Network Traffic Analysis

These detections identify suspicious activity from network flow records generated by Insight Network Sensor.

Required subscription

To detect on network flow data generated by the Insight Network Sensor, you'll need access to either of the following:

  • Enhanced Network Traffic Analysis
  • InsightIDR Ultimate package

Network Flow - Anomalous Data Transfer

Description

This detection identifies anomalous data transfers from systems in your environment. These types of events can be, but are not always, indicative of post-compromise activity performed by malicious actors moving or exfiltrating data.

The Anomalous Data Transfer (ADT) rule dynamically derives a baseline for each asset in your environment based on its active periods over 30 days. Every hour, the rule will detect network activity that is anomalously high in comparison to the baseline. This process reduces millions of network connections into a few detections that will alert you according to your Rule Action settings.

Recommendation

Review the network traffic in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Add exceptions to Anomalous Data Transfer

You can tune this detection rule by adding exceptions using these keys: Organization, Certificate, and Source IP/Subnet.
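The baselining logic described above can be illustrated end to end. The block below is an added example, not Rapid7's implementation of the rule: it rolls flow records up into bytes sent per asset per hour, builds each asset's baseline only from its active hours in the trailing 30 days, evaluates the most recent hour against that baseline, and honours Source IP/Subnet exceptions. The alert threshold (mean plus three standard deviations), the minimum history of 24 active hours, the Flow record shape and the sample traffic are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

BASELINE_DAYS = 30        # baseline window stated by the rule
SIGMA = 3.0               # assumed threshold: alert above mean + 3 stdev of active hours
MIN_ACTIVE_HOURS = 24     # assumed: skip assets with too little history to baseline


@dataclass(frozen=True)
class Flow:
    ts: datetime      # timestamp of the flow record (assumed UTC)
    src: str          # internal asset that sent the data
    dst: str          # remote endpoint
    bytes_out: int    # bytes sent by src


def hourly_totals(flows):
    """Roll flow records up to bytes sent per asset per clock hour."""
    per_asset = defaultdict(lambda: defaultdict(int))
    for f in flows:
        bucket = f.ts.replace(minute=0, second=0, microsecond=0)
        per_asset[f.src][bucket] += f.bytes_out
    return per_asset


def baseline(hours, end):
    """Mean and stdev of an asset's *active* hours in the 30 days before `end`.
    Hours with no traffic are not counted, so idle nights and weekends do not
    drag the baseline down and make ordinary business-hours traffic look anomalous."""
    start = end - timedelta(days=BASELINE_DAYS)
    active = [b for h, b in hours.items() if start <= h < end and b > 0]
    if len(active) < MIN_ACTIVE_HOURS:
        return None
    return mean(active), pstdev(active)


def detect(flows, now, exceptions=()):
    """Evaluate the most recent complete hour for every asset.
    `exceptions` are Source IP/Subnet entries in CIDR notation."""
    excluded = [ip_network(e) for e in exceptions]
    hour = now.replace(minute=0, second=0, microsecond=0) - timedelta(hours=1)
    alerts = []
    for asset, hours in hourly_totals(flows).items():
        if any(ip_address(asset) in net for net in excluded):
            continue                      # tuned out by a Source IP/Subnet exception
        stats = baseline(hours, hour)
        if stats is None:
            continue                      # not enough history to judge this asset
        mu, sd = stats
        observed = hours.get(hour, 0)
        if observed > mu + SIGMA * sd:
            alerts.append({"asset": asset, "hour": hour, "bytes": observed,
                           "baseline_mean": round(mu), "baseline_stdev": round(sd)})
    return sorted(alerts, key=lambda a: a["asset"])


# Constructed sample: 29 days of business-hours traffic (about 1.0-1.2 MB/hour)
# for two assets, one day for a third, then a 50 MB hour for each at 11:00 on
# the evaluation day. The third asset has too little history to be baselined.
NOW = datetime(2024, 6, 30, 12, 5)
SAMPLE_FLOWS = []
for asset, history_days in (("10.0.0.5", 29), ("10.0.1.9", 29), ("10.0.0.7", 1)):
    for d in range(1, history_days + 1):
        day = NOW - timedelta(days=d)
        for h in range(9, 17):
            SAMPLE_FLOWS.append(Flow(day.replace(hour=h, minute=30), asset, "192.0.2.10",
                                     1_000_000 + ((d * 9 + h * 7) % 200) * 1_000))
    SAMPLE_FLOWS.append(Flow(NOW.replace(hour=11, minute=20), asset, "192.0.2.10", 50_000_000))

if __name__ == "__main__":
    # With 10.0.1.0/24 excepted, only 10.0.0.5 alerts; 10.0.0.7 lacks history.
    for a in detect(SAMPLE_FLOWS, NOW, exceptions=["10.0.1.0/24"]):
        print(a)
```

Restricting the baseline to active hours is the detail that matters most in practice: a baseline that averages in every idle hour sits far below real working-hours traffic, and the rule would fire on ordinary morning activity rather than on genuinely unusual transfers.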

Network Flow - Destination Address In Abuse.ch Feodo Tracker

Description

This detection identifies network flow records that have a destination address that is in the Feodo Tracker from Abuse.ch. These destination network addresses are actively being used by attackers to command and control infected endpoints primarily to steal credentials.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

Network Flow - Destination Address In AlienVault OTX Pulse

Description

This detection identifies network flow records that have a destination address that is in specific pulses from select publishers in the AlienVault Open Threat Exchange (OTX). These destination network addresses are actively being used by attackers to command and control infected endpoints primarily to steal credentials.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

Network Flow - Destination Address In Bambenek Consulting - C2 All Indicators

Description

This detection identifies network flow records that have a destination address that is in the Bambenek Consulting - C2 All Indicators list. These destination network addresses are actively being used by attackers to command and control infected endpoints primarily to steal credentials.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

Network Flow - Destination Address in Brute Ratel C2 List

Description

This detection identifies network flow records that have a destination address that is in the Brute Ratel C2 IP List. These destination network addresses are actively being used by attackers to command and control infected endpoints using the Brute Ratel C2 Framework.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071
  • Remote Access Software - T1219

Network Flow - Destination Address in Cobalt Strike C2 List

Description

This detection identifies network flow records that have a destination address that is in the Cobalt Strike C2 IP List. These destination network addresses are actively being used by attackers to command and control infected endpoints, primarily to serve the Cobalt Strike beacon payload.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

Network Flow - Destination Address in Covenant C2 List

Description

This detection identifies network flow records that have a destination address that is in the Covenant C2 IP List. These destination network addresses are actively being used by attackers to command and control infected endpoints using the Covenant C2 Framework.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071
  • Remote Access Software - T1219

Network Flow - Destination Address in Deimos C2 List

Description

This detection identifies network flow records that have a destination address that is in the Deimos C2 IP List. These destination network addresses are actively being used by attackers to command and control infected endpoints using the Deimos C2 Framework.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071

Network Flow - Destination Address in Mythic C2 List

Description

This detection identifies network flow records that have a destination address that is in the Mythic C2 IP List. These destination network addresses are actively being used by attackers to command and control infected endpoints using the Mythic C2 Framework.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071
  • Remote Access Software - T1219

Network Flow - Destination Address in Posh C2 List

Description

This detection identifies network flow records that have a destination address that is in the Posh C2 IP List. These destination network addresses are actively being used by attackers to command and control infected endpoints using the Posh C2 Framework.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071
  • Remote Access Software - T1219

Network Flow - Destination Address in Sliver C2 List

Description

This detection identifies network flow records that have a destination address that is in the Sliver C2 IP List. These destination network addresses are actively being used by attackers to command and control infected endpoints using the Sliver C2 Framework.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071

Network Flow - Destination Address in Solarmarker C2 List

Description

This detection identifies network flow records that have a destination address known by Rapid7 to be associated with SolarMarker. These destination network addresses are actively being used by attackers to command and control infected endpoints, primarily to serve information-stealing payloads.

Recommendation

Investigate the host that is the source of the traffic. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Web Protocols - T1071.001
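All of the "Destination Address in ... List" rules above share one mechanism: every flow record's destination address is checked against one or more threat-intelligence lists, and a match is raised under the rule named for the list. The block below is an added example of that mechanism, not Rapid7's matching code. The feed contents are constructed from RFC 5737 documentation ranges and are not real indicators; the feed names, the flow record layout and the list of internal ranges that are never matched are assumptions made for the example. It goes slightly beyond the page by handling CIDR entries as well as single addresses, which lets one address hit several lists at once.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed feed entries (RFC 5737 documentation ranges, not real indicators).
# Feed names mirror the rule names on this page; the contents are made up.
FEEDS = {
    "Abuse.ch Feodo Tracker": ["198.51.100.7", "198.51.100.8"],
    "Cobalt Strike C2 List": ["203.0.113.0/28", "198.51.100.8"],
}

# Assumed internal ranges: flows to these destinations are never matched,
# so a feed entry that happens to overlap internal space cannot cause noise.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (timestamp, source, destination, destination port).
FLOWS = [
    ("2024-06-30T11:02:10Z", "10.0.0.5", "198.51.100.8", 443),  # on two lists
    ("2024-06-30T11:02:11Z", "10.0.0.5", "192.0.2.50", 443),    # on no list
    ("2024-06-30T11:03:40Z", "10.0.0.9", "203.0.113.9", 8080),  # inside a CIDR entry
    ("2024-06-30T11:04:00Z", "10.0.0.9", "10.0.0.1", 53),       # internal, skipped
]


class FeedIndex:
    """Index of feed entries: exact addresses in one set, CIDR entries grouped
    by prefix length so a lookup costs one dict probe per distinct length."""

    def __init__(self, feeds):
        self.exact = defaultdict(set)       # address -> {feed names}
        self.by_prefix = defaultdict(dict)  # prefix length -> {network -> {feed names}}
        for name, entries in feeds.items():
            for entry in entries:
                net = ip_network(entry, strict=False)
                if net.prefixlen == net.max_prefixlen:
                    self.exact[net.network_address].add(name)
                else:
                    self.by_prefix[net.prefixlen].setdefault(net, set()).add(name)

    def lookup(self, addr):
        """Return the set of feed names that list `addr`, directly or by CIDR."""
        ip = ip_address(addr)
        hits = set(self.exact.get(ip, ()))
        for plen, nets in self.by_prefix.items():
            # Mask the address to this prefix length and probe for that network.
            candidate = ip_network((ip, plen), strict=False)
            hits |= nets.get(candidate, set())
        return hits


def match_flows(flows, index, internal=INTERNAL):
    """Emit one alert per (flow, feed) pair whose destination is on that feed."""
    alerts = []
    for ts, src, dst, dport in flows:
        if any(ip_address(dst) in net for net in internal):
            continue
        for feed in sorted(index.lookup(dst)):
            alerts.append({"rule": f"Network Flow - Destination Address in {feed}",
                           "ts": ts, "src": src, "dst": dst, "dport": dport})
    return alerts


if __name__ == "__main__":
    for alert in match_flows(FLOWS, FeedIndex(FEEDS)):
        print(alert)
```

Grouping CIDR entries by prefix length keeps lookups cheap even when a feed carries thousands of networks: the address is masked once per distinct prefix length rather than compared against every entry, which matters when the matcher runs over every flow record the sensor produces.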