Process

  1. Persistent connection?
  2. Abnormal protocol behaviour?
    1. Using port 80/443 but not HTTP(S) traffic (e.g. no TLS handshake)
  3. Reputation check of external IP
    1. Large number of FQDNs for a domain (check DNS)
    2. Geolocation
    3. Who manages the ASN?
  4. Investigation of internal IP
    1. Unique HTTP user agents
    2. Which process is making the network connection?
  5. Disposition (score 0~100 based on above)
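
The checklist above, applied to Zeek conn.log records as an added example (not from the original notes): the thresholds, the score weights and the sample log lines are assumptions chosen for illustration.

```python
"""Added example (not from the original notes): apply the hunting checklist to Zeek
conn.log records. Thresholds and weights are assumptions chosen for illustration."""
from collections import defaultdict

# Constructed sample conn.log (Zeek TSV layout, reduced to the fields used here).
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_ip_bytes\tresp_ip_bytes
1700000000.0\tCa1\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp\t-\t7322.5\t81200\t4100
1700000001.0\tCa2\t10.0.0.7\t51001\t198.51.100.3\t443\ttcp\tssl\t1.2\t2300\t9800
1700000002.0\tCa3\t10.0.0.7\t51002\t198.51.100.4\t80\ttcp\thttp\t0.4\t500\t3000
1700000003.0\tCa4\t10.0.0.9\t51003\t203.0.113.9\t4444\ttcp\t-\t12.0\t900\t900
"""

EXPECTED_SERVICE = {"80": "http", "443": "ssl"}  # what Zeek should identify on these ports
LONG_LIVED_SECS = 3600.0  # assumed: a connection this long counts as "persistent"
UPLOAD_RATIO = 10         # assumed: client sending 10x what it receives is unusual

def parse_conn_log(text):
    """Read a Zeek TSV log into dicts keyed by the names in the #fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def triage(rec):
    """Score one connection 0-100 and list the checklist items that fired."""
    score, reasons = 0, []
    if float(rec["duration"]) >= LONG_LIVED_SECS:           # 1. persistent connection?
        score += 40
        reasons.append("persistent connection")
    port, svc = rec["id.resp_p"], rec["service"]            # 2. abnormal protocol behaviour?
    if port in EXPECTED_SERVICE and svc != EXPECTED_SERVICE[port]:
        score += 40
        reasons.append(f"port {port} but no {EXPECTED_SERVICE[port]}")
    elif port not in EXPECTED_SERVICE and svc == "-":      # "-" means Zeek identified no service
        score += 20
        reasons.append(f"unrecognised service on port {port}")
    if int(rec["orig_ip_bytes"]) > UPLOAD_RATIO * int(rec["resp_ip_bytes"]):
        score += 20
        reasons.append("client-heavy byte ratio")
    return min(score, 100), reasons

def score_by_resp_ip(records):
    """Worst score seen per external IP, the unit the reputation checks (step 3) run on."""
    worst = defaultdict(int)
    for rec in records:
        worst[rec["id.resp_h"]] = max(worst[rec["id.resp_h"]], triage(rec)[0])
    return dict(worst)

if __name__ == "__main__":
    for rec in parse_conn_log(SAMPLE_CONN_LOG):
        print(rec["id.orig_h"], "->", rec["id.resp_h"], rec["id.resp_p"], triage(rec))
```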

C2

Pcaps

tshark for automation (command-line Wireshark; faster than the GUI)

# Top IP conversations, sorted on field 10 of the whitespace-squeezed table; check the header lines to confirm which column field 10 is in your tshark version
$ tshark -q -z conv,ip -r <file>.pcapng | tr -s ' ' | cut -d " " -f 1,2,3,10 | sort -k 4 -rn | head

# Count unique FQDNs per second-level domain (top 10); rev/cut/rev keeps the last two labels, so country-code domains like example.co.uk collapse to co.uk
$ tshark -r <file>.pcapng -T fields -e dns.qry.name | sort | uniq | rev | cut -d '.' -f 1-2 | rev | sort | uniq -c | sort -rn | head -10
# Quick looks at the unique query names: as-is, reversed (groups by TLD), and reduced to the last two labels
$ tshark -r <file>.pcapng -T fields -e dns.qry.name | sort | uniq | head -4
$ tshark -r <file>.pcapng -T fields -e dns.qry.name | sort | uniq | rev | head -4
$ tshark -r <file>.pcapng -T fields -e dns.qry.name | sort | uniq | rev | cut -d '.' -f 1-2 | rev | head -10

tcpdump and windump

Zeek logs

# Strange services/ports
$ cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service orig_ip_bytes resp_ip_bytes

# Unique user agents (user_agent is a field of http.log), rarest first is the interesting end
$ cat <log>.log | zeek-cut user_agent | sort | uniq -c | sort -rn

# Self-signed certs
$ cat ssl* | zeek-cut id.orig_h id.resp_h id.resp_p validation_status | grep 'self signed' | sort | uniq


Analysis

R-base

Datamash