Understanding and Using Finished Threat Intelligence


Threat intelligence is the data organizations need to map threats to the enterprise and enable the best possible decision-making related to risk. Microsoft Threat Intelligence ( TI) serves as a valuable source of threat intelligence on global, industry, and local threats, with content from hundreds of OSINT sources complementing original research, shared from Microsoft's own Defender, MSTIC, and Section52 research groups. As an analyst working with threat intelligence, it's easy to become overwhelmed by the volume of data out there. Still, within the Defender TI portal, the ability to quickly find data relevant to your needs is kept top of mind.

Before we drill into the Defender TI Threat Intelligence portal, take a look at this blog post for a deep dive into the types and benefits of threat intelligence and the threat intelligence lifecycle.


Defender TI may include live, real-time observations and threat indicators, including malicious infrastructure and adversary-threat tooling. Any IP, domain, and host searches within our Defender TI platform are safe to search. Microsoft will share online resources (e.g., IP addresses, domain names) that should be considered real threats posing a clear and present danger. We ask that users use their best judgment and minimize unnecessary risk while interacting with malicious systems when performing exercises provided in this module. Please note that Microsoft has worked to reduce risk by defanging malicious IP addresses, hosts, and domains.


The content in the Defender TI portal sources hundreds of OSINT as well as original Microsoft Defender Threat Intelligence research articles enriched with indicators from the Defender TI global collection . For more information, see What is Microsoft Defender Threat Intelligence (Defender TI)? and review the Articles sections.


Figure 1 – Defender TI Articles

Finding New Connections from Previously Published Articles

Original research published by Microsoft's internal research teams is especially valuable to review to better understand how the various datasets within Defender TI can be woven together to profile complex threat actor activity.

As an example, review the article ToddyCat: A Guided Journey through the Attacker's Infrastructure to observe how Microsoft Defender Threat Intelligence researchers were able to start with work performed by other community researchers and build upon it to illuminate threat actor infrastructure even further by pivoting through Defender TI.

Suppose you spot a detection linked to a Defender TI article. In that case, it's important to understand when it was published to then identify new infrastructure you may want to block and monitor across your . That's a massive value-add of our Defender TI platform – the ability to identify previously recognized threats and new infrastructure related to those threats. Threat actor infrastructure changes over time, especially when it's been published. They know they need to change their infrastructure to try and mitigate being detected in future campaigns.

As of the time of writing this module, the ToddyCat article had been published for two months. Here are some techniques I took to identify new infrastructure associated with the already published Public indicators related to the article.

  1. Searched Certificate, 94130bf60597277fec30b3d25d65199ad329015a.

Are there any new IP addresses that have observed this Certificate Sha-1?


  • No new IPs were identified observing this Certificate.
  • Observed what SSL Certificate components, such as ‘”Internet Widget Pty Ltd”‘ as the certificate's organization subject and issuer names, were used to identify if related IPs observed new SSL Certificates with similar components.
  1. Searched those IPs that had observed the SSL Certificate in step 1.

Are there any new A record resolutions associated with these IP addresses?



3. Reviewed time.pornhumen[.]com and ca3jfa.whatsupman[.]net.

What IP addresses are these hosts actively resolving to?

What components are running on these IP addresses?


4. Reviewed pornhumen[.]com and whatsupman[.]net subdomains (other than the ones noted in step 3).

What IP addresses are these subdomain hosts resolving to?


5. Reviewed the rest of the domains and hosts identified previously in the ToddyCat article.

Do any of them have new subdomains that follow ToddyCat TTPs and are actively or not actively resolving to IPs?


  • fopingu[.]com – No A record observations
  • facebuk[.]org – Multiple historical A record observations. No active A record observations.
  • rtmcsync[.]com – New active A record observation, 58.158.177[.]102. This IP is located in Japan, and the ASN is AS17506 – UCOM, which isn't associated with the previously reported ToddyCat TTPs.
  • windowshost[.]us – A few historical A record observations. No active A record observations
  • youtubuy[.]org – Multiple historical A record observations. No active A record observations.
  • ns247[.]one – Still actively resolving to 185.224.129[.]13. 1 historical A record observation.
  • ns247[.]top – No active or historical A record observations. No subdomains.
  • wikipedi[.]net – No active A record observations. Multiple historical A record observations.
  • temdiever[.]com – No active A record observations. 1 historical A record observation. No subdomains.
  • tiktocek[.]net – No active or historical A record observations.
    • logs.tiktocek[.]net
      • Host observed actively resolving to new IP address, 141.164.44[.]49. This IP is located in South Korea and the ASN was the previous ASN observed used by ToddyCat, AS20473 – AS-CHOOPA. However, this IP was not listed as an indicator in the ToddyCat article.
  • twiteer[.]org – No active A record observations. 2 historical A record observations. No subdomains.

6. Reviewed IPs, 58.158.177[.]102 and 141.164.44[.]49 in gold text in step 5.

What is the reputation for each of these IPs?


Are these IPs listed as indicators in any intelligence articles?



7. Searched hxxp://time.pornhumen[.]com and hxxp://ca3jfa.whatsupman[.]net as URLs in VirusTotal.

Have any security vendors detected that this URL is associated with malware?



  • time.pornhumen[.]com: Fortinet found that this URL was linked to malware.

What sha-256 hashes are related to these newly discovered hosts?



  • time.pornhumen[.]com:
  • ca3jfa.whatsupman[.]net:

8. Searched both sha-256 hashes discovered in step 7 in Defender TI to see if they appeared in any articles.


  • These sha-256 hashes do not appear in any existing Defender TI articles.

9. On your own: Review the Data tab and datasets for the two IPs noted in step 6 as well as those that the domains and subdomains were actively resolving to in step 5.

Is there any data overlap in ToddyCat's TTPs previously reported?

Are there any new hosts resolving to these IPs that are associated with ToddyCat that were not previously reported?

10. On your own: Search both sha-256 hashes discovered in step 7 in VirusTotal and review the Relations tab. Search related IPs, hosts, and domains in Defender TI. Review the Summary and Data tab results to identify additional pivot points to find related indicators of compromise.

Are there any related indicators that have overlap with ToddyCat infrastructure?

Do any of these indicators appear in any articles?

What is the reputation for these indicators?

11. On your own: Repeat step 6 for other newly observed subdomains and IPs that have overlap in TTPs. Query those indicators as URLs in VirusTotal.

Have any security vendors flagged this indicator for malware?

12. On your own: Continue to iterate through steps 8 through 11.

What additional related indicators of compromise can you find?

This was a large campaign, and there are more techniques I could have taken to broaden the scope of IOCs identified.

What additional techniques would you have taken?


What was the one initial seed that led to the identification of additional indicators of compromise?

How many additional indicators of compromise were identified at the time of this writing?

What SSL certificate component serves as a pivot point to identify additional actor infrastructure?


What ASN was used by the IP addresses associated with this campaign?


What nameservers were observed by the IP addresses?

Where can server banner response data be found within the Defender TI platform?

Vulnerability Articles

Defender TI offers CVE-ID searches to help users identify critical information about the CVE. CVE-ID searches result in Vulnerability Articles.

Vulnerability Articles provide critical context behind CVEs of interest. Each article contains a description of the CVE, a list of affected components, tailored mitigation procedures and strategies, related intelligence articles, references in Deep & Dark Web chatter, and other key observations. These articles provide deeper context and actionable insights behind each CVE, enabling users to understand these vulnerabilities more quickly and quickly mitigate them. For more information, see What is Microsoft Defender Threat Intelligence (Defender TI)? and reference the Vulnerability Articles section.


Figure 2 – Vulnerability Article Description


Figure 3 – Vulnerability Article Affected Components


Figure 4 – Vulnerability Article Related Articles


For tutorials referencing our articles, vulnerability articles, search, and dataset features see Gathering threat intelligence and infrastructure chaining and Gathering vulnerability intelligence tutorial articles.


This article was originally published by Microsoft's Defender Threat Intelligence Blog. You can find the original article here.