5B. Network-related IoCs obj 4.3 Flashcards
Network flows
Information gathered from capturing traffic data that passes through inline devices.
Netflow
A standard for monitoring traffic flows. They collect metadata about traffic at network device interfaces and then send the info to flow collectors for analysis.
Active monitoring
techniques that reach out to remote systems/devices to gather data. Collects data about:
- availability
- routes
- packet delay/loss
- bandwidth
e.g., pings
Passive monitoring
relies on capturing information as traffic passes a location and uses a tap to send a copy of the traffic between two endpoints.
Network Monitoring tools
SNMP
- protocol for sending information and events as SNMP traps
WMI
DRDoS
Distributed Reflection DoS
- network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor
Beaconing
- activity that is sent to a C2 over HTTP/S.
- Difficult to spot as it blends in with other traffic and is encrypted.
- IPS/IDS to detect
Indicators of DoS
- traffic spike
- excessive number of TIME_WAIT connections
- high number of HTTP 503 errors
Beaconing detection
- capture metadata about all sessions established or attempted and analyse it for patterns that indicate suspicious activity
Internet Relay Chat (IRC) (C2)
Communication protocol commonly used by adversaries for C2 communication.
- Easy to detect and often blocked by orgs
HTTP and HTTPS (C2)
Cannot be blocked by orgs as it is a necessity.
- hard to distinguish C2 traffic from normal traffic
- encrypted
Can be mitigated by using a proxy that intercepts, decrypts and inspects traffic, and re-encrypts only legitimate traffic
Domain Name System (DNS) (C2)
- DNS not inspected/filtered in private networks
- Commands are sent via request or response queries
How to detect DNS (C2)
Adversaries will break their control messages into several query chunks to avoid detection.
- look out for long, complicated queries
- look out for repeated queries
Social Media Websites (C2)
- issue commands via messaging functionality or account profiles
Cloud services (C2)
- scalable and reliable cloud structures are attractive to adversaries
- can be free to use
Irregular peer-to-peer communications
- indicates hosts within a network that have established a connection over unauthorised ports or data transfers
- Server Message Block (SMB)
ARP spoofing/poisoning
attacker redirects an IP address to a MAC address that was not its intended destination
Rogue devices and mitigation
An unauthorised device on a private network (e.g., a rogue WAP or DHCP server) that allows someone to connect to the network.
- Mitigate by using digital certificates on endpoints and servers to authenticate and encrypt traffic using IPSec or HTTPS
Examples of Rogue systems
- network taps
- WAPs
- Servers
- software
- wired/wireless clients
- VMs
- smart appliances
Techniques to perform Rogue Machine Detection
- Visual inspection of ports/switches
- network mapping/host discovery
- wireless monitoring (i.e., observing for unknown SSIDs)
- packet sniffing/traffic flow (observing use of unauthorised protocols and unusual peer-to-peer comm flows)
- NAC/intrusion detection
Fingerprinting
identifying type/version of OS (or server application) by analysing its responses to network scans
Sweep
scan directed at multiple IP addresses to discover whether a host responds to connection requests to certain ports
Footprinting
Phase of attack where information about the target is gathered before attacking
mismatched port
Communicating non-standard traffic over a well-known or registered port
Well-known Ports are in what range?
0-1023
Registered Ports are in what range?
1024-49151
Dynamic Ports are in what range?
49152-65535 (regular use of these ports may indicate malicious activity)
Non-standard port
Communicating TCP/IP traffic over a port that is not intended for that protocol
IoCs (Non-standard port)
- use of a non-standard port when a well-known port is already established for that protocol
- malware might use a non-standard port other than 53 for DNS traffic
- mismatched port
Mitigation (Non-standard port)
- configure the firewall to allow only whitelisted ports to communicate on ingress/egress interfaces
- configuration documentation should show which server ports are allowed on any given host type
- configure detection rules to detect mismatched protocol usage over a standard port
shell vs reverse shell
A shell is where an attacker opens a listening port that exposes the Cmd prompt on the local host and connects to that port from the remote host. A reverse shell is where the attacker opens a listening port on the remote host and forces the local host to connect to it.
Netcat (nc)
Utility for reading and writing raw data over a network connection that is often used as a listener for remote shells
- setup listener: nc -l -p 443 -e cmd.exe
- connect to listener: nc 10.1.0.1 443
Data Exfiltration IoCs
- HTTP(S) channel with public storage services (e.g., adversary may exfiltrate data to OneDrive)
- Web app attacks (e.g., SQLi)
- DNS as a data exfiltration or C2 channel (server log growth, increased use of certain queries)
- IM, P2P, email, FTP
- Encrypted tunnels (IPsec, SSL, active VPN sessions)
Covert channel for data exfiltration (IoCs)
- take advantage of a lack of egress filtering to transmit data over a non-standard port
- data encoded into protocol headers
- fragmenting (breaking data into multiple packets to evade signature analysis and DLP)
- steganography to obfuscate data
- encryption of data that cannot be inspected as it leaves network