Sqrrl Blog

Jan 12, 2017 8:00:00 AM

The Hunter's Den: Command and Control

By Josh Liburdi, Sqrrl Security Technologist, and George Aquila

The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. In our previous post, we examined the practical ways that one can hunt for Internal Reconnaissance. In this post, we will take a look at how to hunt for Command and Control (C2) activity. Command and control is the process through which an attacker establishes a connection with a compromised asset that they have taken control of in a target network. C2 is a critical step in the process of carrying out an attack on a network. It is a category broad enough that it has its own kill chain step (KC6, “Command and Control”). Although it is a broad tactic, this post will survey the different ways that it might generally be carried out by an adversary.

Understanding Command and Control

C2 enables remote access for attackers into target networks. Architecturally, C2 is fairly predictable. It will follow generally one of two models for implementation: a Client-Server model or a Peer-to-Peer model. Attackers have multiple options of building their C2 channel, each of which are outlined below.

Read More

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den

Nov 10, 2016 7:30:00 AM

The Hunter’s Den: Internal Reconnaissance (Part 2)

By Josh Liburdi, Security Technologist at Sqrrl, and George Aquila

In part 1 of this hunter’s den post we took a look at the adversary tactic of internal reconnaissance, including what kinds of artifacts might be left behind when internal reconnaissance has occurred on your network. In this post we’ll take a look at the types of data and the various hunting techniques that you can use to hunt for the various kinds of internal reconnaissance.

Datasets to explore

Data is a critical component of hunting, and many different kinds of datasets can be useful depending on the type of hunt that you are carrying out. For internal reconnaissance, there are two major data types that are useful to a hunt, process execution metadata and network connection metadata. 

Read More

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den

Nov 3, 2016 3:00:00 PM

The Hunter’s Den: Internal Reconnaissance (Part 1)

By Josh Liburdi, Security Technologist at Sqrrl, and George Aquila

As we laid out in our introduction, The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. This first post will focus on hunting for Internal Reconnaissance. Before we dive into the specifics of how to do this, let’s briefly review the two major models that we’ll be referencing over the course of the series.

The first is the Threat Hunting Loop, which outlines a process for threat hunting. As a loop, it is specifically meant to be repeated continually.

Read More

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den