Change Notes for Cognito Triage Templates and Pre-defined Groups

Cognito version 4.11

Triage Templates (Initial release)

C&C: Hidden HTTPS Tunnel

Triage As: Google Drive Control
Applies To: All Hosts
Conditions:
  C&C Server Domain: Cognito - Google Drive
Description: Expected behavior when multiple people are editing the same Google Drive document.

Triage As: Slack Tunnel
Applies To: All Hosts
Conditions:
  C&C Server Domain: Cognito - Slack
Description: Expected behavior from Slack collaboration.

Triage As: Zoom Remote Control
Applies To: All Hosts
Conditions:
  C&C Server IP:
    69.174.57.0/24
    209.9.211.0/24
    3.104.34.128/25
    3.80.20.128/25
    202.177.207.128/27
    13.52.6.128/25
    4.35.64.128/25
    210.57.55.0/24
    4.34.125.128/25
    213.244.140.0/24
    115.114.56.192/26
    3.208.72.0/25
    3.120.121.0/25
    99.79.20.0/25
    64.211.144.0/24
    52.61.100.128/25
    13.52.146.0/25
    162.12.232.0/22
    52.202.62.192/26
    221.122.88.128/25
    202.177.213.96/27
    209.9.215.0/24
    69.174.108.0/22
    207.226.132.0/24
    120.29.148.0/24
    221.122.88.64/27
    192.204.12.0/22
    8.5.128.0/23
    18.205.93.128/25
    221.122.89.128/25
    109.94.160.0/24
    115.114.131.0/26
    52.215.168.0/25
    162.255.36.0/22
    50.239.202.0/23
    103.122.166.0/24
    65.39.152.0/24
    64.69.74.0/24
    64.125.62.0/24
    213.19.153.0/24
    50.239.204.0/24
    213.19.144.0/24
    204.141.28.0/22
Description: Zoom.us IP ranges.

Exfil: Data Smuggler

Triage As: Box Exfil
Applies To: All Hosts
Conditions:
  External Target Domain: Cognito - Box
Description: Exfil or data storage to the Box service.

Triage As: Dropbox Exfil
Applies To: All Hosts
Conditions:
  External Target Domain: Cognito - Dropbox
Description: Exfil or data storage to the Dropbox service.

Triage As: Google Drive Exfil
Applies To: All Hosts
Conditions:
  External Target Domain: Cognito - Google Drive
Description: Exfil or data storage to the Google Drive service.

Triage As: Salesforce Exfil
Applies To: All Hosts
Conditions:
  External Target Domain: Cognito - Salesforce
Description: Exfil to the Salesforce service.

Exfil: Smash and Grab

Triage As: Box Exfil
Applies To: All Hosts
Conditions:
  Destination Domain: Cognito - Box
Description: Exfil or data storage to the Box service.

Triage As: Dropbox Exfil
Applies To: All Hosts
Conditions:
  Destination Domain: Cognito - Dropbox
Description: Exfil or data storage to the Dropbox service.

Triage As: Google Drive Exfil
Applies To: All Hosts
Conditions:
  Destination Domain: Cognito - Google Drive
Description: Exfil or data storage to the Google Drive service.

Triage As: Salesforce Exfil
Applies To: All Hosts
Conditions:
  Destination Domain: Cognito - Salesforce
Description: Exfil to the Salesforce service.

Lateral: Automated Replication

Triage As: Expected Domain Controller Behavior
Applies To: Cognito - Domain Controllers
Conditions:
  Destination Domain: Cognito - Box
  Port: 135
Description: Expected behavior for these devices.

Triage As: Expected Scanner Behavior
Applies To: Cognito - Scanners
Conditions: none
Description: Expected behavior for these devices.

Lateral: Shell Knocker Client

Triage As: Expected Scanner Behavior
Applies To: Cognito - Scanners
Conditions: none
Description: Expected behavior from these devices.

Lateral: Suspicious Admin

Triage As: Expected Scanner Behavior
Applies To: Cognito - Scanners
Conditions: none
Description: Expected behavior from these devices.

Lateral: Suspicious Kerberos Client

Triage As: Expected Domain Controller Behavior
Applies To: Cognito - Domain Controllers
Conditions: none
Description: Expected behavior from these devices.

Recon: Internal Darknet Scan

Triage As: Expected IPAM Behavior
Applies To: Cognito - IPAM
Conditions:
  Port: 135
Description: Expected behavior from these devices.

Triage As: Expected Scanner Behavior
Applies To: Cognito - Scanners
Conditions: none
Description: Expected behavior from these devices.

Recon: Kerberos Account Scan

Triage As: Expected Multi-Account Behavior
Applies To:
  Cognito - Domain Controllers
  Cognito - Exchange Servers
  Cognito - Terminal Servers
Conditions: none
Description: Expected behavior from these devices.

Recon: Port Scan

Triage As: Expected Scanner Behavior
Applies To: Cognito - Scanners
Conditions: none
Description: Expected behavior from these devices.

Recon: Port Sweep

Triage As: Expected IPAM Behavior
Applies To: Cognito - IPAM
Conditions:
  Port: 135
Description: Expected behavior from these devices.

Triage As: Expected Scanner Behavior
Applies To: Cognito - Scanners
Conditions: none
Description: Expected behavior from these devices.

Recon: SMB Account Scan

Triage As: Expected Multi-Account Behavior
Applies To:
  Cognito - Scanners
  Cognito - Terminal Servers
Conditions: none
Description: Expected behavior from these devices.

Domain Groups (Initial release)

Name: Cognito - Box
Description: Domains used by the Box service
Domains:
  *.box.com
  *.box.net
  *.boxcdn.net
  *.boxcloud.com
  *.boxrelay.com

Name: Cognito - Dropbox
Description: Domains used by the Dropbox service
Domains:
  *.dropbox.com
  dropbox.com
  *.dropbox-dns.com
  dropbox-dns.com
  *.dropboxapi.com
  dropboxapi.com
  *.db.tt
  db.tt

Name: Cognito - Google Drive
Description: Domains used by the Google Drive service
Domains:
  accounts.google.com
  googledrive.com
  *.drive.google.com
  drive.google.com
  *.docs.google.com
  docs.google.com
  sheets.google.com
  slides.google.com
  talk.google.com
  takeout.google.com
  gg.google.com
  script.google.com
  video.google.com
  s.ytimg.com
  apis.google.com
  *.googleapis.com
  *.googleusercontent.com
  *.gstatic.com
  gv1.com
  *.clients0.google.com
  *.clients1.google.com
  *.clients2.google.com
  *.clients3.google.com
  *.clients4.google.com
  *.clients5.google.com
  *.clients6.google.com
  *.clients7.google.com
  *.clients8.google.com
  *.clients9.google.com
  lh1.google.com
  lh2.google.com
  lh3.google.com
  lh4.google.com
  lh5.google.com
  lh6.google.com
  lh7.google.com
  lh8.google.com
  lh9.google.com
  *.client-channel.google.com
  clients0.google.com
  clients1.google.com
  clients2.google.com
  clients3.google.com
  clients4.google.com
  clients5.google.com
  clients6.google.com
  clients7.google.com
  clients8.google.com
  clients9.google.com

Note that this group includes domains shared by Google services in general (*.googleapis.com, *.googleusercontent.com, *.gstatic.com, accounts.google.com), so a template keyed on it will also match traffic that is not Google Drive.

Name: Cognito - Slack
Description: Domains used by the Slack service
Domains:
  *.slack.com
  *.slack-msgs.com
  *.slack-files.com
  *.slack-imgs.com
  *.slack-edge.com
  *.slack-core.com
  *.slack-redir.net
  edgeapi.slack.com
  wss-primary.slack.com
  wss-backup.slack.com
  wss-mobile.slack.com

Name: Cognito - Facebook
Description: Domains used by the Facebook service
Domains:
  fbsbx.com
  www.connect.facebook.net
  www.fbcdn.com
  *.facebook.com
  *.fbcdn.net
  *.tfbnw.net
  connect.facebook.net.edgekey.net
  ct-m-fbx.fbsbx.com
  facebook-web
  clients.appspot.com
  fb.me
  fbcdn-profile-a.akamaihd.net
  *.fbsbx.com.online-metrix.net
  *.fb.com

Name: Cognito - Salesforce
Description: Domains used by the Salesforce service
Domains:
  *.force.com
  *.salesforce.com
  *.salesforceliveagent.com
  *.visualforce.com
  *.documentforce.com
  *.lightning.com
  *.salesforce-communities.com
  *.forceusercontent.com
  *.forcesslreports.com
  *.salesforce-hub.com
  *.trailblazer.me

Cognito version 4.12

IP Groups (Initial release)

Name: Cognito - Data Center
Description: IP space used by the Data Center
Members: User configurable

Name: Cognito - DMZ
Description: IP space used by the DMZ
Members: User configurable

Name: Cognito - Guest Wifi
Description: IP space used by Guest Wifi
Members: User configurable

Name: Cognito - VPN Pool
Description: IP space used by the VPN Pool
Members: User configurable

Cognito version 4.14

IP Groups

Name: Cognito - Office365
Description: IP space used by the Office365 service
Members:
  13.107.128.0/22
  13.107.18.10/31
  13.107.6.152/31
  131.253.33.215/32
  132.245.0.0/16
  150.171.32.0/22
  191.234.140.0/22
  204.79.197.215/32
  23.103.160.0/20
  40.104.0.0/15
  40.96.0.0/13
  52.96.0.0/14

Name: Cognito - Teamviewer
Description: IP space used by the Teamviewer service
Members:
  178.77.120.0/24
  185.188.32.0/24
  185.188.33.0/24
  185.188.34.0/24
  185.188.35.0/24
  185.245.28.0/24
  185.245.29.0/24

Name: Cognito - Webex
Description: IP space used by the Webex service
Members:
  114.29.192.0/19
  173.243.0.0/20
  173.39.224.0/19
  207.182.160.0/19
  209.197.192.0/19
  210.4.192.0/20
  216.151.128.0/19
  62.109.192.0/18
  64.68.96.0/19
  66.114.160.0/20
  66.163.32.0/19
  69.26.160.0/20
  69.26.176.0/20

Name: Cognito - Zoom
Description: IP space used by the Zoom service
Members:
  103.122.166.0/23
  109.94.160.0/24
  115.114.131.0/26
  115.114.56.192/26
  120.29.148.0/24
  13.52.146.0/25
  13.52.6.128/25
  160.1.56.128/25
  161.199.136.0/22
  162.12.232.0/22
  162.255.36.0/22
  18.205.93.128/25
  192.204.12.0/22
  202.177.207.128/27
  202.177.213.96/27
  204.141.28.0/22
  207.226.132.0/24
  209.9.211.0/24
  209.9.215.0/24
  210.57.55.0/24
  213.19.144.0/24
  213.19.153.0/24
  213.244.140.0/24
  221.122.88.128/25
  221.122.88.64/27
  221.122.89.128/25
  3.104.34.128/25
  3.120.121.0/25
  3.208.72.0/25
  3.80.20.128/25
  4.34.125.128/25
  4.35.64.128/25
  50.239.202.0/23
  50.239.204.0/24
  52.202.62.192/26
  52.215.168.0/25
  52.61.100.128/25
  64.125.62.0/24
  64.211.144.0/24
  64.69.74.0/24
  65.39.152.0/24
  69.174.108.0/22
  69.174.57.0/24
  8.5.128.0/23
  99.79.20.0/25

Triage Templates

C&C: External Remote Access

Triage As: Webex Remote Control
Applies To: All Hosts
Conditions:
  External Host IPs: Cognito - Webex
  Port: 9000
Description: Cisco Webex Meeting IP ranges.
Type: Update

C&C: Hidden HTTPS Tunnel

Triage As: Zoom Remote Control
Applies To: All Hosts
Conditions:
  C&C Server IP: Cognito - Zoom
Description: Zoom.us IP ranges.
Type: Update
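
Every template on this page reduces to the same two checks: does the destination host fall inside a domain group, and does the destination IP fall inside an IP group, optionally on a fixed port. The Python below is an added illustration of that matching logic and is not Vectra's own implementation; the group contents are a constructed subset of the groups listed above, and the function names (domain_matches, in_ip_group, triage, bad_prefixes) are hypothetical. It also makes two assumptions explicit that a practitioner maintaining these groups should check against the product's real behaviour. First, a wildcard entry such as *.box.com is read as covering only labels under box.com and not the apex itself, which is why the Dropbox group lists dropbox.com as a separate entry; if that reading is right, the Box group as listed does not match a bare box.com. Second, IP group members are parsed strictly, so a prefix with host bits set, such as a Zoom entry accidentally shortened to 69.174.108.0/2, is rejected instead of being silently widened to 64.0.0.0/2 and triaging away a quarter of the IPv4 space.

```python
"""Added example: evaluate Cognito-style triage templates against domain
groups and IP groups.  Illustrative code, not Vectra's implementation; the
group contents are a constructed subset of the groups on this page."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of the page's domain groups (4.11 release).
DOMAIN_GROUPS: Dict[str, List[str]] = {
    "Cognito - Box": ["*.box.com", "*.box.net", "*.boxcdn.net",
                      "*.boxcloud.com", "*.boxrelay.com"],
    "Cognito - Dropbox": ["*.dropbox.com", "dropbox.com", "*.dropboxapi.com",
                          "dropboxapi.com", "*.db.tt", "db.tt"],
}

# Constructed subset of the page's IP groups (4.14 release).
IP_GROUPS: Dict[str, List[str]] = {
    "Cognito - Webex": ["173.243.0.0/20", "64.68.96.0/19", "209.197.192.0/19"],
    "Cognito - Zoom": ["3.208.72.0/25", "69.174.108.0/22", "162.255.36.0/22"],
}


def domain_matches(host: str, pattern: str) -> bool:
    """Assumed wildcard semantics: '*.box.com' covers any label under box.com
    ('app.box.com', 'a.b.box.com') but not the apex 'box.com' itself; a group
    that should also cover the apex lists it as a separate exact entry."""
    host = host.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        # Compare against the suffix '.box.com' so 'notbox.com' stays out.
        return host.endswith(pattern[1:])
    return host == pattern


def in_domain_group(host: str, group: str) -> bool:
    return any(domain_matches(host, p) for p in DOMAIN_GROUPS[group])


def bad_prefixes(prefixes: List[str]) -> List[str]:
    """Return entries that are not valid network prefixes.  strict=True rejects
    a prefix whose host bits are set, e.g. '69.174.108.0/2' (a /22 typed
    short); a lenient parser would widen it to 64.0.0.0/2."""
    bad = []
    for p in prefixes:
        try:
            ipaddress.ip_network(p, strict=True)
        except ValueError:
            bad.append(p)
    return bad


def in_ip_group(ip: str, group: str) -> bool:
    prefixes = IP_GROUPS[group]
    malformed = bad_prefixes(prefixes)
    if malformed:
        raise ValueError(f"{group} has malformed members: {malformed}")
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


@dataclass
class Template:
    """One row of a triage-template table; every set condition must hold."""
    detection: str
    triage_as: str
    domain_group: Optional[str] = None
    ip_group: Optional[str] = None
    port: Optional[int] = None


# Rows taken from the tables above (4.11 Exfil templates, 4.14 C&C templates).
TEMPLATES: List[Template] = [
    Template("Exfil: Data Smuggler", "Box Exfil", domain_group="Cognito - Box"),
    Template("Exfil: Data Smuggler", "Dropbox Exfil", domain_group="Cognito - Dropbox"),
    Template("C&C: External Remote Access", "Webex Remote Control",
             ip_group="Cognito - Webex", port=9000),
    Template("C&C: Hidden HTTPS Tunnel", "Zoom Remote Control", ip_group="Cognito - Zoom"),
]


def triage(detection: str, dst_host: Optional[str] = None,
           dst_ip: Optional[str] = None, dst_port: Optional[int] = None) -> Optional[str]:
    """Return the 'Triage As' label of the first template whose conditions all
    match this detection, or None if it should surface to an analyst."""
    for t in TEMPLATES:
        if t.detection != detection:
            continue
        if t.domain_group and not (dst_host and in_domain_group(dst_host, t.domain_group)):
            continue
        if t.ip_group and not (dst_ip and in_ip_group(dst_ip, t.ip_group)):
            continue
        if t.port is not None and dst_port != t.port:
            continue
        return t.triage_as
    return None


if __name__ == "__main__":
    # Constructed sample detections, not captured Cognito output.
    print(triage("Exfil: Data Smuggler", dst_host="upload.app.box.com"))
    print(triage("Exfil: Data Smuggler", dst_host="box.com"))
    print(triage("C&C: External Remote Access", dst_ip="173.243.5.9", dst_port=443))
    print(bad_prefixes(["69.174.108.0/2", "69.174.108.0/22"]))
```

The port condition is the reason the Webex template is narrower than the Zoom one: a Webex-range destination on 443 is left for an analyst, while only the 9000/tcp meeting traffic is triaged as expected. Running bad_prefixes over a group before loading it is a cheap check to add whenever a vendor's published ranges are pasted into an IP group by hand.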
