Open Cyb3rWard0g opened 4 years ago
All of my analytics are using this tool set (https://github.com/idaholab/Malcolm)
Can I detect a C2 connection in my traffic over HTTPS? (With such a small data set it's hard to show the items that stand out.)
The query I start with is protocols == tls && protocols != https && tags == cert:self-signed (the driving factor behind this is that if the communication is TLS-encrypted but not using HTTPS, it then becomes suspect for being on ports that HTTPS would use. Add in a self-signed cert and it's highly likely a piece of malware.)
We use SPI View to quickly see all the IPs, both src and dst.
We can also see the cert information for each item and a count next to it. (Use these items on OSINT sites like Shodan and censys.io.)
We can also see the large databytes present during exfil, and timestamps to correlate with host logs.
Yep, there are known JA3 and JA3S hashes of Kali and Metasploit.
72a589da586844d7f0818ce684948eea
Although, before people say "Nate, SIGMA IS MUCH MORE THAN FOR IOCs..." yeah, I know ;)
Here is a quick rule for Sigma. I didn't grab all the JA3s in there (working on a few other things), but whichever are deemed known malicious, add them to the list below in the placeholders ReplaceMeWithKnownBadJA3.
```yaml
title: Known Bad JA3 Hash for Attack Tool
status: experimental
description: JA3 SSL/TLS hashes for known bad attack/pentesting tools
references:
    - "https://github.com/OTRF/detection-hackathon-apt29/issues/4"
author: '@neu5ron Nate Guagenti, OTRF Community'
date: 2020/05/03
modified: 2020/05/03
logsource:
    product: zeek
    service: ssl
detection:
    ja3_hashes:
        ja3:
            - '72a589da586844d7f0818ce684948eea'
            - $ReplaceMeWithKnownBadJA3
            - $ReplaceMeWithKnownBadJA3
            - $ReplaceMeWithKnownBadJA3
    # the condition must name the selection block defined above (ja3_hashes)
    condition: ja3_hashes
falsepositives:
    - Always worth looking into known attack tool usage; however, you may have people just trying to test a tool and it not be a full-blown incident
level: medium
```
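As an added example (not code from the thread, Malcolm, or the hackathon repo), here is the logic of both detections above run over Zeek ssl.log records: the Sigma rule's JA3 match, and the Arkime-style "self-signed cert on a port where HTTPS is expected" heuristic from the earlier comment. The log lines are constructed for the example and follow Zeek's ssl.log TSV layout with the ja3/ja3s columns the JA3 package appends; only the one hash quoted in the thread is in the known-bad list, the rest of the rule's list is a placeholder. The port set and field names are assumptions documented in the code.

```python
"""Run the thread's two TLS checks over constructed Zeek ssl.log records.

  1. Sigma rule: ja3 value is in a known-bad list.
  2. Arkime-style heuristic: server cert is self-signed on a port where
     real HTTPS is expected (Zeek reports this in validation_status).
"""
from typing import Dict, Iterator, List

# The only hash quoted in the thread; the Sigma rule's other entries are placeholders.
KNOWN_BAD_JA3 = {"72a589da586844d7f0818ce684948eea"}
# Assumption: ports on which HTTPS is expected in this environment.
HTTPS_PORTS = {443, 8443}

# Constructed sample, not a real capture. Columns follow Zeek ssl.log with the
# ja3/ja3s fields appended; non-ASCII separators are written as Zeek emits them.
SAMPLE_SSL_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tsubject\tissuer\tvalidation_status\tja3\tja3s
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tstring\tstring\tstring
1588550400.0\tCxyz1\t10.0.0.5\t49152\t203.0.113.10\t443\tTLSv12\t-\tCN=localhost\tCN=localhost\tself signed certificate\t72a589da586844d7f0818ce684948eea\tdeadbeef00000000000000000000dead
1588550401.0\tCxyz2\t10.0.0.5\t49153\t93.184.216.34\t443\tTLSv12\texample.com\tCN=example.com\tCN=Example CA\tok\t8b1a3b2c4d5e6f708192a3b4c5d6e7f8\tf8e7d6c5b4a3928170f6e5d4c3b2a1b8
1588550402.0\tCxyz3\t10.0.0.7\t49154\t198.51.100.20\t8443\tTLSv12\t-\tCN=test\tCN=test\tself signed certificate\t0123456789abcdef0123456789abcdef\t-
1588550403.0\tCxyz4\t10.0.0.7\t49155\t198.51.100.21\t1234\tTLSv12\t-\tCN=dev\tCN=dev\tself signed certificate\t72a589da586844d7f0818ce684948eea\t-
#close\t2020-05-04-00-00-00
"""


def parse_zeek_tsv(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header/footer lines and blank lines
        else:
            yield dict(zip(fields, line.split("\t")))


def known_bad_ja3(rec: Dict[str, str]) -> bool:
    """The Sigma rule: exact match of the ja3 field against the bad list."""
    return rec.get("ja3") in KNOWN_BAD_JA3


def self_signed_on_https_port(rec: Dict[str, str]) -> bool:
    """TLS with a self-signed server cert on a port where HTTPS is expected.

    Zeek writes 'self signed certificate' (or the '... in certificate chain'
    variant) into validation_status when the chain does not validate.
    """
    try:
        port = int(rec["id.resp_p"])
    except (KeyError, ValueError):
        return False
    return port in HTTPS_PORTS and "self signed" in rec.get("validation_status", "")


def run_detections(text: str) -> List[Dict[str, object]]:
    """Return one alert per record that trips at least one check."""
    alerts: List[Dict[str, object]] = []
    for rec in parse_zeek_tsv(text):
        hits = []
        if known_bad_ja3(rec):
            hits.append("known_bad_ja3")
        if self_signed_on_https_port(rec):
            hits.append("self_signed_on_https_port")
        if hits:
            alerts.append({
                "uid": rec.get("uid"),
                "src": rec.get("id.orig_h"),
                "dst": f'{rec.get("id.resp_h")}:{rec.get("id.resp_p")}',
                "hits": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_SSL_LOG):
        print(alert)
```

Record Cxyz4 shows why the JA3 list is worth keeping alongside the certificate heuristic: it is self-signed but on TCP/1234, so the port-gated check is silent, and only the JA3 match fires. Conversely, Cxyz3 fires on the heuristic alone, which is the class of hit the falsepositives note in the rule is about (a dev box with a throwaway cert looks the same on the wire).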
Hey @neu5ron, would it be good to tag those JA3 sigs for each C2? Like
72a589da586844d7f0818ce684948eea #Metasploit
Also, if the JA3 query is done, would you mind moving it to https://github.com/OTRF/detection-hackathon-apt29/tree/master/rules and then pushing a PR? Thank you man, I appreciate all the help! 👍
Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Description
The file is then exfiltrated over the existing C2 connection (T1041).
[pupy] > download "C:\Users\pbeesly\AppData\Roaming\Draft.Zip" .