Malicious Processes Creating Network Traffic

Hunting Strategies and Techniques of Malicious Processes Creating Network Traffic

Project Name: Hunting Strategies and Techniques of Malicious Processes Creating Network Traffic

Hunting malicious processes generating network traffic using Wireshark involves tracking abnormal traffic patterns initiated by suspicious processes like PowerShell or cmd.exe. By applying specific filters, such as for non-standard ports or unusual DNS queries, Wireshark helps identify command-and-control (C2) traffic, data exfiltration, and other malicious network activities. This process involves correlating process creation events with the generated traffic to detect potential threats.

Author: Rohit D Sadgune

FAQ:

  1. How to use Wireshark for threat hunting?
  2. How to hunt for malicious processes creating network traffic?
  3. Which Wireshark filters tie a process to its network traffic?
  4. What are the common Wireshark filters for detecting suspicious network traffic?
  5. What are the most common protocols used by malicious processes?
  6. How do I correlate process creation with network traffic in Wireshark?

Malicious Processes Creating Network Traffic

A malicious process creating network traffic is a compromised or unauthorized process on a system, typically started by malware, that initiates communication over the network with external servers. This traffic may be used to establish command-and-control (C2) connections, allowing attackers to control the infected machine remotely, to exfiltrate sensitive information to the attacker's server, or to download additional malware payloads. Common attacker tools and malicious scripts generate outbound traffic that is often disguised as legitimate communication, and attackers frequently use encrypted traffic (SSL/TLS) or non-standard ports to evade detection. Because these processes can blend into normal traffic, detection is challenging; effective strategies correlate process creation events (e.g., Windows Event ID 4688) with network traffic logs using tools such as Wireshark or EDR solutions.

Common scenarios of malicious processes generating network traffic

  1. Command-and-Control (C2) Communication
  2. Data Exfiltration
  3. Remote Access and Control
  4. Download of Additional Payloads
  5. Lateral Movement via SMB
  6. Reverse Shells
  7. Malicious Proxy Traffic
  8. Credential Theft via FTP

Wireshark Filter to Hunt Malicious Processes Creating Network Traffic

Each entry gives the Wireshark filter, its purpose, and its detection focus.

  1. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 135 && tcp.flags == 0x12 && dcerpc && rpc && process.name == "svchost.exe"
     Purpose: Detect process creation and remote RPC calls related to lateral movement
     Detection Focus: Capture RPC traffic used by the svchost.exe process during remote execution or process creation

  2. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && smb && process.name == "lsass.exe" && smb2.write == 1 && tcp.port == 445
     Purpose: Monitor SMB traffic initiated by suspicious process creation such as lsass.exe
     Detection Focus: Track file write operations over SMB from potentially malicious processes like lsass.exe

  3. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 5985 && process.name == "powershell.exe" && winrm && tcp.flags == 0x18
     Purpose: Capture WinRM traffic initiated by PowerShell process creation
     Detection Focus: Detect remote PowerShell execution over the WinRM protocol via TCP port 5985 for remote command execution

  4. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 139 && smb && process.name == "explorer.exe" && tcp.flags == 0x18
     Purpose: Monitor SMB traffic initiated by explorer.exe process creation
     Detection Focus: Track network file operations or data movement initiated by Windows Explorer via SMB

  5. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 22 && ssh && process.name == "sshd" && tcp.seq == 1 && tcp.ack == 1
     Purpose: Capture SSH traffic generated from remote SSH sessions leading to process creation
     Detection Focus: Detect remote SSH sessions that initiate new processes on the destination machine

  6. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && udp.port == 53 && dns && process.name == "chrome.exe" && dns.qry.name contains "sync"
     Purpose: Monitor DNS traffic related to browser process creation
     Detection Focus: Identify suspicious DNS queries generated from web browsers like Chrome after process creation

  7. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 8443 && tls && process.name == "notepad.exe" && tls.record.content_type == 22
     Purpose: Capture encrypted traffic initiated by processes like notepad.exe
     Detection Focus: Monitor encrypted outbound traffic (TLS) initiated by non-standard processes like notepad.exe

  8. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && udp.port == 53 && dns.qry.name contains "control" && dns.flags.response == 0 && process.name == "powershell.exe"
     Purpose: Detect DNS tunneling associated with PowerShell process creation
     Detection Focus: Track DNS queries initiated by PowerShell processes involved in DNS-based C2 communication

  9. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 443 && tls && process.name == "svchost.exe" && tls.handshake.extensions_server_name matches ".*cdn.*"
     Purpose: Monitor encrypted C2 traffic from svchost.exe process creation
     Detection Focus: Identify encrypted TLS-based communication initiated by svchost.exe with CDN domains potentially used for C2

  10. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 5985 && process.name == "cmd.exe" && winrm && tcp.flags == 0x18 && tcp.seq == 1
      Purpose: Detect remote command execution over WinRM initiated by cmd.exe
      Detection Focus: Capture WinRM remote command execution via cmd.exe using TCP port 5985

  11. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 22 && ssh && process.name == "python" && tcp.seq > 10000 && length > 1000 && ssh.payload > 500
      Purpose: Monitor SSH traffic initiated by Python-based process creation
      Detection Focus: Detect Python-based script execution over SSH sessions involving potentially malicious activity

  12. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && smb && process.name == "powershell.exe" && smb2.write == 1 && tcp.port == 445 && length > 500
      Purpose: Capture SMB write operations initiated by a PowerShell process
      Detection Focus: Track SMB data transfers initiated by PowerShell processes writing data to remote file shares

  13. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 80 && http.request.method == "POST" && process.name == "cmd.exe" && http.content_length > 500
      Purpose: Detect HTTP POST traffic initiated by a cmd.exe process
      Detection Focus: Monitor HTTP POST requests potentially used by cmd.exe for exfiltration or beaconing activity

  14. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && dns && process.name == "explorer.exe" && dns.qry.name contains "check-in" && udp.port == 53 && length < 300
      Purpose: Monitor DNS queries from explorer.exe for C2 beaconing
      Detection Focus: Identify small DNS queries from the explorer.exe process containing beaconing-related terms like "check-in"

  15. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 135 && process.name == "svchost.exe" && rpc && dcerpc && process.cmdline contains "svchost -k DcomLaunch"
      Purpose: Capture RPC traffic related to the svchost.exe DCOM service
      Detection Focus: Monitor DCOM and RPC communication from svchost.exe involved in remote execution or lateral movement

  16. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 139 && smb && process.name == "taskhostw.exe" && tcp.flags == 0x18 && smb2.write == 1 && length > 1000
      Purpose: Monitor SMB file write traffic initiated by the taskhostw.exe process
      Detection Focus: Track SMB data transfers initiated by taskhostw.exe, potentially related to lateral movement or data exfiltration

  17. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && udp.port == 53 && dns.qry.name contains "beacon" && process.name == "lsass.exe" && dns.flags.response == 0 && length > 400
      Purpose: Capture DNS queries initiated by lsass.exe indicating C2 activity
      Detection Focus: Track DNS queries initiated by lsass.exe, which may be used for C2 beaconing traffic

  18. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 443 && tls && process.name == "chrome.exe" && tls.handshake.extensions_server_name matches ".*control.*"
      Purpose: Monitor Chrome-based TLS traffic related to C2 communications
      Detection Focus: Identify encrypted outbound traffic initiated by Chrome processes involving potential C2 communication

  19. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 8443 && tls && process.name == "python.exe" && tls.record.content_type == 22 && length > 1000
      Purpose: Capture encrypted C2 traffic over non-standard ports initiated by Python-based processes
      Detection Focus: Monitor TLS-based communication over port 8443 involving Python-based scripts used for C2 traffic

  20. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 443 && tls.handshake.type == 1 && ssl.record.content_type == 22 && process.name == "winword.exe" && tls.handshake.ciphersuite == 0x0035
      Purpose: Monitor encrypted traffic related to Word document execution
      Detection Focus: Identify TLS-based C2 traffic initiated by Word documents that may execute remote commands

  21. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && udp.port == 53 && dns.qry.name contains "session" && dns.flags.response == 0 && process.name == "powershell.exe" && dns.qry.type == TXT
      Purpose: Capture DNS queries related to session data exfiltration from PowerShell
      Detection Focus: Track DNS queries initiated by a PowerShell process involving session token exfiltration or C2 communication

  22. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 8443 && tls.handshake.extensions_server_name matches ".*cloud.*" && process.name == "svchost.exe" && tls.record.content_type == 22
      Purpose: Detect C2 traffic using non-standard HTTPS ports and svchost.exe
      Detection Focus: Identify encrypted communication initiated by svchost.exe using cloud services over non-standard ports

  23. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 22 && ssh && process.name == "bash" && tcp.seq == 1 && tcp.ack == 1 && ssh.payload > 500 && length > 1000
      Purpose: Capture SSH traffic initiated by Bash scripts related to lateral movement
      Detection Focus: Monitor SSH traffic related to Bash script execution that may be involved in lateral movement or data exfiltration

  24. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 139 && smb && process.name == "wmiprvse.exe" && smb2.write == 1 && length > 500 && tcp.flags == 0x18
      Purpose: Monitor SMB traffic initiated by the WMI provider host service
      Detection Focus: Capture WMI-related lateral movement involving file transfers over SMB initiated by wmiprvse.exe

  25. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 135 && rpc && process.name == "explorer.exe" && dcerpc && tcp.flags == 0x18 && tcp.seq == 1
      Purpose: Capture RPC traffic related to explorer.exe and remote execution
      Detection Focus: Identify RPC-based communication involving explorer.exe during remote procedure calls

  26. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && udp.port == 53 && dns.qry.name contains "update" && dns.flags.response == 0 && process.name == "chrome.exe" && dns.qry.type == A && length > 300
      Purpose: Monitor DNS queries initiated by Chrome processes related to updates
      Detection Focus: Track DNS queries related to software update checks initiated by Chrome processes for C2 or malicious activity

  27. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 445 && smb && process.name == "cmd.exe" && smb2.write == 1 && length > 1000 && tcp.flags == 0x18
      Purpose: Capture SMB traffic related to cmd.exe used for file transfers
      Detection Focus: Monitor file transfers initiated by cmd.exe using SMB that may be related to lateral movement or exfiltration

  28. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 443 && tls && process.name == "python.exe" && tls.record.content_type == 22 && length > 2000 && tls.handshake.extensions_server_name matches ".*cdn.*"
      Purpose: Detect encrypted traffic initiated by Python scripts involving C2 communications
      Detection Focus: Monitor large encrypted TLS traffic initiated by Python-based scripts communicating with CDN-based services

  29. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 8443 && tls && process.name == "powershell.exe" && tls.handshake.ciphersuite == 0x0035 && ssl.record.version == 0x0301
      Purpose: Capture encrypted C2 traffic initiated by PowerShell over non-standard ports
      Detection Focus: Monitor PowerShell-related encrypted communication using non-standard ports like 8443

  30. Filter: ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 5985 && process.name == "explorer.exe" && winrm && tcp.seq == 1 && tcp.ack == 1 && length > 1000 && winrm.payload > 500
      Purpose: Capture remote command execution over WinRM initiated by explorer.exe
      Detection Focus: Identify remote execution over WinRM involving explorer.exe for lateral movement or remote process creation

Description
1. RPC, SMB, and WMI Traffic (Filters 1, 2, 15, 24): These filters focus on capturing SMB, RPC, and WMI traffic initiated by processes like svchost.exe or explorer.exe, which attackers often use for lateral movement or remote process creation.

2. PowerShell and Command Execution (Filters 3, 8, 21, 29): Focus on detecting remote command execution initiated by PowerShell, cmd.exe, and other critical processes.

3. TLS/SSH Encryption (Filters 7, 9, 12, 19): These filters monitor TLS/SSL and SSH-based traffic used for C2 communication and exfiltration by processes like python.exe or bash.

These filters support threat hunting for suspicious processes creating network traffic, giving visibility into potential threats involving remote execution, file transfers, and C2 communication within a network.
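The process clauses in the table (process.name, process.cmdline) are not fields Wireshark can evaluate on its own: a capture carries no process identity, so the attribution has to come from host telemetry and be joined to the flows by 4-tuple and time. The script below is an added example, not code from the original post; it joins constructed tshark-style flow records with constructed Sysmon Event ID 3 (network connection) records and then applies process-aware rules modelled on filters 3, 7, 10, 13, 19 and 29. The record layouts, timestamps, IPs and port/process sets are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed tshark-style flow records, one per connection attempt, in the shape
# "tshark -T fields -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport"
# emits (all values are made up for this example).
FLOWS = [
    ("2024-05-01 10:00:01", "10.0.0.5", 49712, "203.0.113.10", 8443),
    ("2024-05-01 10:00:03", "10.0.0.5", 49713, "203.0.113.20", 443),
    ("2024-05-01 10:00:07", "10.0.0.7", 51000, "10.0.0.9", 5985),
    ("2024-05-01 10:00:09", "10.0.0.5", 49714, "198.51.100.4", 80),
]
# Constructed Sysmon Event ID 3 (network connection) records: the host-side
# source of process attribution that Wireshark display filters cannot supply.
SYSMON = [
    ("2024-05-01 10:00:01", "notepad.exe", "10.0.0.5", 49712, "203.0.113.10", 8443),
    ("2024-05-01 10:00:03", "chrome.exe", "10.0.0.5", 49713, "203.0.113.20", 443),
    ("2024-05-01 10:00:07", "powershell.exe", "10.0.0.7", 51000, "10.0.0.9", 5985),
]
# Process-aware rules modelled on table filters 3, 7, 10, 13, 19 and 29:
# destination port -> processes that should not normally own that traffic.
RULES = {
    8443: {"notepad.exe", "python.exe", "powershell.exe", "svchost.exe"},
    5985: {"powershell.exe", "cmd.exe", "explorer.exe"},
    80: {"cmd.exe"},
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def attribute(flows, sysmon, window=timedelta(seconds=2)):
    """Join each flow to the Sysmon record with the same 4-tuple within `window`."""
    out = []
    for t, src, sport, dst, dport in flows:
        proc = None
        for et, name, esrc, esport, edst, edport in sysmon:
            if (esrc, esport, edst, edport) == (src, sport, dst, dport) and \
                    abs(_ts(et) - _ts(t)) <= window:
                proc = name
                break
        out.append((t, proc, src, sport, dst, dport))
    return out

def hunt(flows, sysmon):
    """Flag attributed flows that break a RULE, plus flows no host process claims."""
    hits = []
    for _t, proc, _src, _sport, dst, dport in attribute(flows, sysmon):
        if proc is None:
            hits.append(("UNATTRIBUTED", dst, dport))
        elif proc in RULES.get(dport, set()):
            hits.append((proc, dst, dport))
    return hits
```

Event ID 4688 records the process creation itself but not the socket; Sysmon Event ID 3 carries the source/destination addresses and ports, which is what makes the 4-tuple join possible, and flows with no owning event are worth reviewing on their own.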
