Threat Hunting Shorts – External Target Investigation – Video Blogs
Video – Threat Hunting Shorts – External Target Investigation
Video Transcript
Chris (00:00):
Hey folks, I’m Chris Brenton. In today’s threat hunting short, we’re going to talk about external target investigation. So what do I mean by external target investigation? I mean that we’ve gone through, we’ve done our threat hunt. We’ve identified some form of persistency, right? We’re seeing our internal system is talking to one or multiple other hosts, and they’re doing it in a persistent fashion, meaning it’s happening regularly throughout the day. So we’re looking at that and saying, hmm, that’s interesting. We want to try to identify, is there a business need behind it? So we want to go in and do some investigation on that endpoint to see if we can identify, you know, does this make sense from a business perspective or not? First rule is don’t do anything detectable by the adversary. In other words, don’t go onto that system and start poking around or doing queries or stuff like that.
Chris (00:47):
Because if that system is compromised, the attacker may see that. They may immediately change their tactics, install other rootkits. Things can go downhill really quickly. So my number one rule with threat hunting is everything we do needs to be passive. Everything we do needs to be undetectable. Before we do something that’s detectable, like, let’s say, isolating the system, right? You know, let’s say we think the system’s compromised. We want to move it to an isolated subnet. Before we even do that, we need to be in incident response mode. Why? Because that’s when lots of smart people are going to come in to make sure that we don’t do anything bad, you know, by mistake. For example, I mentioned isolating a system. Well, as soon as you isolate that system, that’s detectable to the attacker. If they’ve compromised 16 systems, not just one,
Chris (01:35):
and you’ve only found the one, they may start doing additional bad things through the other 15 systems they still have access to. So again, nothing detectable until we’re into incident response mode. But there’s a couple of ways we can go about learning more about that external system. Sometimes it may be things that we have available to us in our own local logs, you know, data collection. We’ll talk about that a little bit more. And sometimes it’s just leveraging external security sites and what type of information they provide. For example, let’s start with the internal detection. So we’re going to start off using Zeek, you know, one of my favorite tools. And, you know, Zeek, if you’re not familiar with it, goes through and makes a record of all the network connections that go by. So if we put this on a perimeter someplace, let’s say the internal interface of the firewall, it’s going to see all the traffic going in and out of the Internet link.
Chris (02:24):
This is probably where we went through and detected that persistency and connection in the first place. But Zeek gives us some really good information that we can work with. One of my personal favorites is this one right here, dns.log. dns.log goes through and records all the DNS queries that your users have been doing. You know, what were they trying to get to that caused them to go to that IP address? Knowing the answer to that could be super helpful. And you can write little scripts around this stuff too. So for example, one of the ones I wrote up, this is a really simple script. It’s this one called fq. So what fq does is it
Chris (02:58):
just simply says, hey, list out the contents of the DNS log file that’s in the local directory. And if there’s more than one, it’ll list all of them. And then it uses zeek-cut to go in and pull out, what did they ask for? Right, what were they trying to get to? And what was the answer that came back? And the reason I switched them, right? Why doesn’t it say query and then answer? Why did I do answer, then query? It’s so that the metadata is going to match up better with the second line. You’ll see what I mean when we go through an example. Then this section here is just getting rid of any duplicate entries. We may have done multiple queries, got the same answer back multiple times. We don’t need to see that 50 times. Once is fine.
Chris (03:36):
And then I’m using the grep command to go in and target a specific IP address. I don’t want to see all the results, just the one associated with the IP that I’m investigating. The second line is doing a little bit similar with the ssl.log files. This time, what we’re looking at is the IP address of the remote server, the name that’s associated with that system, and did the digital certificate for that system validate. In other words, you can tell Zeek, hey, anytime you see a digital certificate, try and validate that for me. And now you can see, were people talking to valid digital certificates or not? By the way, this is only useful if SSL/TLS is being used, but that’s the majority of the traffic that we’re seeing today. So thus, I just went in and automatically included it in this script. We’re then going in, getting rid of duplicates.
Chris (04:23):
And again, we’re using grep to go in and target a specific IP. So how does this work? So imagine I had two IP addresses that, you know, came up as being persistent, and I want to do additional research on. I can just go in and I can say fq, and then I can go in and type in each of the IP addresses that I want to go through and investigate. So the first one I’m going to investigate is this 65.52.108.233 address. So this comes back and tells me, from the DNS entry, that’s always going to be the first line, this is what the user was trying to get to when they got back this IP address. So why are we seeing persistency to this IP? Well, the user was trying to get to this resource. What is this resource? Well, it’s a Windows notification server. Windows 10 loves to call home, and it loves to hit the Windows Notification Service.
Chris (05:12):
So this may just be a Windows system doing its normal Windows-y type things. But how do we know for sure that’s a Windows system, right? How do we know this is in fact a real, legitimate Windows notification server? Well, that’s where this second line comes in. Because what the second line is telling me is that the system at that IP address has this server name, which exactly matches DNS, and Zeek was able to validate the digital certificate as being okay. So I can feel pretty certain this was in fact a connection to a Microsoft-managed server, a Windows notification server. So I’d probably look at this and say, yeah, it’s just my Windows system calling home. That’s not a big deal. That’s something I’ll probably just go through and add into my safe list. Cool. All right, let’s look at one more example.
Chris (05:59):
So we’re going to look at 69.172.216.55, and let’s see what comes back off of that. Well, this time I’m seeing the user was trying to get to pixel.adsafeprotected.com. Oh, well, yeah, this is going to be a fun one, right? I got back some additional record information, including this IP address. So why is the user doing persistent connections to this IP address? Because they were trying to get to pixel.adsafeprotected.com. Oh, I just love that domain name. Okay, let’s look at the SSL information. We have at least one instance where the digital certificate didn’t check out, right? It wasn’t invalid. It just didn’t have the information it needed. That’s what the dash means. We probably caught half of a session, right? Like, right at the very beginning of our capture or right at the end was when this communication was taking place.
Chris (06:59):
So we didn’t see all the data we needed. So that might be why this first line shows up. So we’re not going to worry too much about that, because we’ve got this line here saying, yep, okay, this is in fact what the user was trying to get to. They were trying to get to pixel.adsafeprotected.com. Now, I know nothing about this domain, but I look at that fully qualified domain name and that just screams to me pixel tracking, right? Someone’s doing ad tracking off of people’s browsers, and they’re doing the, you know, proverbial one pixel by one pixel image file that the user doesn’t see, but, hey, that allows them to track you everywhere you’re going. Oh boy. So this may be one we actually don’t want people going to, but I don’t know any of that for sure. How can I figure out more about this IP address and this fully qualified domain name to see if this is something I actually want my users connecting to or not? Well, there’s a ton of external security sites I can leverage to go through and figure that out.
Chris (08:00):
This might be a good time to pause the video just so you can kind of note what’s on each of these lines here. This is certainly not all of them. These are the ones that I like to use. You know, your mileage may vary, and I tried to give you a fairly extensive list so you could go through and pick and choose the ones you like. But what I like about each of these sites is that my URL includes the information I want to research. So I would replace, let’s say, that last example, right? Let’s say I wanted to check and see what SecurityTrails knows about it. I could just plug into my browser this URL, you know, /ip/69.172.216.55, hit enter, and it’s immediately going to pull up the data that I need off of this. Well, this is cool, because I could probably throw some variables in and even script this if I wanted to. Right, VirusTotal, there’s
Chris (08:54):
a bunch of them in here you can go through and use. But this will give you some really good information about that external site, whether it should be considered trustworthy or not. And hey, if you have fun doing this type of thing like I do, we offer a free threat hunting class. It’s six hours, about half lecture, about half hands-on labs. We have a virtual machine that you can download and do the labs yourself. We give you time for that during the class. Basically what I do is I kind of talk you through, this is how to do threat hunting, and now, hey, you do some threat hunting and follow that process to see how this whole thing works. The next class we’re doing is next week. If you want to sign up for that, here’s the link for it at the bottom. So thanks. Hope you enjoyed the video. I will see you in the next one.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.