检测Beacon c2网络特征
Azure-Sentinel/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml
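# Scheduled analytics rule: flags source->destination->port "sessions" whose
# inter-contact time deltas are regular enough, after outlier smoothing, to be
# consistent with C2 beaconing. All tunables are the `let` bindings at the top
# of the query.
id: 3255ec41-6bd6-4f35-84b1-c032b18bbfcb
name: Fortinet - Beacon pattern detected
description: |
  'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.
  Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.
  The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a
  detection is set to 4.
  Increase the lookback period to capture beacons with larger periodicities.
  The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with
  automatically using series_outliers.
  Note: In large environments it may be necessary to reduce the lookback period to get fast query times.'
severity: Low
requiredDataConnectors:
  - connectorId: Fortinet
    dataTypes:
      - CommonSecurityLog
# queryPeriod should stay >= the `starttime` lookback used inside the query;
# raising `starttime` alone does not widen the data window the rule is given.
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
# NOTE(review): T1043 and T1065 are deprecated ATT&CK technique IDs (their
# content was folded into T1571, Non-Standard Port); kept unchanged here so the
# rule's metadata is not altered by this edit.
relevantTechniques:
  - T1043
  - T1065
query: |
  let starttime = 1d; // lookback window; keep it <= queryPeriod above
  let TimeDeltaThresholdInSeconds = 60; // deltas at or below this value are discarded (the filter below is a strict >)
  let TotalBeaconsThreshold = 4; // strict > below, so a session needs at least 5 surviving deltas to surface a row
  let JitterTolerance = 0.2; // stdev of the smoothed deltas must be < 20% of their mean
  // RFC1918 ranges plus loopback only. Anything else - link-local 169.254/16, multicast 224/4,
  // broadcast, CGNAT 100.64/10 and every IPv6 destination - does not match and is treated as "public",
  // so periodic local traffic of that kind can surface as a candidate beacon.
  let PrivateIPregex = @"^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\.";
  CommonSecurityLog
  | where DeviceVendor == "Fortinet"
  | where TimeGenerated > ago(starttime)
  // eliminate bad data: rows missing either endpoint, or with an unspecified (0.0.0.0) source
  | where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != "0.0.0.0"
  // filter out deny, close, rst and port 161 (SNMP) to reduce data volume; note this drops denied attempts,
  // so a beacon that is being blocked by the firewall is not counted here
  | where DeviceAction !in ("close", "client-rst", "server-rst", "deny") and DestinationPort != 161
  // map input fields
  | project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction
  // keep only destinations that do not match the private-range regex above
  | extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,"private" ,"public" )
  | where DestinationIPType == "public"
  // sort into source->destination 'sessions'; serialize is required before next() can be used
  | sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc
  | serialize
  // time diff the contact times between source and destination to get a list of deltas
  | extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)
  | extend TimeDeltainSeconds = datetime_diff("second",nextTimeGenerated,TimeGenerated)
  // keep a row only when the following row belongs to the same session (the last contact of each session has no delta and is dropped)
  | where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort
  // remove small time deltas at or below the set threshold
  | where TimeDeltainSeconds > TimeDeltaThresholdInSeconds
  | project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction
  // summarize the deltas by source->destination
  | summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort
  // get some statistical properties of the delta distribution and score each delta as an outlier (e.g. laptop shut overnight, working hours)
  | extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)
  // expand the deltas and the outliers so each delta is paired with its outlier score
  | mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)
  // replace outliers (score beyond +/-1.5) with the average of the distribution
  | extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)
  // re-aggregate per session with the smoothed distribution; BeaconCount is the number of surviving deltas
  | summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes
  // get stats on the smoothed distribution
  | extend series_stats(list_TimeDeltainSeconds_normalized)
  // match jitter tolerance on smoothed distrib: stdev must stay under JitterTolerance * mean
  | extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)
  | where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter
  // where the minimum beacon threshold is satisfied and there was some data transfer
  | where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)
  // final projection; Periodicity is the mean of the smoothed deltas in seconds
  | project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction
  // where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)
  | where Periodicity >= (10*TimeDeltaThresholdInSeconds)
  // columns consumed by the entity mapping below and used as the alert timestamp
  | extend timestamp = StartTime, IPCustomEntity = DestinationIP
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity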