Use Case - Detecting Reconnaissance

Purpose


This use case demonstrates using McAfee Active Response to detect anomalous activity that may be reconnaissance.

1. There has been notification that the host “10.0.119.142” has been exhibiting strange behavior, both in the past and currently. McAfee Active Response provides the “CurrentFlow” collector, a real-time view of network flow in the environment that can be narrowed down to a single host.


[CurrentFlow where CurrentFlow local_ip equals 10.0.119.142]


Using the quick filter “nmap”, drill down into the NetFlow data related to the use of Nmap.

Note in Blue – The enumeration of ports between “10.0.119.142” and “10.0.119.143”. This pattern is typical of port scanning by a tool such as Nmap / Zenmap.

Note in Red – The process “nmap.exe” is present, which is related to the tool “Nmap” when it is conducting network discovery.

Picture1.jpg

2. Using the “NetworkFlow” collector allows a historical look into NetFlow. In this instance, the traffic of “10.0.119.143” is of interest because of the previous findings.

[NetworkFlow where NetworkFlow src_ip equals 10.0.119.143 and NetworkFlow time after “2015-07-22 14:00:00”]


Tip: The “time” field for “NetworkFlow” allows drilling down into a specific time range, reducing the time spent sifting through piles of data.

Note in Red – The enumeration of ports between “10.0.119.143” and “10.0.119.142” is indicative of reconnaissance occurring between the two hosts, consistent with the presence of “nmap.exe” seen earlier.

Picture2.jpg
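The port-enumeration pattern highlighted in steps 1 and 2 can be checked mechanically rather than by eye. The following is an added example, not part of the original article and not McAfee Active Response code: it runs a sliding-window distinct-port count over constructed NetworkFlow-style records (src_ip, dst_ip, dst_port, time), and mimics the “nmap” quick filter against a constructed process inventory (the hostname “HOST-B” is made up). The field layout and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample NetworkFlow-style records (src_ip, dst_ip, dst_port, time),
# shaped after the fields the walkthrough queries; they are not real MAR output.
FLOWS = (
    # 16 distinct ports hit in under two minutes: the enumeration pattern from step 2.
    [("10.0.119.143", "10.0.119.142", p, f"2015-07-22 14:0{i // 8}:{(i % 8) * 7:02d}")
     for i, p in enumerate(range(20, 36))]
    # Repeated HTTPS from another host: one port, many flows, not a scan.
    + [("10.0.119.10", "10.0.119.142", 443, f"2015-07-22 14:{m:02d}:00") for m in range(10)]
    # One new port per hour: 12 ports in total, but too slow for a 5-minute window.
    + [("10.0.119.50", "10.0.119.142", p, f"2015-07-22 {p:02d}:00:00") for p in range(1, 13)]
)
# Constructed process inventory per hostname; "HOST-B" is a made-up second endpoint.
PROCESSES = {"IP-0A00778E": ["explorer.exe", "Zenmap.exe"], "HOST-B": ["explorer.exe", "chrome.exe"]}


def detect_port_scans(flows, min_ports=10, window_minutes=5):
    """(src, dst, ports) for each pair whose source hit >= min_ports distinct ports within one window."""
    window = timedelta(minutes=window_minutes)
    by_pair = defaultdict(list)
    for src, dst, port, ts in flows:
        by_pair[(src, dst)].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), port))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        live = defaultdict(int)  # port -> number of flows still inside the window
        start, peak = 0, 0
        for t, port in events:
            live[port] += 1
            while events[start][0] < t - window:  # expire flows older than the window
                old = events[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak >= min_ports:
            alerts.append((src, dst, peak))
    return alerts


def hosts_running(inventory, needle="nmap"):
    """Mimic the "nmap" quick filter: hosts with a process name containing needle (case-insensitive)."""
    needle = needle.lower()
    return sorted(h for h, procs in inventory.items() if any(needle in p.lower() for p in procs))


if __name__ == "__main__":
    for src, dst, n in detect_port_scans(FLOWS):
        print(f"{src} -> {dst}: {n} distinct ports in one window; nmap-like processes on {hosts_running(PROCESSES)}")
```

Widening the window (for example to 24 hours) makes the slow one-port-per-hour probe show up too, which is the trade-off behind the “time” filter in step 2: a short window keeps noise down, a long one catches patient scanning.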

3. Next, confirm whether “10.0.119.142” or other endpoints have “Nmap.exe” or something related to it, using both the “Hostinfo” collector and the “Files” collector.

[Hostinfo hostname, ip and Files where Files name contains “nmap.exe”]


Note that you can also search by MD5 or SHA1, but in this case “nmap.exe” was used to find both Nmap and “Zenmap.exe”, the Windows executable of Nmap.

Picture3.jpg

4. Next, investigate whether “Nmap” or “Zenmap” is currently running on the identified host “IP-0A00778E” (“10.0.119.142”).

[Processes where Hostname hostname equals “IP-0A00778E”]


Quick Filter on “nmap” – This shows that the process associated with Nmap, and with the network reconnaissance in question, is currently running on the queried host.

Picture4.jpg

5. One of the powerful features of Active Response is “Reactions”, which allow you to take a specific action or series of actions, either automatically through “Triggers” or manually in the UI. Here it has been decided to kill the process “Zenmap.exe”.

  •   Select Action – Execute Reaction
  •   Select “Kill Process” reaction
  •   Type “zenmap.exe” – Note: Be sure to include the full name of the process
  •   Select “OK” and confirm the choice.

McAfee Active Response then sends the “Kill Process” command via the Data Exchange Layer (DXL) and the process is terminated.


Picture5.jpg


6. Re-run [Processes where Hostname hostname equals “IP-0A00778E”] with the Quick Filter on “nmap” to check again for the process associated with Nmap and the network reconnaissance in question. Note – No results are returned for “Nmap” or “Zenmap”: the process has been killed successfully by the “Reaction – Kill Process”.

Picture6.jpg

Version history: Revision 1 of 1. Last update: 08-07-2015 09:40 AM.