One hunting technique could be to look for 1 host trying to RDP multiple host in a short time.īut I don't know if it's possible to hunt for tunnels, network redirection.at the end what the host is doing is redirecting all the traffic from one port to another in another host, isn't it? In both they used the proxy to move RDP, the tunnel was for port 3389. Ngrok was renamed as "sysmon" and this is how we got it. Another member of the team is doing a more in deep forensics analysis but I still don't have the latest information. In this company we detect it while we were deploying Crowdstrike, so we have no info from before. We deployed Crowdstrike and we got an alert for an intell indicator, an IP. This was an IR were the company didn't have any security tools and poor event auditing. It was 99% like this: (the difference is we were a bit faster and avoided the encryption!) The first was after a ProxyShell attack, attackers installed Fast Reverse Proxy, move laterally with RDP, dumped credentials and created a new Domain Admin user. Maybe this could be a request for u/andrew-cs for a CQF ) I only could hunt for specific activity.įor example, hunting for Ngrok could be easy just looking for DNS activity over this domains: "." OR "." OR "tunnel.ap." OR "." OR "tunnel.sa." OR "tunnel.jp." OR "tunnel.in." OR "*.ngrok.io"įor Fast Reverse Proxy, looking for command lines like this: * -c *.ini I've not been able to create what we could call a "generic threat hunting query for tunneling activity", and this is what I'm looking for. I would like to ask the crowdstrike community if someone has developed any kind of threat hunting queries over Crowdstrike to hunt for this kind of activity. During this attacks what lead us to discover this activity were other indicators that took later to find the use of this tools in the compromised hosts. I find this kind of attacks more difficult to be hunted. They created tunnels with this tools to launch further attacks withouth deploying malware over the hosts. Basically, they were using tunneling tools to get persistence and pivot over the network. In the last 4 months I've been involved in some incident response were attackers used non-malware tools. Live chat available 6-6PT M-F via the Support Portal No SLA for assistance - CrowdStrike Customer Success advises you to engage with a Support case to express any high priority issues.Your Views Are Your Own - Topics and comments on /r/crowdstrike do not necessarily reflect official views of CrowdStrike.Avoid entering sensitive information from which your identity is apparent or can be reasonably ascertained.Do not post disparaging comments about competitive products or otherwise. Posts must be about CrowdStrike products and/or product functionality.Search by: Query Help Troubleshooting Feature Questions Feature Requests (requires login) RULES Subreddit Rules
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |