Threat Hunting Shorts – Long Connection Detection – Video Blog
Video – Threat Hunting – Long Connection Detection
Video Transcript
Chris (00:00):
Hey folks, this is Chris Brenton. And in a previous video, I talked about command and control channels. I wanna start getting into the different types of signaling that can be used in command and control, starting with long connections. What’s a long connection? The long connection is just simply when the compromised system calls out to the command and control server and just leaves that connection open indefinitely. So as long as the attacker needs to, you know, be able to come in and control that compromise system, that connection will stay in place. So this connection is running all the time and it, while that seems like it should be easy to detect, it’s actually a lot harder than you realize. Not many things will actually record the session time. How long has that session been going for. There’s some network statistic tools that might be able to help you out here, end top and stuff like that.
Chris (00:49):
A lot of folks think maybe their firewall will keep it track of that. Most don’t, most firewalls will keep track of the last time they saw a packet that was part of the session, not when it actually launched off. So typically you want to go through and you want to use a dedicated tool. My personal favorite is Zeek. So Zeek is the network recorder. Think of it as being like making a PCAP of the files going by, but all that stuff we don’t care about is security people. It throws all that away, like ethernet, headers and stuff like that, who cares, you know, we want to see what’s in the payload. We wanna see what ports, you know, is the application make sense for the port it’s on Zeek takes care of all of that for us. And it’ll go through and store it into a format that’s fairly easy to go through and read, you know, so this is my conduct log file within Zeek.
Chris (01:34):
This is a summary of all my connections, timestamp for the connection you can identifier, what was the source IP address, whether it was IPV four or IPV six, the port numbers involved. And the one that we’re gonna want to talk about is part of, um, this here is the duration we can go through and we keep track of, or Zeek will keep track of how long was that connection actually running for. So that allows me to go through and, um, do something like this. So here I’m just going through and saying display the log file. I’m using a special tool, Zeek cut to say the only things in that file, I care about a IP address, destination IP address, and the duration of the connection. Then I’m saying sort those connections based on the duration time, highest to lowest. And then I’m pumping that through head and that’ll show me my first 10 entries.
Chris (02:24):
So I’ll end up getting something that looks, something like this, pretty straightforward, easy to read. I can easily see that two of my connections here have been running for a pretty extended period of time. Now I probably wanna look at these in 24-hour chunks, right? Cuz if something’s been running for like 20 minutes, who cares, but if it’s been running for like five, six hours or more, that’s when it really starts to get interesting. 86,400 seconds is 24 hours. So if I’m looking at a capture of traffic from a 24-hour period of time, and I’m seeing connections that have been running for almost that full 86,400 Seconds,
Chris (02:58):
that’s worth going in and taking a look at there’s a couple other ways I could go through and carve this up as well. For example, we have an open source tool named RITA that we, created that you can also use for going in and looking for long connections. So here, what I’m gonna do is I’m gonna just say RITA, show me the long connections that are part of this particular data set. And the dash H just makes it, gives it some pretty formatting. And here I can see kind of similar output to what I had with just looking at the raw Zeek output, except I’ve got, you know, pretty little boxes around it. And the timeframes are a little bit easier to understand, right? Instead of seeing 86,387 seconds, how much is that? I need to convert it in my head. I get to see 23 hours, 59 minutes, 47 seconds.
Chris (03:41):
Okay. That’s a whole lot clear, uh, notice also RITA goes through and lists the state. What’s the state of the connection. What does this mean? Zeek does have a little problem when it comes to keeping track of long connections in that it doesn’t write out data until the connection actually closes. So if you have a, an attacker that’s compromised an internal system and they hold that connection open for three months, you’re not gonna get a log entry outta Zeek. That’s gonna let you see that that connection has been in place for three months until the attacker eventually closes it. You don’t go, don’t get any visibility over, that period of time. Zeek will keep track of it and its stay table, but it won’t actually write it out to a log file. Uh, one of the cool things we’ve done with RITA is we’ve gone in and we’ve said, oh, uh, we’ve gone in and we actually start logging what’s in that state table.
Chris (04:29):
So for example, this command here show open connections. What this does is this looks at a new log file that RITA creates and it compares what’s in the state table versus what got written to the logs and anything not written to the logs yet. We’ll go through and display that. So in the example of that three month connection using RITA, I would see, you know, after the first day, I’d see, Hey, it’s been running for a day after seven days. I’d see, Hey, it’s been running for seven days after a month. I’d see, Hey, it’s been running for a month. So there’s no surprise when the connection gets closed. You get visibility of that the whole time through, uh, which is kind of cool. Along with RITA. We also have a commercial tool called AC-Hunter where we’ll actually display, both opened enclosed connections all on the same screen.
Chris (05:13):
And we try to give you some additional information to be able to run this down. So for example, here, I can see this longest connection that’s taking place. That’s going back into the Microsoft network. Um, it’s going into Hong Kong, which is a little weird if I’m in the United States, but it’s Microsoft. So that may mean this is actually just one of my systems calling home to check out windows, notification services, patches, whatever the case may be. If you wanna learn more about long connections and threat hunting in general. Um, I’ve got links here to both our open source tool, RITA as well as our inexpensive commercial tool AC-Hunter. Uh, we also offer a free threat hunting class. It’s six hours long. It’s free of charge. Uh, there’s some lecture up front. There’s a lot of hands-on labs for the second half of it. Uh, we’ve had a little over 20,000, 25,000 students go through that so far. I gave you a link for that information as well. Hopefully, you found this video useful talk to you on the other side.
More Threat Hunting Shorts
Malware Command and Control – How it Works
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumni of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.