• Fortinet检测命令控制——就是通过心跳,最短60s,最长1天的周期,检测偏离度0.2


    id: 3255ec41-6bd6-4f35-84b1-c032b18bbfcb
    name: Fortinet - Beacon pattern detected
    description: |
      'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.
       Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.
       The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a
       detection is set to 4.
       Increase the lookback period to capture beacons with larger periodicities.
       The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with
       automatically using series_outliers.
       Note: In large environments it may be necessary to reduce the lookback period to get fast query times.'
    severity: Low
    requiredDataConnectors:
      - connectorId: Fortinet
        dataTypes:
          - CommonSecurityLog
    queryFrequency: 1d
    queryPeriod: 1d
    triggerOperator: gt
    triggerThreshold: 0
    tactics:
      - CommandAndControl
    relevantTechniques:
      - T1043
      - T1065
    query: |
        let starttime = 1d;
        let TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold 
        let TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row
        let JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity
        let PrivateIPregex = @"^127.|^10.|^172.1[6-9].|^172.2[0-9].|^172.3[0-1].|^192.168."; // exclude destinations that fall into this category
        CommonSecurityLog
        | where DeviceVendor == "Fortinet"
        | where TimeGenerated > ago(starttime)
        // eliminate bad data
        | where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != "0.0.0.0"
        // filter out deny, close, rst and SNMP to reduce data volume
        | where DeviceAction !in ("close", "client-rst", "server-rst", "deny") and DestinationPort != 161
        // map input fields
        | project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction 
        // where destination IPs are public
        | extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,"private" ,"public" )
        | where DestinationIPType == "public"
        // sort into source->destination 'sessions'
        | sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc
        | serialize
        // time diff the contact times between source and destination to get a list of deltas
        | extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)
        | extend TimeDeltainSeconds = datetime_diff("second",nextTimeGenerated,TimeGenerated)
        | where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort
        // remove small time deltas below the set threshold
        | where TimeDeltainSeconds > TimeDeltaThresholdInSeconds
        | project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction 
        // summarize the deltas by source->destination
        | summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort
        // get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)
        | extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)
        // expand the deltas and the outliers
        | mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)
        // replace outliers with the average of the distribution
        | extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)
        // summarize with the smoothed distribution
        | summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes
        // get stats on the smoothed distribution
        | extend series_stats(list_TimeDeltainSeconds_normalized)
        // match jitter tolerance on smoothed distrib
        | extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)
        | where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter
        // where the minimum beacon threshold is satisfied and there was some data transfer
        | where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)
        // final projection
        | project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction
        // where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)
        | where Periodicity >= (10*TimeDeltaThresholdInSeconds)
        | extend timestamp = StartTime, IPCustomEntity = DestinationIP
    entityMappings:
      - entityType: IP
        fieldMappings:
          - identifier: Address
            columnName: IPCustomEntity
    

      

    对应att&ck里的不常用端口访问,其实还是有些偏差的。。。

    Non-Standard Port

    Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088[1] or port 587[2] as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

     
    ID: T1571
     
    Sub-techniques:  No sub-techniques
    Platforms: Linux, Windows, macOS
    Data Sources: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
     
    Version: 1.0
     
    Created: 14 March 2020
     
    Last Modified: 26 March 2020

    Procedure Examples

    IDNameDescription
    G0099 APT-C-36

    APT-C-36 has used port 4050 for C2 communications.[3]

    G0050 APT32

    An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configuration.[4]

    G0064 APT33

    APT33 has used HTTP over TCP ports 808 and 880 for command and control.[1]

    S0245 BADCALL

    BADCALL communicates on ports 443 and 8000 with a FakeTLS method.[5]

    S0239 Bankshot

    Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.[6]

    S0574 BendyBear

    BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.[7]

    G0105 DarkVishnya

    DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.[8]

    S0021 Derusbi

    Derusbi has used unencrypted HTTP on port 443 for C2.[9]

    S0367 Emotet

    Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.[10]

    G0046 FIN7

    FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.[11]

    S0493 GoldenSpy

    GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.[12]

    S0237 GravityRAT

    GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.[13]

    S0246 HARDRAIN

    HARDRAIN binds and listens on port 443 with a FakeTLS method.[14]

    S0376 HOPLIGHT

    HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.[15]

    G0032 Lazarus Group

    Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.[16][17]

    G0059 Magic Hound

    Magic Hound malware has communicated with its C2 server over TCP port 4443 using HTTP.[18]

    S0455 Metamorfo

    Metamorfo has communicated with hosts over raw TCP on port 9999.[19]

    S0149 MoonWind

    MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.[20]

    S0385 njRAT

    njRAT has used port 1177 for HTTP C2 communications.[21]

    S0428 PoetRAT

    PoetRAT used TLS to encrypt communications over port 143[22]

    S0153 RedLeaves

    RedLeaves can use HTTP over non-standard ports, such as 995, for C2.[23]

    G0106 Rocke

    Rocke's miner connects to a C2 server using port 51640.[24]

    S0148 RTM

    RTM used Port 44443 for its VNC module.[25]

    G0034 Sandworm Team

    Sandworm Team has used port 6789 to accept connections on the group's SSH server.[26]

    G0091 Silence

    Silence has used port 444 when sending data about the system from the client to the server.[27]

    S0491 StrongPity

    StrongPity has used HTTPS over port 1402 in C2 communication.[28]

    G0088 TEMP.Veles

    TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.[29]

    S0266 TrickBot

    Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.[30][31][32]

    S0263 TYPEFRAME

    TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.[33]

    S0515 WellMail

    WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.[34][35]

  • 相关阅读:
    Codeforces Round #595 (Div. 3) A,B,C,D
    计算几何板子题【2019牛客国庆集训派对day7——三角形和矩形】【多边形相交的面积】
    [POJ]POJ1753(dfs)
    [POJ]POJ2965(dfs)
    洛谷 P1772 [ZJOI2006]物流运输 题解
    简单概率与期望
    洛谷 P3802 小魔女帕琪 题解
    用树状数组实现的平衡树
    【模板】扩展中国剩余定理(EXCRT)
    新博客开通通知
  • 原文地址:https://www.cnblogs.com/bonelee/p/15272188.html
Copyright © 2020-2023  润新知