Identifying Device vendors behind connections attempts based on MAC Addresses - SharITSec

When researching information about remote connections to exposed devices, it is often necessary to gather logs from multiple sources, such as firewalls, Web Application Firewalls (WAFs), and other security systems. These logs provide valuable insights into network activity and potential threats.

However, this does not mean that we cannot extract meaningful information from more basic data sources. A few weeks ago, I discussed the insights that can be gained from analyzing TCP flags (Detecting attacks based on TCP Flags). Today, I want to explore another valuable piece of information that can be decoded: MAC addresses. These identifiers can reveal useful details about vendor devices, helping us understand the nature of incoming connections.

Let’s take a closer look at how MAC addresses are structured and what valuable information we can extract from them.

MAC Address Structure

A MAC address is a 48-bit (6-byte) hexadecimal identifier assigned to network interfaces. It is usually formatted as:

XX:XX:XX:YY:YY:YY

• The first three bytes (OUI — Organizationally Unique Identifier) → 00:50:56
• The last three bytes (NIC — Network Interface Controller Specific) → 98:a2:25

The MAC address 00:50:56:98:a2:25 can be decoded to reveal the manufacturer of the device. Here’s the breakdown:

1. Organizationally Unique Identifier (OUI): The first three octets (00:50:56) identify the manufacturer of the device. Let’s look up the vendor.

• First 3 Octets: 00:50:56
• Manufacturer: VMware, Inc.
• Address: 3401 Hillview Avenue, Palo Alto, CA 94304, USA.

2. Network Interface Controller (NIC) Specific: These are assigned by the manufacturer (VMware) to uniquely identify the device.

• Last 3 Octets: 98:a2:25

Preparing the Hunting

Interesting, right? The first three octets of a MAC address reveal the manufacturer. This means that if you have this value, you can extract the first part of this field and classify them by vendor.

With this in mind, my next step was to find a repository or list that provides a classification of MAC addresses and their corresponding manufacturers and I found two interesting ones:

1. Wireshark manufacturer database: Wireshark includes a manufacturer database, which maps MAC address prefixes (OUI — Organizationally Unique Identifier) to their respective manufacturers. This helps identify the vendor of network devices based on their MAC addresses.
2. The IEEE (Institute of Electrical and Electronics Engineers) maintains the official OUI (Organizationally Unique Identifier) registry, which is a database of MAC address prefixes assigned to manufacturers of network devices. (https://standards-oui.ieee.org/oui/oui.txt )

Based on these 2 sources I created my own lists:

• Wireshark_manufacter_DB (GitHub Sergio Albea)
• IEE Mac_Address _list (GitHub Sergio Albea)

Why didn’t I use the source sites directly? Mainly because of the format and size of the original files. If you’re able to extract the values directly from them, don’t hesitate to use them instead of using my Git repository.

Case 1 : Identifying Devices by Vendor based on Inbound Connections

Now, we’re ready to dive into the first KQL query. The initial scenario focuses on summarizing the number of devices attempting to connect to exposed servers, categorized by vendor, by decoding their MAC addresses.

// Importing the Vendor MAC Address table 
let mac_info = externaldata(mac: string)[@“https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/mac_list_Type2.txt”] with (format=“txt”, ignoreFirstRecord=True);
let info =mac_info
| extend SplitValues = split(mac, “,”)
| extend mac = tostring(SplitValues[0]), vendor_sn = tostring( SplitValues[1]), vendor = tostring(SplitValues[2])
| project mac,vendor;
// selecting the Source MAC Address of the remote connections
DeviceNetworkEvents 
| extend AdditionalFields = parse_json( AdditionalFields)
| extend direction =  AdditionalFields[“direction”]
| where direction has “In”
| extend Source_Mac =  tostring(AdditionalFields[“Source Mac”])
// formatting the First 3 Octets of the MAC Address
| extend MAC_Prefix_format = replace(“:”, “-”, Source_Mac)
| extend MAC_Prefix = substring(MAC_Prefix_format, 0, 8)
// joining the Vendor MAC address info table
| join kind=inner (info) on $left.MAC_Prefix == $right.mac
// Getting the Country of the RemoteIPs
| extend geo_ip = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty (geo_ip)
| summarize Different_Countries_using_Manufacter_Device= dcount(geo_ip), make_set(geo_ip),Total_devices_by_vendor=dcount(Source_Mac),Total_different_RemoteIPs=dcount(RemoteIP),make_set(RemoteIP)  by vendor

KQL Query output example

Among the different threats that we could identify we have:

• Identify unexpected devices vendors: identify gaming console, smart TV, or IoT vendors in an environment where only enterprise laptops should be present, may help to identify unexpected vendors and their associated devices.
• Detect virtual devices (such as VMware): Are we expecting users to initiate connection attempts to our tenants using virtual machines? If not, this could be a sign of suspicious activity that warrants further investigation.
• Correlating Manufacturers with Known Threats: Certain nation-state actors and cybercriminal groups tend to use specific manufacturers more frequently. If a connection attempt originates from a device associated with known attacker infrastructure, it could serve as an early indicator of a potential attack.

Case 2 : Identifying Devices by Vendor&Country based on Inbound Connections

// Importing the Vendor MAC Address table 
let mac_info = externaldata(MAC: string,Vendor:string ,Country:string)[@“https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/mac_list.csv”] with (format=“csv”, ignoreFirstRecord=True);
// selecting the Source MAC Address of the remote connections
DeviceNetworkEvents 
| extend AdditionalFields = parse_json( AdditionalFields)
| extend direction =  AdditionalFields[“direction”]
| where direction has “In”
| extend Source_Mac =  tostring(AdditionalFields[“Source Mac”])
// formatting the First 3 Octets of the MAC Address
| extend MAC_Prefix_format = replace(“:”, “-”, Source_Mac)
| extend MAC_Prefix = substring(MAC_Prefix_format, 0, 8)
// joining the Vendor MAC address info table
| join kind=inner (mac_info) on $left.MAC_Prefix == $right.MAC
// Getting the Country of the RemoteIPs
| extend geo_ip = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty (geo_ip)
| distinct Source_Mac,Vendor, Device_Component_Country= Country, RemoteIP_Country = geo_ip , RemoteIP , ActionType, DeviceName

By analyzing both, the device manufacturer’s country and the origin country of the connection (Remote IP), you could:

• Identify if an unusual combination appears (e.g., a Chinese-manufactured device but the connection originates from Russia).
• Detect nation-state attack patterns, as certain adversaries often use infrastructure in specific regions.
• Attackers often route traffic through VPNs, proxies, or compromised hosts to obfuscate their real location. If the Remote IP’s country differs from the vendor’s country, it could indicate an attacker is using a botnet or a compromised device instead of a legitimate user.

Certain vendors primarily sell to specific regions, so a mismatch (e.g., an IoT device from a vendor based in the U.S. but connecting from North Korea) might signal an attacker using spoofed or compromised devices.

Case 3 : Identifying RemoteIP using distinct vendors

• Do you want to identify if specific Remote IPs are making connection attempts to your exposed devices with different vendors devices?
• Do you need to determine if a Remote IP is using multiple devices?

This KQL query will provide valuable insights into these scenarios, helping you detect unusual or suspicious activity.

// Importing the Vendor MAC Address table 
let mac_info = externaldata(mac: string)[@“https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/mac_list_Type2.txt”] with (format=“txt”, ignoreFirstRecord=True);
let info =mac_info
| extend SplitValues = split(mac, “,”)
| extend mac = tostring(SplitValues[0]), vendor_sn = tostring( SplitValues[1]), vendor = tostring(SplitValues[2])
| project mac,vendor;
// selecting the Source MAC Address of the remote connections
DeviceNetworkEvents 
| extend AdditionalFields = parse_json( AdditionalFields)
| extend direction =  AdditionalFields[“direction”]
| where direction has “In”
| extend Source_Mac =  tostring(AdditionalFields[“Source Mac”])
// formatting the First 3 Octets of the MAC Address
| extend MAC_Prefix_format = replace(“:”, “-”, Source_Mac)
| extend MAC_Prefix = substring(MAC_Prefix_format, 0, 8)
// joining the Vendor MAC address info table
| join kind=inner (info) on $left.MAC_Prefix == $right.mac
// Getting the Country of the RemoteIPs
| extend geo_ip = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty (geo_ip)
| summarize Total_devices=dcount(Source_Mac),make_set(Source_Mac),Total_vendors=dcount(vendor),make_set(vendor) by RemoteIP, geo_ip
| order by Total_vendors

What can you do with this Information?

Option 1 : Focus on unexpected vendors

Create a KQL query that detects connections from unexpected vendors but with an additional condition to exclude known or trusted vendors. This helps to reduce false positives and focus on suspicious or unauthorized vendors. Simply add the following line to filter out trusted ones:

| where vendor !in (“VMWare”,“Dell_Inc.”)

Option 2: Identify Virtual Devices connections

For scenarios where you are provisioning laptops for users to access specific resources and do not expect or allow virtual machines, you can easily add an additional condition to detect that cases:

| where vendor in (“VMWare”)

Option 3: Restrict devices with vendors located in specific countries

By leveraging the Case 2 KQL query, you could add a condition to specify the detection of vendors located in specific countries which can allow you to filter by non-compliance locations:

| where Country !in (“RU”,“CN”)

Summary

By analyzing the Organizationally Unique Identifier (OUI) of MAC addresses, security teams can identify the manufacturer of a device, enabling the detection of unexpected vendors, virtual devices, and potential attacker infrastructure. This method enhances security monitoring by uncovering unauthorized devices, correlating known malicious vendors with attack patterns, and identifying unusual geographic mismatches between vendor origin and connection source. Leveraging this approach in KQL queries allows for more precise threat detection and proactive defense measures.

Identifying Device vendors behind connections attempts based on MAC Addresses was originally published in Detect FYI on Medium, where people are continuing the conversation by highlighting and responding to this story.

Introduction to Malware Binary Triage (IMBT) Course

Looking to level up your skills? Get 10% off using coupon code: MWNEWS10 for any flavor.

Enroll Now and Save 10%: Coupon Code MWNEWS10

Note: Affiliate link – your enrollment helps support this platform at no extra cost to you.

Article Link: Identifying Device vendors behind connections attempts based on MAC Addresses | by Sergio Albea | Mar, 2025 | Detect FYI

1 post - 1 participant

Read full topic

Malware Analysis, News and Indicators - Latest topics