TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Black Hills InfoSec

Let’s Go Hunting! How to Hunt Command & Control Channels Using Bro IDS and RITA

BHIS · 2017-09-13

ATT&CK techniques detected

9 predictions

T1040 Network Sniffing
99%
“…$PATH. Alternatively, I’ve put together an installation script for Debian-based systems which will compile Bro IDS from source with all of its optional dependencies. Understanding the Tracks: Bro IDS may be used to directly analyze a tapped network; however, Bro is also able to…”

T1572 Protocol Tunneling
96%
“…s dns.log in order to view the file. The -S option prevents word wrapping. Upon opening the file, you will notice that all of the requests share a common “super” domain: sirknightthe.chickenkiller.com. My command and control server is the authoritative name server for this…”

T1572 Protocol Tunneling
90%
“…the top level directory should yield something similar to this: Once the files are in their individual folders, we need to run Bro. In each of the individual folders, run bro -C -r [sample.pcap] local “Site::local_nets += { 10.0.0.0/8 }”. This will produce a numbe…”

T1059.001 PowerShell
84%
“…d PowerShell-Empire rita import -i [dnscat2 folder] -d dnscat2 - Analyze the ingested data: rita analyze - Create the report: rita html-report - Finally, open the file in a web browser: rita-html-report/index.html You should see the following display: To begin with, …”

T1572 Protocol Tunneling
65%
“…out MX, CNAME, and TXT record queries. While CNAME queries will appear in almost every network environment, MX and TXT queries are somewhat rare. An abnormal influx of MX, CNAME, or TXT records may indicate that a DNS tunnel is operating on your network. Upping the Difficulty: P…”

T1654 Log Enumeration
62%
“…ep out the full connection details. For me, the top connection is labeled cfruw5gjrbiroiyz4 and I run grep cfruw5gjrbiroiyz4 conn.log. Your UID may be different. After running a whois search on the destination, we see that the IP address is part of the Amazon EC2 cloud. While I…”

T1573 Encrypted Channel
57%
“….log While SSL and TLS secure most of our data, Bro IDS is able to get around this by harvesting unencrypted connection metadata and logging it to the SSL log. In this capture, almost every connection was made over TLS. You can prove this to yourself by comparing the connection …”

T1041 Exfiltration Over C2 Channel
50%
“…this beaconing behavior. Alternatively, we can simply look for hosts which have made a large number of connections to a single external host over the course of a day. Unfortunately, this beaconing behavior is not so readily apparent in real-world packet captures. Connections fr…”

T1654 Log Enumeration
31%
“….200.201.29 ran several versions of apt in addition to the ELinks web browser. Over time, the known_hosts log and known_services log can be used in conjunction with the software log in order to build up an inventory of a tapped network. Beyond these files, Bro IDS offers a…”

Summary

Logan Lembke // Here at BHIS, we ♥ Bro IDS. Imagine… Bro IDS Everywhere! If you haven’t encountered Bro IDS before, check out this webcast on John’s YouTube channel discussing the need for Bro […]

The post Let’s Go Hunting! How to Hunt Command & Control Channels Using Bro IDS and RITA appeared first on Black Hills Information Security, Inc.