hunting-for-unusual-network-connections

Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard ports, and anomalous connection frequencies from endpoints.

By xalgord. Updated 6/6/2026.

```yaml
name: hunting-for-unusual-network-connections
description: Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard ports, and anomalous connection frequencies from endpoints.
domain: cybersecurity
subdomain: threat-hunting
tags:
  - threat-hunting
  - mitre-attack
  - network-analysis
  - c2
  - anomaly-detection
  - proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
  - File Metadata Consistency Validation
  - Certificate Analysis
  - Application Protocol Command Analysis
  - Content Format Conversion
  - File Content Analysis
nist_csf:
  - DE.CM-01
  - DE.AE-02
  - DE.AE-07
  - ID.RA-05
```

Hunting For Unusual Network Connections

When to Use

  • When proactively hunting for indicators of unusual network connections in the environment
  • After threat intelligence indicates active campaigns using these techniques
  • During incident response to scope compromise related to these techniques
  • When EDR or SIEM alerts trigger on related indicators
  • During periodic security assessments and purple team exercises

Detection Gaps & Validation

  • Beaconing blends in: low-and-slow C2 with jitter, domain-fronting (SNI/Host mismatch), and HTTPS-on-443 evade port-based rules — JA3/JA3S hashing and rare-destination scoring beat them; non-standard port (T1571) is only the loudest variant.
  • DNS tunneling (T1071.004): needs query-length/entropy analysis and high TXT/NXDOMAIN volume — connection logs alone won't show it.
  • Telemetry sampling: Sysmon EID 3 (NetworkConnect) is often throttled or disabled for performance, so short-lived connections are missed — pair with firewall/Zeek conn logs for ground truth.
  • Lost attribution: when C2 runs inside an injected/legit process (svchost.exe), EID 3 names the wrong owner — correlate with EID 1/EID 8 to find the real source.
  • Validate: simulate beaconing (benign curl loop or a C2 emulator) to a rare host; confirm EID 3 + proxy logs both capture it.
  • FP tuning: baseline cloud/CDN/telemetry and software-update destinations per process, not per host.
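As an added illustration of the rare-destination scoring and jitter-tolerant beacon detection described above (example code written for this page, not part of the original skill), the snippet below scores constructed Sysmon Event ID 3-style records per process, as the FP-tuning point recommends. The sample events, the per-process baseline and the thresholds (minimum host count, maximum coefficient of variation) are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime
SVC = r"C:\Windows\System32\svchost.exe"
CHR = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed records shaped like Sysmon Event ID 3 fields (UtcTime, Computer,
# Image, DestinationIp, DestinationPort); sample data, not real telemetry.
SAMPLE_EVENTS = [
    ("2026-06-01 10:00:00", "WS01", SVC, "203.0.113.10", 8443),
    ("2026-06-01 10:01:03", "WS01", SVC, "203.0.113.10", 8443),
    ("2026-06-01 10:01:58", "WS01", SVC, "203.0.113.10", 8443),
    ("2026-06-01 10:03:05", "WS01", SVC, "203.0.113.10", 8443),
    ("2026-06-01 10:04:01", "WS01", SVC, "203.0.113.10", 8443),
    ("2026-06-01 10:04:57", "WS01", SVC, "203.0.113.10", 8443),
    ("2026-06-01 10:00:10", "WS01", CHR, "198.51.100.5", 443),
    ("2026-06-01 10:00:41", "WS01", CHR, "198.51.100.5", 443),
    ("2026-06-01 10:09:55", "WS01", CHR, "198.51.100.5", 443),
    ("2026-06-01 10:05:40", "WS02", CHR, "198.51.100.5", 443),
]
# Assumed per-process baseline of known-good destinations from a clean period.
BASELINE = {"chrome.exe": {"198.51.100.5"}}

def beacon_stats(timestamps, min_gaps=4):
    """Return (mean gap, coefficient of variation); a low CV means regular timing despite jitter."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_gaps:
        return None
    mean = statistics.mean(gaps)
    return (mean, statistics.pstdev(gaps) / mean) if mean else None

def hunt(events, baseline, min_hosts=2, max_cv=0.25):
    """Flag per-process destinations that are rare across hosts or show beacon-like timing."""
    series = defaultdict(list)   # (host, process, ip, port) -> connection times
    seen_on = defaultdict(set)   # (process, ip) -> hosts that contacted it
    for utc, host, image, ip, port in events:
        proc = image.rsplit("\\", 1)[-1].lower()
        series[(host, proc, ip, port)].append(datetime.strptime(utc, "%Y-%m-%d %H:%M:%S"))
        seen_on[(proc, ip)].add(host)
    findings = []
    for (host, proc, ip, port), times in series.items():
        # Rare = few hosts use this destination for this process and it is not baselined.
        rare = len(seen_on[(proc, ip)]) < min_hosts and ip not in baseline.get(proc, set())
        stats = beacon_stats(times)
        beaconing = stats is not None and stats[1] <= max_cv
        if rare or beaconing:
            findings.append({"host": host, "process": proc, "dest": f"{ip}:{port}", "rare_destination": rare,
                             "beaconing": beaconing, "mean_interval_s": round(stats[0], 1) if stats else None})
    return findings
```

Only the svchost.exe series is flagged: it is seen from a single host, is not in the baseline, and its roughly 60-second cadence with jitter still has a low coefficient of variation, while the baselined chrome.exe traffic seen on two hosts is not.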

Prerequisites

  • EDR platform with process and network telemetry (CrowdStrike, MDE, SentinelOne)
  • SIEM with relevant log data ingested (Splunk, Elastic, Sentinel)
  • Sysmon deployed with comprehensive configuration
  • Windows Security Event Log forwarding enabled
  • Threat intelligence feeds for IOC correlation

Workflow

  1. Formulate Hypothesis: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis.
  2. Identify Data Sources: Determine which logs and telemetry are needed to validate or refute the hypothesis.
  3. Execute Queries: Run detection queries against SIEM and EDR platforms to collect relevant events.
  4. Analyze Results: Examine query results for anomalies, correlating across multiple data sources.
  5. Validate Findings: Distinguish true positives from false positives through contextual analysis.
  6. Correlate Activity: Link findings to broader attack chains and threat actor TTPs.
  7. Document and Report: Record findings, update detection rules, and recommend response actions.

Key Concepts

| ATT&CK ID | Technique |
| --- | --- |
| T1071 | Application Layer Protocol |
| T1095 | Non-Application Layer Protocol |
| T1571 | Non-Standard Port |

Tools & Systems

| Tool | Purpose |
| --- | --- |
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timeline |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |

Common Scenarios

  1. Backdoor communicating to C2 on a non-standard port
  2. Data exfiltration over DNS to an attacker-controlled nameserver
  3. Compromised host scanning the internal network
  4. Cryptominer connecting to a mining pool

Output Format

Hunt ID: TH-HUNTIN-[DATE]-[SEQ]
Technique: T1071
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]

Install via CLI

npx skills add https://github.com/xalgord/xalgorix --skill hunting-for-unusual-network-connections

Repository Details

Stars: 618
Forks: 109
Branch: main
Path: SKILL.md