AI-Hunter v3.3 Has Been Released!
In this release we’ve extensively updated our whitelisting capability. A feature many of our customers have asked for is the ability to whitelist a specific IP pair: for example, trusting an external IP address only when one particular internal IP is communicating with it, rather than for every internal system. You now have that option when creating entries.
We’ve also added whitelisting to every module. Next to each connection you’ll see the whitelisting icon; click it to create a new entry.
We’ve also updated the long connection module to analyze total connection time. You can still look at the longest single connections, but by switching to View 2 you can look at cumulative totals.
Imagine an attacker builds a command and control channel that is a hybrid of a beacon and a long connection: the malware calls home, holds the connection open, then tears it down and reconnects every few hours. No single connection looks unusually long, so a longest-connection view misses it, but by looking at cumulative connection time View 2 still shows that these systems are communicating all day long.
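The hybrid beacon above, worked through as an added example (this is not AI-Hunter code, and the conn.log records and IP addresses are constructed for illustration). It parses connection records in the shape of Zeek's conn.log, then evaluates each source/destination pair two ways: longest single connection (what "View 1" shows) and cumulative connection time ("View 2"). The internal host that reconnects every 2.5 hours never crosses a 4-hour longest-connection threshold, but its cumulative time for the day does.

```python
from collections import defaultdict

# Constructed sample in the shape of Zeek conn.log (tab-separated:
# ts, id.orig_h, id.resp_h, id.resp_p, duration in seconds). Not real traffic.
SAMPLE_CONN_LOG = "\n".join(
    # 10.0.1.25 holds a 2.5 h session to 203.0.113.10, tears it down and
    # reconnects nine times over the day: no single connection is very long.
    [f"{1700000000 + i * 9600}\t10.0.1.25\t203.0.113.10\t443\t9000.0" for i in range(9)]
    # 10.0.1.40 holds one 4 h session to a legitimate server.
    + ["1700003600\t10.0.1.40\t198.51.100.5\t443\t14400.0"]
    # 10.0.1.77 does ordinary short web requests.
    + [f"{1700000000 + i * 60}\t10.0.1.77\t198.51.100.9\t443\t0.8" for i in range(20)]
)


def parse_conn_log(text):
    """Yield (orig_h, resp_h, resp_p, duration) from conn.log-style lines.

    Skips Zeek header lines ('#...') and records with no duration ('-').
    """
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, orig_h, resp_h, resp_p, duration = line.split("\t")
        if duration == "-":
            continue
        yield orig_h, resp_h, int(resp_p), float(duration)


def summarize_pairs(records):
    """Per (orig_h, resp_h, resp_p): longest single connection and cumulative time."""
    longest = defaultdict(float)
    total = defaultdict(float)
    count = defaultdict(int)
    for orig_h, resp_h, resp_p, duration in records:
        key = (orig_h, resp_h, resp_p)
        longest[key] = max(longest[key], duration)
        total[key] += duration
        count[key] += 1
    return {
        key: {"longest": longest[key], "total": total[key], "connections": count[key]}
        for key in total
    }


def flag_longest(summary, threshold_s):
    """View 1: pairs whose longest single connection meets the threshold."""
    return sorted(k for k, v in summary.items() if v["longest"] >= threshold_s)


def flag_cumulative(summary, threshold_s):
    """View 2: pairs whose cumulative connection time meets the threshold."""
    return sorted(k for k, v in summary.items() if v["total"] >= threshold_s)


if __name__ == "__main__":
    summary = summarize_pairs(parse_conn_log(SAMPLE_CONN_LOG))
    print("View 1 (longest single >= 4h):", flag_longest(summary, 4 * 3600))
    print("View 2 (cumulative >= 12h):   ", flag_cumulative(summary, 12 * 3600))
```

The 4-hour and 12-hour thresholds are illustrative. In practice the cumulative view is most useful when paired with the connection count, since a pair that stays connected all day over a handful of sessions looks quite different from a busy web client that racks up the same total across thousands of sub-second requests.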
OK, this one is my favorite. It’s yet another way to catch DNS being used for command and control. If my local DNS server is resolving many hosts in a remote domain, I would expect to see internal systems then connecting to those resolved hosts, right? Here’s an example:
In the above figure our DNS servers resolved 154 unique hosts within akamaiedge.net, and 10 different internal systems then visited those hosts. This is expected behaviour: the lookups were made on behalf of real clients that went on to use the answers. Now, check out this screen capture:
Our DNS server looked up 62,468 unique hosts within the remote domain, but the DNS server itself is the only system that ever connected to that domain. Tens of thousands of names were resolved and nobody used the answers, which is a pretty clear indication that DNS is being used for command and control (or data exfiltration) through the resolver. Before acting on a hit like this, rule out legitimate lookup-only traffic such as a mail server’s DNS blocklist queries; that is exactly the kind of case the per-pair whitelisting above is for.
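The check described in the two screen captures, as an added example (not AI-Hunter code; the dns.log and conn.log records, the domain names and the resolver address 10.0.0.53 are all constructed for illustration). For each remote domain it counts the unique hostnames the resolver looked up and collects the IPs those names resolved to, then checks which internal systems actually connected to any of those IPs. A domain with a large number of unique names that only the resolver itself ever talked to is flagged. The registered-domain helper uses the crude "last two labels" rule; a real deployment should use the public suffix list.

```python
from collections import defaultdict

DNS_SERVER = "10.0.0.53"  # assumed address of the internal recursive resolver

# Constructed sample in the shape of Zeek dns.log (ts, id.orig_h, query, answers),
# answers being a comma-separated list of resolved addresses. Not real traffic.
_dns_lines = [
    # Legitimate CDN-style domain: 150 distinct hosts, all resolving into 198.51.100.0/24.
    f"{1700000000 + i}\t{DNS_SERVER}\ta{i}.cdn.example\t198.51.100.{i}" for i in range(150)
] + [
    # Suspect domain: 500 never-repeating labels, all resolving into 192.0.2.0/24.
    f"{1700001000 + i}\t{DNS_SERVER}\t{i:08x}.covert.example\t192.0.2.{i % 8 + 1}"
    for i in range(500)
]
SAMPLE_DNS_LOG = "\n".join(_dns_lines)

# Constructed sample in the shape of Zeek conn.log (ts, id.orig_h, id.resp_h, id.resp_p).
_conn_lines = [
    # Ten internal clients visit the CDN hosts that were resolved above.
    f"{1700000100 + i}\t10.0.1.{10 + i % 10}\t198.51.100.{i % 150}\t443" for i in range(60)
] + [
    # Only the resolver ever talks to the covert.example addresses (its own DNS traffic).
    f"{1700000200 + i}\t{DNS_SERVER}\t192.0.2.{i % 8 + 1}\t53" for i in range(8)
]
SAMPLE_CONN_LOG = "\n".join(_conn_lines)


def registered_domain(name):
    """Crude last-two-labels rule; use the public suffix list in production."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text):
    """Yield (orig_h, query, [answer IPs]) from dns.log-style lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, orig_h, query, answers = line.split("\t")
        ips = [a for a in answers.split(",") if a and a != "-"]
        yield orig_h, query.lower(), ips


def parse_conn_log(text):
    """Yield (orig_h, resp_h) from conn.log-style lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, orig_h, resp_h, _resp_p = line.split("\t")
        yield orig_h, resp_h


def profile_domains(dns_records, conn_records):
    """Per domain: number of unique names looked up and the set of internal hosts
    that connected to any address those names resolved to."""
    names = defaultdict(set)
    resolved = defaultdict(set)
    for _orig_h, query, ips in dns_records:
        domain = registered_domain(query)
        names[domain].add(query)
        resolved[domain].update(ips)
    ip_to_domains = defaultdict(set)
    for domain, ips in resolved.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)
    visitors = defaultdict(set)
    for orig_h, resp_h in conn_records:
        for domain in ip_to_domains.get(resp_h, ()):
            visitors[domain].add(orig_h)
    return {d: {"unique_hosts": len(names[d]), "visitors": visitors[d]} for d in names}


def suspicious_domains(profile, dns_server, min_unique_hosts=100):
    """Domains with many unique names where nobody but the resolver ever connected."""
    hits = []
    for domain, p in sorted(profile.items()):
        if p["unique_hosts"] < min_unique_hosts:
            continue
        if p["visitors"] - {dns_server}:
            continue  # a real client used the answers: expected behaviour
        hits.append(domain)
    return hits


if __name__ == "__main__":
    profile = profile_domains(parse_dns_log(SAMPLE_DNS_LOG), parse_conn_log(SAMPLE_CONN_LOG))
    for domain, p in sorted(profile.items()):
        print(f"{domain}: {p['unique_hosts']} unique hosts, visited by {sorted(p['visitors'])}")
    print("suspicious:", suspicious_domains(profile, DNS_SERVER))
```

The example only follows A-record answers; in real dns.log data the answers field also carries CNAME targets, which is why the CDN case in the first screen capture still links back to internal visitors even though the final addresses belong to a different domain. The 100-name threshold is a placeholder to tune against your own baseline.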
Two caveats with this release. We had to change the way whitelist entries are saved on the backend, so whitelists exported from this version will not be compatible with older versions of AI-Hunter. Also, adding a whitelist entry does not immediately update the score on the dashboard if that entry was contributing to it. We’ll address that in the next release.
Interested in threat hunting tools? Check out AC-Hunter
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them improve their product security through continuous development and identify their product market fit.