Network Traffic

Protocols & Procedures to look out for:

  1. Abnormal TTLs not usual in your enterprise environment

  2. "Dictionary" Directory Queries

  3. Huge Volume of 404 code Not Found Replies

  4. Abnormal packets with patterns of port scanning/IP scanning

  5. TCP SYN + SYN/ACK + ACK --> initiation of connection

  6. Unusual ports having traffic (e.g. 10535)

  7. Excessive Data

  8. DNS with

  9. Outbound SYN/ACK replies (SYN from OUTSIDE)

  10. Brute force behaviour (FTP, SSH, RDP, HTTP)

  11. Reverse shell behaviour (port 4444, 1234)

  12. Extractable objects & files in traffic

Spotting Shell Traffic

  • many SSH connections (failed logins)

  • context (Why is the secretary using SSH?)

  • Ports 22 (SSH), 43, 3389 (RDP)

Spotting Reverse Shell Traffic

Victim initiates the connection; outbound from the victim back to the external attacker

  • Listening dest_Port is designated by attacker (default 4444, 1234, 1337, 5555, high number port)

  • GeoIP of Location

  • Outbound TCP SYNs from a server

Botnet Traffic

Attacker uses a group of bots to do the attacker's bidding

  • Strange Domain names

  • Strange file, POST, user agent

  • GeoIP of servers

  • C2 traffic (sometimes over HTTP)

  • Some bots are allocated as spam bots (SMTP server to forward spam; ports 25, 587)

Data Exfiltration

  • Keep a baseline of each client's traffic; flag traffic exceeding the baseline (Cobalt Strike/Machete)

  • Lots of suspect DNS/ICMP Messages (Helminth/Kessel)

  • Outbound FTP (CosmicDuke)

  • Suspect SMTP/SMB/HTTP(S) Behaviors or Web Services (Dropbox & Facebook)
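The heuristics listed above (reverse shell ports, port sweeps, outbound SYN/ACK to an outside-initiated SYN, and traffic above baseline) applied to a constructed set of connection records; this is an added example, not code from the original notes, and the flow tuples, the 10.0.0.0/8 "internal" range and the thresholds are assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample connection records (conn.log style), not from the page.
# Each tuple: (initiator src, dst, dst_port, bytes sent by initiator)
FLOWS = [
    ("10.0.0.5", "198.51.100.10", 443, 12_000),
    ("10.0.0.5", "198.51.100.10", 443, 9_500),
    ("10.0.0.7", "198.51.100.9", 4444, 800),       # outbound to a reverse-shell port
    ("10.0.0.9", "10.0.0.20", 21, 60), ("10.0.0.9", "10.0.0.20", 22, 60),
    ("10.0.0.9", "10.0.0.20", 23, 60), ("10.0.0.9", "10.0.0.20", 25, 60),
    ("10.0.0.9", "10.0.0.20", 80, 60), ("10.0.0.9", "10.0.0.20", 443, 60),  # port sweep
    ("203.0.113.4", "10.0.0.20", 3389, 500),       # SYN from OUTSIDE, inside answered
    ("10.0.0.11", "203.0.113.77", 443, 950_000),   # volume far above baseline
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed enterprise range
REVERSE_SHELL_PORTS = {4444, 1234, 1337, 5555}     # defaults named in the notes


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_reverse_shell(flows):
    # Internal host initiating an outbound connection to a known listener port.
    return sorted({(s, d, p) for s, d, p, _ in flows
                   if is_internal(s) and not is_internal(d) and p in REVERSE_SHELL_PORTS})


def find_port_scans(flows, min_ports=5):
    # One source touching many distinct ports on the same destination.
    ports = defaultdict(set)
    for s, d, p, _ in flows:
        ports[(s, d)].add(p)
    return sorted(k for k, v in ports.items() if len(v) >= min_ports)


def find_external_initiated(flows):
    # Connection initiated from outside and answered by an internal host
    # (the internal side sent the SYN/ACK).
    return sorted({(s, d, p) for s, d, p, _ in flows
                   if not is_internal(s) and is_internal(d)})


def find_exfil(flows, factor=10):
    # Baseline = median bytes per outbound flow; flag hosts far above it.
    out = [(s, b) for s, d, _, b in flows if is_internal(s) and not is_internal(d)]
    baseline = statistics.median([b for _, b in out])
    return sorted({s for s, b in out if b > factor * baseline})
```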
