Welcome back to the Threat Hunters Corner! I’m Josh Shepard, principal threat hunter at Radical, and in this second episode, we’re shifting our focus from host-based hunting to network tactics, techniques, and procedures (TTPs).
The Challenge: Network TTP Hunting with EDR Data
In this episode, we’ll explore how to conduct threat hunts for network-focused TTPs using only Endpoint Detection and Response (EDR) data. This approach is particularly beneficial for organizations that may not have access to a Security Information and Event Management (SIEM) system or extensive network data.
You might be wondering how we can effectively hunt for network-related techniques using EDR data. While EDR solutions may not capture all the detailed network data that firewalls do, they typically log essential information such as DNS queries and remote IP connections. This data can provide valuable insights for threat hunting.
Identifying Command and Control (C2) Behavior
One effective method for detecting C2 behavior is to analyze non-browser processes reaching out to unusual IP space. Since “unusual” is a pretty broad term, you can start by looking at connections to uncommon GeoIP regions or ASNs. By establishing a baseline of normal network behavior in your environment, you can filter out common processes that regularly connect to known IP spaces.
For instance, if you notice a non-browser process reaching out to an IP address that is not part of your established baseline—such as a connection to a Russian IP or a Digital Ocean ASN—this could indicate suspicious activity. This method not only helps identify potential threat actors but can also reveal unsafe applications within your environment.
A Real-World Example
During one of our hunts, we discovered a client had downloaded a screen capture tool that, while not inherently malicious, posed a significant privacy risk. The tool uploaded captured images to a cloud service based in Russia. To make matters worse, there was a bad design decision by the creators of this tool that made ALL uploaded screenshots globally searchable using a 6-8 digit ID. Given that the client handled sensitive information, this discovery highlighted the importance of threat hunting beyond just identifying malicious actors.
Additional Hunting Techniques
Beyond monitoring non-browser processes, consider looking for internal devices making external connections where the local port is a well-known service port (those below 1024). Such connections could indicate that a threat actor has spun up a service for re-attack purposes, or that there is a misconfiguration in your IT infrastructure exposing services to the internet.
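The two connection-based hunts described above (non-browser processes reaching unfamiliar ASNs or countries, and external connections sourced from a well-known local port) can both be run over the same EDR network-connection telemetry. The following is an added example, not code from the original post or from any EDR vendor: the event shape, the browser list, the baseline and the sample events are constructed assumptions, and the ASN and country fields are assumed to be enriched by the EDR or a GeoIP lookup.

```python
"""
Hunt EDR network-connection telemetry for (1) non-browser processes talking to
unfamiliar ASNs / countries and (2) outbound external connections whose local
side is a well-known service port.
Added example; the event format, baseline and samples are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Browsers talk to the whole internet; exclude them so the hunt stays tractable.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "safari"}

# RFC 1918 plus loopback and link-local; anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class NetEvent:
    host: str
    process: str
    local_port: int
    remote_ip: str
    remote_port: int
    asn: str       # remote ASN as enriched by the EDR (AS14061 is DigitalOcean's)
    country: str   # ISO 3166 code of the remote IP from GeoIP enrichment


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt_unusual_destinations(events, baseline, home_countries=("US",), rare_asn_max=1):
    """Return (event, reason) for non-browser external connections whose
    (process, ASN) pair is not baselined and whose destination is either
    outside the home countries or in an ASN seen at most `rare_asn_max` times."""
    asn_counts = Counter(e.asn for e in events if is_external(e.remote_ip))
    findings = []
    for e in events:
        if e.process.lower() in BROWSERS or not is_external(e.remote_ip):
            continue
        if (e.process, e.asn) in baseline:
            continue
        reasons = []
        if e.country not in home_countries:
            reasons.append(f"country {e.country}")
        if asn_counts[e.asn] <= rare_asn_max:
            reasons.append(f"rare ASN {e.asn}")
        if reasons:
            findings.append((e, ", ".join(reasons)))
    return findings


def hunt_low_local_port(events):
    """External connections where the *local* side is a well-known service
    port (< 1024): a service on the endpoint is talking to the internet."""
    return [e for e in events if is_external(e.remote_ip) and e.local_port < 1024]


# Constructed baseline: (process, ASN) pairs observed during a known-quiet period.
BASELINE = {("outlook.exe", "AS64500"), ("updater.exe", "AS64500")}

# Constructed sample telemetry. Public IPs are RFC 5737 documentation addresses
# standing in for real ones; AS64500 / AS64511 are reserved example ASNs.
SAMPLE_EVENTS = [
    NetEvent("ws01", "chrome.exe",    52011, "203.0.113.5",   443,   "AS64500", "US"),
    NetEvent("ws01", "outlook.exe",   52012, "203.0.113.9",   443,   "AS64500", "US"),
    NetEvent("ws02", "screencap.exe", 52099, "198.51.100.20", 443,   "AS64511", "RU"),
    NetEvent("ws03", "updater.exe",   52100, "192.0.2.44",    443,   "AS14061", "US"),
    NetEvent("ws04", "System",        445,   "203.0.113.77",  51000, "AS64500", "US"),
    NetEvent("ws05", "python.exe",    52101, "10.0.0.5",      8080,  "",        ""),
]

if __name__ == "__main__":
    for e, why in hunt_unusual_destinations(SAMPLE_EVENTS, BASELINE):
        print(f"[dest] {e.host} {e.process} -> {e.remote_ip} ({why})")
    for e in hunt_low_local_port(SAMPLE_EVENTS):
        print(f"[port] {e.host} {e.process} local port {e.local_port} -> {e.remote_ip}")
```

On the sample data the first hunt surfaces the screen-capture tool talking to a Russian address in an ASN nobody else uses, and an updater that has drifted to a DigitalOcean address it was never baselined against, while the baselined Outlook connection and the browser traffic are filtered out; the second hunt surfaces the host whose SMB port is in conversation with an external address. Note that the RFC 5737 ranges are used here only because Python's `ipaddress` flags them as non-global, so a hand-rolled internal-network list is used instead of `is_global`.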
Leveraging DNS Queries
When it comes to DNS queries, there’s a wealth of information to be gleaned. Instead of merely looking for unusual top-level domains, you can analyze high-entropy domain names, which may indicate the use of domain generation algorithms for C2 communications.
Additionally, monitoring TXT record lookups can reveal potential command and control activities, as threat actors can use these records to execute commands on compromised systems.
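Both DNS hunts above, high-entropy domain names as a domain generation algorithm (DGA) indicator and TXT-record lookups as a possible C2 channel, can be run over EDR DNS-query telemetry. The following is an added example and not code from the original post: the event shape, the entropy and vowel-ratio thresholds, and the sample queries are constructed assumptions, and the "registrable label" helper deliberately ignores the public-suffix list.

```python
"""
DNS-side hunts over EDR DNS-query telemetry: high-entropy registrable labels
(a DGA indicator) and TXT-record lookups grouped by issuing process.
Added example; thresholds and sample queries are constructed.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsEvent:
    process: str
    qname: str
    qtype: str


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for a single repeated char)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname: str) -> str:
    """Naive second-level label: 'xk3j9.example.com' -> 'example'.
    Assumption: no public-suffix list, so 'foo.co.uk' would yield 'co'."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def vowel_ratio(label: str) -> float:
    return sum(ch in "aeiou" for ch in label) / len(label) if label else 0.0


def hunt_dga_like(events, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Flag queries whose registrable label is long, high-entropy and vowel-poor.
    Character entropy alone over-fires on long dictionary words (a 15-letter
    English label scores about 3.6 bits), so the vowel ratio is a second gate."""
    hits = []
    for e in events:
        label = registrable_label(e.qname)
        if len(label) < min_len:
            continue
        ent = shannon_entropy(label)
        if ent >= min_entropy and vowel_ratio(label) <= max_vowel_ratio:
            hits.append((e.process, e.qname, round(ent, 2)))
    return hits


def txt_lookups_by_process(events):
    """Group TXT queries by the process that issued them. C2 over DNS TXT records
    tends to show up as scripting hosts or unexpected binaries doing repeated
    TXT lookups, so the per-process view is what a hunter triages."""
    groups = defaultdict(list)
    for e in events:
        if e.qtype.upper() == "TXT":
            groups[e.process].append(e.qname)
    return dict(groups)


# Constructed sample telemetry; names under .test / example.com are reserved.
SAMPLE_DNS = [
    DnsEvent("chrome.exe", "www.example.com", "A"),
    DnsEvent("svchost.exe", "microsoftupdate.test", "A"),      # long dictionary label: entropy high, vowels normal
    DnsEvent("python.exe", "xk3j9qz0pw1m7t2v.test", "A"),      # 16 distinct chars, no vowels
    DnsEvent("powershell.exe", "cmd.beacon-example.test", "TXT"),
    DnsEvent("powershell.exe", "k5p2w9x7q3z1.test", "TXT"),    # 12 distinct chars, no vowels
    DnsEvent("w3wp.exe", "example.com", "TXT"),
]

if __name__ == "__main__":
    for proc, qname, ent in hunt_dga_like(SAMPLE_DNS):
        print(f"[dga?] {proc} queried {qname} (label entropy {ent} bits)")
    for proc, names in txt_lookups_by_process(SAMPLE_DNS).items():
        print(f"[txt] {proc}: {len(names)} TXT lookups -> {names}")
```

The `microsoftupdate.test` query is the instructive case: its label's character entropy clears the 3.5-bit bar, but a 40% vowel ratio keeps it out of the DGA list, while the two vowel-free random-looking labels are flagged. The TXT view then shows the same scripting host behind one of those labels doing a second TXT lookup, which is the combination worth pulling the process tree for.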
Conclusion
This episode has aimed to broaden your understanding of how to leverage EDR data for effective threat hunting against more network-oriented TTPs. By focusing on non-browser processes, unusual IP connections, and DNS queries, you can uncover potential threats and misconfigurations that could jeopardize your organization’s security.
As always, I welcome your questions, comments, and suggestions for future topics. Let’s continue the conversation and keep our organizations safe. Until next time, stay safe out there!