Versions Compared

Old Version 9

changes.mady.by.user Arun Raman

Saved on

compared with

New Version 10

changes.mady.by.user Arun Raman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Blue Hexagon’s NDR platform performs deep packet inspection on network protocols and payloads and can generate security enriched data for providing a holistic view of the enterprise threat posture. Network metadata is filtered through a neural network exposed to malicious traffic from the past 15 years  and constantly tuned and updated by Blue Hexagon.  Insights so generated can be flexibly applied across a variety of deployments in the network, public cloud or SaaS. Network meta data metadata is available in a searchable console as SaaS as part of your subscription. 30 days of data retention is included for free.

...

When building a query, if you are not familiar with the data fields available, hovering on the columns reveals the data field name to use to build the query. For example, knowing the field name is upload_bytes one can construct queries to limit to data with upload_bytes:>1000.

...

Blue Hexagon NDR Threat Hunting Guide

North-South Traffic

Info

You can filter out private CIDR blocks using a query such as:
-orig_h:"192.168.0.0/16" OR -orig_h:"10.0.0.0/8" OR -orig_h:"172.16.0.0/12"
Replace orig_h with the appropriate key.

Question

Which DNS servers are in use and have been used in the past? 


Discover → DNS Compliance → Interesting Insights “Top DNS Servers”

Where are the DNS servers in use located and are any of them associated with malicious activity?


Discover → DNS Compliance → Interesting Insights “Top DNS Servers” → Click on VirusTotal link associated


What are the rarely used DNS servers and who is using them?


Discover → DNS Compliance → Interesting Insights “Top DNS Servers” → choose 50 on bottom left tab → look at servers listed on bottom


Are there long DNS queries being generated which could be possible DGA or exfiltration?


Discover → DNS Compliance → Sort all queries by the query length column.

Who are the top querying nodes over DNS? (could be a sign of exfiltration)


Discover → DNS Compliance → Interesting Insights “Top Querying Clients”


What are the rarest domains being queried? (could be a sign of C2)


Discover → DNS Compliance → Interesting Insights “Least Queried Domains”


Which endpoints have the most DNS errors? (could be a sign of DGA activity)

Discover → DNS Compliance → Interesting Insights “Top Clients with DNS Errors”


Are outdated and vulnerable TLS versions in use in the network such as TLS 1.0? Are there SSL transactions in the network?

Discover → TLS Compliance → Interesting Insights “Outdated Versions”

Are there unusual protocols traversing the N-S interface such as RPC, SMB or RDP?

Is there RPC activity from external hosts to server IPs?

Discover → RPC→ Query <-orig_h:"192.168.0.0/16" OR -orig_h:"10.0.0.0/8" OR -orig_h:"172.16.0.0/12">

Discover → SMB Mapping → Query <-orig_h:"192.168.0.0/16" OR -orig_h:"10.0.0.0/8" OR -orig_h:"172.16.0.0/12">

Discover → RDP → Query <-orig_h:"192.168.0.0/16" OR -orig_h:"10.0.0.0/8" OR -orig_h:"172.16.0.0/12">


Are standard protocols being used over non-standard ports?

Suspicious Objects → Interesting Insights “Standard protocols over non-standard ports”

Is there traffic, to/from the server farm that does not belong? - e.g. SSH,TLS using a certificate issued by an rare CA. 


What kinds of files are being downloaded by servers? How many of such files are from external hosts?

Suspicious Objects → Query <_exists_:resp_h AND (-resp_h:"192.168.0.0/16" OR -resp_h:"10.0.0.0/8" OR -resp_h:"172.16.0.0/12")>

Are there outgoing compressed files? How much data is being transferred outside in that manner?


Suspicious Objects → Interesting Insight “Outgoing Compressed Files”

Are there files being transferred over SMB where the file type does not match the file name?


Suspicious Objects → Query “filetype: exe AND !filename: *exe*”

...