Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info

You can filter out private CIDR blocks using a query such as:
-orig_h:"192.168.0.0/16" OR -orig_h:"10.0.0.0/8" OR -orig_h:"172.16.0.0/12"
Replace orig_h with the appropriate key.

Question

Which DNS servers are in use and have been used in the past? 


Discover → DNS Compliance → Interesting Insights “Top DNS Servers”

Where are the DNS servers in use located and are any of them associated with malicious activity?


Discover → DNS Compliance → Interesting Insights “Top DNS Servers” → Click on VirusTotal link associated


What are the rarely used DNS servers and who is using them?


Discover → DNS Compliance → Interesting Insights “Rare DNS Servers”


Are there long DNS queries being generated which could be possible DGA or exfiltration?


Discover → DNS Compliance → Filter by query_length:>30 Tweak the threshold as appropriate or filter by other criteria (such as query_domain).

Discover → DNS Compliance → Sort all queries by the query length column.

Who are the top querying nodes over DNS? (could be a sign of exfiltration)


Discover → DNS Compliance → Interesting Insights “Top Querying Clients”


What are the rarest domains being queried? (could be a sign of C2)


Discover → DNS Compliance → Interesting Insights “Least Queried Domains”


Which endpoints have the most DNS errors? (could be a sign of DGA activity)

Discover → DNS Compliance → Interesting Insights “Top Clients with DNS Errors”


Are outdated and vulnerable TLS versions in use in the network such as TLS 1.0? Are there SSL transactions in the network?

Discover → TLS Compliance → Interesting Insights “Outdated Versions”

Are there unusual protocols traversing the N-S interface such as RPC, SMB or RDP?

Is there RPC activity from external hosts to server IPs?

Discover → RPC→ Query -orig_h:"192.168.0.0/16" OR -orig_h:"10.0.0.0/8" OR -orig_h:"172.16.0.0/12"

Discover → SMB Mapping → Query -orig_h:"192.168.0.0/16" OR -orig_h:"10.0.0.0/8" OR -orig_h:"172.16.0.0/12"

Discover → RDP → Query -orig_h:"192.168.0.0/16" OR -orig_h:"10.0.0.0/8" OR -orig_h:"172.16.0.0/12"


Are standard protocols being used over non-standard ports?

Suspicious Objects → Interesting Insights “Standard protocols over non-standard ports”

Is there traffic, to/from the server farm that does not belong? - e.g. SSH,TLS using a certificate issued by an rare CA. 


What kinds of files are being downloaded by servers? How many of such files are from external hosts?

Suspicious Objects → Query _exists_:resp_h AND (-resp_h:"192.168.0.0/16" OR -resp_h:"10.0.0.0/8" OR -resp_h:"172.16.0.0/12")

Are there outgoing compressed files? How much data is being transferred outside in that manner?


Suspicious Objects → Interesting Insight “Outgoing Compressed Files”

Are there files being transferred over SMB where the file type does not match the file name?


Suspicious Objects → Query filetype:exe AND !filename: *exe*

East-West Traffic

Questions

Are any endpoints performing recon activities?

Security Findings → Port Scan

Security Findings -> Address_Scan

Are administrative tasks occurring from the non-admin subnets?


If admin subnet is 192.168.0.0/16 then

Discover → RPC Tab and SMB Mapping Tab → Query orig_h:"192.168.0.0/16"

Are users connecting to suspicious shares?

Discover → SMB Mapping → Suspicious SMB Shares

Which hosts (whether inside or outside) communicate with servers most often? What communication is happening at unusual times?

Discover → Connection Analytics → Top Uploaders/Downloaders

Are there files being transferred over SMB where the file type does not match the file name?

Discover → SMB Files → Query filetype:exe AND !filename: *exe*

Which hosts are attempting to discover SMB shares?

Discover→ SMB Mapping

Which hosts are attempting to make multiple attempts at lateral movement?

Security Findings → Lateral Movement Detected

Was any host targeted with lateral movement and execution?

Security Findings → Lateral Movement and Execution

Hunting Beacons and Exfil

Questions

Are hosts connecting to Cobalt Strike Team Server controller ports?

Discover → Connection Outliers → Query conn_dst_port_list:"50050/tcp"

Are hosts using uncommon HTTP comms?

Discover → HTTP → Query !resp_p:80 AND !resp_p:443 AND method:POST

Are hosts using uncommon DNS comms with exfil or tunnel characteristics?

Discover → HTTP → Query query_length:>100 AND answers:"TXT*"

...