Hands-on Lab Review

In this hands-on lab review, we will analyze the Thunt-Lab.pcapng file, identify potential C2 traffic, and discuss the use of Sysmon. We will also explore Suricata with Emerging Threats rules, investigate possible beacons with Zeek, and demonstrate AI-Hunter for threat analysis. Join us tomorrow for a sneak peek of Sysmon and Applocker. Slides, video, and additional resources will be provided. Email us with any questions or feedback.

Presentation Transcript


  1. Hands-on Lab Review

  2. What we will cover • Quick review • Analysis of thunt-lab.pcapng • Sysmon webcast sneak peek

  3. Quick review • You had homework! • Review the thunt-lab.pcapng file • Identify any potential C2 traffic • Use to create and vet your own threat hunting process https://drive.google.com/open?id=1f-ebgU4ZNID3I1ojrnMOxU9w3OxRB-nX

  4. Suricata w/Emerging Threats rules. Will signature-based IDS reveal C2 channels?

  5. Suricata's view of the data

  6. Where to start? • Remember the threat hunting steps • Identify persistent connections • Protocol analysis • Endpoint reputation • We will want to ID tools/processes for each • Will start manual, but will want automation

  7. Possible beacons with Zeek. Careful, beacons can jump ports/protocols! Note: this is the number of connections per day, not a real beacon calculation.

  8. Long connections with Zeek. 86,400 seconds = 24 hours.

  9. Long connections limitations • Can show longest single connection • More work to derive cumulative time • Example: • Beacons once per hour • Hold the connection open for one hour each time • Only 24 beacons in a day • Each session is only one hour • Would need to sum all connections to detect that it is effectively a 24-hour connection
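The cumulative-time gap described on this slide (and the connections-per-day count from slide 7), as an added example that is not part of the webcast, RITA or AI-Hunter: a small Python parser for Zeek conn.log lines that reports, per source/destination pair, the connection count, the longest single connection and the summed duration. The sample log is constructed; it holds 24 one-hour sessions to one host, so no single session stands out on a "longest connection" list, but the pair sums to a full day.

```python
"""Per-pair connection count, longest session and cumulative time from Zeek conn.log."""
from collections import defaultdict

# Constructed subset of Zeek conn.log columns (a real conn.log carries more fields).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration"]


def parse_conn_log(text):
    """Parse TSV conn.log lines into dicts; skip '#' header lines, treat '-' as 0 s."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["duration"] = 0.0 if rec["duration"] == "-" else float(rec["duration"])
        records.append(rec)
    return records


def summarize_pairs(records):
    """Return {(orig_h, resp_h): {"count", "longest", "cumulative"}} in seconds."""
    stats = defaultdict(lambda: {"count": 0, "longest": 0.0, "cumulative": 0.0})
    for r in records:
        s = stats[(r["id.orig_h"], r["id.resp_h"])]
        s["count"] += 1
        s["longest"] = max(s["longest"], r["duration"])
        s["cumulative"] += r["duration"]
    return dict(stats)


def flag_long_cumulative(stats, threshold=0.9 * 86400):
    """Pairs whose summed connect time approaches a day (86,400 s), even if each
    session is short; the 0.9 factor is an assumed tolerance for lost packets."""
    return sorted(pair for pair, s in stats.items() if s["cumulative"] >= threshold)


# Constructed sample: 24 hourly 3600 s sessions to 203.0.113.10 plus one short TLS fetch.
SAMPLE = "\n".join(
    ["#fields\t" + "\t".join(FIELDS)]
    + [f"{1.6e9 + 3600 * i:.6f}\tC{i:04d}\t10.0.0.5\t{50000 + i}\t203.0.113.10\t443\ttcp\t-\t3600.0"
       for i in range(24)]
    + [f"{1.6e9 + 90:.6f}\tCweb1\t10.0.0.5\t50500\t198.51.100.7\t443\ttcp\tssl\t2.5"]
)

if __name__ == "__main__":
    pairs = summarize_pairs(parse_conn_log(SAMPLE))
    for (src, dst), s in sorted(pairs.items(), key=lambda kv: -kv[1]["cumulative"]):
        print(f"{src} -> {dst}: {s['count']} conns, longest {s['longest']:.0f} s, "
              f"cumulative {s['cumulative']:.0f} s")
    print("near-24h cumulative:", flag_long_cumulative(pairs))
```

Sorting by "longest" alone ranks the hourly pair at 3,600 s; only the cumulative column reveals the day-long channel.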

  10. Investigate possible DNS beacons. 108,858 connections in 24 hours. FQDNs look like C2!

  11. Second possible beacon. 64,285 connections in 24 hours. FQDNs look pretty normal.

  12. Long conn TCP/443 traffic. No certificate exchanged! (1st on long conn list.) This looks normal. (10th on long conn list.)

  13. What about endpoint reputation? • Can verify certs • dhcp.log (if in same collision domain) • Can augment with other tools

  14. Import Zeek logs into RITA

  15. Identifying beacons with RITA

  16. Long conns with RITA. Protocol should be SSL!

  17. Checking DNS C2 with RITA

  18. Shameless plug alert • Let's look at the data via AI-Hunter • ACM's commercial offering • We'll keep the commercial short and sweet

  19. Score increases after compromise

  20. AI-Hunter dashboard: action item list

  21. Beacon analysis

  22. C2 channel was activated! (Callouts: heartbeat; C2 activation.)

  23. Long connection analysis

  24. Cumulative connect time analysis

  25. DNS analysis

  26. Want to see more? • Type "demo" into the chat channel • Drop me an email • chris@activecountermeasures.com

  27. Sysmon • We run lots of cool webcasts • Tomorrow's topic: Sysmon & Applocker • John will give us a sneak peek • Feel free to register: https://attendee.gotowebinar.com/register/3286972819851696909

  28. Wrap Up • Slides and video will be made available • https://acm.re/thunt • Questions? • Content feedback? • Please email: courses@activecountermeasures.com • chris@activecountermeasures.com
