While I’ve been in the industry for a while, I’ve never had the opportunity to work in an environment where commands were monitored or recorded for analysis. For most of my red team exposure I have been focused on gaining initial access using hacking tools (nmap, mimikatz, metasploit, etc.) rather than persisting in an environment.
As a result of this background, there’s a bit of a gap in my knowledge around which native applications attackers use to live off the land and persist inside of environments.
Executive Summary
Impact
A user’s system has been infected with a malware family known as Dyreza, which can be used to do any of the following:
Perform man-in-the-middle attacks via browser injections
Monitor/take screenshots of browser activity
Steal personal security certificates
Steal online banking/login credentials
Track the affected user’s location through STUN (Session Traversal Utilities for NAT)
This malware is most commonly used by criminals to steal bank credentials from individual users rather than to attack large corporations.
This post assumes that you have a solid understanding of tcpdump bit-masking. If you need a refresher, you can check out my other post: tcpdump Bit-Masking (with Sticky-Notes!)
WHY SAMPLE PACKETS INSTEAD OF FULL PACKET CAPTURE?
If you are on a busy network and want to get a feel for what is running on it, dumping 100% of packets will create a cumbersome file very quickly. You may find yourself having to use tiny capture windows to keep the size down, which may not give you a complete view of the types of activity on the network if they happen outside of that small time frame.
Of all the topics I have taught to new analysts coming into the SOC, bit-masking was continually the most difficult one for me to articulate. For the longest time I tried to teach bit-masks to students by explaining it logically using math and XOR. Reframing bit-masks as a collection of tiny sticky notes provided a much needed bridge to help students mentally tie this concept to something tangible.
TCP FLAG PRIMER
While tcpdump bit-masking can be used on any byte/nibble, it is often used to isolate combinations of TCP flags, so that is the example that we will use here.
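To make the flag-isolation idea concrete, here is an added example (not code from the original post) that evaluates tcpdump-style filters of the form "tcp[13] & mask == value" in Python against constructed 20-byte TCP headers. Byte 13 of the TCP header is the flags byte that tcpdump addresses as tcp[13] or tcp[tcpflags]; the filter names, the sample header list and the port numbers are assumptions made for the example.

```python
import struct

# Flag bits carried in byte 13 of the TCP header (tcpdump's tcp[13] / tcp[tcpflags]).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# tcpdump-style filters expressed as (mask, expected value) pairs.
# Each one is equivalent to the BPF expression "tcp[13] & mask == value".
# Names and selection are assumptions for this example.
FILTERS = {
    "syn-only":  (SYN | ACK, SYN),             # tcp[13] & 0x12 == 0x02: new connection attempt
    "syn-ack":   (SYN | ACK, SYN | ACK),       # tcp[13] & 0x12 == 0x12: accepted connection
    "rst":       (RST, RST),                   # tcp[13] & 0x04 == 0x04: reset, any other flags ignored
    "null-scan": (0x3F, 0x00),                 # tcp[13] & 0x3f == 0x00: no flags set at all
    "xmas-scan": (FIN | PSH | URG, FIN | PSH | URG),  # tcp[13] & 0x29 == 0x29
}


def build_tcp_header(flags: int, src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Constructed 20-byte TCP header with the given flag byte (no options, zero checksum)."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words in the high nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset, flags, 65535, 0, 0)


def as_bpf(mask: int, value: int) -> str:
    """Render a (mask, value) pair as the tcpdump filter string it corresponds to."""
    return f"tcp[13] & 0x{mask:02x} == 0x{value:02x}"


def matches(header: bytes, mask: int, value: int) -> bool:
    """Apply the bit-mask exactly as tcpdump would: AND the flags byte, then compare."""
    return (header[13] & mask) == value


def count_matches(headers, filters=FILTERS) -> dict:
    """Count how many headers each filter would have captured."""
    return {name: sum(matches(h, m, v) for h in headers) for name, (m, v) in filters.items()}


# Constructed sample traffic: a mix of handshake, data, teardown and scan-style flag combinations.
SAMPLE_HEADERS = [
    build_tcp_header(f)
    for f in (SYN, SYN | ACK, ACK, PSH | ACK, FIN | ACK, RST | ACK, 0x00, FIN | PSH | URG, SYN)
]

if __name__ == "__main__":
    for name, (mask, value) in FILTERS.items():
        print(f"{name:10s} {as_bpf(mask, value)}")
    print(count_matches(SAMPLE_HEADERS))
```

The mask picks out which sticky notes you care about and the value says what they must read; a header matches only when every masked bit agrees. Note that "syn-only" uses mask 0x12 rather than 0x3f, so a SYN with PSH or URG set would still match it, which is exactly the kind of distinction a mask lets you choose.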