Which domains are used by Cyber Crucible?
Domain | Port | Protocol | Component | Producers of Traffic | Purpose | Certificate Validation/Revocation Domains (as of 1 May 2024) |
---|---|---|---|---|---|---|
dashboard.cybercrucible.com | 443 | HTTPS | Web Application | Users, typically assigned members of the IT, Security, and Compliance teams, who manage Cyber Crucible software. This web application is built on ReactJS. | This domain is tied to the administration panel for Cyber Crucible software. This admin panel is used to manage all licenses and software agents. It is used to investigate and observe potential data or identity extortion incidents. | OCSP URL: http://r3.o.lencr.org |
agent.tasking.rpp.cybercrucible.com | 443 | HTTPS | Windows Service | Cyber Crucible software agents use this domain. Users do not interact with this server, and this server is managed by a separate Federated ID allocation. | Cyber Crucible software agents use this domain to receive tasking, and submit data to the agent-specific REST server. | OCSP URL: http://r3.o.lencr.org |
cognito-idp.us-west-2.amazonaws.com | 443 | HTTPS | Web Application | Users of the web application, or custom REST API calls by a client, will produce traffic to the AWS Cognito service during login. | Cyber Crucible currently uses AWS Cognito for user pool and Federated Identity services, in support of software, REST API, and user OAuth 2.0 protected communications and user management. | CRL distribution URL: http://crl.r2m03.amazontrust.com/r2m03.crl |
ransomwarerewind.auth.us-west-2.amazoncognito.com | 443 | HTTPS | Web Application | Users of the web application, or custom REST API calls by a client, will produce traffic to the AWS Cognito service during login. | Cyber Crucible currently uses AWS Cognito for user pool and Federated Identity services, in support of software, REST API, and user OAuth 2.0 protected communications and user management. | CRL distribution URL: http://crl.r2m03.amazontrust.com/r2m03.crl |
ransomwarerewind-agents.auth.us-west-2.amazoncognito.com | 443 | HTTPS | Windows Service | Cyber Crucible software agents use this domain. Users do not use this domain. | Cyber Crucible software agents use this domain, which is AWS Cognito, for user pool and Federated Identity services, in support of their OAuth 2.0 protected communications and software management. | CRL distribution URL: http://crl.r2m03.amazontrust.com/r2m03.crl |
installerfiles.rpp.cybercrucible.com | 443 | HTTPS | HTTPS File Server | Cyber Crucible installation and update files (drivers, services, etc.) | Cyber Crucible’s installation and update files are stored on this website. It is used to do initial agent installation as well as fetch files for any required updates. | OCSP URL: http://r3.o.lencr.org |
ipv4.icanhazip.com | 443 | HTTPS | Windows Service | Cyber Crucible software agents use this domain. | Cyber Crucible software agents query this domain to correlate the IPv4 WAN address for an agent. | OCSP URL: http://r3.o.lencr.org |
ipv6.icanhazip.com | 443 | HTTPS | Windows Service | Cyber Crucible software agents use this domain. | Cyber Crucible software agents query this domain to correlate the IPv6 WAN address for an agent. | OCSP URL: http://r3.o.lencr.org |
r3.o.lencr.org | 80 | OCSP | Windows Service | Web application users and Cyber Crucible software agents both use this domain. | This domain is the Let’s Encrypt TLS certificate validation and revocation check (OCSP) server. Without access to this server, agent and web application communications may not work. |  |
rs.i.lencr.org | 80 | HTTP | Windows Service | Web application users and Cyber Crucible software agents both use this domain. | This domain is the Let’s Encrypt TLS Certificate Authority (CA) server that is used to validate TLS certificates. Without access to this server, agent and web application communications may not work. |  |
crl.r2m03.amazontrust.com | 80 | HTTP | Windows Service | Web application users and Cyber Crucible software agents both use this domain. | This domain is the Amazon Web Services (AWS) certificate validation and revocation check (CRL) server. Without access to this server, agents and web application users cannot gain validated credentials to then access secured Cyber Crucible resources. |  |
crl.r2m02.amazontrust.com | 80 | HTTP | Windows Service | Web application users and Cyber Crucible software agents both use this domain. | This domain is the Amazon Web Services (AWS) certificate validation and revocation check (CRL) server. Without access to this server, agents and web application users cannot gain validated credentials to then access secured Cyber Crucible resources. |  |
ocsp.r2m03.amazontrust.com | 80 | OCSP | Windows Service | Web application users and Cyber Crucible software agents both use this domain. | This domain is the Amazon Web Services (AWS) certificate validation and revocation check (OCSP) server. Without access to this server, agents and web application users cannot gain validated credentials to then access secured Cyber Crucible resources. |  |
ocsp.r2.m02.amazontrust.com | 80 | OCSP | Windows Service | Web application users and Cyber Crucible software agents both use this domain. | This domain is the Amazon Web Services (AWS) certificate validation and revocation check (OCSP) server. Without access to this server, agents and web application users cannot gain validated credentials to then access secured Cyber Crucible resources. |  |
crt.r2m03.amazontrust.com | 80 | HTTP | Windows Service | Web application users and Cyber Crucible software agents both use this domain. | This domain is the Amazon Web Services (AWS) TLS Certificate Authority (CA) server that is used to validate TLS certificates. Without access to this server, agents and the web application cannot gain validated credentials to then access secured Cyber Crucible resources. |  |
crt.r2m02.amazontrust.com | 80 | HTTP | Windows Service | Web application users and Cyber Crucible software agents both use this domain. | This domain is the Amazon Web Services (AWS) TLS Certificate Authority (CA) server that is used to validate TLS certificates. Without access to this server, agents and the web application cannot gain validated credentials to then access secured Cyber Crucible resources. |  |
v2-agent.tasking.ransomwarerewind.com (deprecated) | 443 | HTTPS | Windows Service | Cyber Crucible software agents use this domain. Users do not interact with this server, and this server is managed by a separate Federated ID allocation. | Cyber Crucible software agents use this domain to receive tasking, and submit data to the agent-specific REST server. | OCSP URL: http://r3.o.lencr.org |
ransomware-rewind-installation-files-64.s3.us-west-2.amazonaws.com (deprecated) | 443 | HTTPS | AWS S3 File Server | Cyber Crucible installer file location | Cyber Crucible’s installer exe is located in an S3 bucket hosted at this domain. This domain is likely only accessed if using the script installer. | CRL distribution URL: http://crl.r2m03.amazontrust.com/r2m03.crl |
installerfiles.ransomwarerewind.com (deprecated) | 443 | HTTPS | AWS S3 File Server | Cyber Crucible download and installers | Cyber Crucible’s installation and update files are stored in this S3 bucket. It is used to do initial agent installation as well as fetch files for any required updates. | CRL distribution URL: http://crl.r2m03.amazontrust.com/r2m03.crl |
v2-web.tasking.ransomwarerewind.com (deprecated) | 443 | HTTPS | Web Application | Users, typically assigned members of the IT, Security, and Compliance teams, who manage Cyber Crucible software. Custom REST API programs developed by customers will also use this domain. | This domain is the REST server which the ReactJS dashboard uses to dynamically create, retrieve, update, and delete relevant data from the web application. | OCSP URL: http://r3.o.lencr.org |