9/13/2018
Starting with a packet
• Source IP, Port
• Destination IP, Port
Tracing the packet back (flowchart):
• Internal IP? If yes: DHCP address? If yes, search the DHCP server logs; if no, use reverse DNS.
• Which computer? Consult system logs.
• Which user/program? Black box: the packet itself only gives Source IP, Port and Destination IP, Port.
Windows Security Log
• Audit policy
• Events
Audit Policy
Sysmon (https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1438)
• Installation
• Configuration
• Events
Sysmon configuration (excerpt, logging only outbound connections the host initiated):

    <Sysmon schemaversion="4.0">
      …
      <EventFiltering>
        …
        <NetworkConnect onmatch="include">
          <Initiated condition="is">true</Initiated>
        </NetworkConnect>
        …
      </EventFiltering>
    </Sysmon>
Sysmon Event ID 3, Connection detected:

    UtcTime: 2017-04-28 22:12:22.557
    ProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
    ProcessId: 13220
    Image: C:\Program Files (x86)\Google\Chrome\...\chrome.exe
    User: LAB\rsmith
    Protocol: tcp
    Initiated: true
    SourceIsIpv6: false
    SourceIp: 192.168.1.250
    SourceHostname: rfsH.lab.local
    SourcePort: 3328
    SourcePortName:
    DestinationIsIpv6: false
    DestinationIp: 104.130.229.150
    DestinationHostname:
    DestinationPort: 443
    DestinationPortName: https
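As an added example (not the webinar's own code), the lookup an analyst does from a packet header to the Event ID 3 record, in Python: it parses records in the "Key: Value" text layout shown above, indexes each flow under both directions, and answers which computer, user and program own the packet. The sample record is constructed from the slide's values (the full Image path is an assumption, since the slide elides it), and the code assumes the events have already been exported from the host as text.

```python
import re
# Constructed sample: one Sysmon Event ID 3 record in the slide's "Key: Value"
# layout, using the slide's values; the full Image path is an assumption.
SYSMON_EVENTS = """\
Connection detected:
ProcessId: 13220
Image: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe
User: LAB\\rsmith
Protocol: tcp
SourceIp: 192.168.1.250
SourceHostname: rfsH.lab.local
SourcePort: 3328
DestinationIp: 104.130.229.150
DestinationPort: 443
"""

def parse_events(text):
    """Split at each 'Connection detected:' line and parse the 'Key: Value' pairs."""
    records = []
    for block in re.split(r"^Connection detected:$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first ':' only; paths keep theirs
            if sep and key.strip():
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def flow_key(proto, src_ip, src_port, dst_ip, dst_port):
    return (proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port))

def build_index(records):
    """Index each record under both directions of its 5-tuple, so a packet captured
    as request or as reply resolves to the same process."""
    index = {}
    for r in records:
        p, si, sp, di, dp = (r[k] for k in ("Protocol", "SourceIp", "SourcePort",
                                             "DestinationIp", "DestinationPort"))
        index[flow_key(p, si, sp, di, dp)] = index[flow_key(p, di, dp, si, sp)] = r
    return index

def attribute_packet(index, proto, src_ip, src_port, dst_ip, dst_port):
    """Answer 'which computer, user and program?' for one packet header; None when
    no Event ID 3 covers the flow, i.e. the host is still a black box."""
    r = index.get(flow_key(proto, src_ip, src_port, dst_ip, dst_port))
    if r is None:
        return None
    return {"host": r["SourceHostname"], "user": r["User"],
            "image": r["Image"], "pid": int(r["ProcessId"])}
```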
September 2018
Network Monitoring
Network segments, mirror port (figure: two distribution switches with the mirror feeding the monitor)
• Monitor all ingress/egress traffic on a segment
• Lateral movement
• Uplinks between distribution switches
Threat Hunting
• Application bandwidth over time
Threat Hunting
• Application tag
• Detailed metadata
Port misuse
• Port 88
• 96.5% of traffic is Kerberos
• What is the other 3.5%?
Demo Time