Full Report
Logan Lembke // Here at BHIS, we ♥ Bro IDS. Imagine… Bro IDS Everywhere! If you haven't encountered Bro IDS before, check out this webcast on John's YouTube channel discussing the need for Bro […] The post Let's Go Hunting! How to Hunt Command & Control Channels Using Bro IDS and RITA appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: Bro IDS / Zeek (Implied)
## Overview
Bro IDS (now Zeek) is a powerful network security monitoring tool that analyzes network traffic (live or from PCAP files) to generate detailed logs about connections, DNS requests, application-layer data, and more. It is used by blue teams for threat detection and analysis, especially in environments where traditional endpoint security may be bypassed.
## Technical Details
- Type: Tool / Framework (Network Monitoring)
- Platform: UNIX-like operating systems (Linux, Mac OS, BSD)
- Capabilities: Real-time or offline packet capture analysis, generation of detailed logs (conn.log, dns.log), ability to analyze traffic patterns indicative of C2 activity (e.g., long-running UDP sessions).
- First Seen: Not specified in the text, but Bro/Zeek has been around for a significant time.
## MITRE ATT&CK Mapping
The section focuses on how Bro IDS *detects* attacker activity, not the activity itself. The detected activities primarily map to Command and Control.
- T1071 - Application Layer Protocol
- T1071.004 - DNS Protocol
- T1071.001 - Web Protocols
## Functionality
### Core Capabilities
- Packet capture analysis from raw PCAP files.
- Logging of connection information (TCP, UDP, ICMP) in `conn.log`.
- Detailed logging of DNS queries in `dns.log`.
- Identification of long-running "sessions" or flows, even over protocols like UDP.
### Advanced Features
- Ability to analyze traffic patterns indicative of C2 frameworks like Dnscat2, Powershell Empire, and Meterpreter.
- Flexibility in configuration (e.g., defining local networks using `Site::local_nets`).
- Automation via scripts (e.g., installation scripts are mentioned).
## Indicators of Compromise
The text does not list specific IOCs for Bro IDS itself, but rather uses traffic generated by specific malware samples analyzed *by* Bro IDS:
- File Hashes: N/A
- File Names: `dnscat2.pcap.gz`, `ps-empire.pcap.gz`, `meterpreter.pcap.gz`
- Registry Keys: N/A
- Network Indicators:
  - Infected Host: `10.200.201.29` (example internal IP)
  - C2 Server (Dnscat2 example): associated with the domain `sirknightthe.chickenkiller[.]com`
  - C2 Server (Meterpreter example): `18.220.208.40` (defanged approximation of the mentioned IP)
- Behavioral Indicators:
  - Long-running UDP sessions over port 53 (DNS) indicating DNS tunneling (Dnscat2).
  - High volume of DNS queries to subdomains of a single domain (Dnscat2).
  - Regular beaconing activity at consistent intervals (e.g., 5-second intervals for Meterpreter).
## Associated Threat Actors
The article uses traffic generated by various C2 frameworks, which are associated with numerous threat actor groups, including:
- Groups using **Dnscat2** (used to bypass Cylance).
- Users of **Powershell Empire**.
- Users of **Meterpreter**.
## Detection Methods
- Log review of `conn.log` for unusually long connections on non-typical protocols (e.g., UDP connections lasting hours).
- Log review of `dns.log` for high volumes of queries resolving to unique subdomains of a single parent domain (DNS tunneling/exfiltration).
- Monitoring beacon timing and frequency in connection logs.
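As an added example (not code from the BHIS post, nor from Bro/Zeek or RITA), the script below reads Zeek-format `conn.log` and `dns.log` text and applies the three detection methods above: long UDP/53 flows, fan-out of unique subdomains under one parent domain, and connection timing whose interval jitter is small enough to look like a beacon. The log excerpts are constructed and trimmed to the columns used; the thresholds (one hour, five unique subdomains, five connections, 5% jitter) and the "last two labels" notion of a parent domain are illustrative assumptions, not values from the post.

```python
"""Three C2-hunting heuristics over Zeek/Bro ASCII logs (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed conn.log excerpt (columns reduced to the ones used). One
# UDP/53 flow runs for two hours, 192.0.2.10:4444 is contacted every ~5 s,
# and 198.51.100.7:443 is contacted at irregular, human-looking gaps.
CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval
1500000000.000\tC1\t10.200.201.29\t51000\t203.0.113.53\t53\tudp\t7215.400
1500000000.500\tC2\t10.200.201.29\t51001\t198.51.100.7\t443\ttcp\t1.250
1500000010.000\tC3\t10.200.201.29\t51002\t192.0.2.10\t4444\ttcp\t0.100
1500000015.010\tC4\t10.200.201.29\t51003\t192.0.2.10\t4444\ttcp\t0.100
1500000020.000\tC5\t10.200.201.29\t51004\t192.0.2.10\t4444\ttcp\t0.090
1500000025.020\tC6\t10.200.201.29\t51005\t192.0.2.10\t4444\ttcp\t0.110
1500000029.990\tC7\t10.200.201.29\t51006\t192.0.2.10\t4444\ttcp\t0.100
1500000035.000\tC8\t10.200.201.29\t51007\t192.0.2.10\t4444\ttcp\t0.100
1500000040.000\tC9\t10.200.201.29\t51008\t198.51.100.7\t443\ttcp\t0.300
1500000500.000\tCA\t10.200.201.29\t51009\t198.51.100.7\t443\ttcp\t-
1500003000.000\tCB\t10.200.201.29\t51010\t198.51.100.7\t443\ttcp\t0.300
1500003600.000\tCC\t10.200.201.29\t51011\t198.51.100.7\t443\ttcp\t0.300
#close\t2017-07-14-02-40-00
"""

# Constructed dns.log excerpt: many unique labels under example.net (the
# tunnel-like pattern) next to a few ordinary lookups under example.com.
DNS_LOG = """\
#fields\tts\tid.orig_h\tquery\tqtype_name
1500000000.100\t10.200.201.29\tc1a9f0.example.net\tTXT
1500000000.600\t10.200.201.29\t7e02bd.example.net\tTXT
1500000001.100\t10.200.201.29\t40f6c3.example.net\tTXT
1500000001.600\t10.200.201.29\td118aa.example.net\tTXT
1500000002.100\t10.200.201.29\t9b5e07.example.net\tTXT
1500000002.600\t10.200.201.29\t9b5e07.example.net\tTXT
1500000003.100\t10.200.201.29\t2c7d41.example.net\tTXT
1500000004.000\t10.200.201.29\twww.example.com\tA
1500000005.000\t10.200.201.29\tmail.example.com\tA
1500000006.000\t10.200.201.29\texample.com\tA
"""


def parse_zeek(text):
    """Parse Zeek ASCII log text into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def long_dns_udp_flows(conn, min_seconds=3600.0):
    """UDP flows to port 53 lasting at least min_seconds (assumed threshold)."""
    return [(r["id.orig_h"], r["id.resp_h"], float(r["duration"]))
            for r in conn
            if r["proto"] == "udp" and r["id.resp_p"] == "53"
            and r["duration"] != "-"  # Zeek writes "-" for an unset field
            and float(r["duration"]) >= min_seconds]


def dns_fanout(dns, min_unique=5):
    """Parent domains with at least min_unique distinct subdomain queries.
    Parent = last two labels, a simplification (no public-suffix handling)."""
    by_parent = defaultdict(set)
    for r in dns:
        q = r["query"].rstrip(".").lower()
        labels = q.split(".")
        if len(labels) < 3:
            continue  # a bare parent-domain lookup is not a subdomain
        by_parent[".".join(labels[-2:])].add(q)
    return {p: len(s) for p, s in by_parent.items() if len(s) >= min_unique}


def beacon_candidates(conn, min_conns=5, max_cv=0.05):
    """(orig, resp, port) tuples whose connection gaps are nearly constant.
    Jitter is measured as the coefficient of variation of the gaps."""
    by_pair = defaultdict(list)
    for r in conn:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append((pair, round(avg, 2), round(cv, 4)))
    return hits


if __name__ == "__main__":
    conn, dns = parse_zeek(CONN_LOG), parse_zeek(DNS_LOG)
    print("long UDP/53 flows:", long_dns_udp_flows(conn))
    print("subdomain fan-out:", dns_fanout(dns))
    print("beacon candidates:", beacon_candidates(conn))
```

Because `parse_zeek` takes its column names from the `#fields` header, the same functions run unchanged on a full Zeek `conn.log` or `dns.log`, which carry many more columns than the excerpts here. On a real sensor the thresholds need tuning: a single resolver doing one long UDP flow is common, and the subdomain heuristic will also fire on CDN and telemetry domains until those are baselined out.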
## Mitigation Strategies
- Ensure network taps are in place to feed traffic to Bro IDS sensors.
- Implement filtering/tuning of Bro to manage the high volume of generated data.
- Manual or automated (e.g., RITA) analysis must be performed on Bro logs to extract actionable intelligence.
- Consider using RITA (mentioned as an assistant tool) to automate analysis components like blacklist checks and connection analysis.
## Related Tools/Techniques
- **RITA (Bro/Zeek Analysis Assistant)**: Mentioned as a tool to automate the analysis of large Bro log files.
- **Dnscat2**: A C2 tool utilizing DNS for command and control, whose traffic is analyzed by Bro.
- **Powershell Empire**: A C2 framework whose HTTPS traffic can be monitored by Bro.
- **Meterpreter**: A C2 framework whose TCP traffic can be monitored by Bro.