Kostas Profile picture
May 8 10 tweets 2 min read Twitter logo Read on Twitter
Many security teams scrutinize inbound connections, but they tend to overlook traffic leaving the network. Here are a couple of things I consider when #Threat_hunting for ExMatter or similar tools: 🧵👇

1⃣Create your baseline:
It is difficult to find anomalous activity if...
...you don't know what normal looks like.
🔹Gather historical network data of outbound connections. The longer the baseline, the better the results.

....⤵️
2⃣Initial Analysis
🔹Query for outbound connections towards protocols that are used for transferring files and data over a network, e.g. SSH, FTP, TELNET, SFTP etc.
🔹Filter out expected traffic with the help of your baseline.
🔹Checkout the most & least frequent conn occurrence
❓Questions to Consider While Analyzing Suspicious Connections❓

🔹Is that server part of our business daily operations?
🔹What was the date and time of the initial connection (conn attempt)?
🔹How long did the session last?
🔹What was the bytes sent/received ratio?

....⤵️
🔹Is the traffic encrypted or decrypted?(depends on the protocol) Can I see the content?(If you can get PCAPs, you're awesome😅)

If the low-hanging fruit from the initial analysis didn't provide any wins, we gotta try harder.

3⃣Trying Harder Analysis

....⤵️
🔹Let's go back to the baseline data. After figuring out the metrics you want to include in your analysis, sort the data based on that. Such metrics could be:

- Top Destinations
- Top Sources
- Average Session Duration
- Average Data Sent/Received

Choosing what data you....⤵️
...want to concentrate should match the intent of your threat hunt. (Are you looking for data exfil or reverse proxy using SSH?)

🔹Establish the average for each metric and assign
a threshold for each, focusing on the outbound connections that exceed this threshold.
🔹You can now start looking into spikes based on the average number of your chosen metrics and their assigned max threshold.
🔹At this point, creating visualizations can help you quickly identify suspicious activities and generate investigation leads....
...You can use your favourite tool to create an overlay chart based on your baseline and your collected data.

The above was an insight into what goes through my head when I hunt for suspicious outbound traffic. It is not complete, just rough notes.....⤵️
...I might follow up with a blog when I find the time 😊 There are many threat-hunting avenues one could take with outbound connections as your main data point.

I made this thread to give you an idea of what you can do to combat tools such as ExMatter. I hope this was helpful!

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Kostas

Kostas Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Kostastsale

Apr 12
Threat actors have started leveraging a new RMM platform called Action1. This RMM has useful features. Let's take a look at what these are and how they use them🧵:

👀Console visibility:
➡️Missing Updates view
➡️Apps installed
➡️Detail info about the OS & Hardware of the host ImageImageImage
Using Action1, they are seen executing commands, scripts and binaries. To do that, they must first create a "policy" or an "app". The name of those will show up in the command line during execution:

⚙️App Deployment:
➡️action1_agent.exe -> <binary running as system> Image
⚙️Command/Script execution:
➡️action1_agent.exe -> powershell.exe/cmd.exe
💡The action1_agent.exe cmdline contains the name of the policy set by the TAs.(see screenshot for details)
💡Command/Script will run with SYSTEM privs Image
Read 6 tweets
Jan 18
1/x
For the past couple of weeks, #IcedID has been hitting hard, with post-exploitation activities beginning within ~1 hour from the initial infection.

Here are some TTPs and IOCs from these post-exploitation activities that will keep defenders ready.
🧵👇
2/x
🎯TTPs
➡️IcedID use of VNC
💡Over port 8080
➡️Multiple Cobalt Strike DLLs on disk
💡Overused directories - "C:\Windows\Tasks" & - "%user%\AppData\Local\Temp"
➡️Heavy use of PowerShell
💡Downloading payloads, exec PowerShell Cobalt Strike Loaders & other processes
3/x
➡️Used multiple privilege escalation methods
💡zerologon, Invoke-Kerberoast, Invoke-EnvBypass
➡️Reverse proxy via Cobalt Strike and then RDPing into the network
➡️Invoke-BloodHound & Invoke-ShareFinder for network and open-shares discovery
Read 8 tweets
Sep 29, 2022
#BruteRatel is difficult to detect without having access to WinAPI, NTAPI, and Syscalls as everything is done in memory. This hurts our efforts to hunt across behaviors upon executing the BRC4 payload.

Although all hope is not lost,there are some good indicators in the wires🧵👇
Looking into the unencrypted network traffic, there are some indicators we can hunt for and create detections based on the default BRC4 profile:

➡️Multiple POST requests against certain destinations
➡️All responses (apart from initial check-in) have 0 content with 200 status👇
➡️Base64 encoded body and encrypted upon deobfuscation
➡️Default user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Read 5 tweets
May 16, 2022
As a defender, I read reports to stay up to date with recent threats reported by others in the industry. It also helps me generate ideas for future research, threat hunting, detection, or a deeper dive into TA's infra.

This is what I am looking for when I read them🧵
1/11
I'll use a couple of good and one not-so-good report example from this week's awesome collection of reports from thisweekin4n6.com.

🔥Useful reports🔥

- Bitter APT adds Bangladesh to their targets (@TalosSecurity)
- Cozy Smuggled Into The Box (@cluster25_io)
2/11
The above reports are jam-packed with tactical and operationally actionable threat intelligence. They both provide a solid description of the threat actor's activities as well as how the intrusion unfolded. Finally, they feature detections in the form of Yara/Sigma rules.
3/11
Read 11 tweets
Mar 14, 2022
Last week, @TheDFIRReport received a MS-themed phishing email with an HTML attachment. The email made a significant effort to appear legitimate. 

When we open the file, the code renders into what appears to be an HTML page mirroring the official MS account login page.
1/🧵
@TheDFIRReport Looking into the code of the HTML file, we notice a couple of layers of obfuscation. Without much effort, we decoded the content. The script element contains URL and Base64 encoded code that will be executed by the browser.
2/
@TheDFIRReport When the user opens the HTML file, the browser will initiate a GET request to alufohaicement[.]com/monochrome.js containing the victim's and attacker's email addresses passed as base64 encoded parameters to a PHP script configured by the attacker. 
3/
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(