...
Blue Hexagon NDR Threat Hunting Guide

North-South Traffic
Info |
---|
You can filter out private CIDR blocks using a query such as: |

Question | Where to look |
---|---|
Which DNS servers are in use and have been used in the past? | Discover → DNS Compliance → Interesting Insights “Top DNS Servers” |
Where are the DNS servers in use located and are any of them associated with malicious activity? | Discover → DNS Compliance → Interesting Insights “Top DNS Servers” → click the associated VirusTotal link |
What are the rarely used DNS servers and who is using them? | Discover → DNS Compliance → Interesting Insights “Rare DNS Servers” |
Are there long DNS queries being generated which could be possible DGA or exfiltration? | Discover → DNS Compliance → sort all queries by the query length column |
Who are the top querying nodes over DNS? (could be a sign of exfiltration) | Discover → DNS Compliance → Interesting Insights “Top Querying Clients” |
What are the rarest domains being queried? (could be a sign of C2) | Discover → DNS Compliance → Interesting Insights “Least Queried Domains” |
Which endpoints have the most DNS errors? (could be a sign of DGA activity) | Discover → DNS Compliance → Interesting Insights “Top Clients with DNS Errors” |
Are outdated and vulnerable TLS versions in use in the network, such as TLS 1.0? Are there SSL transactions in the network? | Discover → TLS Compliance → Interesting Insights “Outdated Versions” |
Are there unusual protocols traversing the N-S interface, such as RPC, SMB or RDP? Is there RPC activity from external hosts to server IPs? | Discover → RPC → Query; Discover → SMB Mapping → Query; Discover → RDP → Query |
Are standard protocols being used over non-standard ports? | Suspicious Objects → Interesting Insights “Standard protocols over non-standard ports” |
Is there traffic to/from the server farm that does not belong, e.g. SSH, TLS using a certificate issued by a rare CA? | |
What kinds of files are being downloaded by servers? How many of such files are from external hosts? | Suspicious Objects → Query |
Are there outgoing compressed files? How much data is being transferred outside in that manner? | Suspicious Objects → Interesting Insight “Outgoing Compressed Files” |
Are there files being transferred over SMB where the file type does not match the file name? | Suspicious Objects → Query |
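
The DNS questions above can also be asked of DNS logs exported from any sensor. The following is an added example, not Blue Hexagon code or query syntax; the record layout, the thresholds and the sample records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# RFC 1918 private blocks; a resolver outside them is north-south traffic here.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: (client, DNS server, query name, response code).
RECORDS = [
    ("10.0.1.15", "10.0.0.53", "www.example.com", "NOERROR"),
    ("10.0.1.15", "10.0.0.53", "mail.example.com", "NOERROR"),
    ("10.0.1.22", "10.0.0.53", "www.example.com", "NOERROR"),
    ("10.0.1.22", "10.0.0.53", "intranet.example.com", "NOERROR"),
    ("10.0.1.40", "203.0.113.9",
     "mzxw6ytboi2dimrqgm3tcmjwgq3dsnbvgy3tqojq.t.example.net", "NOERROR"),
    ("10.0.1.40", "203.0.113.9",
     "nbswy3dpeb3w64tmmqqgs4zamvzxgzlsnf2gkidb.t.example.net", "NOERROR"),
    ("10.0.1.77", "10.0.0.53", "qkzjxwvh.example.org", "NXDOMAIN"),
    ("10.0.1.77", "10.0.0.53", "pfyhtrqm.example.org", "NXDOMAIN"),
    ("10.0.1.77", "10.0.0.53", "wdkvbnzc.example.org", "NXDOMAIN"),
]

def is_private(ip):
    """True when the address falls inside one of the private CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE)

def hunt_dns(records, max_len=50, rare_share=0.25):
    """Answer the DNS hunting questions over a list of query records."""
    servers = Counter(srv for _, srv, _, _ in records)
    clients = Counter(cli for cli, _, _, _ in records)
    errors = Counter(cli for cli, _, _, rc in records if rc != "NOERROR")
    # A server is "rare" when it handles less than rare_share of all queries.
    rare = {s for s, n in servers.items() if n / len(records) < rare_share}
    return {
        "top_servers": servers.most_common(),
        "external_servers": sorted(s for s in servers if not is_private(s)),
        # Rarely used servers and the clients that query them.
        "rare_server_users": {
            s: sorted({c for c, srv, _, _ in records if srv == s}) for s in rare},
        # Long query names: possible DGA or exfiltration.
        "long_queries": [(c, q) for c, _, q, _ in records if len(q) > max_len],
        "top_clients": clients.most_common(3),
        "top_error_clients": errors.most_common(3),
    }

if __name__ == "__main__":
    for name, value in hunt_dns(RECORDS).items():
        print(name, value)
```
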
East-West Traffic
Questions | Where to look |
---|---|
Are any endpoints performing recon activities? | Security Findings → Port Scan; Security Findings → Address_Scan |
Are administrative tasks occurring from the non-admin subnets? | Discover → RPC Tab and SMB Mapping Tab → Query |
Are users connecting to suspicious shares? | Discover → SMB Mapping → Suspicious SMB Shares |
Which hosts (whether inside or outside) communicate with servers most often? What communication is happening at unusual times? | Discover → Connection Analytics → Top Uploaders/Downloaders |
Are there files being transferred over SMB where the file type does not match the file name? | Discover → SMB Files → Query |
Which hosts are attempting to discover SMB shares? | Discover → SMB Mapping |
Which hosts are attempting to make multiple attempts at lateral movement? | Security Findings → Lateral Movement Detected |
Was any host targeted with lateral movement and execution? | Security Findings → Lateral Movement and Execution |
Hunting Beacons and Exfil
Questions | Where to look |
---|---|
Are hosts connecting to Cobalt Strike Team Server controller ports? | Discover → Connection Outliers → Query |
Are hosts using uncommon HTTP comms? | Discover → HTTP → Query |
Are hosts using uncommon DNS comms with exfil or tunnel characteristics? | Discover → HTTP → Query |