Detections
- Home
- - Detections
- -DT098
- ID: DT098
- Created: 31st July 2024
- Updated: 31st July 2024
- Contributor: Ismael Briones-Vilar
NetFlow Analysis
Analyze network flow data (NetFlow) to identify unusual communication patterns and potential tunneling activities. Flow data offers insights into the volume, direction, and nature of traffic.
NetFlow, a protocol developed by Cisco, captures and records metadata about network flows—such as source and destination IP addresses, ports, and the amount of data transferred.
Various network appliances support NetFlow, including Next-Generation Firewalls (NGFWs), network routers and switches, and dedicated NetFlow collectors.
Sections
ID | Name | Description |
---|---|---|
AF023 | Browser or System Proxy Configuration | A subject configures either their web browser or operating system to route HTTP and HTTPS traffic through a manually defined outbound proxy server. This action enables them to redirect web activity through an external node, effectively masking the true destination of network traffic and undermining key layers of enterprise monitoring and control.
By placing a proxy between their endpoint and the internet, the subject can obscure final destinations, bypass domain-based filtering, evade SSL inspection, and suppress logging artifacts that would otherwise be available to investigative teams. This behavior, when unsanctioned, is a hallmark of anti-forensic preparation—often signaling an intent to conceal exfiltration, contact unmonitored services, or test visibility boundaries. While proxies are sometimes used for legitimate troubleshooting, research, or sandboxing purposes, their use outside approved configurations or infrastructure should be treated as an investigatory lead.
Technical MethodBoth browsers and operating systems offer mechanisms to define proxy behavior. These configurations typically involve:
Once defined, the behavior is as follows:
Proxy settings may be configured through user interfaces, system preferences, environment variables, or policy files—none of which necessarily require administrative privileges unless endpoint controls are in place.
This technique is especially potent in organizations with reliance on DNS logs, web filtering, or SSL interception as primary visibility mechanisms. It fractures investigative fidelity and should be escalated when observed in unauthorized contexts. |
IF004.005 | Exfiltration via Protocol Tunneling | A subject exfiltrates data from an organization by encapsulating or hiding it within an otherwise legitimate protocol. This technique allows the subject to covertly transfer data, evading detection by standard security monitoring tools. Commonly used protocols, such as DNS and ICMP, are often leveraged to secretly transmit data to an external destination. Prerequisites:
Steps: 1. The subject uses xxd to create a hex dump of the file they wish to exfiltrate. For example, if the file is secret.txt:
2. The subject splits the hexdump into manageable chunks that can fit into DNS query labels (each label can be up to 63 characters, but it’s often safe to use a smaller size, such as 32 characters):
3. The subject uses dig to send the data in DNS TXT queries. Looping through the split files and sending each chunk as the subdomain of example.com in a TXT record query:
On the target DNS server that they control, the subject captures the incoming DNS TXT record queries on the receiving DNS server and decode the reassembled hex data from the subdomain of the query.
DNS Tunneling (Windows)
Prerequisites:
Steps:
2. The subject splits the hex data into manageable chunks that can fit into DNS query labels (each label can be up to 63 characters, but it’s often safe to use a smaller size, such as 32 characters):
3. The subject sends the data in DNS TXT queries. Looping through the hex data chunks and sending each chunk as the subdomain of example.com in a TXT record query:
The subject will capture the incoming DNS TXT record queries on the receiving DNS server and decode the reassembled hex data from the subdomain of the query.
ICMP Tunneling (Linux) Prerequisites:
Steps: 1. The subject uses xxd to create a hex dump of the file they wish to exfiltrate. For example, if the file is secret.txt:
2. The subject splits the hexdump into manageable chunks. ICMP packets have a payload size limit, so it’s common to use small chunks. The following command will split the hex data into 32-byte chunks:
3. The subject uses ping to send the data in ICMP echo request packets. Loop through the split files and send each chunk as part of the ICMP payload:
The subject will capture the incoming ICMP packets on the destination server, extract the data from the packets and decode the reassembled the hex data. |
AF018.001 | Endpoint Tripwires | A subject installs custom software or malware on an endpoint, potentially disguising it as a legitimate process. This software includes tripwire logic to monitor the system for signs of security activity.
The tripwire software monitors various aspects of the endpoint to detect potential investigations:
Upon detecting security activity, the tripwire can initiate various evasive responses:
|
AF018.002 | Environment Tripwires | The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.
This tripwire API is embedded within various parts of the environment:
Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:
The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.
Upon detecting activity, the API tripwire can take immediate evasive actions:
|
IF009.006 | Installing Crypto Mining Software | The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.
Characteristics
Example ScenarioA subject installs a customized |
MT017.001 | Nation-State Alignment | The subject is a current or former asset of a nation-state intelligence service, operating inside the organization with pre-existing loyalty to, or direct affiliation with, a foreign government. Unlike insiders who develop espionage motives post-employment, this subject is often inserted, recruited prior to hiring, or cultivated externally over time and then encouraged to seek access to a target organization.
Their motive is the advancement of strategic objectives on behalf of a foreign nation-state. These objectives may include extracting sensitive information, degrading operational resilience, manipulating internal systems or decisions, weakening public or partner trust, or embedding long-term access for future exploitation. Such subjects may be formal intelligence officers, contract operatives, ideological affiliates, or individuals acting under recruitment, coercion, or influence.
Example Scenarios:
|
PR003.012 | Installation of Dark Web-Capable Browsers | The subject installs a browser capable of accessing anonymity networks, such as the Tor Browser (used for
Installation of the Tor Browser Bundle typically involves downloading a signed executable or compressed package from
In environments with proxy filtering, the subject may attempt to chain Tor through bridge relays or VPNs, obfuscate traffic using SOCKS5 tunneling, or execute from non-standard directories (e.g., cloud-sync folders, external volumes). Some subjects bypass endpoint controls entirely by booting into live-operating systems (e.g., Tails, Whonix) which route all system traffic through Tor by default and leave minimal forensic artifacts on host storage.
This installation is rarely accidental and often coincides with other policy evasions or drift indicators. The presence of anonymizing tools—even in dormant form—warrants scrutiny as a preparatory indicator linked to potential data exfiltration, credential harvesting, or external coordination. |