs or domains that had a large number of malicious indicators. But let's take a step back and ask ourselves, what are the upsides of this technique and really when am I going to use it? So it's a fast, highly portable, and completely free technique. It doesn't require any special permissions, you can use it anywhere, you don't need any extra tools, it'll literally run in any browser, almost every browser that I know of has some sort of developer console, and it really is going to be an ideal technique when you come across a suspicious URL, maybe from a potential phishing page, phishing email, or you have a sketchy website you just want to check out. But what are the downsides of this approach? First, it's really difficult to scale manually. You saw how I was cutting and pasting URLs into VirusTotal, it's a very manual process, and the API is going to be very helpful to achieve some level of scalability, but even with the use of the API, you will face some scaling limitations because most APIs have something called rate limiting, so you can only process so many of these domains per minute and also so many per day.
So it turns out that bulk enrichment or bulk detection is actually a pretty expensive proposition, and there are a lot of websites that offer this kind of intelligence, you know, where you upload indicators, domains, IPs and such in bulk and you check all of them at once. Shodan is another fantastic high-quality example of this. The problem is most of these higher value bulk enrichment services are going to be paid in order to do any kind of real volume. Second of all, this is just one tab in one website inside of your web browser. What if you need to analyze multiple websites at the same time? Or maybe you have multiple applications on your computer that are all connecting to different websites, and you need to sort of analyze all of them at the same time? Or, you know, worst-case scenario, what if you have to analyze multiple websites on multiple web applications on multiple computers all across your network? In order to answer this question, we're going to explore a lot of other tools in the next few videos that capture connection information from multiple applications on your network all at the same time. This is going to give you a lot of visibility into network connections and let you check suspicious applications throughout all your computers and network by analyzing the traffic. But for now, thanks for watching. Check out the description of this video for additional information and links, and feel free to sound off in the comments section. We absolutely love hearing from you, hearing about your techniques, your experiences, what you think about our tools. And if you do like this content, please like, share, and subscribe, and we'll keep making more videos like this one. Take care, we'll see you soon.
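The domain tally that the video produces with its PowerShell command, as an added Python example that is not Cyberspatial's script: it parses a HAR export, takes the hostname of every request, and lists the least-seen domains first, which is the "low-density" view the video uses to pick candidates for VirusTotal. The HAR content is a constructed sample, not a real AccuWeather capture.

```python
"""Tally the domains a browser contacted, from a HAR (HTTP Archive) export."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample HAR: a HAR is JSON with log.entries, each holding the
# request URL the browser fetched (ports, paths and query strings included).
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "entries": [
            {"request": {"method": "GET", "url": "https://www.example.com/"}},
            {"request": {"method": "GET", "url": "https://www.example.com/img/a.jpg"}},
            {"request": {"method": "GET", "url": "https://cdn.thirdparty.test/ad.js?x=1"}},
            {"request": {"method": "POST", "url": "https://telemetry.thirdparty.test:8443/p"}},
        ],
    }
})


def domains_from_har(har_text: str) -> Counter:
    """Return a Counter of hostname -> number of requests across all entries."""
    log = json.loads(har_text)["log"]
    counts: Counter = Counter()
    for entry in log.get("entries", []):
        url = entry.get("request", {}).get("url", "")
        host = urlsplit(url).hostname  # drops scheme, port, path and query
        if host:
            counts[host.lower()] += 1
    return counts


def rare_first(counts: Counter) -> list[tuple[str, int]]:
    """Least-seen domains first (ties broken by name), matching the video's
    habit of checking low-frequency hosts before the obvious ones."""
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def load_har_file(path: str) -> Counter:
    """Convenience wrapper for a saved export such as accu.har."""
    with open(path, encoding="utf-8") as fh:
        return domains_from_har(fh.read())


if __name__ == "__main__":
    for host, n in rare_first(domains_from_har(SAMPLE_HAR)):
        print(f"{n:5d}  {host}")
```

Run it on a saved export with `load_har_file("accu.har")`; each hostname it lists is one value to look up in VirusTotal.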

---
*Source: https://ekstraktznaniy.ru/video/38762*