Hands-on Lab Review

  1. Hands-on Lab Review

  2. What we will cover
  • Quick review
  • Analysis of thunt-lab.pcapng
  • Sysmon webcast sneak peek

  3. Quick review
  • You had homework!
  • Review the thunt-lab.pcapng file
  • Identify any potential C2 traffic
  • Use it to create and vet your own threat hunting process
  • https://drive.google.com/open?id=1f-ebgU4ZNID3I1ojrnMOxU9w3OxRB-nX

  4. Suricata w/ Emerging Threats rules
  Will signature-based IDS reveal C2 channels?

  5. Suricata's view of the data

  6. Where to start?
  • Remember the threat hunting steps
  • Identify persistent connections
  • Protocol analysis
  • Endpoint reputation
  • We will want to ID tools/processes for each
  • Will start manual, but will want automation

  7. Possible beacons with Zeek
  Careful, beacons can jump ports/protocols!
  Note: This is the number of connections per day, not a real beacon calculation.

  8. Long connections with Zeek
  86,400 seconds = 24 hours

  9. Long connections limitations
  • Can show the longest single connection
  • More work to derive cumulative time
  • Example:
    • Beacons once per hour
    • Holds the connection open for one hour each time
    • Only 24 beacons in a day
    • Each session is only one hour
    • Would need to sum all connections to detect that it's a 24-hour-long connection
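The cumulative-time problem from this slide, as an added example that is not part of the original presentation: it parses a constructed Zeek conn.log excerpt and compares the longest single connection with the summed connect time per host pair, so the hourly hold-open beacon surfaces even though none of its sessions exceeds an hour. All addresses, timestamps and durations are made up.

```python
from collections import defaultdict

# Constructed Zeek conn.log excerpt in Zeek's TSV layout, trimmed to the
# fields this example needs. 10.0.0.5 -> 203.0.113.9 opens one ~1 hour
# connection every hour (24 per day); 10.0.0.7 -> 198.51.100.2 holds one
# 9 hour session; 10.0.0.8 -> 192.0.2.4 is a short web fetch.
SAMPLE_CONN_LOG = "#separator \\x09\n#path\tconn\n"
SAMPLE_CONN_LOG += "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tduration\n"
SAMPLE_CONN_LOG += "".join(
    f"{1700000000 + h * 3600}\t10.0.0.5\t203.0.113.9\t443\ttcp\t3599.5\n"
    for h in range(24))
SAMPLE_CONN_LOG += "1700000000\t10.0.0.7\t198.51.100.2\t443\ttcp\t32400.0\n"
SAMPLE_CONN_LOG += "1700003600\t10.0.0.8\t192.0.2.4\t80\ttcp\t12.3\n"
SAMPLE_CONN_LOG += "1700003700\t10.0.0.8\t192.0.2.4\t80\ttcp\t-\n"

def parse_zeek_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def summarize_pairs(conn_log_text):
    """Per (orig_h, resp_h): connection count, longest single connection
    and cumulative connect time, all in seconds."""
    stats = defaultdict(lambda: {"count": 0, "max_dur": 0.0, "total_dur": 0.0})
    for rec in parse_zeek_tsv(conn_log_text):
        if rec["duration"] == "-":  # Zeek's unset marker: no duration observed
            continue
        dur = float(rec["duration"])
        s = stats[(rec["id.orig_h"], rec["id.resp_h"])]
        s["count"] += 1
        s["max_dur"] = max(s["max_dur"], dur)
        s["total_dur"] += dur
    return dict(stats)

def long_connection_pairs(stats, threshold_seconds=0.9 * 86400):
    """Pairs whose cumulative connect time reaches the threshold, largest first.
    Ranking on max_dur alone puts the 9 hour session first and the hourly
    beacon (max 3599.5 s) well down the list; the sum surfaces it."""
    hits = [p for p, s in stats.items() if s["total_dur"] >= threshold_seconds]
    return sorted(hits, key=lambda p: stats[p]["total_dur"], reverse=True)

if __name__ == "__main__":
    stats = summarize_pairs(SAMPLE_CONN_LOG)
    for pair in long_connection_pairs(stats):
        s = stats[pair]
        print(pair, s["count"], "conns, max", s["max_dur"], "s, total", s["total_dur"], "s")
```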

  10. Investigate possible DNS beacons
  108,858 connections in 24 hours. FQDNs look like C2!

  11. Second possible beacon
  64,285 connections in 24 hours. FQDNs look pretty normal.

  12. Long conn TCP/443 traffic
  No certificate exchanged! (1st on long conn list)
  This looks normal (10th on long conn list)

  13. What about endpoint reputation?
  • Can verify certs
  • dhcp.log (if in the same collision domain)
  • Can augment with other tools

  14. Import Zeek logs into RITA

  15. Identifying beacons with RITA

  16. Long conns with RITA
  Protocol should be SSL!

  17. Checking DNS C2 with RITA

  18. Shameless plug alert
  • Let's look at the data via AI-Hunter
  • ACM's commercial offering
  • We'll keep the commercial short and sweet

  19. Score increases after compromise

  20. AI-Hunter dashboard
  Action item list

  21. Beacon analysis

  22. C2 channel was activated!
  Heartbeat / C2 activation

  23. Long connection analysis

  24. Cumulative connect time analysis

  25. DNS analysis

  26. Want to see more?
  • Type "demo" into the chat channel
  • Drop me an email: chris@activecountermeasures.com

  27. Sysmon
  • We run lots of cool webcasts
  • Tomorrow's topic: Sysmon & AppLocker
  • John will give us a sneak peek
  • Feel free to register: https://attendee.gotowebinar.com/register/3286972819851696909

  28. Wrap Up
  • Slides and video will be made available: https://acm.re/thunt
  • Questions? Content feedback?
  • Please email: courses@activecountermeasures.com or chris@activecountermeasures.com