Threat Hunting Shorts – FQDN Beacons – Video Blog
Video – Threat Hunting – FQDN Beacons
Hey folks, I'm Chris Brenton, and in a previous threat hunting video we talked about beacons and all the different types that we may run into. We talked specifically about how attackers are starting to take their command and control servers and hide them behind a content delivery network. One of the challenges you run into there is that our beacons are not going out to a single IP address, but potentially to multiple IP addresses. This means we can't look for a beacon going to a target IP; we've got to look for a beacon going to a target fully qualified domain name (FQDN). The question then becomes: how do we go through and do that? So let's take a look at some examples. I'm going to be working with Zeek in these examples, and one of the cool things about Zeek is that it records a bit of everything.
Everything about the connections going by, we can get a history of. So the first thing I'm going to do is work with Zeek's dns.log file: I'm going to extract what the user was trying to get to (the query) and what IP addresses were associated with it (the answers), and then I'm sorting that and running it through uniq, just to limit how many answers we get back for each question. So what is this telling me? Here's my fully qualified domain name, and here are all the IPv6 addresses that were associated with it. So if I had a beacon going out to multiple IP addresses, I could tie them all back to that same fully qualified domain name.
Notice these two entries here, or actually there are three, right? There's this one for repo.mongodb.org here and here. Why are there two? Well, we've actually got some different IP addresses getting listed; it's a little hard to see because it's IPv6 and there's a lot of hex in there. And then the third one is showing me my IPv4 addresses. That's why we've got three, but I could have a beacon going out to multiple IP addresses here that all resolve back to repo.mongodb.org. As long as I'm targeting the fully qualified domain name, as opposed to just the IP address, I'm still going to be able to get some valid beacon data. All right, let's look at another example.
So here, what I'm going to do is use the HTTP log information. In other words, let's say they're going through a content delivery network via HTTP. So we're connecting to multiple IPs, and it's the CDN that then forwards the traffic back to the legitimate, well, illegitimate, command and control server on the other side. So I've got that same problem where I've got multiple IPs that I'm connecting to. How do I extract that information? Well, Zeek, within its http.log file, stores the host name that was requested. Part of the HTTP spec is that I need to identify the fully qualified domain name of the server I want to connect to; if I don't, the CDN doesn't know where to forward that traffic. So what's cool about this is that you can see I've got multiple entries here for www at Diane OMI dot com (as transcribed), and there are multiple IP addresses that get listed out.
So imagine I had a beacon going out to all those IPs using the fully qualified domain name. This will let me tie it together. Well, that's fine for HTTP, but what about HTTPS, Chris? That's encrypted, you know, I can't do that there. Well actually, yeah, I can, because as part of that encrypted connection the server is going to hand back its digital certificate, and one of the things that certificate identifies is the server's name. So I can look at what's coming back as part of that. We've got a couple of similar entries up here; these systems we're obviously talking to with HTTP and HTTPS as well, but we've got some new ones down here, right? This is right within the digital certificate. So again, I've got multiple IP addresses that get listed here.
If I had a beacon going out to those multiple IP addresses, I'd be able to map that. I'd be able to say these two IPs are actually the same system, collapse any traffic going to them together, and analyze the collective as if it were an IP-based beacon, which makes it a whole lot easier. Cool. All right. So we've talked about pulling all this stuff together, but how do I actually do that? Well, one of the ways is with our open source tool RITA. With RITA, I can say: show me beacons based on their fully qualified domain name, based on the IP addresses they were resolving to. When I run that it prompts me for my password, and then it goes through and shows me the results. Notice we get a lot of Akamai edge entries here; we've got one for St. James church.org. This is showing me my score. Notice these
are multiple internal systems that are all going out to that same Akamai edge system. Well, that Akamai edge name will have handed me back multiple IP addresses associated with it. So RITA will automatically take care of associating the connections with each of the IPs that belong to that name, and then generate a score, as RITA is good at doing, telling us the likelihood of this being persistence that you need to make yourself aware of. Okay, so that's for fully qualified domain names. What about that Host parameter for HTTP, or the server name field within the digital certificate? Can RITA analyze those? Yeah, actually it can. I just run rita show-beacons-sni followed by whatever my test data set is, and RITA will happily extract those values and use them to collapse the endpoint down to a single point that you can then map your IPs against.
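The procedure described above (pull query/answers out of dns.log, the Host name out of http.log and the server name out of ssl.log, then treat every IP behind one name as a single endpoint before scoring the timing) can be shown end to end with a small script. This is an added example, not code from the video or from RITA; the log excerpts are constructed Zeek-style TSV with only a subset of the real columns, the addresses are documentation ranges, and the regularity score is a deliberately simple stand-in for RITA's own algorithm.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed Zeek-style logs (TSV with a #fields header, subset of the real columns).
# Timestamps are epoch seconds. Not captured from any real network.
DNS_LOG = """#fields\tts\tid.orig_h\tquery\tanswers
1000.0\t10.0.0.5\trepo.mongodb.org\t203.0.113.10,203.0.113.11
1001.0\t10.0.0.5\trepo.mongodb.org\t2001:db8::10
1002.0\t10.0.0.5\tcdn.example.test\tedge.example.test,198.51.100.7
"""
HTTP_LOG = """#fields\tts\tid.orig_h\tid.resp_h\thost
1003.0\t10.0.0.5\t198.51.100.20\twww.example.test
"""
SSL_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tserver_name
1004.0\t10.0.0.5\t198.51.100.21\twww.example.test
"""
# conn.log: one host talks to the three repo.mongodb.org addresses in rotation,
# exactly every 60 s, so no single IP shows more than four connections.
CONN_LOG = "#fields\tts\tid.orig_h\tid.resp_h\n" + "\n".join(
    f"{1100 + 60 * i}.0\t10.0.0.5\t{ip}"
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "2001:db8::10"] * 4)
) + "\n1100.0\t10.0.0.5\t198.51.100.20\n1160.0\t10.0.0.5\t198.51.100.21\n"


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log using its #fields header; returns a list of dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_ip_to_name(dns_rows, http_rows, ssl_rows):
    """Map each destination IP to the name it stands for: DNS answers first
    (skipping CNAME targets, which are names rather than addresses), then the
    HTTP Host header, then the TLS server_name (SNI)."""
    ip_to_name = {}
    for r in dns_rows:
        for answer in r["answers"].split(","):
            if is_ip(answer):
                ip_to_name.setdefault(answer, r["query"])
    for r in http_rows:
        ip_to_name.setdefault(r["id.resp_h"], r["host"])
    for r in ssl_rows:
        ip_to_name.setdefault(r["id.resp_h"], r["server_name"])
    return ip_to_name


def collapse_connections(conn_rows, ip_to_name):
    """Group connection timestamps by (source, name); unmapped IPs keep the IP."""
    groups = defaultdict(list)
    for r in conn_rows:
        dst = ip_to_name.get(r["id.resp_h"], r["id.resp_h"])
        groups[(r["id.orig_h"], dst)].append(float(r["ts"]))
    return groups


def beacon_score(timestamps, min_connections=6):
    """Regularity score in [0, 1]: 1.0 when every gap equals the median gap.
    Too few connections score 0 because the interval cannot be judged."""
    ts = sorted(timestamps)
    if len(ts) < min_connections:
        return 0.0
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mid = median(gaps)
    if mid <= 0:
        return 0.0
    spread = median(abs(g - mid) for g in gaps)
    return max(0.0, 1.0 - spread / mid)


def summarize(groups):
    return {key: (len(ts), round(beacon_score(ts), 2)) for key, ts in groups.items()}


def score_by_name(dns=DNS_LOG, http=HTTP_LOG, ssl=SSL_LOG, conn=CONN_LOG):
    """FQDN view: every IP behind a name is folded into one endpoint."""
    ip_to_name = build_ip_to_name(parse_zeek_tsv(dns), parse_zeek_tsv(http), parse_zeek_tsv(ssl))
    return summarize(collapse_connections(parse_zeek_tsv(conn), ip_to_name))


def score_by_ip(conn=CONN_LOG):
    """IP view: the same traffic without the collapse, for comparison."""
    return summarize(collapse_connections(parse_zeek_tsv(conn), {}))


if __name__ == "__main__":
    for view, result in (("by IP", score_by_ip()), ("by name", score_by_name())):
        print(view)
        for (src, dst), (count, score) in sorted(result.items()):
            print(f"  {src} -> {dst}: {count} connections, score {score}")
```

Run it and the contrast is the whole point of the video: per IP, repo.mongodb.org's three addresses each show only four connections and score 0.0, while the collapsed name shows twelve connections at a perfectly regular 60 s interval and scores 1.0. The www.example.test entries show that a Host header and a certificate server name can fold two unrelated-looking IPs into one endpoint the same way.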
So what do I need to do, as a threat hunter, to do this differently for a fully qualified domain name versus doing it based on IP? The answer really is nothing. Just run RITA against Zeek the same as you always have, and RITA is going to do what it always has: give you a score that you can then look at to decide whether this is something you need to pay attention to or not. Now, along with RITA, I could also do this with AC-Hunter. AC-Hunter is our inexpensive commercial solution. Here I'm looking at my internal systems and who they are talking to out on the internet, and in this case it's that Akamai edge system we were looking at earlier. Notice AC-Hunter has automatically gone through and said, hey, this resolves to all of these different IP addresses.
So when we see that server name within the application field, we'll map this out; actually, in this case, we're using the DNS records. So for this one it maps based on DNS, and we can see we've got a nice little plot, even though it's probably going out to multiple IP addresses. Now, if I want to do it based on the application layer, I can take a look at it this way. Here we're looking at traffic going to a cdn.content... msn.com name. This is Microsoft traffic, it's HTTP based, and notice it had a bunch of IP addresses that resolved to that fully qualified domain name. So again, AC-Hunter is simply saying: I see this Host parameter in the HTTP data going to all these different IP addresses.
I'm going to collapse those down to a single endpoint when I then look at my beacon signal. So this is showing two connections per hour; this may have been one connection per IP address taking place, but it still collapses them all down together, which makes it a whole lot easier. If I'm dealing with HTTPS traffic, encrypted traffic, it's the same thing. In fact, it comes out of that same screen. This is looking at OneNote traffic: here are all the IP addresses that we saw HTTPS traffic going to that had this name as the server name in the digital certificate. We're identifying that, yep, this was going to TCP 443, it's SSL traffic, here's who the digital certificate was issued to, and here's what our plot looks like over time. So again, AC-Hunter takes care of all of that for you.
If all this sounds cool and you'd like to learn more, we have a free six hour threat hunting class coming up. We've had over 20,000 people go through this. About half of it is lecture time and half of it is hands-on labs. We've got a couple of virtual machines that you can download, and we start off kind of handholding, hey, try this, hey, try that, and then we quickly push you towards going in and solving the problem yourself. We're trying to push you towards being an effective threat hunter. The next class is October 4th; there's the link to sign up for that training. Hope you found this content useful. I'll see you in the next video.
Chris has been a leader in the IT and security industry for over 20 years. He's a published author of multiple security books and the primary author of the Cloud Security Alliance's online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.