<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Network-Traffic — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/network-traffic/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 02 May 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/network-traffic/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Data Exfiltration to Unusual Geographic Region via Machine Learning</title><link>https://feed.craftedsignal.io/briefs/2024-05-data-exfiltration-unusual-region/</link><pubDate>Thu, 02 May 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-data-exfiltration-unusual-region/</guid><description>A machine learning job has detected potential data exfiltration activity to an unusual geographical region, specifically by region name, indicating exfiltration over command and control channels.</description><content:encoded><![CDATA[<p>This alert is triggered by a machine learning job, <code>ded_high_sent_bytes_destination_region_name_ea</code>, that detects data exfiltration to unusual geographical regions based on network traffic patterns. The Data Exfiltration Detection integration, including Elastic Defend and Network Packet Capture, is required for this detection to function. This integration analyzes network and file events to identify abnormalities in data transfer volumes to different geographical locations, specifically by region name. 
Anomalous traffic patterns, particularly those involving high volumes of data being sent to regions outside the organization&rsquo;s typical network activity, could indicate malicious actors attempting to exfiltrate sensitive data via command and control channels. This detection provides defenders with an early warning of potential data breaches. Version requirements: Elastic Stack version 9.4.0 or later is required to leverage the Entity Analytics (EA) fields.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to a system within the network through various means, such as exploiting a vulnerability or using compromised credentials.</li>
<li>Command and Control: The attacker establishes a command and control (C2) channel to communicate with the compromised system.</li>
<li>Data Collection: The attacker identifies and collects sensitive data from various sources within the network.</li>
<li>Staging: The collected data is staged in a temporary location, compressed, and potentially encrypted for exfiltration.</li>
<li>Exfiltration: The attacker uses the C2 channel to transfer the staged data to an external location in an unusual geographic region.</li>
<li>Evasion: The attacker may attempt to obfuscate the data transfer by using techniques such as tunneling or encryption to avoid detection.</li>
<li>Cleanup: The attacker may attempt to remove traces of their activity, such as deleting logs or files, to hinder investigation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful data exfiltration attack can result in the loss of sensitive information, including intellectual property, customer data, and financial records. The risk score for this rule is 21, which indicates a moderate level of risk. Detection of this activity allows security teams to quickly respond and mitigate the potential damage. Early detection helps prevent large-scale data breaches and minimizes the impact on the organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure that the Data Exfiltration Detection integration assets are installed and properly configured, including Elastic Defend and Network Packet Capture (see Setup instructions in content).</li>
<li>Review the geo-location details flagged by the alert to determine if the region is indeed unusual for the organization&rsquo;s typical network traffic patterns (see Triage and Analysis in content).</li>
<li>Analyze the network traffic logs associated with the alert to identify the volume and type of data being transferred to the unusual region (see Triage and Analysis in content).</li>
<li>Implement geo-blocking measures to restrict data transfers to the identified unusual region, ensuring that only approved regions can communicate with the network (see Response and Remediation in content).</li>
<li>Deploy the Sigma rule below to detect processes initiating network connections to unusual regions based on the <code>DestinationGeoRegion</code> field.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>data-exfiltration</category><category>machine-learning</category><category>network-traffic</category></item><item><title>Detecting RPC Traffic to the Internet</title><link>https://feed.craftedsignal.io/briefs/2024-01-rpc-internet-access/</link><pubDate>Wed, 03 Jan 2024 14:27:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rpc-internet-access/</guid><description>This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from internal networks and reaching the public internet, which is indicative of potential initial access or backdoor activity.</description><content:encoded><![CDATA[<p>The Remote Procedure Call (RPC) protocol, while essential for legitimate system administration tasks such as remote maintenance and resource sharing within internal networks, poses a significant security risk when exposed to the internet. Threat actors frequently target and exploit RPC services as an initial access vector or to establish backdoors within compromised systems. This exposure allows attackers to remotely execute commands, move laterally within the network, and potentially exfiltrate sensitive data. This brief provides detection strategies to identify such anomalous RPC traffic, enabling security teams to proactively mitigate potential threats. The detection focuses on identifying TCP traffic to port 135 from internal IP ranges to external IP addresses.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises a host within the internal network, potentially through phishing or exploiting a vulnerability.</li>
<li>The compromised host initiates an RPC connection to an external IP address on TCP port 135.</li>
<li>The attacker uses the RPC connection to enumerate network resources and identify potential targets for lateral movement.</li>
<li>Using the RPC connection, the attacker attempts to authenticate to other systems within the network.</li>
<li>Upon successful authentication, the attacker remotely executes commands on the target system via RPC.</li>
<li>The attacker installs malware or a backdoor on the target system for persistence.</li>
<li>The attacker leverages the established foothold to further propagate within the network, compromising additional systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of RPC services exposed to the internet can lead to a complete compromise of the internal network. Attackers can gain initial access, move laterally, exfiltrate sensitive data, deploy ransomware, or disrupt critical business operations. A single exposed RPC service can serve as a gateway for widespread damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the provided Sigma rule to detect RPC traffic from internal IP ranges to external destinations on TCP port 135, focusing on network traffic logs.</li>
<li>Investigate any alerts generated by the Sigma rule, prioritizing systems exhibiting suspicious RPC activity (Sigma rule, logsource: network_connection).</li>
<li>Ensure that RPC services are not directly exposed to the internet. Implement firewall rules to restrict access to authorized internal IP ranges only.</li>
<li>Continuously monitor network traffic for anomalous RPC activity and correlate with other security events (logsource: network_connection).</li>
<li>Review and update firewall configurations to block unauthorized outbound connections on port 135 (logsource: firewall).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>network-traffic</category><category>initial-access</category><category>lateral-movement</category><category>rpc</category></item><item><title>Suspicious SMTP Activity on Port 26/TCP</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-smtp-port-26/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-smtp-port-26/</guid><description>This rule detects SMTP traffic on TCP port 26, an alternative to the standard port 25 that the BadPatch malware family has used for command and control of Windows systems.</description><content:encoded><![CDATA[<p>This detection rule identifies suspicious SMTP activity occurring over TCP port 26. While standard SMTP traffic typically uses port 25, port 26 is sometimes used as an alternative to avoid conflicts or restrictions. The BadPatch malware family has been known to leverage port 26 for command and control (C2) communications with compromised Windows systems. This activity is considered suspicious because legitimate uses of SMTP on port 26 are less common and can indicate malicious activity, such as covert C2 channels used by malware like BadPatch. The rule analyzes network traffic to detect SMTP communication occurring on this non-standard port, helping to identify potential infections or unauthorized network activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial infection occurs via an unspecified method (e.g., phishing, exploit).</li>
<li>Malware establishes a foothold on the compromised system.</li>
<li>Malware configures itself to use SMTP on port 26 for C2 communications.</li>
<li>The infected host initiates a TCP connection to a remote server on port 26.</li>
<li>Commands are sent to the infected host over the SMTP connection on port 26.</li>
<li>The infected host executes the received commands.</li>
<li>The malware may exfiltrate data to the remote server over the SMTP connection on port 26.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised systems may be remotely controlled by attackers, leading to data theft, malware propagation, or further malicious activities. The use of non-standard ports like 26 can help attackers evade detection. If successful, an attacker can maintain persistence and control over the compromised system.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect SMTP Traffic on TCP Port 26</code> to your SIEM and tune for your environment to detect potential command and control activity.</li>
<li>Investigate any network connections on TCP port 26 to identify potentially malicious SMTP traffic.</li>
<li>Review network traffic logs focusing on <code>network_traffic.flow</code> or <code>zeek.smtp</code> events to detect unusual patterns associated with TCP port 26.</li>
<li>Implement firewall rules to block unauthorized SMTP traffic on port 26.</li>
<li>Examine source and destination IP addresses of traffic on port 26, and correlate with threat intelligence sources to identify known malicious actors as per the references.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">threat</category><category>command-and-control</category><category>exfiltration</category><category>network-traffic</category></item><item><title>Large ICMP Traffic Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-large-icmp-traffic/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-large-icmp-traffic/</guid><description>This analytic identifies excessive ICMP traffic to external IP addresses exceeding 1,000 bytes, potentially indicating command and control activity, data exfiltration, or covert communication channels.</description><content:encoded><![CDATA[<p>This detection focuses on identifying anomalous ICMP (Internet Control Message Protocol) traffic indicative of malicious activity. ICMP is typically used for network diagnostics but can be abused for covert communication, data exfiltration, or command-and-control (C2) by threat actors. This analytic identifies ICMP traffic exceeding 1,000 bytes directed toward external IP addresses, filtering out internal networks. The detection logic leverages the Network_Traffic data model. Validated malicious instances may signal ICMP tunneling, unauthorized data transfer, or compromised endpoints. The data sources for this analytic include Palo Alto Network Traffic and Cisco Secure Access Firewall logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises a host within the network.</li>
<li>The compromised host initiates ICMP traffic to an external IP address.</li>
<li>The ICMP traffic exceeds 1,000 bytes, evading default network monitoring thresholds.</li>
<li>The attacker uses ICMP to tunnel data, bypassing normal data transfer protocols.</li>
<li>The compromised host uses ICMP for command and control, receiving instructions from the external attacker.</li>
<li>The attacker establishes a covert communication channel using ICMP, masking their activity within normal network traffic.</li>
<li>Sensitive data is exfiltrated via ICMP packets to the attacker-controlled external server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation through large ICMP traffic can lead to data breaches, unauthorized access to internal resources, and the establishment of persistent command and control within the network. ICMP tunneling can bypass traditional security measures, allowing attackers to operate undetected. The impact of successful exploitation includes the potential compromise of sensitive data, disruption of network services, and financial loss.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Large ICMP Traffic</code> to your SIEM and tune the byte threshold (currently 1,000 bytes) based on your network baseline to minimize false positives.</li>
<li>Investigate any alerts generated by the <code>Detect Large ICMP Traffic</code> rule, focusing on the source and destination IPs involved.</li>
<li>Examine network traffic logs for patterns indicative of ICMP tunneling or covert communication channels, using the provided data sources.</li>
<li>Use the provided search <code>View the detection results</code> to review related events and potential lateral movement.</li>
<li>Use the provided search <code>View risk events</code> to review risk factors for the involved assets.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>network-traffic</category><category>command-and-control</category><category>data-exfiltration</category></item></channel></rss>