Blue Hexagon NDR Threat Hunting Guide

Introduction

Blue Hexagon’s NDR platform performs deep packet inspection on network protocols and payloads and generates security-enriched data that provides a holistic view of the enterprise threat posture. Network metadata is passed through a neural network trained on malicious traffic from the past 15 years and constantly tuned and updated by Blue Hexagon. The resulting insights can be applied across a variety of deployments: the on-premises network, public cloud or SaaS. The network metadata is available in a searchable SaaS console as part of your subscription; 30 days of data retention is included at no extra cost.

Threat hunting is done using queries. It allows for manual, proactive investigation of possible security threats based on the available data, as well as collecting additional supporting evidence that leads into an investigation. It consists of several capabilities:

  • Interesting Insights: built-in queries that serve as a useful starting point for an advanced investigation. They often point to weaknesses in the security environment (such as use of weak ciphers, potentially unauthorized recursive DNS servers, or unusual SMB/RPC activity). These insights can be run on newly ingested data as well as retroactively, to trace past attacks and perform root-cause analysis (RCA).

  • Queries: free-form queries entered in the console's search bar. They use the Lucene query syntax supported by Kibana (the _exists_:field, -field:value and field:>N forms used throughout this guide are Lucene syntax; KQL would write these as field:*, not field:value and field > N, so make sure the search bar is in Lucene mode). Queries range from extremely simple to complex enough to expose very specific threat scenarios. For example, consider a query like:

_exists_:dns_server_country AND -dns_server_country:"United States" AND -orig_h:10.150.120.10 AND -dns_server_ip:10.255.8.8 AND -dns_server_ip:10.150.120.10 AND -dns_server_ip:10.150.117.100 AND -dns_server_ip:10.30.223.10

This query exposes every DNS server that enterprise hosts connect to which is outside the United States and not in the set of authorized resolvers (the four -dns_server_ip terms; substitute your own). The _exists_ term is needed because a bare negation would also match records that carry no country at all, and the -orig_h term drops lookups made by the internal forwarder 10.150.120.10 itself, whose upstream queries are expected. Add orig_h:<address> to narrow the hunt to a single client. Additional threat use cases are shown in the table below.

...

When building a query, if you are not familiar with the data fields available, hovering over a column header reveals the field name to use in the query. For example, knowing the field name is upload_bytes, one can construct queries that limit results to records with more than 1000 bytes uploaded: upload_bytes:>1000
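The script below is an added example, not Blue Hexagon code and not an interface of the console: it reproduces the resolver hunt expressed by the query above offline over constructed records, clause for clause, then ranks the unauthorized resolvers by how few clients use them (the "rare" ones) and, going one step beyond the console query, lists private-address resolvers that are not on the allow list at all, since those carry no country and the query cannot see them. Field names (orig_h, dns_server_ip, dns_server_country) follow the guide; the allow list and home country are taken from the query above, and every record is a constructed sample using documentation address ranges.

```python
"""Offline version of the resolver hunt from the query above: which DNS
servers do enterprise hosts use that are neither on the allow list nor in the
home country, how many clients use each (rarely used ones first), and, going
one step further than the console query, which internal resolvers are not on
the allow list at all. Field names follow the guide; all records are
constructed samples."""
from ipaddress import ip_address, ip_network

# Allow list and home country taken from the query above; adjust to your own.
AUTHORIZED_RESOLVERS = {"10.255.8.8", "10.150.120.10", "10.150.117.100", "10.30.223.10"}
HOME_COUNTRY = "United States"
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def unauthorized_resolvers(records, authorized=AUTHORIZED_RESOLVERS, home=HOME_COUNTRY):
    """Mirror of the console query; each comment names the clause it implements.
    Returns {resolver_ip: {"country", "clients", "queries"}}."""
    out = {}
    for r in records:
        if r.get("dns_server_country") is None:   # _exists_:dns_server_country
            continue
        if r["dns_server_country"] == home:       # -dns_server_country:"United States"
            continue
        if r["dns_server_ip"] in authorized:      # -dns_server_ip:<each authorized resolver>
            continue
        if r["orig_h"] in authorized:             # -orig_h:<forwarder>: its upstream lookups are expected
            continue
        e = out.setdefault(r["dns_server_ip"],
                           {"country": r["dns_server_country"], "clients": set(), "queries": 0})
        e["clients"].add(r["orig_h"])
        e["queries"] += 1
    return out


def rare_resolvers(records, max_clients=1, **kw):
    """The 'Rare DNS Servers' view: unauthorized resolvers used by at most
    max_clients hosts, least-used first. A resolver with a single client is
    usually one misconfigured or compromised host."""
    hits = unauthorized_resolvers(records, **kw)
    rare = [(ip, e) for ip, e in hits.items() if len(e["clients"]) <= max_clients]
    return sorted(rare, key=lambda kv: (len(kv[1]["clients"]), kv[0]))


def rogue_internal_resolvers(records, authorized=AUTHORIZED_RESOLVERS):
    """Private-address resolvers not on the allow list. The console query above
    cannot see these because they carry no country; this is the 'potentially
    unauthorized recursive DNS servers' weakness named under Interesting Insights."""
    out = {}
    for r in records:
        ip = r["dns_server_ip"]
        if ip in authorized or not is_private(ip):
            continue
        e = out.setdefault(ip, {"clients": set(), "queries": 0})
        e["clients"].add(r["orig_h"])
        e["queries"] += 1
    return out


# Constructed sample records (documentation address ranges, not real data).
SAMPLE_DNS = [
    {"orig_h": "10.70.120.10",  "dns_server_ip": "10.255.8.8",   "dns_server_country": None},
    {"orig_h": "10.70.120.11",  "dns_server_ip": "203.0.113.8",  "dns_server_country": "United States"},
    {"orig_h": "10.70.120.12",  "dns_server_ip": "203.0.113.53", "dns_server_country": "Netherlands"},
    {"orig_h": "10.70.120.12",  "dns_server_ip": "203.0.113.53", "dns_server_country": "Netherlands"},
    {"orig_h": "10.70.120.40",  "dns_server_ip": "198.51.100.9", "dns_server_country": "Romania"},
    {"orig_h": "10.70.120.41",  "dns_server_ip": "198.51.100.9", "dns_server_country": "Romania"},
    {"orig_h": "10.150.120.10", "dns_server_ip": "198.51.100.9", "dns_server_country": "Romania"},  # forwarder
    {"orig_h": "10.70.120.50",  "dns_server_ip": "10.70.120.53", "dns_server_country": None},       # rogue internal
]

if __name__ == "__main__":
    for ip, e in rare_resolvers(SAMPLE_DNS):
        print(f"rare unauthorized resolver {ip} ({e['country']}) used by {sorted(e['clients'])}")
    for ip, e in rogue_internal_resolvers(SAMPLE_DNS).items():
        print(f"rogue internal resolver {ip} used by {sorted(e['clients'])}")
```

On the sample data the Dutch resolver is reported as rare (one client), the Romanian one is unauthorized but used by two clients, the forwarder's own upstream lookup is ignored, and 10.70.120.53 surfaces only through the internal check.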

...

North-South Traffic


...

Info

You can filter out private (RFC 1918) source addresses using a query such as:
-orig_h:"192.168.0.0/16" AND -orig_h:"10.0.0.0/8" AND -orig_h:"172.16.0.0/12"
Combine the exclusions with AND, not OR: read as boolean logic, -a OR -b OR -c is true for every address, since any address lies outside at least two of the three ranges, and nothing would be filtered. Replace orig_h with the appropriate key (for example resp_h to filter on the destination).

Questions

Which DNS servers are in use and have been used in the past? 


Discover → DNS Compliance → Interesting Insights “Top DNS Servers”

Where are the DNS servers in use located and are any of them associated with malicious activity?


Discover → DNS Compliance → Interesting Insights “Top DNS Servers” → Click on VirusTotal link associated


What are the rarely used DNS servers and who is using them?


Discover → DNS Compliance → Interesting Insights “Rare DNS Servers” → choose 50 on the bottom-left tab → look at the servers listed at the bottom


Are there long DNS queries being generated which could be possible DGA or exfiltration?


Discover → DNS Compliance → Filter by query_length:>30. Tweak the threshold as appropriate, or filter by other criteria (such as query_domain).

Discover → DNS Compliance → Sort all queries by the query length column.

Long names are also normal for CDN and cloud-service hostnames, so judge hits by how many distinct subdomains one client sends under the same domain rather than by length alone.

Who are the top querying nodes over DNS? (could be a sign of exfiltration)


Discover → DNS Compliance → Interesting Insights “Top Querying Clients”



What are the rarest domains being queried? (could be a sign of C2)


Discover → DNS Compliance → Interesting Insights “Least Queried Domains”


Which endpoints have the most DNS errors? (could be a sign of DGA activity)


Discover → DNS Compliance → Interesting Insights “Top Clients with DNS Errors”


Are outdated and vulnerable TLS versions in use in the network such as TLS 1.0? Are there SSL transactions in the network?

Discover → TLS Compliance → Interesting Insights “Outdated Versions”

TLS 1.0 and 1.1 are formally deprecated (RFC 8996), and any SSLv2 or SSLv3 handshake seen here is a finding in its own right, not just a compliance gap.

Are there unusual protocols traversing the N-S interface such as RPC, SMB or RDP?

Is there RPC activity from external hosts to server IPs?

The same query, applied on each protocol's tab, lists sessions whose source is not a private address:

Discover → RPC → Query
-orig_h:"192.168.0.0/16" AND -orig_h:"10.0.0.0/8" AND -orig_h:"172.16.0.0/12"

Discover → SMB Mapping Analytics → Query
-orig_h:"192.168.0.0/16" AND -orig_h:"10.0.0.0/8" AND -orig_h:"172.16.0.0/12"

Discover → RDP Analytics → Query
-orig_h:"192.168.0.0/16" AND -orig_h:"10.0.0.0/8" AND -orig_h:"172.16.0.0/12"

None of these protocols should reach internal servers from an external source, so any hit warrants follow-up.


Are standard protocols being used over non-standard ports?

Discover → Malware Analytics → Interesting Insights “Standard protocols over non-standard ports”

Is there traffic to/from the server farm that does not belong? e.g. SSH, or TLS using a certificate issued by a rare CA.


What kinds of files are being downloaded by servers? How many of such files are from external hosts?

Discover → Malware Analytics → Query
_exists_:resp_h AND -resp_h:"192.168.0.0/16" AND -resp_h:"10.0.0.0/8" AND -resp_h:"172.16.0.0/12"

Are there outgoing compressed files? How much data is being transferred outside in that manner?

Discover → Malware Analytics → Interesting Insight “Outgoing Compressed Files”

Are there files being transferred over SMB where the file type does not match the file name?

Discover → Malware Analytics → Query
protocol:smb AND filetype:exe AND -filename:*exe*

The filename wildcard excludes only names containing “exe”; PE images legitimately travel as .dll, .sys, .scr or .cpl as well, so extend the exclusion (for example -filename:*dll*) to keep those out of the results.

East-West Traffic

Questions

Are any endpoints performing recon activities?

Discover → Notifications Tab → Query “Port_Scan”

Discover → Notifications Tab → Query “Address_Scan”

Security Findings → Port Scan

Security Findings → Address Scan

Are administrative tasks occurring from the non-admin subnets?


If the admin subnet is 192.168.0.0/16, exclude it so that only administrative activity originating elsewhere remains:

Discover → RPC Tab and SMB Mapping Tab → Query
-orig_h:"192.168.0.0/16"

Are users connecting to suspicious shares?

Discover → SMB Mapping Tab → Query *ADMIN* (matches the ADMIN$ share and similarly named administrative shares)

Discover → SMB Mapping Tab → Suspicious SMB Shares

Which hosts (whether inside or outside) communicate with servers most often? What communication is happening at unusual times?

Discover → Connection Analytics → Interesting Insights “Top Uploaders/Downloaders”

Are there files being transferred over SMB where the file type does not match the file name?

Discover → SMB Files → Query
filetype:exe AND -filename:*exe*
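As an added example (mine, not Blue Hexagon's code and not how the console computes filetype), the script below performs the type-versus-name check from the SMB query above offline, and generalises it from "executable not named .exe" to a handful of common container types: the content type is read from the file's leading magic bytes and compared with the extensions under which that type legitimately travels. The filetype labels, the extension table, the record layout and all file bytes are assumptions and constructed samples; only orig_h, resp_h, protocol and filename follow the guide's field names.

```python
"""Offline check for files whose content type disagrees with their name, the
general form of the console query
  protocol:smb AND filetype:exe AND -filename:*exe*
Content type is taken from leading magic bytes; a renamed executable
(report.pdf that begins with MZ) is the classic staging pattern over SMB.
Records and file bytes are constructed samples."""

# Leading-byte signatures and the content label used here (labels are
# assumptions, chosen to resemble the console's filetype values).
SIGNATURES = [
    (b"MZ", "exe"),                                # PE image: .exe/.dll/.sys/.scr ...
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                        # also docx/xlsx/jar: zip containers
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy Office .doc/.xls and .msi
]

# Extensions under which each content type legitimately travels.
EXPECTED_EXT = {
    "exe": {"exe", "dll", "sys", "scr", "cpl", "ocx", "drv"},
    "elf": {"", "so", "bin"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "png": {"png"},
    "ole": {"doc", "xls", "ppt", "msi"},
}


def detect_filetype(data):
    """Label the content by its leading bytes; 'unknown' if no signature matches."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def extension(filename):
    """Lower-case extension of the last path component (SMB paths use backslashes)."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def is_mismatch(data, filename):
    """True when a recognised content type travels under an extension it should not."""
    ftype = detect_filetype(data)
    return ftype != "unknown" and extension(filename) not in EXPECTED_EXT[ftype]


def hunt_mismatched_files(records, protocol="smb"):
    """Return (client, server, filename, detected type) for each transferred file
    whose detected type does not fit its extension."""
    return [
        (r["orig_h"], r["resp_h"], r["filename"], detect_filetype(r["data"]))
        for r in records
        if r["protocol"] == protocol and is_mismatch(r["data"], r["filename"])
    ]


# Constructed sample transfers: only the first bytes of each file are needed.
SAMPLE_FILES = [
    {"protocol": "smb", "orig_h": "10.70.120.12", "resp_h": "10.10.5.20",
     "filename": "\\\\fs01\\finance\\report.pdf", "data": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"protocol": "smb", "orig_h": "10.70.120.12", "resp_h": "10.10.5.20",
     "filename": "\\\\fs01\\finance\\invoice.docx", "data": b"PK\x03\x04\x14\x00\x06\x00"},
    {"protocol": "smb", "orig_h": "10.70.120.30", "resp_h": "10.10.5.21",
     "filename": "\\\\fs02\\it\\setup.exe", "data": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"protocol": "smb", "orig_h": "10.70.120.30", "resp_h": "10.10.5.21",
     "filename": "\\\\fs02\\it\\notes.txt", "data": b"\x7fELF\x02\x01\x01\x00"},
    {"protocol": "smb", "orig_h": "10.70.120.40", "resp_h": "10.10.5.21",
     "filename": "\\\\fs02\\it\\installer.msi", "data": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"},
    {"protocol": "http", "orig_h": "10.70.120.40", "resp_h": "203.0.113.77",
     "filename": "/downloads/photo.png", "data": b"MZ\x90\x00\x03\x00\x00\x00"},
]

if __name__ == "__main__":
    for hit in hunt_mismatched_files(SAMPLE_FILES):
        print("mismatch:", hit)
```

On the samples the PE disguised as report.pdf and the ELF binary named notes.txt are reported; setup.exe, the .docx (a zip container) and the .msi (an OLE container) are not. The same function with protocol="http" covers the download-oriented questions in the North-South section.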

Which hosts are attempting to discover SMB shares?

Discover → Notifications → Query “Discovery”

Discover → SMB Mapping

Which hosts are making multiple attempts at lateral movement?

Discover → Notifications → Query “Attempts”

Security Findings → Lateral Movement Detected

Was any host targeted with lateral movement and execution?

Discover → Notifications → Query “Execution”

Security Findings → Lateral Movement and Execution

Hunting Beacons and Exfil

Questions

Are hosts connecting to Cobalt Strike Team Server controller ports?

Discover → Connection Outliers → Query conn_dst_port_list:"50050/tcp"

Port 50050/tcp is the default port on which operators' clients connect to the team server; it is easily changed in the team server configuration, and Beacon implants talk to the listener (commonly 80, 443 or 53), not to 50050. A hit is therefore worth investigating, but no hits do not rule out Cobalt Strike.

Are hosts using uncommon HTTP comms?

Discover → HTTP → Query -resp_p:80 AND -resp_p:443 AND method:POST

Are hosts using uncommon DNS comms with exfil or tunnel characteristics?

Discover → DNS Compliance → Query query_length:>100 AND answers:"TXT*"
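The script below is an added example, mine rather than Blue Hexagon's and not a console feature: it scores DNS queries offline for the traits behind both the long-query filter in the DNS Compliance section (query_length:>30) and the TXT/exfil query above (query_length:>100 AND answers:"TXT*"), then aggregates the flagged queries per client and registered domain, which is where a tunnel shows up as many distinct subdomains under one domain. The field names orig_h, query and answers follow the guide; the qtype field, the trait thresholds, the two-label registered-domain rule and all records are assumptions and constructed samples.

```python
"""Offline scoring of DNS queries for tunnelling / exfiltration characteristics.

Refines the console filters query_length:>30 and query_length:>100 AND
answers:"TXT*": a single length threshold catches long legitimate names and
misses short chunked payloads, so each query is scored on several traits and
then aggregated per (client, registered domain). All records are constructed."""
import math
from collections import Counter


def shannon_entropy(s):
    """Bits per character: exactly 4.0 for uniform hex, up to 5.0 for base32."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_domain(qname):
    """Return (subdomain, registered_domain). Assumption: the registered domain is
    the last two labels; no public-suffix list, so co.uk-style names are off by one."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(record, length_threshold=30):
    """Return the traits that make one query look like tunnel traffic."""
    qname = record["query"].rstrip(".").lower()
    sub, _ = split_domain(qname)
    labels = [l for l in sub.split(".") if l]
    reasons = []
    if len(qname) > length_threshold:
        reasons.append("long_query")                 # the console's query_length filter
    # Encoded payload chunks are long, hyphen-free and mix letters with digits;
    # human-chosen labels are short or hyphenated words (thresholds are assumptions).
    if any(len(l) >= 20 and "-" not in l for l in labels):
        reasons.append("long_label")
    if any(len(l) >= 12 and "-" not in l
           and any(ch.isdigit() for ch in l) and any(ch.isalpha() for ch in l)
           for l in labels):
        reasons.append("mixed_alnum_label")
    answers = record.get("answers", [])
    if record.get("qtype") == "TXT" or any(a.upper().startswith("TXT") for a in answers):
        reasons.append("txt_record")                 # TXT answers carry data back to the client
    return reasons


def hunt_dns_tunnels(records, min_reasons=2, length_threshold=30):
    """Group queries with at least min_reasons traits by (client, registered domain).

    One odd lookup is noise; the tunnel pattern is many distinct subdomains
    (each a payload chunk) under one domain from one client."""
    findings = {}
    for r in records:
        reasons = score_query(r, length_threshold)
        if len(reasons) < min_reasons:
            continue
        sub, reg = split_domain(r["query"])
        f = findings.setdefault((r["orig_h"], reg),
                                {"queries": 0, "subdomains": set(), "reasons": set(), "payload_chars": 0})
        f["queries"] += 1
        f["subdomains"].add(sub)
        f["reasons"].update(reasons)
        f["payload_chars"] += len(sub.replace(".", ""))  # upper bound on data carried upstream
    for f in findings.values():
        f["payload_entropy"] = shannon_entropy("".join(s.replace(".", "") for s in f["subdomains"]))
    return findings


# Constructed sample records (documentation address ranges, not console data).
SAMPLE_DNS = [
    {"orig_h": "10.70.120.11", "query": "www.example.com", "qtype": "A", "answers": ["A 203.0.113.10"]},
    {"orig_h": "10.70.120.11", "query": "_dmarc.example.com", "qtype": "TXT", "answers": ["TXT v=DMARC1; p=reject"]},
    {"orig_h": "10.70.120.11", "query": "static-content-delivery.example.com", "qtype": "A", "answers": ["A 203.0.113.10"]},
    # three chunks of a hex-encoded payload pushed out as TXT lookups under one domain
    {"orig_h": "10.70.120.40", "query": "0123456789abcdef0123456789abcdef.example.net", "qtype": "TXT", "answers": ["TXT 4f4b"]},
    {"orig_h": "10.70.120.40", "query": "fedcba9876543210fedcba9876543210.example.net", "qtype": "TXT", "answers": ["TXT 4f4b"]},
    {"orig_h": "10.70.120.40", "query": "00112233445566778899aabbccddeeff.example.net", "qtype": "TXT", "answers": ["TXT 4f4b"]},
]

if __name__ == "__main__":
    for (client, domain), f in hunt_dns_tunnels(SAMPLE_DNS).items():
        print(client, domain, f["queries"], "queries,", len(f["subdomains"]), "unique subdomains,",
              f["payload_chars"], "payload chars, entropy", round(f["payload_entropy"], 2), sorted(f["reasons"]))
```

On the samples the legitimate TXT lookup (_dmarc) and the long CDN hostname each carry a single trait and are dropped, while the three hex-chunk TXT queries from 10.70.120.40 to example.net collapse into one finding showing 96 payload characters across three unique subdomains with hex-like entropy, the shape an analyst wants to see before pulling the raw records.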