Uncovering Device Activities on Wi-Fi and Hotspot Connections


Nowadays, we understand that our users travel worldwide and frequently connect to Wi-Fi networks, personal hotspots, and other open access points.

Once a device connects to one of these networks, its security depends heavily on the ASN (Autonomous System Number) or the ISP (Internet Service Provider) managing the connection.

At this stage, I identify two main scenarios:

  1. Users can connect from any network without restrictions.
  2. Users are restricted to connecting only from specific countries, network types, compliant devices, and other criteria.

First, let's gather details about all wireless connections:

DeviceNetworkInfo
// First SSID reported for the adapter (ConnectedNetworks is a JSON array)
| extend Network_Name = tostring(parse_json(ConnectedNetworks)[0]["Name"])
| where isnotempty(Network_Name) and NetworkAdapterType has "Wireless80211"
// IPAddresses is a JSON array: expand it to one row per address
| extend IP_info = todynamic(parse_json(IPAddresses))
| mv-expand IP_info
| extend Ip_Received = tostring(parse_json(IP_info).IPAddress)
| extend IP_Type = tostring(parse_json(IP_info).AddressType)
// Country of each address (only meaningful for public addresses)
| extend geo_ip = todynamic(geo_info_from_ip_address(Ip_Received).country)
| mv-expand geo_ip
| summarize by Network_Name, DefaultGateways, DnsAddresses, DeviceName, Ip_Received, IP_Type, tostring(geo_ip), NetworkAdapterName, NetworkAdapterStatus, NetworkAdapterType, NetworkAdapterVendor

Differentiating between Wi-Fi and Hotspots

The types of threats and activities vary depending on the network to which our users are connected. Therefore, after identifying all networks associated with Wi-Fi and Hotspots, it would be beneficial to distinguish between them. To achieve this, we can analyze specific patterns.

A first example is detecting when a connection is shared by an iPhone. For that we can use the default gateway assigned when a connection is shared from these Apple phones, which is "172.20.10.1".

Detecting networks with keywords such as "FREE", "AIRPORT" or "OPEN" in their names can also surface potential Evil Twin attacks, where malicious actors intercept network traffic, steal login credentials, capture sensitive data, or launch further attacks such as Man-in-the-Middle (MitM). The commented-out filter in the query below applies that name check.

DeviceNetworkInfo
// Default gateway handed out by an iPhone Personal Hotspot
| where DefaultGateways has "172.20.10.1"
| extend Network_Name = tostring(parse_json(ConnectedNetworks)[0]["Name"])
| where isnotempty(Network_Name)
| extend IP_info = todynamic(parse_json(IPAddresses))
| mv-expand IP_info
| extend Ip_Received = tostring(parse_json(IP_info).IPAddress)
| extend IP_Type = tostring(parse_json(IP_info).AddressType)
| extend geo_ip = tostring(geo_info_from_ip_address(Ip_Received).country)
// Optional: keep only SSIDs with lure words typical of Evil Twin access points
//| where (Network_Name contains "Free" or Network_Name contains "Open" or Network_Name contains "Airport" or Network_Name contains "hotel")
| summarize by Network_Name, DefaultGateways, Ip_Received, IP_Type, geo_ip, DnsAddresses, DeviceName, NetworkAdapterName, NetworkAdapterStatus, NetworkAdapterType, NetworkAdapterVendor

Another method for detecting hotspots shared by mobile phones is to search directly for network names that contain phone brands or types, such as "Android", "Xiaomi" and others.

DeviceNetworkInfo
| extend Network_Name = tostring(parse_json(ConnectedNetworks)[0]["Name"])
| where isnotempty(Network_Name)
| extend IP_info = todynamic(parse_json(IPAddresses))
| mv-expand IP_info
| extend Ip_Received = tostring(parse_json(IP_info).IPAddress)
| extend IP_Type = tostring(parse_json(IP_info).AddressType)
| extend geo_ip = tostring(geo_info_from_ip_address(Ip_Received).country)
// Phone brands or models that commonly appear in default hotspot SSIDs
| where (Network_Name contains "Android" or Network_Name contains "Xiaomi" or Network_Name contains "Nokia" or Network_Name contains "Iphone")
| summarize by Network_Name, DefaultGateways, Ip_Received, IP_Type, geo_ip, DnsAddresses, DeviceName, NetworkAdapterName, NetworkAdapterStatus, NetworkAdapterType, NetworkAdapterVendor
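The three hunts above share one classification logic (iPhone gateway, phone-brand SSIDs, lure words). As an added example that is not code from the post, here it is re-implemented offline in Python over constructed DeviceNetworkInfo-shaped rows, so the patterns can be checked before they become a detection rule; KQL's `has` is approximated with a substring match, and every SSID and gateway below is made up.

```python
import json

# Patterns the post uses: the iPhone Personal Hotspot default gateway, phone-brand
# words in SSIDs, and lure words typical of open access points / Evil Twin set-ups.
IPHONE_HOTSPOT_GATEWAY = "172.20.10.1"
PHONE_BRANDS = ("android", "xiaomi", "nokia", "iphone")
LURE_WORDS = ("free", "open", "airport", "hotel")

def network_name(connected_networks_json):
    """ConnectedNetworks is a JSON array; like the KQL, read element [0]["Name"]."""
    nets = json.loads(connected_networks_json or "[]")
    return str(nets[0].get("Name", "")) if nets else ""

def classify(row):
    """Tags that the post's three hunts would assign to one DeviceNetworkInfo row."""
    tags = []
    # The hunts only look at Wi-Fi adapters (NetworkAdapterType has "Wireless80211").
    if "Wireless80211" not in str(row.get("NetworkAdapterType", "")):
        return tags
    name = network_name(row.get("ConnectedNetworks", "[]")).lower()
    if not name:
        return tags
    # DefaultGateways is a JSON array string; a substring test approximates KQL 'has'.
    if IPHONE_HOTSPOT_GATEWAY in str(row.get("DefaultGateways", "")):
        tags.append("iphone_hotspot")
    if any(brand in name for brand in PHONE_BRANDS):
        tags.append("phone_hotspot_name")
    if any(word in name for word in LURE_WORDS):
        tags.append("evil_twin_candidate")
    return tags

def hunt(rows):
    """DeviceName -> tags, keeping only rows that hit at least one pattern."""
    return {r["DeviceName"]: tags for r in rows if (tags := classify(r))}

# Constructed sample rows shaped like DeviceNetworkInfo (not real telemetry).
SAMPLE_ROWS = [
    {"DeviceName": "lap01", "NetworkAdapterType": "Wireless80211",
     "ConnectedNetworks": '[{"Name":"iPhone de Ana","Category":"Public"}]',
     "DefaultGateways": '["172.20.10.1"]'},
    {"DeviceName": "lap02", "NetworkAdapterType": "Wireless80211",
     "ConnectedNetworks": '[{"Name":"FREE_AIRPORT_WIFI"}]',
     "DefaultGateways": '["10.0.0.1"]'},
    {"DeviceName": "lap03", "NetworkAdapterType": "Ethernet",
     "ConnectedNetworks": '[{"Name":"Corp-Wired"}]',
     "DefaultGateways": '["10.1.0.1"]'},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_ROWS))
```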

Identifying and protecting ourselves from external connections

There are various options to secure user and device access to our organization when connecting to external Wi-Fi networks. These include implementing a VPN, configuring Indicators of Compromise (IOCs) at the endpoint level — ensuring protection regardless of location — and enforcing Conditional Access policies.

However, this does not mean that a device could not have reached a malicious site while connected to an external network, before reconnecting to our organization with all security layers in place. It may return to our systems already infected, and sensitive data could have been shared during the external connection.

When connecting to Wi-Fi networks or hotspots, devices typically receive a private IP address. However, their internet access relies on the public IP address associated with the connected network. To analyze these connections, we can filter and correlate the public IP address of the network with the associated device connections using the DeviceNetworkEvents table:

DeviceNetworkInfo
| extend Network_Name = tostring(parse_json(ConnectedNetworks)[0]["Name"])
| where isnotempty(Network_Name) and NetworkAdapterType has "Wireless80211"
| extend IP_info = todynamic(parse_json(IPAddresses))
| mv-expand IP_info
| extend Ip_Received = tostring(parse_json(IP_info).IPAddress),
IP_Type = tostring(parse_json(IP_info).AddressType)
// Keep only public addresses: these are what the join below matches on
| where IP_Type has "Public"
| extend Network_IP_Location = tostring(geo_info_from_ip_address(Ip_Received).country), tostring(IP_info)
// Match the adapter's public address against the local side of each network event
| join kind=inner (DeviceNetworkEvents) on $left.Ip_Received == $right.LocalIP
// Both tables carry DeviceName; the right side is renamed DeviceName1 by the join
| where DeviceName == DeviceName1
| extend Remote_IP_Location = tostring(geo_info_from_ip_address(RemoteIP).country)
| summarize by DeviceName, Network_Name, NetworkAdapterType, LocalIP, Network_IP_Location, IP_Type, RemoteIP, Remote_IP_Location, RemotePort, RemoteUrl, ActionType, Protocol, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessIntegrityLevel
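As an added example (not code from the post), the join above re-implemented in Python over constructed rows: a hit needs both the public address on the Wi-Fi adapter and the same DeviceName, so a second device seen behind the same public IP does not match. The GEO dictionary is a made-up stand-in for geo_info_from_ip_address(), and all rows are constructed.

```python
import json

def public_ips(ip_addresses_json):
    """IPAddresses is a JSON array of {IPAddress, AddressType}; keep the Public ones."""
    return [e["IPAddress"] for e in json.loads(ip_addresses_json or "[]")
            if e.get("AddressType") == "Public"]

# Constructed stand-in for KQL geo_info_from_ip_address(); a real run needs a GeoIP DB.
GEO = {"203.0.113.9": "ES", "198.51.100.20": "DE", "198.51.100.44": "US"}

def correlate(network_info_rows, network_event_rows):
    """Mirror the post's join: a Wi-Fi adapter's public IP == LocalIP on the same device.
    Returns one enriched dict per matching DeviceNetworkEvents row."""
    wifi = {}  # (DeviceName, public IP) -> SSID, Wi-Fi adapters only
    for r in network_info_rows:
        if "Wireless80211" not in str(r.get("NetworkAdapterType", "")):
            continue
        nets = json.loads(r.get("ConnectedNetworks") or "[]")
        name = str(nets[0].get("Name", "")) if nets else ""
        if not name:
            continue
        for ip in public_ips(r.get("IPAddresses", "[]")):
            wifi[(r["DeviceName"], ip)] = name
    hits = []
    for ev in network_event_rows:
        # The KQL's 'where DeviceName == DeviceName1' is the device part of this key.
        key = (ev["DeviceName"], ev["LocalIP"])
        if key not in wifi:
            continue
        hits.append({"DeviceName": ev["DeviceName"], "Network_Name": wifi[key],
                     "Network_IP_Location": GEO.get(ev["LocalIP"], "unknown"),
                     "RemoteIP": ev["RemoteIP"], "Remote_IP_Location": GEO.get(ev["RemoteIP"], "unknown"),
                     "RemoteUrl": ev.get("RemoteUrl", ""), "Process": ev.get("InitiatingProcessFileName", "")})
    return hits

# Constructed sample rows shaped like the two Advanced Hunting tables (not real telemetry).
NETWORK_INFO = [{"DeviceName": "lap02", "NetworkAdapterType": "Wireless80211",
                 "ConnectedNetworks": '[{"Name":"FREE_AIRPORT_WIFI"}]',
                 "IPAddresses": '[{"IPAddress":"10.0.0.7","AddressType":"Private"},'
                                '{"IPAddress":"203.0.113.9","AddressType":"Public"}]'}]
NETWORK_EVENTS = [
    {"DeviceName": "lap02", "LocalIP": "203.0.113.9", "RemoteIP": "198.51.100.20",
     "RemoteUrl": "update-check.example", "InitiatingProcessFileName": "powershell.exe"},
    {"DeviceName": "lap02", "LocalIP": "10.1.0.5", "RemoteIP": "198.51.100.44",
     "RemoteUrl": "teams.example", "InitiatingProcessFileName": "ms-teams.exe"},
    {"DeviceName": "lap09", "LocalIP": "203.0.113.9", "RemoteIP": "198.51.100.44"},
]
```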

Another scenario involves identifying whether our users, when connecting from the mentioned external locations, authenticated using their accounts. Depending on the organization’s policies and requirements, this may necessitate a password reset or token revocation:

DeviceNetworkInfo
| extend Network_Name = tostring(parse_json(ConnectedNetworks)[0]["Name"])
| where isnotempty(Network_Name) and NetworkAdapterType has "Wireless80211"
| extend IP_info = todynamic(parse_json(IPAddresses))
| mv-expand IP_info
| extend Ip_Received = tostring(parse_json(IP_info).IPAddress),
IP_Type = tostring(parse_json(IP_info).AddressType)
| where IP_Type has "Public"
| extend Network_IP_Location = tostring(geo_info_from_ip_address(Ip_Received).country), tostring(IP_info)
// Sign-ins whose source IP is the public address of the external network
| join kind=inner (AADSignInEventsBeta) on $left.Ip_Received == $right.IPAddress
| summarize by DeviceName, Network_Name, NetworkAdapterType, IPAddress, Network_IP_Location, IP_Type, ErrorCode, State

Another scenario could involve users connecting to shared networks and subsequently opening malicious files, sharing sensitive documents via email or cloud applications such as Microsoft Teams, or engaging in specific activities on a shared network located in a specific country.

Once a specific shared-network scenario is confirmed, we can attach different response actions to the detection rule, such as isolating the device, blocking the user, or other appropriate responses.

Summary

To summarize, even if you protect access to your environment by restricting networks and using other mechanisms, that does not mean the devices have not previously been on risky sites. These hunting cases help build a history of the time devices and users spend connected outside your network, so you can react or restrict access to your systems depending on the case.

Uncovering Device Activities on Wi-Fi and Hotspot Connections was originally published in Detect FYI on Medium, where people are continuing the conversation by highlighting and responding to this story.


Article Link: https://detect.fyi/uncovering-device-activities-on-wi-fi-and-hotspot-connections-fc5f85bcb83b?source=rss----d5fd8f494f6a---4
