
There is a publicly available tool called HTran which is widely used by criminal groups in cyberattacks to exfiltrate data. It simply relays traffic from one host to another, much like a proxy. It is typically used to relay information from an internal network that does not allow internet access, but allows access to the intermediate device.

If someone could do network analysis on both ends of the connection, what kinds of clues would be left in the traffic that would allow someone to detect the anomalous traffic?

john doe

1 Answer

If you are only doing network analysis and not using any IDS systems with signatures, one thing that would be observed is the traffic going between the hosts where that isn’t normal to see. Hosts don’t generally communicate with each other on a large enterprise network; host to server yes, not host to host. So with knowledge of the tool ports and protocols, you can look for traffic going host to host that matches. EDR software and IDS, data collection and analysis (e.g. Splunk) and other tools will give you more to look at.

vol
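The answer's two clues (host-to-host traffic where only host-to-server is expected, and, with visibility on both sides of the intermediate device, an inbound flow that is promptly mirrored by an outbound flow of nearly the same size) can be checked over flow records. The script below is an added example, not code from the question or the answer above; the subnet roles, the five-second pairing window, the ten percent byte tolerance, and the NetFlow-style CSV records are all constructed assumptions for the demonstration.

```python
"""Flag workstation-to-workstation flows and relay-like flow pairs in NetFlow-style records.

Added example for the answer above. Subnets, thresholds and the sample records are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed network roles: workstations live in 10.10.0.0/16, servers in 10.20.0.0/16.
WORKSTATION_NETS = [ip_network("10.10.0.0/16")]
SERVER_NETS = [ip_network("10.20.0.0/16")]

# Constructed flow records (timestamp in seconds, source, destination, dest port, bytes).
# Record 2 is a workstation talking to another workstation; record 3 shows that second
# workstation sending almost the same volume to an external address one second later.
SAMPLE_FLOWS = """ts,src,dst,dport,nbytes
100.0,10.10.1.5,10.20.0.8,443,5200
101.0,10.10.1.5,10.10.1.9,445,3000
102.0,10.10.1.9,203.0.113.7,443,3120
150.0,10.10.2.2,10.20.0.8,80,900
"""


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse CSV flow records into Flow objects."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Flow(float(r["ts"]), r["src"], r["dst"], int(r["dport"]), int(r["nbytes"]))
        for r in reader
    ]


def role(ip: str) -> str:
    """Classify an address as workstation, server or external by assumed subnet."""
    addr = ip_address(ip)
    if any(addr in net for net in WORKSTATION_NETS):
        return "workstation"
    if any(addr in net for net in SERVER_NETS):
        return "server"
    return "external"


def host_to_host_flows(flows: list[Flow]) -> list[Flow]:
    """Clue 1: flows between two workstations, which the answer describes as abnormal."""
    return [f for f in flows if role(f.src) == "workstation" and role(f.dst) == "workstation"]


def relay_candidates(flows: list[Flow], window: float = 5.0, tolerance: float = 0.10):
    """Clue 2: an inbound flow to an internal host followed within `window` seconds by an
    outbound flow from that host, to a third party, carrying roughly the same byte count.
    Returns (inbound, outbound) pairs."""
    ordered = sorted(flows, key=lambda f: f.ts)
    pairs = []
    for inbound in ordered:
        if role(inbound.dst) == "external":
            continue  # only internal hosts can be the intermediate device
        for outbound in ordered:
            if outbound.src != inbound.dst or outbound.dst == inbound.src:
                continue  # must leave the same host, and not just go back where it came from
            if not 0 <= outbound.ts - inbound.ts <= window:
                continue
            if abs(outbound.nbytes - inbound.nbytes) <= tolerance * inbound.nbytes:
                pairs.append((inbound, outbound))
    return pairs


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in host_to_host_flows(flows):
        print(f"host-to-host: {f.src} -> {f.dst}:{f.dport} ({f.nbytes} bytes)")
    for inbound, outbound in relay_candidates(flows):
        print(f"relay-like: {inbound.src} -> {inbound.dst} -> {outbound.dst} "
              f"({inbound.nbytes} in, {outbound.nbytes} out)")
```

On the constructed records the first check flags the single workstation-to-workstation flow, and the second check pairs it with the outbound flow that leaves the second workstation one second later with a byte count within tolerance. On real data the byte tolerance needs to account for whatever framing the relay adds, and the pairing should be restricted to ports the answer mentions knowing for the tool, otherwise ordinary proxies and file servers will produce the same pattern.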