...

Questions

Are any endpoints performing recon activities?

Security Findings → Port Scan

Security Findings → Address_Scan

Are administrative tasks occurring from the non-admin subnets?

If the admin subnet is 192.168.0.0/16, then:

Discover → RPC Tab and SMB Mapping Tab → Query orig_h:"192.168.0.0/16"

Are users connecting to suspicious shares?

Discover → SMB Mapping → Suspicious SMB Shares

Which hosts (whether inside or outside) communicate with servers most often? What communication is happening at unusual times?

Discover → Connection Analytics → Top Uploaders/Downloaders

Are there files being transferred over SMB where the file type does not match the file name?

Discover → SMB Files → Query filetype:exe AND !filename:*exe*

Which hosts are attempting to discover SMB shares?

Discover → SMB Mapping

Which hosts are making repeated lateral movement attempts?

Security Findings → Lateral Movement Detected

Was any host targeted with lateral movement and execution?

Security Findings → Lateral Movement and Execution

Hunting

...

Beacons and Exfil

Questions

Are hosts connecting to Cobalt Strike Team Server controller ports?

Discover → Connection Outliers → Query conn_dst_port_list:"50050/tcp"

Are hosts using HTTP communications on uncommon ports?

Discover → HTTP → Query !resp_p:80 AND !resp_p:443 AND method:POST

Are hosts using uncommon DNS comms with exfil or tunnel characteristics?

Discover → HTTP → Query query_length:>100 AND answers:"TXT*"
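The three Beacons and Exfil queries above, re-expressed as filters over Zeek-style conn, http and dns records, as an added example that is not code from the original page or its tool. The field names follow Zeek's log conventions, the records are constructed samples, and `answers:"TXT*"` is assumed to mean an answer string that begins with `TXT`.

```python
# Constructed Zeek-style log records (field names follow Zeek's conn/http/dns logs);
# these are sample values, not captured traffic.
CONN = [
    {"uid": "C1", "id.orig_h": "10.1.2.3", "id.resp_h": "203.0.113.9", "id.resp_p": 50050, "proto": "tcp"},
    {"uid": "C2", "id.orig_h": "10.1.2.4", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp"},
    {"uid": "C3", "id.orig_h": "10.1.2.5", "id.resp_h": "203.0.113.9", "id.resp_p": 50050, "proto": "udp"},
]
HTTP = [
    {"uid": "H1", "id.orig_h": "10.1.2.5", "id.resp_p": 8081, "method": "POST"},
    {"uid": "H2", "id.orig_h": "10.1.2.6", "id.resp_p": 443, "method": "POST"},
    {"uid": "H3", "id.orig_h": "10.1.2.7", "id.resp_p": 8080, "method": "GET"},
]
DNS = [
    {"uid": "D1", "id.orig_h": "10.1.2.8", "query": "a" * 120 + ".tunnel.example", "answers": ["TXT 8 ZGF0YQ=="]},
    {"uid": "D2", "id.orig_h": "10.1.2.9", "query": "www.example", "answers": ["93.184.216.34"]},
    {"uid": "D3", "id.orig_h": "10.1.2.8", "query": "b" * 150 + ".cdn.example", "answers": ["93.184.216.34"]},
]

def team_server_port_hits(conn, port=50050):
    """conn_dst_port_list:"50050/tcp" -- TCP connections to the Team Server default port."""
    return [r["uid"] for r in conn if r["id.resp_p"] == port and r["proto"] == "tcp"]

def uncommon_http_posts(http):
    """!resp_p:80 AND !resp_p:443 AND method:POST -- POSTs to ports other than 80/443."""
    return [r["uid"] for r in http if r["method"] == "POST" and r["id.resp_p"] not in (80, 443)]

def dns_tunnel_candidates(dns, min_query_len=100):
    """query_length:>100 AND answers:"TXT*" -- long names answered with TXT data."""
    return [r["uid"] for r in dns
            if len(r["query"]) > min_query_len and any(a.startswith("TXT") for a in r["answers"])]

def hunt(conn=CONN, http=HTTP, dns=DNS):
    """Run all three Beacons and Exfil checks and return the matching uids per question."""
    return {
        "team_server_port": team_server_port_hits(conn),
        "uncommon_http_post": uncommon_http_posts(http),
        "dns_tunnel": dns_tunnel_candidates(dns),
    }

if __name__ == "__main__":
    for question, uids in hunt().items():
        print(f"{question}: {uids or 'no hits'}")
```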