Does anyone know if there is a way to detect traffic outbound from a host, without having to collect PCAP?
I’d like to set up a rule that can detect high volumes of outbound data (ideally to an external IP) from specific hosts (i.e., those that shouldn’t be uploading to the internet).
This is, of course, relatively trivial with Network Detection tools, but I’m keen to know if there was any way to bend LC to be able to do this on the host.
I’ve had a lot of success with the NETWORK_CONNECTIONS event for other detections, but this doesn’t capture anything like byte count.
I have looked at using pktmon counter or Get-NetAdapterStatistics in a scheduled task on a Windows machine. My thought was to write the data to a file and use an LC artifact rule to grab and parse (and then maybe detect). Maybe this could be done in an LC Playbook? This won’t get you destination info, but if you are running a script then getting the net connections should be trivial. All of this is pure theory at this point, with no proof of concept.
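One way to wire up the collection step sketched in that reply, as an added example and not the poster's own script: a PowerShell script meant for a scheduled task that records the host-wide sent-byte delta over a sampling interval together with the established TCP sessions to non-private addresses, as JSON lines that an LC artifact rule could collect. The log path, interval, the private-range list and the IPv4-only filter are assumptions; as the reply notes, the byte count is per host, not per destination.

```powershell
# Added example (not from the thread). Samples adapter counters over an interval
# and logs the delta next to the current external connections. Assumed values:
$LogPath  = 'C:\ProgramData\netstats\outbound.jsonl'   # assumed; point the artifact rule here
$Interval = 60                                          # assumed; seconds between samples

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918, loopback and link-local ranges are treated as internal
    return $Ip -match '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)'
}

function Get-SentBytes {
    # Host-wide total: SentBytes summed across all adapters
    (Get-NetAdapterStatistics | Measure-Object -Property SentBytes -Sum).Sum
}

New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null
$before = Get-SentBytes
Start-Sleep -Seconds $Interval
$after  = Get-SentBytes
# Counters can reset (adapter restart); treat a negative delta as unknown
$delta  = if ($after -ge $before) { $after - $before } else { $null }

# Established TCP sessions whose peer is not an internal IPv4 address
# (IPv6 peers are skipped here to keep the range check simple)
$external = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch ':' -and -not (Test-PrivateIPv4 $_.RemoteAddress) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            remote  = $_.RemoteAddress
            port    = $_.RemotePort
            pid     = $_.OwningProcess
            process = if ($proc) { $proc.ProcessName } else { $null }
        }
    }

$record = [pscustomobject]@{
    ts             = (Get-Date).ToUniversalTime().ToString('o')
    host           = $env:COMPUTERNAME
    interval_s     = $Interval
    sent_bytes     = $delta          # host-wide for the interval, not per destination
    external_conns = @($external)
}
$record | ConvertTo-Json -Compress -Depth 3 | Add-Content -Path $LogPath
```

A detection rule reading these records can then alert when sent_bytes exceeds a per-host baseline while external_conns is non-empty, which narrows the false positives from internal-only transfers but still cannot attribute the bytes to a particular destination.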
Interesting 
I’ll check it out. I think I’ll need destination to weed out all the false positives. I want the ability to detect mass traffic moving to an external IP from something like a file server, but not mass traffic going to another internal system (as that could be normal).