Once an attacker gains access to a machine, the timer starts ticking for the defender to notice their activity and kick them off the system. This could be done by terminating a network connection or changing the password on a compromised account. Because of this, threat actors are always trying to find ways to persist in an environment, in other words leaving a backdoor unlocked to let themselves back in. An easy way to do this is to create a new account on a machine to log back into at a later time.
While I’ve been in the industry for a while, I’ve never had the opportunity to work in an environment where commands were monitored or recorded for analysis. For most of my red team exposure, I have been focused on gaining initial access using hacking tools (nmap, mimikatz, metasploit, etc.) rather than persisting in an environment.
As a result of this background, there’s a bit of a gap in my knowledge around which native applications attackers use to live off the land and persist inside environments.
This post assumes that you have a solid understanding of tcpdump bit-masking; if you need a refresher, you can check out my other post: tcpdump Bit-Masking (with Sticky-Notes!)
WHY SAMPLE PACKETS INSTEAD OF FULL PACKET CAPTURE?
If you are on a busy network and want to get a feel for what is running on that network, dumping 100% of packets will create a cumbersome file very quickly. You may find yourself having to use tiny capture windows to keep the size down, which may not give you a complete view of the types of activity on the network if they happen outside of that small time frame.
Of all the topics I have taught to new analysts coming into the SOC, bit-masking was continually the most difficult one for me to articulate. For the longest time I tried to teach bit-masks to students by explaining them logically using math and XOR. Reframing bit-masks as a collection of tiny sticky notes provided a much needed bridge to help students mentally tie this concept to something tangible.
TCP FLAG PRIMER
While tcpdump bit-masking can be used on any byte/nibble, it is often used to isolate combinations of TCP flags, so that is the example we will use here.