Network Traffic Analysis

These detections identify suspicious activity from network flow records generated by Insight Network Sensor.

Required subscription

To detect on network flow data generated by the Insight Network Sensor, you'll need access to either of the following:

  • Enhanced Network Traffic Analysis
  • InsightIDR Ultimate package

Network Flow - Anomalous Data Transfer

Description

This detection identifies anomalous data transfers from systems in the environment. These types of events can be, but are not always, indicative of post-compromise activity performed by malicious actors moving or exfiltrating data.

Recommendation

Review the network traffic in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Add exceptions to Anomalous Data Transfer

You can tune this detection rule by adding exceptions using these keys: Organization, Certificate, and Source IP/Subnet.

Network Flow - Destination Address In Abuse.ch Feodo Tracker

Description

This detection identifies network flow records that have a destination address that is in the Feodo Tracker from Abuse.ch. These destination network addresses are actively being used by attackers to command and control infected endpoints primarily to steal credentials.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

Network Flow - Destination Address In AlienVault OTX Pulse

Description

This detection identifies network flow records that have a destination address that is in specific pulses from select publishers in the AlienVault Open Threat Exchange (OTX). These destination network addresses are actively being used by attackers to command and control infected endpoints primarily to steal credentials.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

Network Flow - Destination Address In Bambenek Consulting - C2 All Indicators

Description

This detection identifies network flow records that have a destination address that is in the Bambenek Consulting - C2 All Indicators list. These destination network addresses are actively being used by attackers to command and control infected endpoints primarily to steal credentials.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

Network Flow - Destination Address in Cobalt Strike C2 List

Description

This detection identifies network flow records that have a destination address that is in the Cobalt Strike C2 IP List. These destination network addresses are actively being used by attackers to command and control infected endpoints, primarily to serve Cobalt Strike Beacon payloads.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

Network Flow - Destination Address in Solarmarker C2 List

Description

This detection identifies network flow records that have a destination address known by Rapid7 to be associated with SolarMarker. These destination network addresses are actively being used by attackers to command and control infected endpoints, primarily to serve information-stealing payloads.

Recommendation

Investigate the host that is the source of the traffic. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Web Protocols - T1071.001
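The "Destination Address In ..." detections above all share one mechanism: each network flow record's destination address is checked against an indicator list, and the Source IP/Subnet exception key described under Anomalous Data Transfer suppresses matches from tuned-out sources. The following Python is an added illustration of that mechanism, not Rapid7's implementation and not the Insight Network Sensor's record schema: the flow field names (src, dst, dport, bytes), the indicator entries and the exception subnet are all constructed, and the addresses are taken from the RFC 5737 documentation ranges rather than any real feed. It goes slightly beyond the page in accepting CIDR ranges as well as single hosts in an indicator list, and it skips malformed records and feed entries instead of failing.

```python
"""Match network flow records against destination-address indicator lists,
honouring Source IP/Subnet exceptions (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records. Field names are an assumption, not the
# sensor's real schema; addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    {"src": "10.0.1.15", "dst": "203.0.113.42", "dport": 443, "bytes": 5120},
    {"src": "10.0.1.16", "dst": "192.0.2.10", "dport": 80, "bytes": 900},
    {"src": "10.0.9.8", "dst": "198.51.100.7", "dport": 8443, "bytes": 2048},
    {"src": "10.0.2.3", "dst": "198.51.100.7", "dport": 8443, "bytes": 2048},
    {"src": "not-an-ip", "dst": "203.0.113.42", "dport": 443, "bytes": 10},
]

# Constructed indicator lists keyed by the detection they feed. Entries are
# placeholders, not real feed contents; a list may hold hosts or CIDR ranges.
INDICATOR_LISTS = {
    "Network Flow - Destination Address In Abuse.ch Feodo Tracker": ["203.0.113.42"],
    "Network Flow - Destination Address in Cobalt Strike C2 List": ["198.51.100.0/29"],
}

# Constructed Source IP/Subnet exception: e.g. an internal scanner subnet
# whose outbound connections to flagged addresses are expected.
EXCEPTIONS = ["10.0.9.0/24"]


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    dst: str
    dport: int


def parse_networks(entries):
    """Turn host or CIDR strings into ip_network objects, skipping bad entries."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # malformed feed entry: drop it rather than fail the list
    return nets


def is_excepted(src, exception_nets):
    """True when the source address falls inside any tuned-out subnet."""
    return any(src in net for net in exception_nets)


def match_flows(flows, indicator_lists, exceptions):
    """Return one Alert per (flow, rule) whose destination hits that rule's list."""
    compiled = {rule: parse_networks(v) for rule, v in indicator_lists.items()}
    exception_nets = parse_networks(exceptions)
    alerts = []
    for flow in flows:
        try:
            src = ipaddress.ip_address(flow["src"])
            dst = ipaddress.ip_address(flow["dst"])
        except (KeyError, ValueError):
            continue  # unparsable record: skip it (and count it, in production)
        if is_excepted(src, exception_nets):
            continue
        for rule, nets in compiled.items():
            if any(dst in net for net in nets):
                alerts.append(Alert(rule, str(src), str(dst), flow.get("dport")))
    return alerts


if __name__ == "__main__":
    for alert in match_flows(SAMPLE_FLOWS, INDICATOR_LISTS, EXCEPTIONS):
        print(alert)
```

With the constructed data this yields two alerts: the Feodo Tracker hit from 10.0.1.15 and the Cobalt Strike C2 hit from 10.0.2.3. The flow from 10.0.9.8 to the same C2 range is suppressed by the subnet exception, and the record with an unparsable source is skipped. Indicator lists are compiled once per call; for large feeds a production matcher would index single hosts in a set and keep only the CIDR entries for the linear scan.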