- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search for regimented connections
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search for regimented connections
Hey Guys,
So i'm looking at multiple methods for detecting command and control connections, obviously 1 method alone will not give the entire picture and could raise multiple false positives.
So I have a few different ideas in mind but what I also need is a search that would show / alert say a connection from the user Administrator to whatever IP when a connection is made every 5 seconds for example.
In my lab I have a Cobalt Strike running and a Becon on the victim system checking in every 5 seconds, yes I know this can be changed and also randomised but like I say this along with multiple other detection methods this could help build a clear picture.
Any help would be fantastic
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you please elaborate on the goals?
what is it exactly that you want to see /capture? how you envision the results? can you share sample data from Cobalt Strike that you are using?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure,
So as in the example above if the Administrator account was making a connection out the proxy every 5 seconds then I want to see results for that ( I would also build an alert of the search )
I guess the results would show 1000s of lines looking exactly the same with a time stamp each one being 5 seconds apart and the event being somthing like - GET http://somesite.com/ blah blah SomeDomain\Administrator blah blah xxx.xxx.xxx.xxx (Unknown Attackers IP)
You wouldn't normally expect to see a connection to the internet from your Administrator account so this would be strange behavior, my goal would be that if this was to happen and the connection was up and down constantly with the same values of every 5 seconds or 10 or whatever we would want to be notified, we would want to know the system that its originating from and we could then go off and complete investigation / remediation be it terminating the connection or whatever was warranted.
I guess for context maybe one of the other searches and or investigations we would do is check if the originating IP is a users workstation or back end system etc etc just to build up a picture of whats going on.
Again if the system was a sales rep, you would expect the admin account to be pinging out
There's nothing I can really share with you from Cobalt Strike as that's just the tool that would send the attacks from an off site location.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
