The team ran Splunk queries against six months of netflow data (February 2013 to August 2013). They were looking for "beaconing" traffic—small, regular pings from internal servers to external command-and-control (C2) servers.
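The detection logic behind such a search, written out here as an added example rather than as the team's actual Splunk query: group flows by source and destination, measure the time between consecutive connections, and flag pairs whose intervals barely vary and whose payloads stay small. A human browsing session produces wildly irregular gaps; a timer-driven implant does not. The flow records, field layout and thresholds below are constructed for illustration and are not from the original article.

```python
"""Beacon detection over NetFlow-style records.

Added example (not code from the original article). It reproduces in
Python what a Splunk search would do with stats/streamstats over
flow data: per (src, dst) pair, compute the inter-arrival intervals,
then score regularity as the coefficient of variation (stdev / mean).
A timer-driven beacon scores near 0; interactive traffic scores well
above 1. Record layout and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch seconds, src, dst, bytes_out).
# 10.0.0.5 contacts 203.0.113.7 every ~300 s with a near-constant size
# (a beacon with a little jitter); 10.0.0.9 talks to 198.51.100.20 at
# irregular times with variable sizes (ordinary browsing).
SAMPLE_FLOWS = [
    (1_360_000_000 + 300 * i + (i % 3), "10.0.0.5", "203.0.113.7", 512 + (i % 2) * 16)
    for i in range(12)
] + [
    (1_360_000_000 + t, "10.0.0.9", "198.51.100.20", size)
    for t, size in [(5, 40_000), (61, 1_200), (700, 300_000), (710, 2_500),
                    (2_400, 9_000), (2_950, 150_000), (3_100, 700), (3_900, 88_000)]
]


def beacon_candidates(flows, min_flows=8, max_cv=0.2, max_avg_bytes=4096):
    """Return {(src, dst): stats} for pairs whose timing looks like a beacon.

    min_flows keeps one-off connections from scoring; max_cv bounds the
    jitter in the inter-arrival times; max_avg_bytes keeps the focus on
    small check-ins rather than bulk transfers.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    hits = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        cv = pstdev(gaps) / avg_gap if avg_gap else float("inf")
        avg_bytes = mean(n for _, n in recs)
        if cv <= max_cv and avg_bytes <= max_avg_bytes:
            hits[pair] = {
                "count": len(recs),
                "avg_gap_s": round(avg_gap, 1),
                "cv": round(cv, 3),
                "avg_bytes": round(avg_bytes, 1),
            }
    return hits


if __name__ == "__main__":
    for pair, stats in beacon_candidates(SAMPLE_FLOWS).items():
        print(pair, stats)
```

Only the 10.0.0.5 pair survives: its gaps of 298 to 301 seconds give a coefficient of variation under 0.01, while the browsing pair's gaps range from 10 to 1690 seconds and score close to 1 even though it has enough flows. In practice the thresholds need tuning per environment, and legitimate timers (NTP, update checks, monitoring agents) will also score low, so the output is a candidate list for analyst review rather than a verdict.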
If you are searching for this term as part of a forensic investigation today, ask yourself three questions:
| Type | Indicator | Description |
| :--- | :--- | :--- |
| IP | 185.86.151[.]11 | C2 server located in Ukraine (taken down in 2014) |
| Domain | update-office-support[.]com | Spoofed Microsoft login portal |
| Hash (SHA256) | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | Null hash (fileless dropper launcher) |
| Registry Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PaloAlto | Artifact left by persistence mechanism |

Note that the SHA-256 value in this table is the digest of zero-byte input. It matches every empty file on every system, so it cannot identify a dropper by itself; the network and registry indicators are the ones worth searching on.
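Before pasting indicators like these into a SIEM or EDR search, it pays to refang them, check that each one is well formed, and drop any that cannot discriminate. The following is an added example, not code from the original article: it takes the table's indicators as a constructed input list, converts the `[.]` defanging back into searchable values, validates IPs and hostnames, and rejects the one hash that is the SHA-256 of empty input. The indicator category names and function names are assumptions.

```python
"""Sanity-check a defanged IOC list before searching with it.

Added example, not from the original article. Indicator values are the
table's; category names ("ip", "domain", "sha256") are assumptions.
"""
import hashlib
import ipaddress
import re

# SHA-256 of zero bytes: e3b0c442...b855. Any empty file hashes to this.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Hostname: dot-separated labels of letters, digits and hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def refang(value):
    """Turn the [.] and hxxp defanging conventions back into a searchable value."""
    return re.sub(r"\[\.\]", ".", value).replace("hxxp", "http")


def check_ioc(kind, value):
    """Return (refanged_value, status); status is 'ok' or the reason to drop it."""
    v = refang(value.strip())
    if kind == "ip":
        try:
            ipaddress.ip_address(v)
        except ValueError:
            return v, "not an IP address"
        return v, "ok"
    if kind == "domain":
        return v, "ok" if DOMAIN_RE.match(v) else "not a valid hostname"
    if kind == "sha256":
        v = v.lower()
        if not re.fullmatch(r"[0-9a-f]{64}", v):
            return v, "not a SHA-256 hex digest"
        if v == EMPTY_SHA256:
            return v, "SHA-256 of empty input: matches every zero-byte file, not usable"
        return v, "ok"
    return v, "unknown indicator type"


# The table's indicators, as a constructed input list.
TABLE_IOCS = [
    ("ip", "185.86.151[.]11"),
    ("domain", "update-office-support[.]com"),
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]


def usable_iocs(iocs):
    """Return only the refanged indicators that passed every check."""
    return [check_ioc(kind, value)[0] for kind, value in iocs
            if check_ioc(kind, value)[1] == "ok"]


if __name__ == "__main__":
    for kind, value in TABLE_IOCS:
        print(kind, *check_ioc(kind, value))
```

Run against the table, the IP and domain come back refanged and usable while the hash is rejected with an explanation, which is exactly the triage an analyst would otherwise do by hand (and often forget for the hash case).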
To understand the gravity of the search, we must rewind to early 2013. Palo Alto Networks was riding a high. Its "next-generation firewall" (NGFW) was taking market share from legacy vendors such as Check Point and Cisco. The company's value proposition was simple: we see what others miss.