Identifying Malicious Traffic
Network forensics helps identify various attack patterns:
Command and Control (C2) Detection:
- Regular beaconing intervals
- Unusual port usage
- Encrypted traffic to suspicious IPs
- DNS queries with high entropy
- Non-standard protocols
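Two of the C2 indicators above, regular beaconing intervals and high-entropy DNS labels, can be scored directly from connection records. The following is an added example written for this page, not code from the original; the log records are constructed, and the thresholds (coefficient of variation of 0.2, entropy of 3.0 bits) are assumed starting points that an analyst would tune per environment.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample connection log, not a real capture:
# (timestamp_sec, src_ip, dst_ip, dst_port, dns_query or None)
SAMPLE_LOG = [
    (0, "10.0.0.5", "203.0.113.9", 8443, None),     # every ~60 s: beacon-like
    (60, "10.0.0.5", "203.0.113.9", 8443, None),
    (121, "10.0.0.5", "203.0.113.9", 8443, None),
    (180, "10.0.0.5", "203.0.113.9", 8443, None),
    (241, "10.0.0.5", "203.0.113.9", 8443, None),
    (5, "10.0.0.7", "198.51.100.2", 443, None),     # irregular: ordinary browsing
    (340, "10.0.0.7", "198.51.100.2", 443, None),
    (355, "10.0.0.7", "198.51.100.2", 443, None),
    (900, "10.0.0.7", "198.51.100.2", 443, None),
    (10, "10.0.0.5", "10.0.0.53", 53, "x7f3q9z2k8w1.example.net"),  # random-looking label
    (70, "10.0.0.5", "10.0.0.53", 53, "mail.example.net"),
]

def shannon_entropy(s):
    """Bits per character; roughly 1-2 for dictionary words, above 3 for random-looking labels."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def beacon_candidates(log, min_events=4, max_cv=0.2):
    """Flag (src, dst, port) flows whose inter-arrival gaps are very regular.
    Regularity = coefficient of variation (stdev/mean) of the gaps; low means periodic."""
    times = defaultdict(list)
    for ts, src, dst, port, _ in log:
        times[(src, dst, port)].append(ts)
    flagged = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_events:          # too few events to judge periodicity
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            flagged[key] = round(pstdev(gaps) / mean(gaps), 3)
    return flagged

def high_entropy_queries(log, threshold=3.0):
    """Return DNS names whose leftmost label looks machine-generated (high entropy)."""
    return [q for *_, q in log if q and shannon_entropy(q.split(".")[0]) > threshold]

if __name__ == "__main__":
    print("beacon candidates:", beacon_candidates(SAMPLE_LOG))
    print("high-entropy DNS:", high_entropy_queries(SAMPLE_LOG))
```

Real beacons often add jitter, so in practice the interval check is combined with the other indicators listed above (destination reputation, port, protocol) rather than used alone.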
Data Exfiltration Patterns:
- Large outbound transfers
- Unusual destination countries
- Off-hours activity
- Encrypted archives
- DNS tunneling
Lateral Movement Indicators:
- SMB/RDP between workstations
- Service account usage
- Pass-the-hash artifacts
- PowerShell remoting
- WMI activity