Small Talk with the Threat Hunting Toolkit

By Ethan Robish

Investigations during a threat hunt or incident response are much like getting to know someone. In this article, you’ll find a series of questions you can ask to learn more about a new person (or rather, a new non-biological entity). With help from the Threat Hunting Toolkit, I’ll explain where you can find the answers in the logs, and provide a command to print them.

You can think of the Threat Hunting Toolkit (THT) as a command line environment containing a curated selection of data-processing utilities you can take with you anywhere, much like a craftsman’s toolkit. While THT is designed with processing Zeek network logs in mind (both TSV and JSON), we’ve also used it successfully with other delimited logs, such as comma or whitespace separated.

Without further ado, let’s make some small talk.

What’s Your Name?

A name can tell a lot about a person. The same goes for a system’s host name. The host name shows up in several kinds of network service traffic and can be pulled from a number of Zeek logs.

In the dns log, typically the query field will contain a domain and the answers field will contain one or more IP addresses, though it can also contain additional domains. (Note: For PTR requests, you can parse an IP address from the query field and a domain from the answers field instead.)

In the ssl log, the server_name field will contain a domain that corresponds with the IP address in the id.resp_h field. In the http log, the host field will contain a domain instead.

There are additional sources for systems on the local network as well. These services aren’t usually seen in internet-bound traffic and thus only apply to the local network.

Here is the form of the command that will print the host names and IP addresses from a given log (the http log in this case), sorted by the most frequently seen.

filter --http $IP | chop host id.resp_h | mfo

Example:

filter --http 165.227.88.15 | chop host id.resp_h | mfo

18438 drock.saintjameschurch.org 165.227.88.15

What Do You Do?

Just like a person's chosen profession or hobbies, the services used by or running on the system in question can reveal a lot about its purpose.

The conn log contains the port (id.resp_p), protocol (proto), and service (service) for each connection. This command can tell us what kinds of services an IP address is running by showing those with the most connections. id.resp_h holds the responder (destination) IP address, meaning that side is receiving the connection on a listening port.

filter --conn $IP | chop id.resp_h id.resp_p proto service | filter $IP | mfo
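As an added illustration (my own code, not THT's and not any of the article's commands), the following Python module does in plain code what the two sections above do with filter, chop and mfo: it pulls host-name/IP pairs out of dns, ssl and http logs using the field mapping described under "What's Your Name?", including the reversed PTR case, and it breaks down the conn log by the (id.resp_h, id.resp_p, proto, service) tuple for a chosen responder IP. It also tallies connections as east-west (both ends in RFC 1918 space) or north-south, the same private/public split conn-summary reports. Everything in it is assumed: the Zeek TSV excerpts are constructed (made-up hosts, addresses and timestamps, fewer columns than real logs), the parser only understands Zeek's default tab separator, "," set separator and "-" unset marker, and mfo() merely mimics the most-frequent-first ordering of the real mfo command.

```python
"""Added example (not part of THT): host-name/IP pairs from Zeek dns, ssl and
http logs, plus a per-IP service breakdown from the conn log.
All sample data below is constructed; layouts follow Zeek's TSV format with the
default tab separator, "," set separator and "-" unset marker."""
import ipaddress
from collections import Counter

SET_SEP, UNSET = ",", "-"
NAME_FIELD = {"ssl": "server_name", "http": "host"}  # article's field mapping
# RFC 1918 ranges, used instead of ipaddress.is_private, which would also flag
# the documentation range 203.0.113.0/24 used in the samples as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed excerpts (real logs carry many more columns).
DNS_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name\tanswers
1600000001.1\t10.0.0.5\t10.0.0.2\tcdn.example-one.test\tA\t203.0.113.10,203.0.113.11
1600000002.2\t10.0.0.5\t10.0.0.2\tcdn.example-one.test\tA\t203.0.113.10
1600000003.3\t10.0.0.5\t10.0.0.2\t10.113.0.203.in-addr.arpa\tPTR\tcdn.example-one.test
1600000004.4\t10.0.0.6\t10.0.0.2\twww.example-two.test\tA\tcdn.example-one.test,203.0.113.10
1600000005.5\t10.0.0.6\t10.0.0.2\tnope.example-two.test\tA\t-
"""
SSL_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tserver_name
1600000006.6\t10.0.0.5\t203.0.113.10\tcdn.example-one.test
1600000007.7\t10.0.0.6\t203.0.113.10\t-
"""
CONN_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1600000010.0\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl
1600000011.0\t10.0.0.6\t51001\t203.0.113.10\t443\ttcp\tssl
1600000012.0\t10.0.0.5\t51002\t203.0.113.10\t80\ttcp\thttp
1600000013.0\t10.0.0.5\t51003\t203.0.113.10\t123\tudp\tntp
1600000014.0\t10.0.0.5\t51004\t10.0.0.2\t53\tudp\tdns
1600000015.0\t203.0.113.10\t40000\t10.0.0.5\t22\ttcp\tssh
"""


def parse_zeek_tsv(text):
    """Rows as dicts keyed by the #fields header; other '#' lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def ptr_to_ip(query):
    """'10.113.0.203.in-addr.arpa' -> '203.0.113.10' (IPv4 PTR names only)."""
    suffix = ".in-addr.arpa"
    octets = query[:-len(suffix)].split(".") if query.endswith(suffix) else []
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def name_ip_pairs(log, rows):
    """Yield (host name, IP) pairs from a dns, ssl or http log."""
    if log not in ("dns", *NAME_FIELD):
        raise ValueError(f"unsupported log: {log}")
    for r in rows:
        if log in NAME_FIELD:                  # ssl/http: name field + id.resp_h
            if r[NAME_FIELD[log]] != UNSET:
                yield (r[NAME_FIELD[log]], r["id.resp_h"])
            continue
        if r["answers"] == UNSET:              # dns with no answers
            continue
        answers = r["answers"].split(SET_SEP)
        if r["qtype_name"] == "PTR":           # reverse lookup: IP is in the query
            ip = ptr_to_ip(r["query"])
            for name in (answers if ip else []):
                yield (name, ip)
        else:                                  # forward lookup: IPs in answers;
            for a in answers:                  # CNAME targets are skipped
                if is_ip(a):
                    yield (r["query"], a)


def mfo(items):
    """Most-frequent-order: (count, item) tuples, highest count first."""
    return sorted(((n, i) for i, n in Counter(items).items()), key=lambda t: (-t[0], t[1]))


def services(conn_rows, ip):
    """Most frequent (id.resp_h, id.resp_p, proto, service) tuples where ip
    is the responder, i.e. the side receiving the connection."""
    return mfo((r["id.resp_h"], r["id.resp_p"], r["proto"], r["service"])
               for r in conn_rows if r["id.resp_h"] == ip)


def direction(conn_rows):
    """Count east-west (both ends RFC 1918) vs north-south connections."""
    def private(ip):
        return any(ipaddress.ip_address(ip) in n for n in RFC1918)
    c = Counter()
    for r in conn_rows:
        both = private(r["id.orig_h"]) and private(r["id.resp_h"])
        c["east-west" if both else "north-south"] += 1
    return c


if __name__ == "__main__":
    for log, text in (("dns", DNS_LOG), ("ssl", SSL_LOG)):
        for n, (name, ip) in mfo(name_ip_pairs(log, parse_zeek_tsv(text))):
            print(log, n, name, ip)
    for n, row in services(parse_zeek_tsv(CONN_LOG), "203.0.113.10"):
        print(n, *row)
    print(dict(direction(parse_zeek_tsv(CONN_LOG))))
```

Run it as a script to see the three listings; on the constructed data the dns listing puts cdn.example-one.test / 203.0.113.10 on top with a count of 3 because the A records and the PTR lookup agree, and the conn breakdown shows 203.0.113.10 answering on 443/tcp (ssl), 80/tcp (http) and 123/udp (ntp), the same sort of mixed profile the article warns about.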

The services running can provide insight into the purpose of the server, as well as providing a sniff test. While investigating a network time protocol (NTP) server, I discovered the same IP address was hosting WordPress and a Minecraft server as well. This didn't exactly inspire confidence.

More often than not, I will use the conn-summary command to provide an overview for a system (or pair of systems). It's a little bit like looking at the system's résumé.

filter --conn $IP | conn-summary

conn-summary will display a breakdown of traffic between private and public IP ranges (so-called north-south traffic). The --all flag will summarize all connections, including traffic only between private IP addresses (east-west traffic).

You can visit ethack.github.io/tht/ and search “conn-summary” to read more about the conn-summary output format.

Where Are You From?

Where a person was born, to some extent, sheds light on what life was like for them growing up. In this case, we're going to find out which organization owns the IP address. This can tell us whether the IP belongs to a private ISP, a big-name CDN, or a particular organization.

whois $IP

asn $IP

echo $IP | whois-bulk

whois and asn both take a single IP address or domain for an argument. You can pipe a long list of IP addresses to whois-bulk to get a quick summary table.

Do you come here often?

This might be more of a pick-up line than small talk, but it sure is useful to know whether a system has been seen numerous times in the past or if the current behavior is an anomaly. The easiest way to see a trend over time is with a graph. This command will show the number of SSL connections made per day. Empty days are hidden in this case.

filter --ssl $DOMAIN | chop ts | ts2 | freq | plot-bar

You can use the same formula in any log that contains a timestamp field.
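As an added example (my own code, not THT's ts2, freq or plot-bar), here is the per-day counting that pipeline performs, written out in Python so the two behaviours the text mentions are explicit: by default days with no records are hidden, and an optional flag fills them in with zeros so a gap in a system's history is visible rather than silently dropped. The ts values are constructed Zeek epoch timestamps, and the example assumes UTC calendar days as the bucket.

```python
"""Added example (not part of THT): bucket Zeek ts values by UTC day and draw a
text bar chart, hiding or filling empty days. Sample timestamps are constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed ts values (Zeek epoch seconds): 2 on 2020-09-13, 1 on 09-14, 3 on 09-17.
SAMPLE_TS = [1600000000.1, 1600000050.2, 1600100000.3, 1600350000.4, 1600350001.5, 1600350002.6]


def per_day(ts_values, fill_empty=False):
    """Count records per UTC calendar day, oldest day first.
    With fill_empty=True, days inside the range with no records show as 0."""
    counts = Counter(datetime.fromtimestamp(float(t), tz=timezone.utc).date() for t in ts_values)
    if not counts:
        return {}
    if fill_empty:
        day, last = min(counts), max(counts)
        while day <= last:
            counts.setdefault(day, 0)
            day += timedelta(days=1)
    return {d.isoformat(): counts[d] for d in sorted(counts)}


def plot_bar(counts, width=40):
    """One line per day: date, count and a bar scaled to the busiest day."""
    peak = max(counts.values(), default=0) or 1
    return "\n".join(f"{d} {n:5d} {'#' * (n * width // peak)}" for d, n in counts.items())


if __name__ == "__main__":
    print("empty days hidden:")
    print(plot_bar(per_day(SAMPLE_TS)))
    print("empty days filled:")
    print(plot_bar(per_day(SAMPLE_TS, fill_empty=True)))
```

Feed per_day() the ts column of any log (the http or conn log works just as well as ssl) to get the same trend view; the filled variant is the one to use when the question is "did this host go quiet for a while?", since a hidden gap and a steady stream look identical in the default output.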

Conclusion

Just like with people, as you learn more about a system, you start to develop a first impression. This impression can be good or bad, trustworthy or untrustworthy. With threat hunting, this can lead you further down the investigation path or help you decide to move on to other investigations.

You can find more information at the THT project's homepage:

github.com/ethack/tht/
