Module 4: Hunting With Network Data

Network Data for Threat Hunters

Network IoCs

Mostly a discussion of IoC fidelity. Using threat intel to gather information for attribution. A bit about using IDS/IPS for a global view of traffic rather than relying on a single host's view of its own network traffic.

Sources of Network IoCs

Exactly what the title of the section is. IDS, IPS, etc.

Practical Network Data Analysis

The Lockbit Ransomware

Using Splunk to search for the top 20 destination IPs that CLIENT2 communicated with:

index="*" SourceHostname="CLIENT2.megacorpone.com" | top limit=20 DestinationIp

Now that we've found a sus IP, narrow down the searches to communication with that IP involving e.taylor -- the user who supposedly clicked the suspicious link. Change the output into a table of the time the request occurred, the image (file) involved in the request, and the PID of the process:

index="*" DestinationIp="192.229.211.108" User="MEGACORPONE\\e.taylor" | table _time,Image,ProcessId
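The same two-step pivot (top destinations for a host, then narrow to one IP and one user), reproduced in Python over constructed Sysmon-style records. This is an added example, not course material; the records are made up, and only the hostname, user and destination IP come from the notes above.

```python
from collections import Counter

# Constructed Sysmon Event ID 3 (network connection) records. Field names
# mirror the Splunk fields used in the notes; paths, PIDs and times are invented.
EVENTS = [
    {"_time": "2023-01-10T09:00:01", "SourceHostname": "CLIENT2.megacorpone.com",
     "DestinationIp": "10.25.25.5", "User": "MEGACORPONE\\e.taylor",
     "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1204},
    {"_time": "2023-01-10T09:05:11", "SourceHostname": "CLIENT2.megacorpone.com",
     "DestinationIp": "10.25.25.5", "User": "MEGACORPONE\\e.taylor",
     "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1204},
    {"_time": "2023-01-10T09:10:45", "SourceHostname": "CLIENT2.megacorpone.com",
     "DestinationIp": "10.25.25.5", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 988},
    {"_time": "2023-01-10T09:14:02", "SourceHostname": "CLIENT2.megacorpone.com",
     "DestinationIp": "192.229.211.108", "User": "MEGACORPONE\\e.taylor",
     "Image": "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE", "ProcessId": 5120},
    {"_time": "2023-01-10T09:15:30", "SourceHostname": "CLIENT2.megacorpone.com",
     "DestinationIp": "192.229.211.108", "User": "MEGACORPONE\\e.taylor",
     "Image": "C:\\Users\\e.taylor\\Downloads\\lockbit.exe", "ProcessId": 6644},
    {"_time": "2023-01-10T09:16:00", "SourceHostname": "CLIENT2.megacorpone.com",
     "DestinationIp": "10.25.25.1", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 988},
    # Another host talking to the same IP: must not appear in CLIENT2's results.
    {"_time": "2023-01-10T09:20:00", "SourceHostname": "CLIENT1.megacorpone.com",
     "DestinationIp": "192.229.211.108", "User": "MEGACORPONE\\j.smith",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "ProcessId": 3301},
]


def top_destinations(events, source_host, limit=20):
    """Equivalent of: SourceHostname=<host> | top limit=<limit> DestinationIp"""
    counts = Counter(e["DestinationIp"] for e in events
                     if e["SourceHostname"] == source_host)
    return counts.most_common(limit)          # [(ip, count), ...], most frequent first


def pivot_to_ip(events, dest_ip, user):
    """Equivalent of: DestinationIp=<ip> User=<user> | table _time,Image,ProcessId"""
    rows = [(e["_time"], e["Image"], e["ProcessId"]) for e in events
            if e["DestinationIp"] == dest_ip and e["User"] == user]
    return sorted(rows)                       # chronological, like a Splunk table


if __name__ == "__main__":
    for ip, n in top_destinations(EVENTS, "CLIENT2.megacorpone.com"):
        print(f"{n:>3}  {ip}")
    for row in pivot_to_ip(EVENTS, "192.229.211.108", "MEGACORPONE\\e.taylor"):
        print(*row, sep="  ")
```

Expect the internal server at the top of the list and the external IP second; the pivot should surface both the mail client that fetched the link and the dropped executable under e.taylor.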

Full Packet Capture Analysis

Wireshark display filter for traffic between our previously sus IP and CLIENT2:

ip.addr == 192.229.211.108 and ip.addr == 10.25.25.101

Gathering ARP activity from CLIENT2, or any SMB traffic:

(arp.src.proto_ipv4 == 10.25.25.101) or smb

Using NetWitness to dig deeper via Suricata captures.

Launching NetWitness
Inspecting email data
Inspecting emails on the second pcap session
Searching for the mail attachment

If we click the lockbit.exe, it asks if we want to run it. This looks terrifying but follows up with a question on actual actions to take:

Saving the attachment

Getting the hash of the lockbit.exe for additional digging:

PS C:\Resources> Get-FileHash -Algorithm SHA256 .\533-0-4_attach.1.lockbit.exe

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          B240B6861889734EEE778D92BC1E2930E10570FE41D84A1A79CC518DC93F4E09       C:\Resources\533-0-4_attach.1.lockbit.exe

Confirming the Lockbit sample in VirusTotal
