...

Questions

Which DNS servers are in use and have been used in the past? 


Discover → DNS Compliance → Interesting Insights “Top DNS Servers”

Where are the DNS servers in use located and are any of them associated with malicious activity?


Discover → DNS Compliance → Interesting Insights “Top DNS Servers” → click the VirusTotal link associated with each server


What are the rarely used DNS servers and who is using them?


Discover → DNS Compliance → Interesting Insights “Top DNS Servers” → set the row count in the bottom-left tab to 50 → look at the servers listed at the bottom of the table (the rarely used ones) and the clients querying them


Are there long DNS queries being generated which could be possible DGA or exfiltration?


Discover → DNS Compliance → Filter by query_length:>30 (tweak the threshold as appropriate, or filter by other criteria such as query_domain).

Discover → DNS Compliance → Sort all queries by the query length column.

Who are the top querying nodes over DNS? (could be a sign of exfiltration)


Discover → DNS Compliance → Interesting Insights “Top Querying Clients”


What are the rarest domains being queried? (could be a sign of C2)


Discover → DNS Compliance → Interesting Insights “Least Queried Domains”


Which endpoints have the most DNS errors? (could be a sign of DGA activity)

Discover → DNS Compliance → Interesting Insights “Top Clients with DNS Errors”


Are outdated and vulnerable TLS versions in use in the network such as TLS 1.0? Are there SSL transactions in the network?

Discover → TLS Compliance → Interesting Insights “Outdated Versions”

Are there unusual protocols, such as RPC, SMB or RDP, traversing the north-south (N-S) interface?

Is there RPC activity from external hosts to server IPs?

Discover → RPC → Query <-orig_h:"192.168.0.0/16" AND -orig_h:"10.0.0.0/8" AND -orig_h:"172.16.0.0/12">

Discover → SMB Mapping → Query <-orig_h:"192.168.0.0/16" AND -orig_h:"10.0.0.0/8" AND -orig_h:"172.16.0.0/12">

Discover → RDP → Query <-orig_h:"192.168.0.0/16" AND -orig_h:"10.0.0.0/8" AND -orig_h:"172.16.0.0/12">

(The three exclusions must be combined with AND: "external" means the originator is in none of the private ranges, and an OR of the negations is true for every host, since any address lies outside at least two of the three ranges.)
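As an added example, not code from the original page or from the analytics tool it describes, the following Python reproduces the DNS Compliance insights above (top DNS servers, top querying clients, least queried domains, top clients with DNS errors, the query_length:>30 filter) and the private-range "external host" test used in the RPC/SMB/RDP queries, over constructed Zeek-style dns.log rows; the column layout and field names are assumptions.

```python
import ipaddress
from collections import Counter
# Constructed sample shaped like Zeek dns.log rows (id.orig_h, id.resp_h, query, rcode_name);
# private/TEST-NET addresses and the reserved .test TLD, so nothing here is a real indicator.
SAMPLE_DNS_LOG = """\
10.0.0.5\t10.0.0.2\twww.example.com\tNOERROR
10.0.0.5\t10.0.0.2\tmail.example.com\tNOERROR
10.0.0.7\t10.0.0.2\twww.example.com\tNOERROR
10.0.0.7\t203.0.113.53\txk3j9q2m1z8vb4n7c6s5d0f1g2h3j4k5l6m7n8p9.evil.test\tNXDOMAIN
10.0.0.7\t203.0.113.53\tq1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6.evil.test\tNXDOMAIN
10.0.0.9\t10.0.0.2\tupdates.example.com\tNOERROR
10.0.0.7\t10.0.0.2\tdoesnotexist.example.com\tNXDOMAIN
"""
# The RFC1918 ranges the page's queries exclude; "external" means in NONE of them.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

def parse_dns_log(text):
    """Parse tab-separated rows; query_length mirrors the page's filter field."""
    rows = []
    for line in filter(None, text.splitlines()):
        orig_h, resp_h, query, rcode = line.split("\t")
        rows.append({"orig_h": orig_h, "resp_h": resp_h, "query": query,
                     "rcode": rcode, "query_length": len(query)})
    return rows

def is_external(host):
    """NOT in A AND NOT in B AND NOT in C; an OR of the three negations would match every host."""
    ip = ipaddress.ip_address(host)
    return not any(ip in net for net in PRIVATE_NETS)

def top_dns_servers(rows, n=5):
    """'Top DNS Servers': responders ranked by query count, flagged if outside private ranges."""
    return [(h, c, is_external(h)) for h, c in Counter(r["resp_h"] for r in rows).most_common(n)]

def top_querying_clients(rows, n=5):
    """'Top Querying Clients': heaviest DNS talkers (possible exfiltration)."""
    return Counter(r["orig_h"] for r in rows).most_common(n)

def least_queried_domains(rows, n=5):
    """'Least Queried Domains': rarest names first, ties broken alphabetically (possible C2)."""
    counts = Counter(r["query"] for r in rows)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]

def top_clients_with_dns_errors(rows, n=5):
    """'Top Clients with DNS Errors': non-NOERROR responses per client (possible DGA)."""
    return Counter(r["orig_h"] for r in rows if r["rcode"] != "NOERROR").most_common(n)

def long_queries(rows, threshold=30):
    """Equivalent of the page's query_length:>30 filter (possible DGA or exfiltration)."""
    return [r["query"] for r in rows if r["query_length"] > threshold]
```

Each function returns the same ranking the corresponding "Interesting Insights" panel shows, so the thresholds and top-N cut-offs can be tuned against your own logs before filtering in the UI.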


Are standard protocols being used over non-standard ports?

Suspicious Objects → Interesting Insights “Standard protocols over non-standard ports”

Is there traffic to or from the server farm that does not belong there, e.g. SSH, or TLS using a certificate issued by a rare CA?


What kinds of files are being downloaded by servers? How many of those files come from external hosts?

Suspicious Objects → Query <_exists_:resp_h AND (-resp_h:"192.168.0.0/16" AND -resp_h:"10.0.0.0/8" AND -resp_h:"172.16.0.0/12")>

Are there outgoing compressed files? How much data is being transferred outside in that manner?


Suspicious Objects → Interesting Insights “Outgoing Compressed Files”

Are there files being transferred over SMB where the file type does not match the file name?


Suspicious Objects → Query <filetype:exe AND NOT filename:*exe*>


East-West Traffic


Questions

Are any endpoints performing recon activities?

Security Findings → Port Scan

Security Findings → Address_Scan

Are administrative tasks occurring from the non-admin subnets?


If the admin subnet is 192.168.0.0/16, then look for RPC and SMB mapping activity originating outside it:

Discover → RPC Tab and SMB Mapping Tab → Query <-orig_h:"192.168.0.0/16">

Are users connecting to suspicious shares?

Discover → SMB Mapping → Suspicious SMB Shares

Which hosts (whether inside or outside) communicate with servers most often? What communication is happening at unusual times?

Discover → Connection Analytics → “Top Uploaders/Downloaders”

Are there files being transferred over SMB where the file type does not match the file name?

Discover → SMB Files → Query <filetype:exe AND NOT filename:*exe*>

Which hosts are attempting to discover SMB shares?

Discover → SMB Mapping

Which hosts are making repeated lateral movement attempts?

Security Findings → Lateral Movement Detected

Was any host targeted with lateral movement and execution?

Security Findings → Lateral Movement and Execution

...