Scanning for activity of IPv6 and NetBIOS

Hi,

I am looking for a way to have a query to detect all activity of NetBIOS and IPv6. These two ports need to be disabled on all network devices so I am looking for a query I can run on a monthly basis to confirm these ports are disabled.

From my understanding there are two places that these ports can be disabled. In the control panel as well as the registry.

Has anyone ever built a query for these? Any help would be appreciated!

Thanks.

Christopher Danby

Qoosh over 1 year ago

The existing Live Discover query "Display registry section" can be used to find out if IPV6 is enabled or disabled. The value to use when the query runs is as follows.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents

You can use the following key name to search for the NetBIOS option.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\%\NetbiosOptions

To find out if any recent IPV6 network activity has occurred, you can use the existing Live Discover Query "IP address activity". By using the first few octets of an IPV6 address followed by a wildcard "2604:3d08:%" you can expand your query to all devices on your network.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Scanning for activity of IPv6 and NetBIOS