
Use Case - Detecting C2/Backdoor Activity

Purpose:

This use case demonstrates using McAfee Active Response to investigate suspicious activity on an endpoint that is potentially related to Command & Control (C2) behavior.


1. This e-mail provides an initial IoC, “IP-0A00778E”, which is the hostname. This initial breadcrumb is the starting point of the investigation.

Picture7.png

2. Navigate to Active Response’s Search Engine and use the initial IoC “IP-0A00778E”.


[Processes where Hostname hostname equals "IP-0A00778E"]


The “Processes” collector shows the processes that are currently active on the host “IP-0A00778E”. What stands out? Note the process “ncat.exe” and the cmdline “ncat.exe 10.0.119.143

Ncat is a common tool used to establish rudimentary backdoor connections between Host & Targets.

Picture8.jpg

3. Use the “CurrentFlow” collector, which is a real-time look at an endpoint’s NetFlow traffic, rather than the “NetworkFlow” collector, which is a historical look into an endpoint’s NetFlow.


[CurrentFlow where CurrentFlow process contains "ncat"]


"Ncat" is the next IoC that can be leveraged from the previous search that used the “Processes” collector. Note the process “ncat.exe” that is running on two endpoints: 10.0.119.143 on port 31337 and 10.0.119.142 on port 51790. This pair of results shows there is an active or “Established” connection between the two endpoints.

What else could be used as an IoC for further investigation?

Picture9.jpg

4. Next use the NetworkFlow collector to look at the historical netflow data between the two endpoints in question.

[NetworkFlow where NetworkFlow src_port equals 31337 or NetworkFlow src_port equals 51790]


Picture10.jpg

5. This is a screenshot of the endpoints in question. 10.0.119.143 is on the left, and currently set to “--listen”, which means it is waiting for commands to be sent from the C2 server. 10.0.119.142 is on the right, and has established the connection to 10.0.119.143 and is currently communicating.

Picture18.jpg

6. Using the “NetworkFlow” collector, investigate whether there were any prior connections between “10.0.119.142” and “10.0.119.143”.


[NetworkFlow where NetworkFlow dst_ip equals 10.0.119.142 and NetworkFlow src_ip equals 10.0.119.143]


Note in Red – This is the established connection between the two endpoints that are currently being investigated. “Connected” shows there is an active connection between them, and which ports are being used. Each time, the src port is “31337”, which leads to the next step of the investigation: determining whether any other endpoints are currently using “31337”.

Picture12.jpg

7. Using the “NetworkFlow” collector with the newfound IoC, the src_port that “ncat.exe” is currently using for communication, enables searching across the entire network environment. In this case, it is still only the two endpoints “10.0.119.142” and “10.0.119.143” using “31337”. At this point, the decision is made to kill off the connection between these two endpoints, and to create a “Trigger” to alert the incident response team to the presence of “ncat.exe”.

Picture13.jpg

8. Now we are going to leverage McAfee Active Response’s trigger functionality to build a trigger in response to “Ncat” presence on the network.


Under the Trigger Configuration:

              Select “Enable” for Status and “Alert” for Event Severity

Under Detection:

              1. Select “Network” for Trigger Type

              2. Select “Port Opened” for Trigger Event (any time a port matching the condition opens, it will cause the trigger to fire)

              Note: The Trigger Outputs change based on the Event selected, showing the conditions allowed for that Event type

              3. “src_port equals 31337” should be entered into the Conditions field (the investigation showed that Ncat uses “31337” as its backdoor port, and we want to be alerted to its presence moving forward)

              4. Select “Send Event to ePO” for the Reaction and save the Trigger.

              Note: There are many variations that you can use to be alerted to Ncat’s presence, such as triggering on running processes named “ncat” or on its MD5/SHA1. Experiment with these options.

Picture14.jpg

9. Referring to the Threat Event Log – The Trigger we created for “Ncat” has successfully deployed, as well as been triggered due to the backdoor listener still being active. Let’s take a deeper look into the event to see what exactly is shown.

Picture15.png

10.  In Red – Take note of the category “Threat Name”, for this instance it is “Remote Port – Ncat” which is what the trigger was named during creation. In Blue – Threat Source & Threat Target are Source / Destination for this event, which enables investigators to quickly pinpoint the issue, and reduce the amount of time needed for investigation.

Picture16.jpg
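
The pivot in steps 3 to 7 (process-name IoC, then port IoC, then a network-wide sweep) and the choice of trigger port in step 8, as an added Python example; it is not McAfee Active Response code and not part of the original article. The flow records, the `host` field and the third endpoint running `svchelper.exe` are constructed, and the other field names mirror the collector fields used in the queries above.

```python
# IANA dynamic (ephemeral) range: client-side ports picked per connection.
DYNAMIC_PORTS = range(49152, 65536)

# Constructed sample records. "host" (the reporting endpoint) is an assumed field.
FLOWS = [
    {"host": "10.0.119.143", "process": "ncat.exe",
     "src_ip": "10.0.119.143", "src_port": 31337,
     "dst_ip": "10.0.119.142", "dst_port": 51790},
    {"host": "10.0.119.142", "process": "ncat.exe",
     "src_ip": "10.0.119.142", "src_port": 51790,
     "dst_ip": "10.0.119.143", "dst_port": 31337},
    {"host": "10.0.119.150", "process": "chrome.exe",   # benign, constructed
     "src_ip": "10.0.119.150", "src_port": 50233,
     "dst_ip": "192.0.2.10", "dst_port": 443},
    {"host": "10.0.119.160", "process": "svchelper.exe",  # constructed: same port, other name
     "src_ip": "10.0.119.160", "src_port": 31337,
     "dst_ip": "10.0.119.161", "dst_port": 49822},
]

def ports_for_process(flows, fragment):
    """Step 3: local ports of every process whose name contains the IoC."""
    return {f["src_port"] for f in flows
            if fragment.lower() in f["process"].lower()}

def stable_ports(ports):
    """Keep ports worth a trigger; ephemeral ones differ on every connection."""
    return {p for p in ports if p not in DYNAMIC_PORTS}

def sweep(flows, ports):
    """Step 7: every endpoint with a flow on one of the ports, by process."""
    hits = {}
    for f in flows:
        if f["src_port"] in ports or f["dst_port"] in ports:
            hits.setdefault(f["host"], set()).add(f["process"])
    return hits

def unexpected(hits, fragment):
    """Endpoints where the port is held by a process the name IoC would miss."""
    return sorted(h for h, procs in hits.items()
                  if any(fragment.lower() not in p.lower() for p in procs))

if __name__ == "__main__":
    trigger_ports = stable_ports(ports_for_process(FLOWS, "ncat"))
    hits = sweep(FLOWS, trigger_ports)
    print("trigger on src_port:", sorted(trigger_ports))
    print("endpoints on those ports:", hits)
    print("missed by a process-name trigger:", unexpected(hits, "ncat"))
```

On this sample, only 31337 survives as a trigger condition, and the port sweep surfaces an endpoint that a trigger on the process name “ncat” alone would not.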


Version history: Revision 1 of 1. Last update: 08-07-2015 10:12 AM