
NetWitness Hunting Guide - Page 6

NetWitness Hunting Guide - Continued

Appendix: Static Meta Values

The following table is a reference list, similar to a command/value list, of the meta values that the content in the Hunting pack can generate.

  • Parser Name: apt_artifacts.lua
  • Meta Key: ioc
  • Static Value: apt possible invokemimikatz
  • Description: PEbytes64/32 byte array match and strings found in various versions of invoke mimikatz
  • Why it Matters: May be an attacker trying to dump credentials out of the Local Security Authority Subsystem Service (lsass)

  • Parser Name: apt_artifacts.lua
  • Meta Key: ioc
  • Static Value: apt possible prefetch deletion
  • Description: Prefetch text string content match
  • Why it Matters: May be an attacker trying to cover their escalation of privilege artifacts via anti-forensic techniques

  • Parser Name: apt_artifacts.lua
  • Meta Key: ioc
  • Static Value: apt possible registry deletion
  • Description: Registry deletion content matches
  • Why it Matters: May be an attacker trying to cover their escalation of privilege artifacts via anti-forensic techniques

  • Parser Name: apt_artifacts.lua
  • Meta Key: ioc
  • Static Value: apt possible wmic cleareventlog
  • Description: Windows management instrumentation command-line (wmic.exe) event log clearing content matches
  • Why it Matters: May be an attacker trying to cover their escalation of privilege artifacts via anti-forensic techniques

  • Parser Name: dns_verbose.lua
  • Meta Key: analysis.service
  • Static Value: dns base36 txt record
  • Description: DNS records that contain patterns matching a base36 alphabet
  • Why it Matters: Based on known patterns seen being used in the field by recent malware and attackers, DNS records that contain certain patterns matching a base36 alphabet are flagged for further investigation.

  • Parser Name: dns_verbose.lua
  • Meta Key: analysis.service
  • Static Value: dns base64 txt record
  • Description: DNS records that contain patterns matching a base64 alphabet
  • Why it Matters: Based on known patterns seen being used in the field by recent malware and attackers, DNS records that contain certain patterns matching a base64 alphabet are flagged for further investigation.

  • Parser Name: dns_verbose.lua
  • Meta Key: analysis.service
  • Static Value: dns single request response
  • Description: A DNS session that consists of a single request and/or response.
  • Why it Matters: Enables focus on unique DNS sessions potentially indicating origin of infection or multiple names for the same C2 IP address.

  • Parser Name: dns_verbose.lua
  • Meta Key: analysis.service
  • Static Value: large session dns port
  • Description: Outbound non-DNS sessions using port 53 greater than 100 kilobytes
  • Why it Matters: Large outbound DNS sessions could be indicative of active exfiltration

  • Parser Name: dns_verbose.lua
  • Meta Key: analysis.service
  • Static Value: large session dns service
  • Description: Outbound DNS sessions greater than 100 kilobytes
  • Why it Matters: Large outbound DNS sessions could be indicative of active exfiltration

  • Parser Name: dns_verbose.lua
  • Meta Key: analysis.service
  • Static Value: loopback resolution of non-local name
  • Description: Registers when a hostname external to the environment resolves to the loopback address (127.0.0.1). To enable generation of this meta value, configure the localDomains() function in the TLD Lua parser options file so the parser knows which domains are local.
  • Why it Matters: Attackers often change DNS records in order to make sure that connections to their C&Cs are not blocked. This includes 'parking' the hostname on an IP address that does not map back to the attacker's IP address. A common IP address to use is the loopback address (127.0.0.1) as it is non-routable within an environment. While it is odd that internal hostnames resolve to the loopback address, it does happen occasionally. By looking for just external hostnames this helps filter local activity.

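As an added example (not the dns_verbose.lua parser's code, nor any NetWitness code), the base36/base64 TXT-record heuristics and the loopback-resolution check above re-implemented in Python and run over constructed DNS records. The minimum encoded length, the local-domain suffix list and the record tuples are assumptions for the illustration; the page does not give the parser's own thresholds.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Minimum length before a TXT value is treated as an encoded blob. This is an
# assumption for the example; the page does not give the parser's threshold.
MIN_ENCODED_LEN = 16

# base36 is digits plus one case of letters; base64 adds the other case, '+',
# '/' and '=' padding. Every base36 string is also valid base64 alphabet, so
# base36 must be tested first or it would never be reported.
_BASE36_RE = re.compile(r"^(?:[a-z0-9]{%d,}|[A-Z0-9]{%d,})$" % (MIN_ENCODED_LEN, MIN_ENCODED_LEN))
_BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{%d,}={0,2}$" % MIN_ENCODED_LEN)


def classify_txt(rdata: str) -> Optional[str]:
    """Return the meta value a TXT record would produce, or None."""
    text = rdata.strip().strip('"')
    if _BASE36_RE.match(text):
        return "dns base36 txt record"
    if _BASE64_RE.match(text):
        return "dns base64 txt record"
    return None


def is_local_name(name: str, local_domains: Iterable[str]) -> bool:
    """Stand-in for the localDomains() configuration: true if the name is one
    of the configured suffixes or sits under one of them."""
    host = name.rstrip(".").lower()
    for suffix in local_domains:
        s = suffix.strip(".").lower()
        if host == s or host.endswith("." + s):
            return True
    return False


def loopback_non_local(name: str, rdata: str, local_domains: Iterable[str]) -> bool:
    """True when an external name resolves to a loopback address (v4 or v6)."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False          # not an address at all (e.g. a CNAME target)
    return addr.is_loopback and not is_local_name(name, local_domains)


def analyze_dns(records: Iterable[Tuple[str, str, str]],
                local_domains: Iterable[str]) -> List[Tuple[str, str]]:
    """records are (qname, rtype, rdata); returns (qname, meta value) pairs."""
    local = list(local_domains)
    hits: List[Tuple[str, str]] = []
    for qname, rtype, rdata in records:
        if rtype == "TXT":
            tag = classify_txt(rdata)
            if tag:
                hits.append((qname, tag))
        elif rtype in ("A", "AAAA") and loopback_non_local(qname, rdata, local):
            hits.append((qname, "loopback resolution of non-local name"))
    return hits


# Constructed sample records, not captured traffic.
SAMPLE_RECORDS = [
    ("corp.example.com", "TXT", "v=spf1 include:_spf.example.com ~all"),
    ("c2.badsite.test", "TXT", "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q="),
    ("beacon.badsite.test", "TXT", "7h3qu1ckbr0wnf0xjump5ov3rth3l4zyd0g"),
    ("parked.badsite.test", "A", "127.0.0.1"),
    ("dev-box.corp.example.com", "A", "127.0.0.1"),  # local name, not flagged
    ("ipv6.badsite.test", "AAAA", "::1"),
]
LOCAL_DOMAINS = ["corp.example.com"]

if __name__ == "__main__":
    for qname, tag in analyze_dns(SAMPLE_RECORDS, LOCAL_DOMAINS):
        print(f"{qname:26s} -> {tag}")
```

The ordering of the two alphabet checks is the point worth noticing: a long all-lowercase blob is reported as base36 even if it happened to be base64 without padding, which is the trade-off any alphabet-based heuristic makes. The loopback check also accepts `::1`, so IPv6 parking is caught alongside 127.0.0.1.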
  • Parser Name: dns_verbose.lua
  • Meta Key: analysis.service
  • Static Value: outbound dns
  • Description: Outbound identification of the DNS service
  • Why it Matters: Outbound DNS should be inspected for compliance and security purposes

  • Parser Name: dns_verbose.lua
  • Meta Key: analysis.service
  • Static Value: suspicious traffic port 53
  • Description: Outbound HTTP or SSL sessions on port 53
  • Why it Matters: DNS tunneling can be used to transport data out of a network, masquerading as legitimate domain name services

  • Parser Name: dns_verbose.lua
  • Meta Key: ioc
  • Static Value: dns with executable
  • Description: DNS traffic containing an executable fingerprint
  • Why it Matters: Natively, DNS is not a protocol designed for file transfer, so the presence of any file type is considered suspicious when encountered in DNS payload data, more so if this file is or could be an executable file.

  • Parser Name: dns_verbose.lua
  • Meta Key: ioc
  • Static Value: dns with file
  • Description: DNS traffic containing a file fingerprint
  • Why it Matters: Natively, DNS is not a protocol designed for file transfer, so the presence of any file type is considered suspicious when encountered in DNS payload data.

  • Parser Name: dyndns.lua
  • Meta Key: analysis.service
  • Static Value: dynamic dns host
  • Description: A host entry that is a subdomain of a Dynamic DNS provider
  • Why it Matters: Dynamic DNS provides a rapid mechanism for attackers to evade traditional reputation service detections

  • Parser Name: dyndns.lua
  • Meta Key: analysis.service
  • Static Value: dynamic dns server
  • Description: A host entry matching a known Dynamic DNS Server
  • Why it Matters: Dynamic DNS provides a rapid mechanism for attackers to evade traditional reputation service detections

  • Parser Name: dyndns.lua
  • Meta Key: analysis.service
  • Static Value: dynamic dns http
  • Description: Dynamic DNS web requests
  • Why it Matters: Dynamic DNS provides a rapid mechanism for attackers to evade traditional reputation service detections

  • Parser Name: dyndns.lua
  • Meta Key: analysis.service
  • Static Value: dynamic dns query
  • Description: Dynamic DNS queries
  • Why it Matters: Dynamic DNS provides a rapid mechanism for attackers to evade traditional reputation service detections

  • Parser Name:
  • Meta Key: eoc
  • Static Value: html hidden div
  • Description: HTML content containing a hidden div element

  • Parser Name:
  • Meta Key: eoc
  • Static Value: html hidden span
  • Description: HTML content containing a hidden span element

  • Parser Name: fingerprint_java.lua
  • Meta Key: analysis.file
  • Static Value: one two filename java class
  • Description: Java class filename consisting of only one or two characters excluding extension
  • Why it Matters: The Java Virtual Machine is a popular vector for malware delivery

  • Parser Name: fingerprint_java.lua
  • Meta Key: analysis.file
  • Static Value: small java class
  • Description:

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: direct to ip one char php
  • Description: An HTTP request to an IP address, not a hostname, that queries for a single character PHP script
  • Why it Matters: It is uncommon for a human to request an IP address directly rather than a domain name, and doubly suspicious to query for a single-character PHP script

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: host header contains port
  • Description: Host header directly declares a port such as 'www.example.com:80'
  • Why it Matters: Explicitly declaring a port in the HTTP Host header is uncommon and can be an indicator that (a) an application or user is attempting to subvert security controls by using HTTP on a non-standard port, or (b) an application is signaling to a proxy which port to use for the HTTP transaction.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http connect
  • Description: Sessions with only HTTP CONNECT methods
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http direct to ip request
  • Description: An HTTP request direct to an IP Address
  • Why it Matters: Identifying suspicious domains may uncover nefarious behaviors in a dataset. It is uncommon for a human to request an IP address directly rather than a domain name during regular browsing activity.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http explicit proxy request
  • Description: An HTTP request whose request line carries an absolute URI (scheme and host) after the method instead of a plain path, as sent to an explicit proxy
  • Why it Matters: Any attempt at an explicit proxy request using protocol and full URL after the request method seems programmatic

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http four headers
  • Description: Sessions with four HTTP headers
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http four or less headers
  • Description: Four or fewer HTTP headers in a session
  • Why it Matters: Modern web browsers generally use 6 or more HTTP headers when making requests. Common examples of these headers are Accept, Accept-Encoding, Accept-Language, Cache-Control, Connection, Host, Referer and User-Agent. A request with far fewer headers is more likely to come from a mechanical client than from an interactive browser session.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http not good mozilla
  • Description: A user-agent string without the standard Mozilla identifier
  • Why it Matters: User agent analysis helps establish interactive sessions versus mechanical sessions and aid in identifying a malware behavior's bidirectional communications

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http possible exploitkit
  • Description: Outbound HTTP Java Virtual Machine requests for unrecognized filetype
  • Why it Matters: The Java Virtual Machine is a popular vector for malware delivery. All outbound JVM GET requests should be analyzed.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http post and get
  • Description: HTTP sessions with at least one each GET request and POST request
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http post no get
  • Description: HTTP sessions with at least one POST request and no GET requests
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http post no get low header count not flash
  • Description: An HTTP POST request with fewer than 6 headers and a user-agent that is not 'shockwave flash'
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http post no get missing content-length
  • Description: HTTP session with at least one POST request, no GET requests, and no Content-Length header
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http post no get no referer
  • Description: HTTP session with at least one POST request, no GET requests, and no referer
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http post no get no referer directtoip
  • Description: HTTP session with at least one POST request to an IP address, no GET requests, and no referer
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http post no get short filename suspicious extension
  • Description: An HTTP POST request to a 3 byte or less filename with an executable extension
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http post no get short user-agent
  • Description: HTTP session with at least one POST request, no GET requests, and a short user-agent string
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http suspicious 4 headers
  • Description: Sessions with only HTTP POST and four HTTP headers
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http suspicious 6 headers
  • Description: Sessions with only HTTP POST and six HTTP headers
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http suspicious connect
  • Description: Sessions using only the HTTP CONNECT method with fewer than four headers and no user-agent
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http suspicious no cookie
  • Description: HTTP session with at least one POST request, no GET requests, and no cookie
  • Why it Matters: Attackers and malware authors try to blend in with regular network communications. Establishing interactive sessions versus mechanical sessions aids in identifying a malware behavior's bidirectional communications.

  • Parser Name: http.lua
  • Meta Key: analysis.service
  • Static Value: http suspicious user-agent
  • Description: A user-agent with common formatting mistakes
  • Why it Matters: User agent analysis helps establish interactive sessions versus mechanical sessions and aid in identifying a malware behavior's bidirectional communications

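As an added example (not http.lua or any NetWitness code), a session-level re-implementation of a subset of the http.lua heuristics listed above (header counts, Mozilla user-agent check, Host header with port, direct-to-IP and single-character PHP requests, explicit proxy request lines, POST-without-GET variants and the CONNECT checks), run over three constructed sessions. The request-target regexes, the requests themselves and the decision to count headers per request are assumptions for this illustration; the page does not show the parser's internals.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    method: str
    target: str               # request-target as sent: "/a.php" or "http://h/p"
    headers: Dict[str, str]   # header names lower-cased


_HOST_RE = re.compile(r"^(\[[^\]]+\]|[^:]+)(?::(\d+))?$")   # host[:port], v6 in []
_ONE_CHAR_PHP_RE = re.compile(r"^/[A-Za-z0-9]\.php(?:\?.*)?$")


def parse_request(raw: str) -> Request:
    """Parse the head of one raw HTTP/1.x request; any body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return Request(method.upper(), target, headers)


def _host_and_port(req: Request) -> Tuple[str, Optional[str]]:
    m = _HOST_RE.match(req.headers.get("host", ""))
    return (m.group(1).strip("[]"), m.group(2)) if m else ("", None)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def tag_request(req: Request) -> Set[str]:
    """Per-request meta values; names follow the table above."""
    tags: Set[str] = set()
    host, port = _host_and_port(req)
    if host and _is_ip(host):
        tags.add("http direct to ip request")
        if _ONE_CHAR_PHP_RE.match(req.target):
            tags.add("direct to ip one char php")
    if port:
        tags.add("host header contains port")
    if req.target.lower().startswith(("http://", "https://")):
        tags.add("http explicit proxy request")
    ua = req.headers.get("user-agent")
    if ua is not None and not ua.startswith("Mozilla/"):
        tags.add("http not good mozilla")
    if len(req.headers) <= 4:
        tags.add("http four or less headers")
        if len(req.headers) == 4:
            tags.add("http four headers")
    return tags


def tag_session(raw_requests: List[str]) -> Set[str]:
    """Session-level meta values over every request in one TCP session."""
    reqs = [parse_request(r) for r in raw_requests]
    tags: Set[str] = set()
    for r in reqs:
        tags |= tag_request(r)
    methods = {r.method for r in reqs}
    posts = [r for r in reqs if r.method == "POST"]
    if posts and "GET" in methods:
        tags.add("http post and get")
    elif posts:
        tags.add("http post no get")
        for p in posts:
            if "content-length" not in p.headers:
                tags.add("http post no get missing content-length")
            if "referer" not in p.headers:
                tags.add("http post no get no referer")
                if _is_ip(_host_and_port(p)[0]):
                    tags.add("http post no get no referer directtoip")
            if "cookie" not in p.headers:
                tags.add("http suspicious no cookie")
            if len(p.headers) < 6 and "shockwave flash" not in p.headers.get("user-agent", "").lower():
                tags.add("http post no get low header count not flash")
        if methods == {"POST"}:            # "only HTTP POST" sessions
            counts = {len(p.headers) for p in posts}
            if counts == {4}:
                tags.add("http suspicious 4 headers")
            elif counts == {6}:
                tags.add("http suspicious 6 headers")
    if methods == {"CONNECT"}:
        tags.add("http connect")
        if all(len(r.headers) < 4 and "user-agent" not in r.headers for r in reqs):
            tags.add("http suspicious connect")
    return tags


# Constructed sessions, not captured traffic.
BROWSER_SESSION = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/120.0\r\nAccept: text/html\r\n"
    "Accept-Language: en-US\r\nAccept-Encoding: gzip\r\nConnection: keep-alive\r\n"
    "Referer: https://www.example.com/\r\nCookie: sid=abc\r\n\r\n",
]
BEACON_SESSION = [
    "POST /g.php HTTP/1.1\r\nHost: 203.0.113.5:8080\r\nUser-Agent: updater 1.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 11\r\n\r\nid=1&cmd=ls",
]
CONNECT_SESSION = ["CONNECT c2.badsite.test:443 HTTP/1.1\r\nHost: c2.badsite.test:443\r\n\r\n"]

if __name__ == "__main__":
    for name, session in (("browser", BROWSER_SESSION), ("beacon", BEACON_SESSION), ("connect", CONNECT_SESSION)):
        print(name, sorted(tag_session(session)))
```

The browser session produces no meta values at all, which is the behaviour the hunt relies on: the heuristics are meant to stay quiet on the bulk of interactive traffic so that a four-header POST to a bare IP stands out on its own. Note that several values fire together on the beacon session; in practice it is the stacking of these weak indicators in one session, not any single one, that earns the session a second look.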