All,
I am currently analyzing emails with NetWitness, one indicator I typically see used in spear phishing incidents is the use of logging in with a different IP than the sending mail server. I am noticing this behavior mostly with yahoo. Is there a way in NetWitness to create a search to pull up all network related sessions in this way? I am not seeing this as a searchable piece of meta data. I created a regex to try to search with no luck.
Thanks
It's difficult to qualify why your regex isn't working without seeing the session data and the regex, but in the end that's likely not the most efficient way to do it anyway. If you have a group of IPs that you've identified associated with this behavior, you could simply build a feed with those IPs, and then match on any login events from those IPs. Also, look at the possibility of other unique session elements that might be of use in detecting the activity that you're looking for in the sessions related to these campaigns.
These are fairly generic insights, so if there's any data that you could share we may be able to provide more specific answers.
//Ray
Ray, Thanks for your response. I for sure will take your suggestions. Here is a little excerpt of information I am looking for in the mail header. I am sure the IP's that I am looking for will change all the time. To start testing I took a session PCAP off production and loaded it on my local version of NW. I created a REGEX to look for the IP and came up with nothing. I can also create a feed for these IP's but I need to find them 1st Any other thoughts. Thanks for your help
30nZFZRO7vlJ82UqBOlaWR4bZAymwNu9wCRBMRUDoI1BIYywRxb6glKQ4kFo
SzCYh5g02ac42uqO5V4jONSQTWl.MSfmdpTAS5x5gWRWWsIJFzSoyOyjqWfc
uwyV3NNZscF8sl2xc10L09c0Mp8yOZEW6q4Qd8WFzfVDJY7pjzaaZ3nlzKsP
jjce8MtZFEPuSVtUL3hKsQ3opz9QvrGV4VYLlhPPTuJg9vOZ6zdE1GSTlqWj
UX35Fq2zv6R1vie3X1YUl6iU89LnB_01kv0hRbF1w8wdbxJNeHCSKRBHX2.p
pV7DBj4dH_Px2TQ--
X-Yahoo-SMTP: us59L6iswBAy1xt88nITHIhR3mgr_tcLKA--
Received: from tcwa ([USER]@X.X.X.197 with login)
by smtp191.mail.sg3.yahoo.com with SMTP; 28 Nov 2012 17:31:19 -0800 PST
Message-ID: <DAE2C10057D7A3E7892E200FED62FEA3@tcwa>
br0g,
What you are looking to do is to create a parser to pull and create this meta for you. The original IP address is what you are trying to get, which will be a variable.
A parser to addrtess this will match first on the "X-Yahoo-SMTP:" as a token to begin its work. Next it should look for the Received: at the beginning of a line and then capture the IP in question as the variable token you are looking for.
on Nov 27, 2012
br0g,
What you are looking to do is to create a parser to pull and create this meta for you. The original IP address is what you are trying to get, which will be a variable.
A parser to addrtess this will match first on the "X-Yahoo-SMTP:" as a token to begin its work. Next it should look for the Received: at the beginning of a line and then capture the IP in question as the variable token you are looking for.