Threat Hunting Snippets for the Network

Posted on by Marcus Edmondson

So in this blog post I wanted to talk about my approach to hunting on the network. I won’t delve into collection of the data, but instead this will be a situation where you have a packet capture already and you don’t know where to start. So depending on the size of the packet capture you can load it straight into Wireshark but if it is too large and Wireshark is having trouble opening it you can run it through Snort, Bro or SiLK.

Snort

Using the Snort way I usually fire up my Ubuntu sensor that I have installed Snort, Bro and SiLK on and use an application like TCPReplay to feed it through my sensor. If any alerts of interest pop, I will then use TCPDump to carve out the IP addresses of interest from the alert into another pcap file. Then I will load that up into Wireshark to get a deeper dive to see what is going on by following the TCP stream depending on the protocols available to me. You can carve out any files of interest by going to File -> Export Objects -> HTTP. Get file hashes of interesting artifacts and depending on your security teams setup either use VirusTotal, roll your own sandbox like Cuckoo or hand those files over to a dedicated malware analyst to extract indicators to sweep your environment with. Thats just a quick snippet of one way to approach it with Snort.

Bro

Next up is the Bro way. Again I will fire up my sensor and run my pcap file through my sensor. Once all the Bro files are created I will look in the notice.log or weird.log, those logs contain what you think they would contain based off their names. I also like to look in the conn.log for large byte transfers or long duration conversations. Another technique I like to look at is sorting and uniquing the user agents and do some stack counting on them. Then carving out the IP’s of interest like I did in the Snort section using TCPDump. Another technique I have been playing around with using Bro is using a Python library called Bro Analysis Tools (bat). I won’t get into detail about it but they are doing some cool machine learning techniques using Bro files to implement clustering algorithms to have the outliers rise to the top. It’s cool stuff and here is a link to their github https://github.com/Kitware/bat. Of course that is just scratching the surface of what Bro is capable of, it is definitely one of my favorite tools.

SiLK

So SiLK is a tool I have just started to play around with. It is a platform that extracts Netflow from the network or from a pcap using rwp2yaf2silk which is a tool in the suite. It is definitely a monster to get up and running so be prepared to lock yourself away with an internet connection to get it configured. You can do some really cool statistical analysis with it by looking for long duration conservations, large byte transfers or even top and bottom talkers by protocol. Definitely give it a look it’s a pretty cool tool.

So I hope you were able to get something useful from this blog post and until next time…

Happy Hunting,

Marcus

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Published by Marcus Edmondson

DFIR and threat hunting with PowerShell and Python are my passion. I love learning and researching new ways to find the adversary.