Splunk Search

Search for regimented connections

AaronMoorcroft
Communicator

Hey Guys,

So i'm looking at multiple methods for detecting command and control connections, obviously 1 method alone will not give the entire picture and could raise multiple false positives.

So I have a few different ideas in mind but what I also need is a search that would show / alert say a connection from the user Administrator to whatever IP when a connection is made every 5 seconds for example.

In my lab I have a Cobalt Strike running and a Becon on the victim system checking in every 5 seconds, yes I know this can be changed and also randomised but like I say this along with multiple other detection methods this could help build a clear picture.

Any help would be fantastic

Thanks

Tags (1)
0 Karma

adonio
Ultra Champion

can you please elaborate on the goals?
what is it exactly that you want to see /capture? how you envision the results? can you share sample data from Cobalt Strike that you are using?

0 Karma

AaronMoorcroft
Communicator

Sure,

So as in the example above if the Administrator account was making a connection out the proxy every 5 seconds then I want to see results for that ( I would also build an alert of the search )

I guess the results would show 1000s of lines looking exactly the same with a time stamp each one being 5 seconds apart and the event being somthing like - GET http://somesite.com/ blah blah SomeDomain\Administrator blah blah xxx.xxx.xxx.xxx (Unknown Attackers IP)

You wouldn't normally expect to see a connection to the internet from your Administrator account so this would be strange behavior, my goal would be that if this was to happen and the connection was up and down constantly with the same values of every 5 seconds or 10 or whatever we would want to be notified, we would want to know the system that its originating from and we could then go off and complete investigation / remediation be it terminating the connection or whatever was warranted.

I guess for context maybe one of the other searches and or investigations we would do is check if the originating IP is a users workstation or back end system etc etc just to build up a picture of whats going on.

Again if the system was a sales rep, you would expect the admin account to be pinging out

There's nothing I can really share with you from Cobalt Strike as that's just the tool that would send the attacks from an off site location.

0 Karma