This use case demonstrates using McAfee Active Response to detect anomalous activity that may indicate reconnaissance.
1. A notification reports that the host “10.0.119.142” has been exhibiting strange behaviour, both in the past and currently. McAfee Active Response provides the “CurrentFlow” collector, a real-time view of network flow in the environment that can be narrowed down to a single host.
[CurrentFlow where CurrentFlow local_ip equals 10.0.119.142]
Using the quick filter “nmap”, drill down into the netflow data related to the use of Nmap.
Note in Blue – The enumeration of ports between “10.0.119.142” and “10.0.119.143”; this is typical of port scanning from a tool such as Nmap / Zenmap.
Note in Red – The process “nmap.exe” is present; this is the Nmap tool conducting network discovery.
2. The “NetworkFlow” collector allows a historical look into NetFlow. In this instance, the traffic of “10.0.119.143” is of interest due to the previous findings.
[NetworkFlow where NetworkFlow src_ip 10.0.119.143 and NetworkFlow time after “2015-07-22 14:00:00”]
Tip: The “time” field for “NetworkFlow” allows drilling down to a specific time range, reducing the time spent sifting through piles of data.
Note in Red – The enumeration of ports between “10.0.119.143” and “10.0.119.142” is indicative of reconnaissance occurring between the two hosts, consistent with the presence of “nmap.exe” seen earlier.
3. Next, confirm whether “10.0.119.142” or other endpoints have “nmap.exe” or a related file, using both the “Hostinfo” collector and the “Files” collector.
[Hostinfo hostname, ip and Files where Files name contains “nmap.exe”]
Note that you can also search by MD5 or SHA1, but in this case we used the name “nmap.exe” to find both nmap and “Zenmap.exe”, which is a Windows executable of Nmap.
4. Next, investigate whether “Nmap” or “Zenmap” is currently running on the identified host “IP-0A00778E” (“10.0.119.142”).
[Processes where Hostname hostname equals “IP-0A00778E”]
Quick Filter on “nmap” – This shows that the process associated with Nmap, and with the network reconnaissance in question, is currently running on the queried host.
5. One of the powerful features of Active Response is “Reactions”, which allow you to take a specific action or series of actions, either automatically through the use of “Triggers” or manually in the UI. In this case, the decision is to kill the process “Zenmap.exe”.
Select Action – Execute Reaction
Select “Kill Process” reaction
Type “zenmap.exe” – Note: Be sure to include the full name of the process
Select “OK” and confirm the choice.
McAfee Active Response then sends the “Kill Process” command via the Data Exchange Layer (DXL) and the process is terminated.
6. Re-run [Processes where Hostname hostname equals “IP-0A00778E”] with the Quick Filter on “nmap”. Note – No results are returned for “Nmap” or “Zenmap”; the process has been killed successfully by the “Reaction – Kill Process”.
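The port-enumeration pattern that steps 1 and 2 spot by eye in the CurrentFlow and NetworkFlow output can be scored automatically. The following is an added example, not part of this use case or of McAfee Active Response; it runs the same two filters the queries above use (a host filter on either endpoint, and a “time after” cut-off) over constructed sample flow records, and flags any source that touched many distinct ports on one destination within a short window. The record shape and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not a real capture) in the shape of the
# NetworkFlow fields used above: (src_ip, dst_ip, dst_port, time).
# 10.0.119.143 touches 16 ports on 10.0.119.142 within 16 seconds, the
# "enumeration of ports" pattern; the remaining flows are ordinary traffic.
SAMPLE_FLOWS = [
    ("10.0.119.143", "10.0.119.142", p, "2015-07-22 14:05:%02d" % i)
    for i, p in enumerate(range(20, 36))
] + [
    ("10.0.119.143", "10.0.119.142", 445, "2015-07-22 09:00:00"),  # before cut-off
    ("10.0.119.150", "10.0.119.142", 443, "2015-07-22 14:07:00"),
    ("10.0.119.150", "10.0.119.142", 80,  "2015-07-22 14:07:05"),
    ("10.0.119.142", "10.0.119.1",   53,  "2015-07-22 14:07:10"),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def flows_for_host(flows, local_ip):
    """Equivalent of the CurrentFlow 'local_ip equals' filter: either endpoint."""
    return [f for f in flows if local_ip in (f[0], f[1])]


def find_port_enumeration(flows, after, min_ports=10, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted distinct ports} for every src/dst pair where
    the source reached at least min_ports distinct destination ports inside
    one `window`, considering only flows after `after` (the 'time after' filter).
    The thresholds are assumed values; tune them to the environment."""
    cutoff = parse_time(after)
    per_pair = defaultdict(list)
    for src, dst, port, ts in flows:
        t = parse_time(ts)
        if t > cutoff:
            per_pair[(src, dst)].append((t, port))
    hits = {}
    for pair, events in per_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                # Report every port this pair enumerated after the cut-off.
                hits[pair] = sorted({p for _, p in events})
                break
    return hits
```

Run over `flows_for_host(SAMPLE_FLOWS, "10.0.119.142")` with `after="2015-07-22 14:00:00"`, only the 10.0.119.143 to 10.0.119.142 pair is reported, with ports 20 through 35.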