Squatting And Impersonation Domains Related To CrowdStrike Outage, Newly Registered And Older Domains

    Date: 07/25/2024

    Severity: High

    Summary

    This report examines domains registered in connection with CrowdStrike during the recent outage and during earlier incidents. It highlights the prevalence of domain squatting and impersonation tactics that seek to exploit the window of vulnerability a service disruption creates, and it emphasizes the continuing need to monitor and secure domain names so that the resulting threats can be mitigated.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    Query 1

    userdomainname like "crowdstrike.blue" or url like "crowdstrike.blue" or userdomainname like "crowdstrike-fix.com" or url like "crowdstrike-fix.com" or userdomainname like "crowdstrike-staging.com" or url like "crowdstrike-staging.com" or userdomainname like "crowdstrike-bluescreen.com" or url like "crowdstrike-bluescreen.com" or userdomainname like "crowdstrike-apocalypse.com" or url like "crowdstrike-apocalypse.com" or userdomainname like "crowdstrike-fix.zip" or url like "crowdstrike-fix.zip" or userdomainname like "crashstrike.com" or url like "crashstrike.com" or userdomainname like "bsododge.xyz" or url like "bsododge.xyz" or userdomainname like "bsodcrowdstrike.com" or url like "bsodcrowdstrike.com" or userdomainname like "crowdstrike-falcon.com" or url like "crowdstrike-falcon.com" or userdomainname like "crowdstrike-out.com" or url like "crowdstrike-out.com" or userdomainname like "crowdstrike.bot" or url like "crowdstrike.bot" or userdomainname like "crowdstrikebugfixpro.com" or url like "crowdstrikebugfixpro.com" or userdomainname like "crowdstrikebsodguard.com" or url like "crowdstrikebsodguard.com" or userdomainname like "crowdstrike.ee" or url like "crowdstrike.ee" or userdomainname like "crowdstrikebit.com" or url like "crowdstrikebit.com" or userdomainname like "crowdstrike.buzz" or url like "crowdstrike.buzz" or userdomainname like "crowdstrike.es" or url like "crowdstrike.es" or userdomainname like "crowdstrikebugrepairhub.com" or url like "crowdstrikebugrepairhub.com" or userdomainname like "crowdstrikebugmender.com" or url like "crowdstrikebugmender.com" or userdomainname like "crowdstrike.help" or url like "crowdstrike.help" or userdomainname like "crowdstrike.bsod.com" or url like "crowdstrike.bsod.com" or userdomainname like "crowdstrike.live" or url like "crowdstrike.live" or userdomainname like "crowdstrikebsodfix.blob.core.windows.net" or url like "crowdstrikebsodfix.blob.core.windows.net" or userdomainname like 
"crowdstrikebugrepairpro.com" or url like "crowdstrikebugrepairpro.com" or userdomainname like "crowdstrikebluefix.com" or url like "crowdstrikebluefix.com" or userdomainname like "crowdstrikebugfix.com" or url like "crowdstrikebugfix.com" or userdomainname like "crowdstrikeclaims.com" or url like "crowdstrikeclaims.com" or userdomainname like "crowdstrike.woccpa.com" or url like "crowdstrike.woccpa.com" or userdomainname like "crowdstrike.com.vc" or url like "crowdstrike.com.vc" or userdomainname like "Crowdstrike.cam" or url like "Crowdstrike.cam" or userdomainname like "crowdstrikebugpatchpro.com" or url like "crowdstrikebugpatchpro.com" or userdomainname like "crowdstrikeblueteam.com" or url like "crowdstrikeblueteam.com" or userdomainname like "crowdstrikebugmendpro.com" or url like "crowdstrikebugmendpro.com" or userdomainname like "crowdstrikebugrestorer.com" or url like "crowdstrikebugrestorer.com" or userdomainname like "crowdstrike.us.org" or url like "crowdstrike.us.org" or userdomainname like "crowdstrikebugguard.com" or url like "crowdstrikebugguard.com"

    URL/Domain

    Query 2

    userdomainname like "crowdstrikekernelcare.com" or url like "crowdstrikekernelcare.com" or userdomainname like "crowdstrikefailupdaterpro.com" or url like "crowdstrikefailupdaterpro.com" or userdomainname like "crowdstrikekernelrecoveryhub.com" or url like "crowdstrikekernelrecoveryhub.com" or userdomainname like "crowdstrikeclassaction.com" or url like "crowdstrikeclassaction.com" or userdomainname like "crowdstrikeerrorguard.com" or url like "crowdstrikeerrorguard.com" or userdomainname like "crowdstrikeerrorfix.com" or url like "crowdstrikeerrorfix.com" or userdomainname like "crowdstrikefailfix.com" or url like "crowdstrikefailfix.com" or userdomainname like "crowdstrikeerrormender.com" or url like "crowdstrikeerrormender.com" or userdomainname like "crowdstrikefailmend.com" or url like "crowdstrikefailmend.com" or userdomainname like "crowdstrikeforhome.net" or url like "crowdstrikeforhome.net" or userdomainname like "crowdstrikeglitch.com" or url like "crowdstrikeglitch.com" or userdomainname like "crowdstrikefailguard.com" or url like "crowdstrikefailguard.com" or userdomainname like "crowdstrikehealthcare.com" or url like "crowdstrikehealthcare.com" or userdomainname like "crowdstrikefailsafe.com" or url like "crowdstrikefailsafe.com" or userdomainname like "crowdstrikefix.net" or url like "crowdstrikefix.net" or userdomainname like "crowdstrikehelp.com" or url like "crowdstrikehelp.com" or userdomainname like "crowdstrikefailrepairhub.com" or url like "crowdstrikefailrepairhub.com" or userdomainname like "crowdstrikefailpatch.com" or url like "crowdstrikefailpatch.com" or userdomainname like "crowdstrikekernelshield.com" or url like "crowdstrikekernelshield.com" or userdomainname like "crowdstrikekernelupdaterpro.com" or url like "crowdstrikekernelupdaterpro.com" or userdomainname like "crowdstrikecommuication.app" or url like "crowdstrikecommuication.app" or userdomainname like "crowdstrikeerrorrepair.com" or url like "crowdstrikeerrorrepair.com" or 
userdomainname like "crowdstrikelab.com" or url like "crowdstrikelab.com" or userdomainname like "crowdstrikeerrorpatch.com" or url like "crowdstrikeerrorpatch.com" or userdomainname like "crowdstrikefixer.com" or url like "crowdstrikefixer.com" or userdomainname like "crowdstrikefailmendpro.com" or url like "crowdstrikefailmendpro.com" or userdomainname like "crowdstrikekernelguard.com" or url like "crowdstrikekernelguard.com" or userdomainname like "crowdstrikeclassaction.com.au" or url like "crowdstrikeclassaction.com.au" or userdomainname like "crowdstrikeerrorrecoveryhub.com" or url like "crowdstrikeerrorrecoveryhub.com" or userdomainname like "crowdstrikecommunication.app" or url like "crowdstrikecommunication.app"

    URL/Domain

    Query 3

    userdomainname like "crowdstrikelawsuit.com" or url like "crowdstrikelawsuit.com" or userdomainname like "crowdstrikesysrepairhub.com" or url like "crowdstrikesysrepairhub.com" or userdomainname like "crowdstrikepatchpro.com" or url like "crowdstrikepatchpro.com" or userdomainname like "crowdstrikesysmendpro.com" or url like "crowdstrikesysmendpro.com" or userdomainname like "crowdstrikerevamp.com" or url like "crowdstrikerevamp.com" or userdomainname like "crowdstrikerecovery.com" or url like "crowdstrikerecovery.com" or userdomainname like "crowdstrikepatchguard.com" or url like "crowdstrikepatchguard.com" or userdomainname like "crowdstrikemdr.com" or url like "crowdstrikemdr.com" or userdomainname like "crowdstrikesyspatch.com" or url like "crowdstrikesyspatch.com" or userdomainname like "crowdstrikesysrescue.com" or url like "crowdstrikesysrescue.com" or userdomainname like "crowdstrikeupdate.us" or url like "crowdstrikeupdate.us" or userdomainname like "crowdstrikesysrepairpro.com" or url like "crowdstrikesysrepairpro.com" or userdomainname like "crowdstrikesysshield.com" or url like "crowdstrikesysshield.com" or userdomainname like "crowdstrikesysguard.com" or url like "crowdstrikesysguard.com" or userdomainname like "crowdstrikesysupdaterpro.com" or url like "crowdstrikesysupdaterpro.com" or userdomainname like "crowdstrikemend.com" or url like "crowdstrikemend.com" or userdomainname like "crowdstrikerepair.com" or url like "crowdstrikerepair.com" or userdomainname like "crowdstrikerescue.org" or url like "crowdstrikerescue.org" or userdomainname like "crowdstrikeplatform.info" or url like "crowdstrikeplatform.info" or userdomainname like "crowdstrikesupport.info" or url like "crowdstrikesupport.info" or userdomainname like "crowdstrikeoptimizer.com" or url like "crowdstrikeoptimizer.com" or userdomainname like "crowdstrikerescue.com" or url like "crowdstrikerescue.com" or userdomainname like "crowdstrikesuporte.com" or url like "crowdstrikesuporte.com" 
or userdomainname like "crowdstrikeold.com" or url like "crowdstrikeold.com" or userdomainname like "crowdstrikesucks.com" or url like "crowdstrikesucks.com" or userdomainname like "crowdstrikesyspatchpro.com" or url like "crowdstrikesyspatchpro.com" or userdomainname like "crowdstrikeout.com" or url like "crowdstrikeout.com" or userdomainname like "crowdstrikerestore.com" or url like "crowdstrikerestore.com" or userdomainname like "crowdstrikeplatform.com" or url like "crowdstrikeplatform.com" or userdomainname like "crowdstrikeoopsies.com" or url like "crowdstrikeoopsies.com"

    URL/Domain

    Query 4

    userdomainname like "demo-crowdstrike.com" or url like "demo-crowdstrike.com" or userdomainname like "strikefaststudio.com" or url like "strikefaststudio.com" or userdomainname like "suportecrowdstrike.com" or url like "suportecrowdstrike.com" or userdomainname like "crowdstrikeyou.xyz" or url like "crowdstrikeyou.xyz" or userdomainname like "fuckingcrowdstrike.com" or url like "fuckingcrowdstrike.com" or userdomainname like "crowdstrikexdr.cn" or url like "crowdstrikexdr.cn" or userdomainname like "fixcrowdstrike.com.au" or url like "fixcrowdstrike.com.au" or userdomainname like "microsoftoutagescrowdstrike.com" or url like "microsoftoutagescrowdstrike.com" or userdomainname like "crowdstrikewindowsoutage.com" or url like "crowdstrikewindowsoutage.com" or userdomainname like "outagecrowdstrike.com" or url like "outagecrowdstrike.com" or userdomainname like "pay.isitcrowdstrike.com" or url like "pay.isitcrowdstrike.com" or userdomainname like "kernelcrowdstrike.com" or url like "kernelcrowdstrike.com" or userdomainname like "okta-crowdstrike.com" or url like "okta-crowdstrike.com" or userdomainname like "fix-crowdstrike-apocalypse.com" or url like "fix-crowdstrike-apocalypse.com" or userdomainname like "falcon.eu-1.crowdstrike.cg" or url like "falcon.eu-1.crowdstrike.cg" or userdomainname like "crowdstrikezeroday.com" or url like "crowdstrikezeroday.com" or userdomainname like "fixcrowdstrike.com" or url like "fixcrowdstrike.com" or userdomainname like "crowdstrikewhisper.com" or url like "crowdstrikewhisper.com" or userdomainname like "crowdstuck.org" or url like "crowdstuck.org" or userdomainname like "falcon-crowdstrike.com" or url like "falcon-crowdstrike.com" or userdomainname like "crowdstrike.phpartners.org" or url like "crowdstrike.phpartners.org" or userdomainname like "crowdstrike-cloudtrail-storage-bb-126d5e.s3.us-west-1.amazonaws.com" or url like "crowdstrike-cloudtrail-storage-bb-126d5e.s3.us-west-1.amazonaws.com" or userdomainname like 
"crowdstrike.black" or url like "crowdstrike.black" or userdomainname like "isitcrowdstrike.com" or url like "isitcrowdstrike.com" or userdomainname like "crowdstrikeoops.com" or url like "crowdstrikeoops.com" or userdomainname like "crowdstrikereport.com" or url like "crowdstrikereport.com" or userdomainname like "crowdstrikefix.zip" or url like "crowdstrikefix.zip" or userdomainname like "sinkhole-d845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate.com" or url like "sinkhole-d845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate.com" or userdomainname like "crowdstrikerecovery1.blob.core.windows.net" or url like "crowdstrikerecovery1.blob.core.windows.net" or userdomainname like "crowdstrikeoutage.com" or url like "crowdstrikeoutage.com" or userdomainname like "crowdstrike-falcon.online" or url like "crowdstrike-falcon.online" or userdomainname like "crowdstrike.orora.group" or url like "crowdstrike.orora.group"

    URL/Domain

    Query 5

    userdomainname like "supportfalconcrowdstrikel.com" or url like "supportfalconcrowdstrikel.com" or userdomainname like "microsoftcrowdstrike.com" or url like "microsoftcrowdstrike.com" or userdomainname like "clownstrike.co.uk" or url like "clownstrike.co.uk" or userdomainname like "crowdstrikedoomsday.com" or url like "crowdstrikedoomsday.com" or userdomainname like "crowdstrike.fail" or url like "crowdstrike.fail" or userdomainname like "clownstrike.co" or url like "clownstrike.co" or userdomainname like "crowdstriketoken.com" or url like "crowdstriketoken.com" or userdomainname like "crowdfalcon-immed-update.com" or url like "crowdfalcon-immed-update.com" or userdomainname like "crowdstrike0day.com" or url like "crowdstrike0day.com" or userdomainname like "winsstrike.com" or url like "winsstrike.com" or userdomainname like "crowdstrikeoopsie.com" or url like "crowdstrikeoopsie.com" or userdomainname like "bsodsm8rLIxamzgjedu.com" or url like "bsodsm8rLIxamzgjedu.com" or userdomainname like "whatiscrowdstrike.com" or url like "whatiscrowdstrike.com" or userdomainname like "us2-crowdstrike.com" or url like "us2-crowdstrike.com" or userdomainname like "systemcrowdstrike.com" or url like "systemcrowdstrike.com" or userdomainname like "crowdstrikeclaim.com" or url like "crowdstrikeclaim.com" or userdomainname like "crowdstrikebluescreen.com" or url like "crowdstrikebluescreen.com" or userdomainname like "crowdstrike-helpdesk.com" or url like "crowdstrike-helpdesk.com" or userdomainname like "www.thecrowdstrike.com" or url like "www.thecrowdstrike.com" or userdomainname like "failstrike.com" or url like "failstrike.com" or userdomainname like "crowdstrikedown.site" or url like "crowdstrikedown.site" or userdomainname like "fix-crowdstrike-bsod.com" or url like "fix-crowdstrike-bsod.com" or userdomainname like "crowdstrikefix.com" or url like "crowdstrikefix.com" or userdomainname like "ztna.crowdstrike-us-gov.com" or url like "ztna.crowdstrike-us-gov.com" or 
userdomainname like "crowdstrikefail.com" or url like "crowdstrikefail.com" or userdomainname like "crowdstrikeupdate.com" or url like "crowdstrikeupdate.com" or userdomainname like "crowdstrikebug.com" or url like "crowdstrikebug.com" or userdomainname like "crowdstrike-bsod.com" or url like "crowdstrike-bsod.com" or userdomainname like "crowdstrikeoutage.info" or url like "crowdstrikeoutage.info"

    Hash

    sha256hash IN ("96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8","4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3")

    References:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-07-20-squatting-and-improsonation-domains.txt

    https://socradar.io/suspicious-domains-exploiting-the-recent-crowdstrike-outage/
