Attacker uses connectionless UDP to transmit data chunks and avoid traditional TCP monitoring
Hunting
Statistics → Conversations → UDP
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph
Red Flags
- High volume UDP between two internal hosts
- Repetitive fixed-size UDP packets
- UDP to uncommon high ports
- Human-readable / encoded payload in UDP stream
- Regular timing intervals (beacon-like)
- No corresponding legitimate protocol (DNS/DHCP/SNMP/etc.)
Filters
# All UDP traffic
udp
# UDP between two hosts
udp && ip.addr == <suspect_ip>
# High port UDP
udp && udp.port > 1024
# Suspicious specific port
udp.port == 9999
# Large UDP packets (exfil chunks)
udp.length > 200
# UDP not DNS
udp && !dns