Some notes I've used to identify suspicious activity when searching through packet captures.
Of course, basic hunting should include looking at ports and strange host/IP addresses. Beyond those basic locations, we can look at the individual protocols. Within packet captures there are certain protocol behaviours that automatically flag traffic as suspicious:
ARP
Suspicious ARP Behavior:
- Large number of ARP broadcast messages in a short amount of time
- Duplicate MAC/IP address mappings
- ARP replies without a request
ICMP
Suspicious ICMP Behavior:
- Large ICMP packets
- Unusual types/codes in ICMP packets, particularly when followed by a request
TCP
Suspicious TCP Behavior:
- Large numbers of SYN packets with no SYN-ACK reply
- Any Three-Way Handshake that isn’t completed
- Sequence and Acknowledgement numbers that do not match
- A single host connecting to many ports, or a single host connecting to many nodes
DHCP
Suspicious DHCP Behavior:
- Not using ports 67 and 68
- DHCP session that doesn't follow the expected Discover > Offer > Request > Acknowledge (DORA) sequence
DNS
Suspicious DNS Behavior:
- Not using port 53
- Traffic on port 53 that is not using UDP
- DNS traffic to hosts other than known DNS servers
- DNS responses with no queries
- Excessive DNS responses/queries
HTTP
Suspicious HTTP Behavior:
- Any traffic on port 80 should be investigated
- Strange user agents
- Encrypted traffic
- Web Server that is not in FQDN format
HTTPS
Suspicious HTTPS Behavior:
- Strange user agents
- Unencrypted traffic
- SSL Details are blank or contain strange information
- Web Server that is not in FQDN format
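As an added example (not part of the original notes), here is a small stdlib-only hunt that applies several of the heuristics above to packet summaries: ARP replies nobody asked for, SYNs that never get a SYN-ACK, one host touching many ports, and DNS that is not UDP/53. The packet records and the field names (`proto`, `src`, `dst`, `dport`, `flags`, `op`, `transport`) are constructed for this example; in practice they would be produced by something like `tshark -T fields` or a Zeek log.

```python
from collections import defaultdict

# Constructed sample traffic: 192.168.1.50 SYNs 15 ports with no answer (scan),
# 10.0.0.7 sends an unsolicited ARP reply, and 192.168.1.60 does DNS over TCP.
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.50", "dst": "192.168.1.10", "dport": p, "flags": "S"}
    for p in range(20, 35)
] + [
    {"proto": "tcp", "src": "192.168.1.20", "dst": "192.168.1.10", "dport": 443, "flags": "S"},
    {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.1.20", "dport": 51000, "flags": "SA"},
    {"proto": "arp", "op": "reply", "src": "10.0.0.7", "dst": "10.0.0.1"},
    {"proto": "arp", "op": "request", "src": "10.0.0.2", "dst": "10.0.0.1"},
    {"proto": "arp", "op": "reply", "src": "10.0.0.1", "dst": "10.0.0.2"},
    {"proto": "dns", "src": "192.168.1.60", "dst": "8.8.8.8", "transport": "tcp", "dport": 53},
    {"proto": "dns", "src": "192.168.1.20", "dst": "8.8.8.8", "transport": "udp", "dport": 53},
]


def hunt(packets, scan_threshold=10):
    """Return a sorted list of (rule, host) findings based on the heuristics in the notes."""
    findings = []
    syn_sent = defaultdict(set)     # client -> servers it sent a SYN to
    synack_from = defaultdict(set)  # client -> servers that answered with SYN-ACK
    ports_hit = defaultdict(set)    # client -> distinct destination ports touched
    arp_asked = set()               # (requester, target) pairs seen in ARP requests
    for p in packets:
        if p["proto"] == "tcp":
            if p["flags"] == "S":
                syn_sent[p["src"]].add(p["dst"])
                ports_hit[p["src"]].add(p["dport"])
            elif p["flags"] == "SA":
                synack_from[p["dst"]].add(p["src"])
        elif p["proto"] == "arp":
            if p["op"] == "request":
                arp_asked.add((p["src"], p["dst"]))
            elif (p["dst"], p["src"]) not in arp_asked:  # reply with no matching request
                findings.append(("arp_reply_without_request", p["src"]))
        elif p["proto"] == "dns":
            if p["dport"] != 53:
                findings.append(("dns_not_port_53", p["src"]))
            if p["transport"] != "udp":
                findings.append(("dns_not_udp", p["src"]))
    for client, servers in syn_sent.items():
        if servers - synack_from[client]:  # at least one SYN never got a SYN-ACK
            findings.append(("syn_without_synack", client))
        if len(ports_hit[client]) >= scan_threshold:
            findings.append(("single_host_many_ports", client))
    return sorted(set(findings))


if __name__ == "__main__":
    for rule, host in hunt(PACKETS):
        print(f"{rule}: {host}")
```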