Project Name: Hunting Strategies and Techniques of Malicious Processes Creating Network Traffic
Hunting malicious processes that generate network traffic with Wireshark means spotting abnormal traffic patterns (non-standard ports, unusual DNS queries, TLS sessions to unexpected names) and then tying each suspicious flow back to the process that created it. Wireshark sees packets, not processes, so that last step is a correlation: the source IP, source port, destination and timestamp of a flow in the capture are matched against endpoint process and network-connection events (for example Windows Event ID 4688 and Sysmon Event ID 3) to decide whether the flow belongs to a legitimate application or to something like PowerShell, cmd.exe or an injected system process. Combined, the two views expose command-and-control (C2) traffic, data exfiltration and lateral movement.
Author: Rohit D Sadgune
FAQ:
- How to use Wireshark for threat hunting?
- How to hunt for malicious processes creating network traffic?
- Is there a Wireshark filter that maps a process to its network traffic?
- What are the common Wireshark filters for detecting suspicious network traffic?
- What are the most common protocols used by malicious processes?
- How do I correlate process creation with network traffic in Wireshark?
Malicious Processes Creating Network Traffic
A malicious process creating network traffic is a process, typically started by malware or running on a compromised system, that communicates over the network without authorization: establishing command-and-control (C2) connections that let an attacker operate the machine remotely, exfiltrating sensitive data to an attacker-controlled server, or downloading additional payloads. Living-off-the-land binaries, scripts and injected code all generate outbound traffic disguised as legitimate communication, and attackers routinely use encrypted channels (SSL/TLS) or non-standard ports to evade detection, so these processes blend into normal traffic and are hard to identify from the wire alone. Effective detection therefore correlates process creation events (Windows Event ID 4688, or Sysmon Event ID 1) and network-connection events (Sysmon Event ID 3, Windows Filtering Platform Event ID 5156) with the traffic captured by Wireshark or reported by an EDR, joining the two on source port, destination and time.
Common scenarios of malicious process generating network traffic
- Command-and-Control (C2) Communication
- Data Exfiltration
- Remote Access and Control
- Download of Additional Payloads
- Lateral Movement via SMB
- Reverse Shells
- Malicious Proxy Traffic
- Credential Theft via FTP
Wireshark Filter to Hunt Malicious Processes Creating Network Traffic
Note on the filters: Wireshark's display-filter language has no process.name or process.cmdline field, because a packet capture carries no process identity. The filters below select the traffic on the wire; the process named in the Detection Focus column is the image you expect (or do not expect) to own that connection, which you confirm from endpoint telemetry such as Sysmon Event ID 3 (NetworkConnect), Windows Filtering Platform Event ID 5156, or netstat -anob, joined to the packets on source IP, source port, destination IP, destination port and time. On Windows, UDP/53 is normally sent by the Dnscache service (svchost.exe) on behalf of every other process, so attribute DNS lookups with Sysmon Event ID 22 (DnsQuery) rather than Event ID 3. Field names follow Wireshark 3.x: tls.* (ssl.* is the pre-3.0 name), smb2.cmd == 9 for SMB2 Write, frame.len for frame size (length is not a field), dcerpc for Windows RPC (the rpc filter matches ONC/Sun RPC only), and there is no winrm dissector: WinRM is SOAP over HTTP on TCP 5985/5986, so match it with http fields. Use straight quotes in string comparisons; the curly quotes produced by copy-paste are a syntax error. Lateral-movement filters use <target_IP> for the peer host, which is usually another internal address; outbound C2 and exfiltration filters use <external_IP>.
# | Wireshark Filter | Purpose | Detection Focus |
1 | ip.src == <internal_IP> && ip.dst == <target_IP> && tcp.port == 135 && dcerpc | Detect DCE/RPC calls (endpoint mapper, DCOM activation, service control) used for remote execution or process creation | Attribute the source port to its process with Sysmon Event ID 3; svchost.exe owns legitimate RPC service traffic, so a script host or admin tool originating RPC to a peer workstation is the anomaly. |
2 | ip.src == <internal_IP> && ip.dst == <target_IP> && tcp.port == 445 && smb2.cmd == 9 | Monitor SMB2 Write requests to a remote share | lsass.exe has no reason to write to a share; a write attributed to it points at a credential-dumping tool injected into, or masquerading as, lsass.exe. Check Sysmon Event ID 3 and Event ID 10 (ProcessAccess) on the source host. |
3 | ip.src == <internal_IP> && ip.dst == <target_IP> && tcp.port == 5985 && http.request.uri contains "/wsman" | Capture WinRM (WS-Management SOAP over HTTP) requests | Remote PowerShell over WinRM; the client-side process is powershell.exe. Use tcp.port == 5986 && tls for the HTTPS listener, where only SNI and sizes are visible. |
4 | ip.src == <internal_IP> && ip.dst == <target_IP> && (tcp.port == 139 || tcp.port == 445) && (smb || smb2) && tcp.flags.push == 1 | Monitor SMB file operations attributed to explorer.exe | Windows Explorer browsing shares is normal; hunt for destinations it has never touched, off-hours volume, and smb2.filename values that are tools or archives. |
5 | ip.src == <remote_IP> && ip.dst == <internal_IP> && tcp.port == 22 && tcp.flags.syn == 1 && tcp.flags.ack == 0 | Capture the start of inbound SSH sessions | Match each session start with sshd child processes on the destination (Event ID 4688 for Windows OpenSSH, auditd execve or Sysmon for Linux). tcp.seq == 1 && tcp.ack == 1 only selects the first data segment under relative sequence numbering and adds nothing. |
6 | ip.src == <internal_IP> && udp.port == 53 && dns.flags.response == 0 && dns.qry.name contains "sync" | Monitor DNS queries associated with a browser process | Baseline what chrome.exe resolves (Sysmon Event ID 22); the same query issued by a non-browser process, or for a name outside the vendor's domains, is the finding. |
7 | ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 8443 && tls.handshake.type == 1 | Capture TLS Client Hello messages on a non-standard HTTPS port | A process with no network role, such as notepad.exe, owning a TLS connection is a strong indicator of process injection or hollowing. tls.handshake.type == 1 (Client Hello) is more specific than tls.record.content_type == 22, which matches every handshake record. |
8 | ip.src == <internal_IP> && udp.port == 53 && dns.flags.response == 0 && dns.qry.name.len > 50 | Detect DNS tunnelling by query-name length | Long, high-entropy labels at a steady rate under one parent domain; attribute with Sysmon Event ID 22 (Image = powershell.exe). Add dns.qry.type == 16 for TXT-based channels. |
9 | ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 443 && tls.handshake.type == 1 && tls.handshake.extensions_server_name matches "cdn" | Monitor TLS sessions to CDN-fronted names | svchost.exe legitimately contacts Microsoft update CDNs; flag SNI values that belong to no known vendor, and SNI that does not match the certificate or destination (domain fronting). |
10 | ip.src == <internal_IP> && ip.dst == <target_IP> && tcp.port == 5985 && http.request.method == "POST" && http.request.uri contains "/wsman" | Detect WinRM command execution started from the command line | cmd.exe does not speak WinRM itself; the owning process is winrs.exe (spawned from cmd.exe) or powershell.exe. Follow the HTTP stream: the SOAP body carries the command unless message-level encryption is in use. |
11 | ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 22 && ssh && tcp.len > 1000 | Monitor bulk data inside outbound SSH sessions | Attribute to python.exe (or to python on Linux via ss -tnp): scripted SSH/SFTP from a workstation is uncommon and a frequent exfiltration path. ssh.payload is not a Wireshark field; tcp.len is the TCP payload size. |
12 | ip.src == <internal_IP> && ip.dst == <target_IP> && tcp.port == 445 && smb2.cmd == 9 && tcp.len > 500 | Capture SMB2 writes attributed to PowerShell | PowerShell writing to remote shares is tool staging or collection; pair the flow with the Event ID 4688 command line of the powershell.exe process. |
13 | ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 80 && http.request.method == "POST" && http.content_length > 500 | Detect HTTP POST bodies used for exfiltration or beaconing | cmd.exe has no HTTP client; the connection will be owned by a child such as curl.exe, certutil.exe or powershell.exe, so check the parent in Event ID 4688. Compare http.user_agent and http.host with the host's normal browsers. |
14 | ip.src == <internal_IP> && udp.port == 53 && dns.flags.response == 0 && dns.qry.name contains "check-in" && frame.len < 300 | Monitor small, regular DNS queries for beaconing | explorer.exe has no need for such names; confirm with Sysmon Event ID 22 and check periodicity in Statistics > I/O Graphs. |
15 | ip.src == <internal_IP> && ip.dst == <target_IP> && tcp.port == 135 && dcerpc.pkt_type == 11 | Capture DCE/RPC Bind requests, including DCOM activation | The bound interface UUID in the packet details identifies the service; the process command line ("svchost -k DcomLaunch") is an Event ID 4688 field, not a packet field, so join on that event. |
16 | ip.src == <internal_IP> && ip.dst == <target_IP> && (tcp.port == 139 || tcp.port == 445) && smb2.cmd == 9 && tcp.len > 1000 | Monitor large SMB2 writes attributed to taskhostw.exe | taskhostw.exe hosts scheduled-task DLLs and rarely writes to shares; large writes point at a malicious task used for lateral movement or staging. |
17 | ip.src == <internal_IP> && udp.port == 53 && dns.flags.response == 0 && dns.qry.name contains "beacon" | Capture DNS queries indicating C2 beaconing | lsass.exe legitimately resolves domain controller names (_ldap._tcp SRV records); any other query attributed to it in Sysmon Event ID 22, especially for an external name, indicates code running inside lsass.exe. |
18 | ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 443 && tls.handshake.type == 1 && tls.handshake.extensions_server_name matches "control" | Monitor Chrome TLS sessions to suspicious names | Browser traffic is noisy; use SNI plus destination reputation, and compare the flow's JA3 (tls.handshake.ja3) with the browser's usual fingerprint, since injected code in chrome.exe usually uses a different TLS stack. |
19 | ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 8443 && tls.record.content_type == 23 && tcp.len > 1000 | Capture bulk TLS application data over a non-standard port | python.exe opening TLS to 8443 is typical of scripted C2 or exfiltration; content type 23 is application data, so this selects payload rather than handshake records. |
20 | ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 443 && tls.handshake.type == 2 && tls.handshake.ciphersuite == 0x0035 | Monitor TLS sessions negotiated by winword.exe | Word contacts Office and Microsoft endpoints only; a session to anything else after a document opens is macro or exploit activity. The Server Hello (type 2) carries the negotiated suite (0x0035 = TLS_RSA_WITH_AES_256_CBC_SHA, a legacy choice modern services avoid); the Client Hello lists every offered suite. |
21 | ip.src == <internal_IP> && udp.port == 53 && dns.flags.response == 0 && dns.qry.type == 16 && dns.qry.name contains "session" | Capture TXT queries used for DNS exfiltration or C2 | dns.qry.type takes the numeric RR type (16 = TXT, not the symbol TXT); attribute to powershell.exe with Sysmon Event ID 22. |
22 | ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 8443 && tls.handshake.type == 1 && tls.handshake.extensions_server_name matches "cloud" | Detect C2 over non-standard HTTPS ports to cloud-hosted names | svchost.exe reaching cloud storage on 8443 matches no Windows service behaviour; confirm the service group (-k) in Event ID 4688 and the owner of the destination. |
23 | ip.src == <internal_IP> && tcp.port == 22 && ssh && tcp.len > 1000 | Capture bulk SSH traffic from scripted sessions | On Linux the socket belongs to the ssh client with bash as its parent; map the source port with ss -tnp or auditd and review the parent chain for lateral movement or exfiltration. |
24 | ip.src == <internal_IP> && ip.dst == <target_IP> && tcp.port == 445 && smb2.cmd == 9 && tcp.len > 500 | Monitor SMB2 writes attributed to wmiprvse.exe | wmiprvse.exe executes WMI-launched commands on the target; writes from it to further shares indicate a WMI lateral-movement chain copying tools onward. |
25 | ip.src == <internal_IP> && ip.dst == <target_IP> && tcp.port == 135 && dcerpc && tcp.flags.push == 1 | Capture DCE/RPC calls attributed to explorer.exe | Explorer issues RPC to local services, not to peer hosts; remote RPC from explorer.exe suggests injected code. tcp.seq == 1 matches only the first data segment and should not be combined with dcerpc. |
26 | ip.src == <internal_IP> && udp.port == 53 && dns.flags.response == 0 && dns.qry.type == 1 && dns.qry.name contains "update" | Monitor A-record queries for update-like names | Attackers name C2 hosts to blend with update traffic; compare the full name against the vendor's real update domains (dns.qry.type == 1, not the symbol A). |
27 | ip.src == <internal_IP> && ip.dst == <target_IP> && tcp.port == 445 && smb2.cmd == 9 && tcp.len > 1000 | Capture SMB2 file copies attributed to cmd.exe | copy or xcopy from cmd.exe to admin shares (see smb2.tree and smb2.filename) is classic lateral-movement staging; review the Event ID 4688 command line. |
28 | ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 443 && tls.handshake.type == 1 && tls.handshake.extensions_server_name matches "cdn" | Detect Python-based TLS C2 hiding behind CDN names | After selecting the Client Hello, check conversation byte counts (Statistics > Conversations) for the large transfers; python.exe's TLS fingerprint (tls.handshake.ja3) differs from browsers and Windows components. |
29 | ip.src == <internal_IP> && ip.dst == <external_IP> && tcp.port == 8443 && tls.handshake.type == 2 && tls.handshake.ciphersuite == 0x0035 && tls.handshake.version == 0x0301 | Capture legacy-TLS C2 negotiated by PowerShell on a non-standard port | tls.handshake.version holds the negotiated version (0x0301 = TLS 1.0); tls.record.version is 0x0301 in many Client Hellos for compatibility and says little on its own. |
30 | ip.src == <internal_IP> && ip.dst == <target_IP> && tcp.port == 5985 && http.request.uri contains "/wsman" && http.content_length > 1000 | Capture WinRM requests with large bodies attributed to explorer.exe | explorer.exe has no WinRM role; a WS-Management client running inside it is injected code performing remote process creation. winrm.payload is not a field; http.content_length sizes the SOAP body. |
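The process-to-traffic join that every row of the table relies on, as an added worked example in Python (this is not code from the original page or from the author): it takes constructed tshark -T fields output for a few connection starts and constructed Sysmon Event ID 3 records from the same host, matches them on protocol, source IP, source port, destination IP and destination port within a time window, and then applies three of the table's process-aware rules: a process with no network role owning a connection, DNS sent by something other than the Dnscache svchost.exe, and a script host talking to an SMB/RPC/WinRM port. The process lists, the ten-second window and all sample records are assumptions made for the example.

```python
"""Join tshark field output with Sysmon Event ID 3 to put a process name on each flow.

A pcap carries no process identity, so the attribution step runs outside
Wireshark. Export one row per connection start with tshark, for example

  tshark -r capture.pcap \
    -Y "(tcp.flags.syn == 1 && tcp.flags.ack == 0) || dns.flags.response == 0" \
    -T fields -E separator=/t -e frame.time_epoch -e ip.src -e tcp.srcport \
    -e udp.srcport -e ip.dst -e tcp.dstport -e udp.dstport -e ip.proto

and match each row with the Sysmon Event ID 3 (NetworkConnect) record that
names the same 5-tuple. Example code, not from the original page.
"""
import ntpath
from datetime import datetime, timezone

# Assumed policy lists for the example; tune them to the host's baseline.
NO_NETWORK_ROLE = {"notepad.exe", "winword.exe", "lsass.exe", "taskhostw.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LATERAL_PORTS = {135, 139, 445, 5985, 5986}
EXPECTED_DNS_IMAGE = "svchost.exe"  # the Dnscache service sends DNS on Windows
IP_PROTO = {"6": "tcp", "17": "udp"}

# Constructed tshark output (tab-separated; empty tcp/udp columns as tshark emits them).
TSHARK_ROWS = (
    "1700000000.100\t10.0.0.5\t49812\t\t203.0.113.10\t443\t\t6\n"
    "1700000001.250\t10.0.0.5\t\t52011\t10.0.0.53\t\t53\t17\n"
    "1700000002.000\t10.0.0.5\t49820\t\t10.0.0.20\t445\t\t6\n"
    "1700000003.400\t10.0.0.5\t49831\t\t198.51.100.7\t443\t\t6\n"
    "1700000004.000\t10.0.0.5\t49840\t\t203.0.113.44\t443\t\t6\n"
)

# Constructed Sysmon Event ID 3 records, using Sysmon's own field names.
SYSMON_EID3 = [
    {"UtcTime": "2023-11-14 22:13:20.300", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ProcessId": 4120, "Protocol": "tcp", "SourceIp": "10.0.0.5", "SourcePort": 49812,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"UtcTime": "2023-11-14 22:13:21.400", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ProcessId": 5208, "Protocol": "udp", "SourceIp": "10.0.0.5", "SourcePort": 52011,
     "DestinationIp": "10.0.0.53", "DestinationPort": 53},
    {"UtcTime": "2023-11-14 22:13:22.100", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ProcessId": 5208, "Protocol": "tcp", "SourceIp": "10.0.0.5", "SourcePort": 49820,
     "DestinationIp": "10.0.0.20", "DestinationPort": 445},
    {"UtcTime": "2023-11-14 22:13:23.500", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ProcessId": 3312, "Protocol": "tcp", "SourceIp": "10.0.0.5", "SourcePort": 49831,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    # No record for source port 49840: that connection has no owner in telemetry.
]


def parse_tshark(text):
    """Turn tshark -T fields rows into normalized flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, tsp, usp, dst, tdp, udp_dp, proto = line.split("\t")
        flows.append({"time": float(t), "src": src, "sport": int(tsp or usp),
                      "dst": dst, "dport": int(tdp or udp_dp),
                      "proto": IP_PROTO.get(proto, proto)})
    return flows


def sysmon_epoch(utc_time):
    """Sysmon UtcTime ('YYYY-MM-DD HH:MM:SS.fff', UTC) -> Unix epoch seconds."""
    dt = datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def correlate(flows, events, window=10.0):
    """Attach the closest-in-time Event ID 3 with the same 5-tuple to each flow.

    Sysmon writes the event when it observes the connection, which can trail the
    SYN in the capture by seconds, hence a time window rather than equality.
    """
    by_tuple = {}
    for e in events:
        key = (e["Protocol"], e["SourceIp"], e["SourcePort"], e["DestinationIp"], e["DestinationPort"])
        by_tuple.setdefault(key, []).append(e)
    joined = []
    for f in flows:
        key = (f["proto"], f["src"], f["sport"], f["dst"], f["dport"])
        near = [e for e in by_tuple.get(key, []) if abs(sysmon_epoch(e["UtcTime"]) - f["time"]) <= window]
        best = min(near, key=lambda e: abs(sysmon_epoch(e["UtcTime"]) - f["time"])) if near else None
        joined.append((f, best))
    return joined


def hunt(joined):
    """Apply the process-aware rules from the filter table to the joined flows."""
    findings = []
    for f, e in joined:
        conn = f'{f["proto"]} {f["src"]}:{f["sport"]} -> {f["dst"]}:{f["dport"]}'
        if e is None:
            findings.append({"conn": conn, "image": None,
                             "reason": "no Sysmon Event ID 3 within window: telemetry gap or hidden process"})
            continue
        image = ntpath.basename(e["Image"]).lower()
        if image in NO_NETWORK_ROLE:
            reason = "process with no network role owns a connection (injection or hollowing)"
        elif f["proto"] == "udp" and f["dport"] == 53 and image != EXPECTED_DNS_IMAGE:
            reason = "DNS sent directly, bypassing the Dnscache service (check Sysmon Event ID 22 for the name)"
        elif f["dport"] in LATERAL_PORTS and image in SCRIPT_HOSTS:
            reason = "script host talking to an SMB/RPC/WinRM port (lateral movement or staging)"
        else:
            continue
        findings.append({"conn": conn, "image": image, "pid": e["ProcessId"], "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in hunt(correlate(parse_tshark(TSHARK_ROWS), SYSMON_EID3)):
        print(hit)
```

Run against the constructed data it reports four findings: notepad.exe owning a TLS connection, powershell.exe sending DNS directly, powershell.exe writing to SMB on 10.0.0.20, and a connection from port 49840 with no Sysmon record at all; the chrome.exe session to 443 joins cleanly and is not reported. The unmatched case matters in practice: a flow with no owning event is either a telemetry gap or a process hiding from the sensor, and both deserve a look.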
Description
1. RPC, SMB and WMI traffic (Filters 1, 2, 4, 12, 15, 16, 24, 25, 27): these filters select DCE/RPC and SMB2 traffic that, once attributed to a process such as svchost.exe, explorer.exe, wmiprvse.exe or a script host, exposes lateral movement, remote process creation and tool staging on file shares.
2. PowerShell, command execution and DNS-based C2 (Filters 3, 6, 8, 10, 13, 14, 17, 21, 26, 29, 30): these focus on remote command execution and DNS channels originating from powershell.exe, cmd.exe and their children, with WinRM matched as SOAP over HTTP on TCP 5985/5986 and DNS attributed through Sysmon Event ID 22.
3. TLS and SSH encryption (Filters 5, 7, 9, 11, 18, 19, 20, 22, 23, 28): these select encrypted C2 and exfiltration channels where only handshake metadata (SNI, cipher suite, JA3) and traffic volume are visible, attributed to processes such as python.exe, bash or a Windows binary that should never open a network connection.
Used this way, with the packet filter choosing the flows and endpoint telemetry naming the process behind each one, these filters give visibility into remote execution, file transfers and C2 communication inside the network.