Process

1. Persistent connection?
2. Abnormal protocol behaviour?
   1. Using port 80/443 but not HTTP(S) traffic (e.g. no TLS handshake)
3. Reputation check of external IP
   1. Large number of FQDNs for a domain (check DNS)
   2. Geolocation
   3. Who manages ASN?
4. Investigation of internal IP
   1. Unique HTTP user agents
   2. Which process is making the network connection?
5. Disposition (score 0~100 based on above)

C2

• Beacon every 30~90s (unless red ream) [range and cumulative time]
  • False positives: NTP, chat, security updates
• Long connections (5.5hrs)
  • False positives: BGP, chat, dynamic web pages

Pcaps

tshark for automation (cmd line wireshark - faster)

$ tshark -q -z conv,ip -r <file>.pcapng | tr -s ' ' | cut -d " " -f 1,2,3,10 | sort -k 4 -rn | head

$ tshark -r <file>.pcapng -T fields -e [dns.qry.name](<http://dns.qry.name>) | sort | uniq | rev | cut -d '.' -f 1-2 | rev | sort | uniq -c | sort -rn | head -10
$ tshark -r <file>.pcapng -T fields -e [dns.qry.name](<http://dns.qry.name>) | sort | uniq | head -4
$ tshark -r <file>.pcapng -T fields -e [dns.qry.name](<http://dns.qry.name>) | sort | uniq | rev | head -4
$ tshark -r <file>.pcapng -T fields -e [dns.qry.name](<http://dns.qry.name>) | sort | uniq | rev | cut -d '.' -f 1-2 | rev | head -10

tcpdump and windump

Zeek logs

# Strange services/ports [image]
$ cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service orig_ip_bytes resp_ip_bytes

# Unique user agents
$ cat <log>.log | zeek-cut user_agent | sort | uniq -c | sort

# Self signed certs
$ cat ssl* | zeek-cut id.orig_h id.resp_h id.resp_p validation_status | grep 'self signed' | sort | uniq

Analysis

R-base

Datamash