2016-03-17 08:59 PM
Hi, I have a question.
Sometimes when a computer is infected by malware, it will send the PC's information to a C2 server via the POST method.
I wonder what they send to the C2. But when I capture the PCAP with SA, most of them were sent by the POST method.
Is there any way to check what they send using SA?
2016-03-19 12:01 PM
Hello, as you can see that it is a POST method, it sounds as if the traffic is not encrypted.
I would make sure that you are subscribed to the RSA FirstWatch Feeds, as they are designed to help detect this sort of traffic.
If you can see the traffic, then meta can be generated that will enable detection. In 10.6 there is a new Automated Threat Detection Model that runs on the ESA that would assist with identifying these threats (see https://sadocs.emc.com/0_en-us/088_SA106/50_Alrt/66_C2Thrt/01_ConfTD).
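The answer's point is that a cleartext POST can be read directly from the capture. As an added illustration (not code from either poster or from RSA Security Analytics), the script below parses one HTTP POST as it would appear in a reassembled TCP stream exported from a PCAP, honours Content-Length, flags a truncated capture, and decodes a form-encoded body into the fields the client sent; the request bytes, host names and field names are constructed for the example.

```python
# Added example: inspect what a cleartext beacon POST carries.
# The request below is constructed; it is not from a real capture.
from urllib.parse import parse_qs

SAMPLE_POST = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 45\r\n"
    b"\r\n"
    b"host=WS-042&user=alice&os=Windows+7&id=1a2b3c"
)


def parse_http_post(raw: bytes) -> dict:
    """Split one HTTP request into request line, headers and body.

    Content-Length decides where the body ends, so bytes of a following
    request in the same stream are ignored. If the stream ends before the
    declared length, the partial body is returned with truncated=True.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not present in captured data")
    lines = head.split(b"\r\n")
    method, path, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    body = rest[:length]
    return {
        "method": method, "path": path, "version": version,
        "headers": headers, "body": body,
        "truncated": len(body) < length,
    }


def decode_body(req: dict) -> dict:
    """Decode a form-encoded body into name -> value; other types stay raw."""
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
        return {name: values[0] for name, values in fields.items()}
    return {"raw": req["body"]}


if __name__ == "__main__":
    request = parse_http_post(SAMPLE_POST)
    print(request["method"], request["path"], "->", request["headers"].get("host"))
    for name, value in decode_body(request).items():
        print(f"  {name} = {value}")
```

For a multi-request stream, call parse_http_post on the bytes that follow each parsed body to walk the next request.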