OUTBOUND C2 COMMS CORRELATION

The firewall_logs sourcetype will be a tremendous asset in correlating outbound C2 traffic.

SPLUNK: Search & Reporting
 SPL: sourcetype=firewall_logs src_ip="10.10.1.5" AND dest_ip="<REDACTED>" AND action="ALLOWED" | table _time, action, protocol, src_ip, dest_ip, dest_port, reason
 DTG: All time
 TAB: Statistics
 
 * src_ip="10.10.1.5" is the compromised server
 * The ACTION=ALLOWED and REASON=C2_CONTACT fields are used to confirm the malware
   communication channel
    - a value of "active" can confirm the hypothesis
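
An offline re-creation of the search above, added here as example code (not part of the original note or of Splunk): it applies the same src_ip / dest_ip / action=ALLOWED filter to constructed key=value firewall events and projects the same columns as the `| table` command, then goes one step further and lists every (src_ip, dest_ip) pair with ALLOWED + C2_CONTACT events so that other hosts talking to the same destination stand out. The key=value event layout and the 203.0.113.7 destination (standing in for the redacted C2 address) are assumptions.

```python
"""Re-creation of the SPL correlation over constructed firewall events.
Example code added to this note; the key=value layout is an assumption."""
import re
from collections import Counter

# Constructed sample events. 10.10.1.5 is the compromised server from the
# note; 203.0.113.7 is a documentation-range placeholder for the redacted
# C2 destination. One BLOCKED event, one DNS event and one second host are
# included so the filter has something to exclude and something to surface.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z action=ALLOWED protocol=tcp src_ip=10.10.1.5 dest_ip=203.0.113.7 dest_port=443 reason=C2_CONTACT
2024-05-01T10:00:09Z action=ALLOWED protocol=tcp src_ip=10.10.1.5 dest_ip=203.0.113.7 dest_port=443 reason=C2_CONTACT
2024-05-01T10:00:15Z action=BLOCKED protocol=tcp src_ip=10.10.1.5 dest_ip=203.0.113.7 dest_port=443 reason=C2_CONTACT
2024-05-01T10:01:00Z action=ALLOWED protocol=udp src_ip=10.10.1.5 dest_ip=10.10.1.1 dest_port=53 reason=DNS_QUERY
2024-05-01T10:02:30Z action=ALLOWED protocol=tcp src_ip=10.10.1.9 dest_ip=203.0.113.7 dest_port=443 reason=C2_CONTACT
"""

KV = re.compile(r"(\w+)=(\S+)")
# Same columns, same order, as the `| table` clause in the SPL.
TABLE_FIELDS = ["_time", "action", "protocol", "src_ip", "dest_ip", "dest_port", "reason"]

def parse_event(line):
    """Split the leading timestamp off and extract key=value pairs."""
    ts, _, rest = line.partition(" ")
    ev = {"_time": ts}
    ev.update(KV.findall(rest))
    return ev

def c2_table(raw, src_ip, dest_ip):
    """Equivalent of: src_ip=... AND dest_ip=... AND action="ALLOWED" | table ..."""
    rows = []
    for line in raw.splitlines():
        ev = parse_event(line)
        if (ev.get("src_ip") == src_ip and ev.get("dest_ip") == dest_ip
                and ev.get("action") == "ALLOWED"):
            rows.append({f: ev.get(f, "") for f in TABLE_FIELDS})
    return rows

def confirmed_c2_pairs(raw):
    """Generalisation of the note's check: every (src_ip, dest_ip) pair that has
    at least one ALLOWED event with reason C2_CONTACT, with the event count."""
    hits = Counter()
    for line in raw.splitlines():
        ev = parse_event(line)
        if ev.get("action") == "ALLOWED" and ev.get("reason") == "C2_CONTACT":
            hits[(ev["src_ip"], ev["dest_ip"])] += 1
    return dict(hits)
```

In this sample the second host 10.10.1.9 also has an allowed C2_CONTACT event to the same destination, which is exactly the kind of pivot the single-host search would miss.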
