Threat Hunters Corner: Network TTP Hunting with EDR Data

by Josh Shepard on 2024 | 10


Welcome 

Welcome back to the Threat Hunters Corner! I’m Josh Shepard, principal threat hunter at RADICL, and in this second episode, we’re shifting our focus from host-based hunting to network tactics, techniques, and procedures (TTPs).  

 

RadBot Generated Text Summary 

The Challenge: Network TTP Hunting with EDR Data 

In this episode, we’ll explore how to conduct threat hunts for network-focused TTPs using only Endpoint Detection and Response (EDR) data. This approach is particularly beneficial for organizations that may not have access to a Security Information and Event Management (SIEM) system or extensive network data. 

You might be wondering how we can effectively hunt for network-related techniques using EDR data. While EDR solutions may not capture all the detailed network data that firewalls do, they typically log essential information such as DNS queries and remote IP connections. This data can provide valuable insights for threat hunting. 

Identifying Command and Control (C2) Behavior 

One effective method for detecting C2 behavior is to analyze non-browser processes reaching out to unusual IP space. Since "unusual" is a pretty broad term, you can start out by looking at connections to uncommon GeoIP regions or ASNs. By establishing a baseline of normal network behavior in your environment, you can filter out common processes that regularly connect to known IP spaces. 

For instance, if you notice a non-browser process reaching out to an IP address that is not part of your established baseline—such as a connection to a Russian IP or a Digital Ocean ASN—this could indicate suspicious activity. This method not only helps identify potential threat actors but can also reveal unsafe applications within your environment. 

A Real-World Example 

During one of our hunts, we discovered a client had downloaded a screen capture tool that, while not inherently malicious, posed a significant privacy risk. The tool uploaded captured images to a cloud service based in Russia. To make matters worse, there was a bad design decision by the creators of this tool that made ALL uploaded screenshots globally searchable using a 6-8 digit ID. Given that the client handled sensitive information, this discovery highlighted the importance of threat hunting beyond just identifying malicious actors. 

Additional Hunting Techniques 

Beyond monitoring non-browser processes, consider looking for internal devices making external connections where the local port is a well-known service port (one below 1024). Such connections could indicate that a threat actor has spun up a service for re-attack purposes, or that a misconfiguration in your IT infrastructure is exposing services to the internet. 

Leveraging DNS Queries 

When it comes to DNS queries, there’s a wealth of information to be gleaned. Instead of merely looking for unusual top-level domains, you can analyze high-entropy domain names, which may indicate the use of domain generation algorithms for C2 communications. 

Additionally, monitoring TXT record lookups can reveal potential command and control activities, as threat actors can use these records to execute commands on compromised systems. 

Conclusion 

This episode has aimed to broaden your understanding of how to leverage EDR data for effective threat hunting against more network-oriented TTPs. By focusing on non-browser processes, unusual IP connections, and DNS queries, you can uncover potential threats and misconfigurations that could jeopardize your organization’s security. 

As always, I welcome your questions, comments, and suggestions for future topics. Let’s continue the conversation and keep our organizations safe. Until next time, stay safe out there! 
