Hunting exfils

While hunting for exfil, you can use the source bytes field from Netflows and narrow down to a list of destination ips. Now you want to understand what these ips are. So just put all ips into a txt file and go through all ips performing reverse DNS lookups, using the following shell script:

while read p; do dig -x $p ; done < exfil_ips.txt | grep -i "ANSWER SECTION" -A2 | more

Another good subsequent hunt step would be to direct all the resolved domains to a text file and then recursively do whois lookups on the resolved domains and try to get other info like registrars, contact emails, date of registration etc. 

Comments

Popular Posts