Relevance to get remote host names my machine is talking with

Happy Friday! Relevance challenge…

I have the following relevance that will tell me all remote connections my windows machine is making…

(unique values of ((remote address of it as string|"0.0.0.0")) of sockets of network)

I am not sure how to get host names of the devices that I have recently connected.

I am sure it is obvious and someone will find it in seconds.

laters.

-jgo


Related: Tesla and locky malware detection


I would write that relevance this way:

unique values of remote addresses of sockets of networks

A bit simpler and slightly more efficient. I also recommend using Plural relevance whenever possible.


I’m not either, unless you could somehow access the DNS cache of the local machine.

There is an issue in general that there is not a 1-to-1 relationship between IPs and hostnames, so it isn’t completely possible to do this in a definitive way, but knowing the DNS cache of the local machine would definitely be a good clue.

You could pull back the results of this relevance in an analysis property, then use session relevance to query the unique results across a set of systems using the REST API, and then do reverse DNS lookups at that point on the command line or however you are using the REST API.

The fact that there isn’t a 1-to-1 relationship between IP and hostname will still be an issue.


The following command does appear to expose the DNS cache on windows:

ipconfig /displaydns > C:\temp\dns_cache.txt

Mapping of IPs to Hostnames in DNS Cache:
this might be even better as-is

(following text of last ": " of it & " ;; " & following text of last ": " of unique value of previous lines of previous lines of previous lines of previous lines of previous lines of it) of lines whose(it contains "A (Host) Record") of files "C:\temp\dns_cache.txt"

Mapping of IPs of current connections to hostnames in DNS Cache:
(this result may often be empty, or my relevance is just wrong)

items 1 of ((it as string) of unique values of remote addresses of sockets of networks, it) whose(item 1 of it contains item 0 of it) of (following text of last ": " of it & " ;; " & following text of last ": " of unique value of previous lines of previous lines of previous lines of previous lines of previous lines of it) of lines whose(it contains "A (Host) Record") of files "C:\temp\dns_cache.txt"

Nope. I’d say this doesn’t actually have a complete solution.


Related:

Fixlet: https://bigfix.me/fixlet/details/9278 (will make improvements to this)

Analysis: https://bigfix.me/analysis/details/2995860
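A stand-alone version of the DNS-cache mapping discussed above, as an added example that is not part of this thread's relevance or the linked fixlet/analysis: it parses `ipconfig /displaydns` output (a constructed sample using documentation addresses) into an IP-to-names map and joins it against a list of remote addresses, which also shows why the result is not 1-to-1 (one IP can carry several cached names).

```python
import re
# Constructed sample of `ipconfig /displaydns` output (not a real capture);
# 192.0.2.0/24 is a documentation range. Two names resolve to the same IP.
SAMPLE_DNS_CACHE = """\
Windows IP Configuration

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 240
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10

    cdn.example.net
    ----------------------------------------
    Record Name . . . . . : cdn.example.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 60
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10

    missing.example.org
    ----------------------------------------
    Name does not exist.
"""
# "Label . . . : value" lines; the label is whatever precedes the dot leaders.
FIELD_RE = re.compile(r"^\s*([A-Za-z() ]+?)\s*[. ]*:\s*(\S+)\s*$")

def parse_dns_cache(text):
    """Map each cached IP to the set of names that resolved to it."""
    # The owning name is the last 'Record Name' seen; negative entries
    # ("Name does not exist.") carry no address line and are skipped.
    ip_to_names, current_name = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        field, value = m.groups()
        if field == "Record Name":
            current_name = value
        elif field in ("A (Host) Record", "AAAA Record") and current_name:
            ip_to_names.setdefault(value, set()).add(current_name)
    return ip_to_names

def names_for_connections(remote_addrs, ip_to_names):
    """Join current remote addresses against the cache; unseen IPs map to []."""
    return {ip: sorted(ip_to_names.get(ip, ())) for ip in remote_addrs if ip != "0.0.0.0"}
```

Feed `names_for_connections` the unique remote addresses from the sockets relevance and the text of `C:\temp\dns_cache.txt`; an empty list for an IP means the cache has no name for it, which is the "often empty" case noted above.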