2. What are the user_agents being used for HTTP transactions? Are any being spoofed?
3. Do all HTTP transactions use DNS (i.e., are there any HTTP connections to IP addresses as the URL)?
4. Are any HTTP connections proxied?
5. Is there any HTTP traffic not on port 80? Is there any traffic on port 80 that is not HTTP?
6. Are any files exchanged with HTTP that have a potentially dangerous mime_type?
7. What is the most commonly visited site or user agent? What is the most rarely visited?
8. What can be learned from the HTTP session?
   a. 404 status returned with a large response_body_length
   b. 500 status messages

2. Are there any sessions with self-signed certificates or sessions that do not have a validation status of OK?
3. Which ciphers are used for key exchanges?
4. Are there known-bad JA3 or JA3S fingerprints?
5. Are there sessions with certificates issued by suspect CAs?
6. Are there any server names that are suspect, or weak signing algorithms used?
7. Are there certificates set to expire or that use keys that are short?

Hunting theories
1. A wave of DNS hijacking has affected dozens of domains belonging to government, telecommunications, and internet infrastructure entities across the Middle East, North Africa, Europe, and North America. This was identified by FireEye’s Mandiant IR and Intelligence teams.[2]
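The HTTP and TLS questions above can be turned into repeatable checks over http.log and ssl.log. The following Python is an added example, not code from this guide or from Corelight: it parses Zeek's default TSV log format, runs the checks against a constructed http.log and ssl.log (the JA3 watchlist entry, the dangerous MIME list, the weak-cipher markers and the 100 KB body threshold are illustrative assumptions, not values from the guide), and builds the user-agent frequency table that answers the "most common / most rarely seen" question.

```python
"""Hunting checks over Zeek http.log and ssl.log (constructed sample data)."""
import ipaddress
from collections import Counter


def parse_zeek_tsv(text):
    """Parse Zeek's default TSV log: '#fields' names the columns, other '#'
    lines are metadata, and '-' marks an unset field (returned as None)."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append({f: (None if v == "-" else v)
                         for f, v in zip(fields, line.split("\t"))})
    return rows


def build_log(path, fields, pipe_rows):
    """Assemble a minimal Zeek-style TSV log from constructed '|'-separated rows."""
    lines = ["#separator \\x09", "#path\t" + path, "#fields\t" + "\t".join(fields)]
    lines += ["\t".join(r.split("|")) for r in pipe_rows]
    return "\n".join(lines + ["#close\t2019-06-08-12-00-00"])


# Constructed http.log, trimmed to the columns the hunts below use.
HTTP_LOG = build_log("http", [
    "ts", "uid", "id.orig_h", "id.resp_h", "id.resp_p", "method", "host", "uri",
    "user_agent", "response_body_len", "status_code", "proxied", "resp_mime_types"], [
    "1560000001.1|C1|10.1.1.5|93.184.216.34|80|GET|example.com|/|Mozilla/5.0|512|200|-|text/html",
    "1560000002.2|C2|10.1.1.5|93.184.216.34|80|GET|example.com|/logo.png|Mozilla/5.0|2048|200|-|image/png",
    "1560000003.3|C3|10.1.1.7|198.51.100.9|8080|GET|198.51.100.9:8080|/x|curl/7.64.0|300000|404|-|application/x-dosexec",
    "1560000004.4|C4|10.1.1.8|93.184.216.34|80|POST|example.com|/api|Mozilla/5.0|100|500|VIA -> proxy.internal|application/json",
])
# Constructed ssl.log; the ja3 column comes from the separately installed JA3 package.
SSL_LOG = build_log("ssl", [
    "ts", "uid", "id.orig_h", "id.resp_h", "version", "cipher", "server_name",
    "issuer", "validation_status", "ja3"], [
    "1560000005.5|S1|10.1.1.5|93.184.216.34|TLSv12|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|example.com|CN=Example CA|ok|aa11",
    "1560000006.6|S2|10.1.1.7|198.51.100.9|TLSv12|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|-|CN=localhost|self signed certificate|bb22",
    "1560000007.7|S3|10.1.1.8|203.0.113.4|TLSv10|TLS_RSA_WITH_RC4_128_SHA|legacy.internal|CN=Old Internal CA|unable to get local issuer certificate|cc33",
])

# Illustrative lists only; a real deployment maintains these from its own intel.
DANGEROUS_MIME = {"application/x-dosexec", "application/x-msdownload",
                  "application/java-archive", "application/x-shockwave-flash"}
WEAK_CIPHER_MARKERS = ("RC4", "_NULL_", "EXPORT", "_MD5", "DES_CBC")
JA3_WATCHLIST = {"bb22"}   # placeholder hash, constructed for the sample


def is_ip_literal(host):
    """True when the Host header is a bare IP (optionally with :port), i.e. no DNS name."""
    h = host.strip()
    if h.startswith("["):          # [v6]:port form
        h = h[1:].split("]")[0]
    elif h.count(":") == 1:        # v4:port form
        h = h.split(":")[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def http_findings(rows, big_body=100_000):
    """Return (uid, reason) pairs for the HTTP questions, plus user-agent counts."""
    findings = []
    agents = Counter(r["user_agent"] for r in rows if r["user_agent"])
    for r in rows:
        if r["host"] and is_ip_literal(r["host"]):
            findings.append((r["uid"], "host is an IP literal, no DNS lookup"))
        if r["id.resp_p"] != "80":
            findings.append((r["uid"], "HTTP on port " + r["id.resp_p"]))
        if r["proxied"]:
            findings.append((r["uid"], "proxied request: " + r["proxied"]))
        if r["status_code"] == "404" and int(r["response_body_len"] or 0) > big_body:
            findings.append((r["uid"], "404 with large response body"))
        if r["status_code"] == "500":
            findings.append((r["uid"], "server returned 500"))
        bad = set((r["resp_mime_types"] or "").split(",")) & DANGEROUS_MIME
        if bad:
            findings.append((r["uid"], "dangerous mime type: " + ",".join(sorted(bad))))
    return findings, agents


def ssl_findings(rows, ja3_watchlist=JA3_WATCHLIST):
    """Return (uid, reason) pairs for the TLS questions."""
    findings = []
    for r in rows:
        status = r["validation_status"]
        if status and status != "ok":          # self-signed, unknown issuer, expired, ...
            findings.append((r["uid"], "certificate validation: " + status))
        cipher = r["cipher"] or ""
        if r["version"] in ("SSLv2", "SSLv3", "TLSv10") or any(m in cipher for m in WEAK_CIPHER_MARKERS):
            findings.append((r["uid"], f"weak protocol or cipher: {r['version']} {cipher}"))
        if r["ja3"] in ja3_watchlist:
            findings.append((r["uid"], "JA3 on watchlist: " + r["ja3"]))
        if r["server_name"] is None:           # no SNI: worth a look on an enterprise egress
            findings.append((r["uid"], "no SNI server_name"))
    return findings


if __name__ == "__main__":
    hits, agents = http_findings(parse_zeek_tsv(HTTP_LOG))
    print("rarest user agent:", agents.most_common()[-1])
    for hit in hits + ssl_findings(parse_zeek_tsv(SSL_LOG)):
        print(*hit)
```

The parser keeps column names exactly as Zeek writes them (`id.resp_p`, `resp_mime_types`), so the same functions run unchanged on a real log read from disk; on production volumes the interesting output is the rarity tail of the `Counter`, not the top entries.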
[1] ICS is a general term that includes: supervisory control and data acquisition (SCADA) and distributed control systems (DCS), industrial automation and control systems (IACS), and programmable logic controllers (PLCs).
[2] https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
Corelight’s introductory guide to threat hunting with Zeek (Bro) logs.
   a. An emergency directive was issued by DHS CISA in January 2019 for organizations hosting DNS (https://cyber.dhs.gov/ed/19-01/) to mitigate this type of vulnerability. Use this report as a guide to develop searches to look historically through logs to determine if anyone in your enterprise was affected by this attack.
2. Is any DNS tunneling present? Bad actors can exfiltrate all types of sensitive data including financial records, social security numbers, and intellectual property. The data can be obfuscated using various techniques and then transmitted to avoid detection (i.e., slow drip, IP spoofing, domain generation algorithms (DGAs), and fast flux).
   a. Exfiltration Over Alternative Protocol (T1048)

Server farm egress
Server farms are often where the most valuable data in an organization resides. Instrumenting the enterprise to have NSM at server farm egress points provides visibility for internal and external network communications.

Observations
The following questions, plus those identified for network egress, can lead to theories for hunting in server farm egress data:
•• What volume of data is being transferred between individual servers and client(s)?
•• Are any hosts starving servers for resources?
•• Is there any encrypted traffic that does not belong?
•• Is there a history of files transferred?
•• Is there any suspect DCOM or RPC traffic between servers and hosts?
•• Which MS protocols are being used between servers and internal hosts?
•• Are any prohibited protocols traversing the network?
•• What insight do you have into encrypted sessions entering/leaving the network?

Volume
1. Which internal or external clients communicate with servers most often?
   a. Do communications happen at odd hours?
2. Which internal or external clients transfer the most data to/from servers?
   a. Which protocols are used?
   b. Do communications happen at odd hours?
3. Are unknown protocols in use?
4. Are any hosts starving servers for resources?

Suspect encrypted traffic
1. Is there traffic to/from the server farm that does not belong?
   a. SSH, TLS using a certificate issued by an outside CA?

Files
1. Which files have been up/downloaded between servers and clients?
2. Has the same file been transferred multiple times?
3. Is there a method to check all files against a watch list?

DCOM
1. Is there any DCE_RPC traffic between servers and external devices?
2. Is there any suspect DCE_RPC traffic between servers and internal devices?
   a. Scheduled Tasks, PSExec, WMI
3. Are any shares being created and/or removed remotely?

MS protocols
1. Is there SMB traffic between servers and external devices?
2. Is SMB traffic permitted between servers and internal devices?
   a. Which shares are accessed?
   b. Who is performing the access, and when?
3. Are any hidden shares accessed by internal devices?
4. Are all shares actively used?
5. Is share enumeration occurring from internal or external devices?
6. Is any Kerberos being used between internal or external devices and servers?

Hunting theories
1. Look for odd Kerberos ticket traffic with the additional Zeek package that extends the kerberos.log with auth_ticket, new_ticket, client_cert, client_cert_sub, client_cert_fuid, server_cert, server_cert_sub, server_cert_fuid.
   a. Lateral Movement Pass the Ticket (T1097)
   b. Credential Access Kerberoasting (T1208)
2. RDP sessions with odd keyboard layouts
   a. Lateral Movement RDP (T1076)
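The DNS tunneling question in the network egress hunting theories above (item 2, exfiltration over an alternative protocol) needs per-domain statistics rather than per-query signatures, because each tunneled query looks innocuous on its own. The following Python is an added example, not code from this guide or from Corelight: it aggregates dns.log rows per registered domain and scores them by number of distinct names, mean name length, mean entropy of the subdomain labels and the share of TXT/NULL queries. The dns.log rows are constructed (a synthetic tunnel that encodes data as hex labels under one domain), the registered-domain split is a naive last-two-labels assumption, and the thresholds are starting points to tune against your own baseline.

```python
"""Per-domain DNS tunneling indicators from Zeek dns.log rows (constructed sample)."""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive registered domain: the last two labels. This is an assumption made
    for the sample; production code should consult a public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dns_tunnel_scores(records):
    """Aggregate dns.log rows (dicts with 'query' and 'qtype_name') per registered
    domain: query count, distinct names, mean query length, mean entropy of the
    subdomain part (dots removed) and the fraction of TXT/NULL queries."""
    agg = defaultdict(lambda: {"n": 0, "names": set(), "len": 0, "ent": 0.0, "txt": 0})
    for r in records:
        q = r["query"].rstrip(".").lower()
        d = registered_domain(q)
        sub = q[: -len(d) - 1] if len(q) > len(d) else ""
        a = agg[d]
        a["n"] += 1
        a["names"].add(q)
        a["len"] += len(q)
        a["ent"] += shannon_entropy(sub.replace(".", ""))
        if r.get("qtype_name") in ("TXT", "NULL"):
            a["txt"] += 1
    return {d: {"queries": a["n"], "unique_names": len(a["names"]),
                "avg_len": a["len"] / a["n"], "avg_entropy": a["ent"] / a["n"],
                "txt_null_ratio": a["txt"] / a["n"]} for d, a in agg.items()}


def flag_tunnels(scores, min_unique=20, min_len=40, min_entropy=3.0):
    """Domains whose traffic looks like a tunnel: many distinct, long, high-entropy
    names. The thresholds are assumptions to tune per network, not fixed values."""
    return sorted(d for d, s in scores.items()
                  if s["unique_names"] >= min_unique
                  and s["avg_len"] >= min_len
                  and s["avg_entropy"] >= min_entropy)


def _sample_records():
    """Constructed dns.log rows: ordinary lookups plus a synthetic tunnel that
    sends 48 hex characters of data per query under t.example.net."""
    normal = [{"query": q, "qtype_name": "A"}
              for q in ("www.example.com", "mail.example.com", "www.example.com")]
    tunnel = []
    for i in range(30):
        blob = hashlib.sha256(b"chunk%d" % i).hexdigest()[:48]
        tunnel.append({"query": f"{blob[:24]}.{blob[24:]}.t.example.net",
                       "qtype_name": "TXT"})
    return normal + tunnel


SAMPLE_DNS = _sample_records()

if __name__ == "__main__":
    scores = dns_tunnel_scores(SAMPLE_DNS)
    for domain in flag_tunnels(scores):
        print(domain, scores[domain])
```

Slow-drip tunnels defeat a per-hour query-count rule but not the entropy and length features, which is why the score is kept per domain over the whole hunting window; the TXT/NULL ratio is reported rather than used as a hard condition because plenty of legitimate services (mail authentication, domain verification) also live in TXT records.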
•• Which software applications are installed? Is this in agreement with the enterprise inventory?
•• Are administrative tasks occurring from the user area of the network?
•• Are any users connecting to hidden or administrative shares?
•• Which user agents are in use?

File
1. Which files have been uploaded/downloaded between servers?
2. Has the same file been transferred multiple times?

2. Are there hosts with a changing producer to consumer ratio (PCR)?
3. Are there unknown protocols?
4. Are there hosts communicating to new hosts within the data center?
5. Why are hosts communicating?
6. Are one or more workstations probing, looking for services?
Observations
The following questions, plus earlier questions, can lead to theories for intra workstation hunting:
•• Are any prohibited protocols traversing the network?
•• Which users/hosts are authenticating?
•• Are there hosts that switch from producing data to consuming it?
•• Are any unknown protocols in use?
•• Are you performing file extraction and analysis?
•• Why are two end points communicating?
•• Are any endpoints performing reconnaissance?
•• Which software applications are installed? Is this in agreement with the enterprise inventory?
•• Are administrative tasks occurring from the user area of the network?
•• Are any users connecting to hidden or administrative shares?
•• Which user agents are in use?

5. Are there any new SSH sessions that do not match existing HASSH fingerprints?

Volume
1. What volume of data is transferred via SSH among which workstations?
2. Are there hosts that have the PCR changing?
3. Are there unknown protocols?
4. Are there hosts communicating to new hosts within the data center?
5. Why are hosts communicating?
6. Are one or more workstations probing, looking for services?
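The producer-consumer ratio (PCR) asked about in the Volume questions on this page and the preceding one, and the observation "hosts that switch from producing data to consuming it", can be computed directly from conn.log byte counts. The following Python is an added example, not code from this guide or from Corelight: it takes PCR = (orig_bytes - resp_bytes) / (orig_bytes + resp_bytes), sums each originating host's bytes per UTC day, and flags hosts whose latest day's PCR jumps above their earlier baseline. The conn.log rows are constructed, the daily window and the 0.8 shift threshold are assumptions, and unset ('-') byte counts are treated as zero.

```python
"""Producer-consumer ratio (PCR) per host from Zeek conn.log rows (constructed sample)."""
from collections import defaultdict

DAY = 86400   # aggregation window in seconds; an assumption, tune to your hunting cadence


def pcr(orig_bytes, resp_bytes):
    """PCR = (orig - resp) / (orig + resp): +1 is a pure producer (host pushes data),
    -1 a pure consumer (host pulls data), 0 balanced traffic or no payload at all."""
    total = orig_bytes + resp_bytes
    return 0.0 if total == 0 else (orig_bytes - resp_bytes) / total


def pcr_by_host_and_day(conns):
    """Sum orig_bytes/resp_bytes of each originating host per UTC day and return
    {host: {day_index: pcr}}. Zeek writes '-' when a count is unknown; count it as 0."""
    totals = defaultdict(lambda: [0, 0])
    for c in conns:
        day = int(float(c["ts"]) // DAY)
        t = totals[(c["id.orig_h"], day)]
        t[0] += int(c["orig_bytes"] or 0) if c["orig_bytes"] != "-" else 0
        t[1] += int(c["resp_bytes"] or 0) if c["resp_bytes"] != "-" else 0
    per_host = defaultdict(dict)
    for (host, day), (o, r) in totals.items():
        per_host[host][day] = pcr(o, r)
    return per_host


def pcr_shifts(per_host, min_delta=0.8):
    """Hosts whose latest-day PCR rose by at least min_delta over the mean of the
    earlier days: a consumer that suddenly starts producing. Returns
    (host, baseline_pcr, latest_pcr) tuples rounded to two decimals."""
    alerts = []
    for host, days in per_host.items():
        ordered = sorted(days)
        if len(ordered) < 2:
            continue
        baseline = sum(days[d] for d in ordered[:-1]) / (len(ordered) - 1)
        latest = days[ordered[-1]]
        if latest - baseline >= min_delta:
            alerts.append((host, round(baseline, 2), round(latest, 2)))
    return sorted(alerts)


def _conn(ts, host, orig, resp):
    """One constructed conn.log row, keeping only the columns used above."""
    return {"ts": str(ts), "id.orig_h": host, "orig_bytes": orig, "resp_bytes": resp}


# Constructed conn.log rows: two workstations pull data for two days; on day three
# 10.1.2.3 flips to pushing large volumes out while 10.1.2.4 is unchanged.
SAMPLE_CONN = [
    _conn(1000, "10.1.2.3", "5000", "250000"), _conn(2000, "10.1.2.3", "5000", "250000"),
    _conn(DAY + 1000, "10.1.2.3", "6000", "240000"), _conn(DAY + 2000, "10.1.2.3", "4000", "260000"),
    _conn(2 * DAY + 1000, "10.1.2.3", "400000", "10000"), _conn(2 * DAY + 2000, "10.1.2.3", "400000", "10000"),
    _conn(1000, "10.1.2.4", "5000", "200000"), _conn(DAY + 1000, "10.1.2.4", "5000", "200000"),
    _conn(2 * DAY + 1000, "10.1.2.4", "5000", "200000"), _conn(2 * DAY + 1500, "10.1.2.4", "-", "-"),
]

if __name__ == "__main__":
    for host, base, latest in pcr_shifts(pcr_by_host_and_day(SAMPLE_CONN)):
        print(f"{host}: PCR moved from {base} to {latest}")
```

PCR is computed from the originator's point of view, which for a workstation is the machine itself; for a server, sum over `id.resp_h` instead, since the server rarely initiates. Byte totals matter more than connection counts here: a single long upload moves the ratio far more than thousands of small requests.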
Files
1. Which files have been up/downloaded between servers?
2. Has the same file been transferred multiple times?

Misc.
1. Are shares being created and/or removed remotely?
2. Are all shares actively being used?
3. Are there new hidden shares?
4. Is remote administration occurring? From which workstations?
5. Is there another data center egress?
6. What user agents are being used? Are any being spoofed?
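The share questions in the Misc. list above (new hidden shares, remote administration and the workstations it comes from) and the MS protocols questions earlier (hidden share access, share enumeration) can all be answered from Zeek's smb_mapping.log, which records each tree connect with its UNC path. The following Python is an added example, not code from this guide or from Corelight: it extracts the share name from the path, compares hidden shares (names ending in `$`) against a baseline of known ones, treats ADMIN$ and drive-letter shares as remote administration, and flags an origin that maps at least five distinct (server, share) pairs as possible enumeration. The rows and the baseline are constructed and the enumeration threshold is an assumption.

```python
"""Share-access hunting over Zeek smb_mapping.log rows (constructed sample)."""
import re
from collections import defaultdict

# Administrative shares: ADMIN$ plus the per-drive C$, D$, ... shares.
ADMIN_SHARE = re.compile(r"^(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)


def share_name(path):
    r"""Last component of a UNC path such as \\10.2.0.10\C$ -> 'C$'."""
    return path.rstrip("\\").split("\\")[-1]


def is_hidden(name):
    """Windows omits shares whose name ends in '$' from browse lists."""
    return name.endswith("$")


def smb_findings(rows, known_hidden, enum_threshold=5):
    """Return (key, reason) pairs: hidden shares absent from the known baseline,
    administrative-share use (remote administration, keyed by uid), and origins
    that touch at least enum_threshold distinct (server, share) pairs (keyed by
    origin host, appended after the per-row findings)."""
    findings = []
    per_orig = defaultdict(set)
    for r in rows:
        name = share_name(r["path"])
        target = (r["id.resp_h"], name)
        per_orig[r["id.orig_h"]].add(target)
        if is_hidden(name) and target not in known_hidden:
            findings.append((r["uid"], f"new hidden share {name} on {r['id.resp_h']}"))
        if ADMIN_SHARE.match(name):
            findings.append((r["uid"], f"remote administration via {name} from {r['id.orig_h']}"))
    for orig, targets in sorted(per_orig.items()):
        if len(targets) >= enum_threshold:
            findings.append((orig, f"possible share enumeration: {len(targets)} distinct shares"))
    return findings


def _row(uid, orig, resp, share):
    """One constructed smb_mapping.log row with a UNC path built from server and share."""
    return {"uid": uid, "id.orig_h": orig, "id.resp_h": resp, "path": f"\\\\{resp}\\{share}"}


# Baseline of hidden shares already known and accepted (constructed).
KNOWN_HIDDEN = {("10.2.0.10", "IPC$")}

# Constructed rows: 10.1.1.5 behaves normally; 10.1.1.9 maps administrative
# shares on two servers and walks several other shares across the server farm.
SAMPLE_SMB = [
    _row("M1", "10.1.1.5", "10.2.0.10", "Finance"),
    _row("M2", "10.1.1.5", "10.2.0.10", "IPC$"),
    _row("M3", "10.1.1.9", "10.2.0.10", "C$"),
    _row("M4", "10.1.1.9", "10.2.0.11", "ADMIN$"),
    _row("M5", "10.1.1.9", "10.2.0.12", "Public"),
    _row("M6", "10.1.1.9", "10.2.0.12", "HR"),
    _row("M7", "10.1.1.9", "10.2.0.13", "Backup"),
]

if __name__ == "__main__":
    for key, reason in smb_findings(SAMPLE_SMB, KNOWN_HIDDEN):
        print(key, reason)
```

IPC$ is mapped by almost every SMB session, so it belongs in the baseline rather than in the findings; the baseline itself is what turns "hidden share" into "new hidden share", and it should be rebuilt from a known-good period before each hunt.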