Costa Kavidas | Your Friend In Infosec
PostsCategoriesAbout|
Costa Kavidas | Your Friend In Infosec

Threat Hunting Workshop 1/18/2020

Costa   included in Workshops
  about 873 words  5 min   views  

Contents

Banner

Intro

Hello Friends and Happy New Year!

On Saturday January 18th 2020 I participated in a threat hunting workshop run by Black Hills Information Security.

One of the infosec topics that I am interested in is threat hunting. The idea of searching for “suspicious activity” or indicators of compromise proactively. I was excited to find out that BHIS and Active Countermeasures were running a threat hunting training event for free. The course focuses primarily on network traffic analysis which is great for me because I am currently in a course focused on intrusion detection where packet analysis is important.

Review

My experience was great!

I appreciated that @Chris_Brenton focused a lot on process. A lot of times when there is a webinar the hosts focus extensibly on how the task is done from a technical standpoint without explaining what we are trying to do and why we are doing it. The tools change from workplace to workplace but the process almost always stays the same. There were technical difficulties and at one point the stream died but at the end of the day we all survived. They are running the same workshop in April and I recommend everyone check twitter and participate.

Lessons Learned:

  • A practical process flow of network based threat hunting (looking for persistent connections, automated beacons etc.)
  • Detecting DNS tunneling / DNS C2 traffic
  • SSL Fingerprinting with JA3
  • How to analyze zeek capture files from the linux command line.
  • How to analyze zeek capture files using rita.

Example Lab Exercises:

Finding Long Connections:

  • The first step is to find out how long the capture file is. You can either use the capinfos command or in the event that you do not have the package the same can be acheived using tcpdump and awk.
1
2

capinfos -ae example.pcap
tcpdump -tttt -n -r example.pcap | awk 'NR==1; END{PRINT}'
  • The second step is to use bro-cut to extract the source and destination IPs as well as the duration. In a zeek log those fields are id.orig_h, id.resp_h and duration. Once you have extracted these fields you can pipe the output into sort and grab the first 10 lines using head.
1

cat conn.log | bro-cut id.orig_h id.resp_h duration | sort -k3rn | head

Grab the longest 10 connections

Finding Potential Beacons

  • A beacon is a host machine reaching out to a command and control server. A good first step in trying to find potential beacons is to look for source/destination IP pairs and get a count of how many packets were sent. The relevant fields for this would be source IP and destination IP but you should also consider size. A beacon will have a lot of packets but not a lot of bytes being transmitted (most of the packets will just be heartbeat). The first command I would use is to find the largest counts:
1

cat conn.log | bro-cut id.orig_h id.resp_h | sort | uniq -c | head

Find the largest counts

  • This will tell us how many connections were made for each pair. The top 3 results are the ones that need more investigation so I will check the size. For example lets use that first conversation with 192.168.88.2 and 165.227.88.15. We need to use datamash to perform aggregate functions so we need to use grep -v to remove lines that are empty as well as lines that have a - for data size.
1

cat conn.log | bro-cut id.orig_h id.resp_h orig_bytes | grep 192.168.88.2 | grep 165.227.88.15 | sort | grep -v '^$' | grep -v '-' | datamash -g 1,2 max 3

Investigating the connection between 192.168.88.2 and 165.227.88.15

  • As we can see 165.227.88.15 has sent 3673 bytes and 192.168.88.2 has only sent 262 bytes. When a pair of hosts send 108858 packets but only 3935 bytes of total data that leads me to beleive that these may be beacons which require additional investigation.

Searching for command and control over DNS using RITA.

  • RITA (Real Intelligence Threat Analytics) is an open source framework for network traffic analysis from Active Countermeasures. RITA reads Bro/Zeek logs and has built in functions to do some of the tasks we worked on in the workshop (searching for beacons, dns tunneling etc.) RITA is much easier to use than the linux commands we were gluing together.
  • For example here is how you would search for DNS command and control or DNS tunneling using RITA. Finding the domains with the most requests
  • Lets drill down and see what some of these requests are going to r-1x.com DNS requests going to r-1x.com
  • As we can see the domain names being resolved are garbage, most likely command and control traffic.
  • One added benefit of using RITA to analyze your Zeek logs is that it stores the Zeek logs in a database (mongodb) as opposed to reading the Zeek logs.

Future works / ideas I would like to explore:

  • Since the workshop focuses on network based threat hunting, I would like to explore EDR based threat hunting in the future.
  • I would like to learn more about RITA, for example is it possible to build your own functions.

Closing Remarks

I would like to thank the group over at Black Hills Information Security for putting this workshop together. I highly recommend anyone interested in cybersecurity take a look at their youtube channel.

The article was updated on 2020-01-18
 WorkshopsThreat HuntingBroZeekRITABHIS
Back | Home