
Fortinet command-and-control detection: it is simply heartbeat based, with a period between a minimum of 60 s and a maximum of 1 day, and a tolerated deviation of 0.2

Date: 2023-08-02 21:31:51  Views: 232
Tags: used, 60s, detection, over, 0.2, list, TimeDeltainSeconds, C2, port

id: 3255ec41-6bd6-4f35-84b1-c032b18bbfcb
name: Fortinet - Beacon pattern detected
description: |
  'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.
   Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.
   The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a
   detection is set to 4.
   Increase the lookback period to capture beacons with larger periodicities.
   The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the inferred beacon periodicity. Seasonality is dealt with
   automatically using series_outliers.
   Note: In large environments it may be necessary to reduce the lookback period to get fast query times.'
severity: Low
requiredDataConnectors:
  - connectorId: Fortinet
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1043
  - T1065
query: |
    let starttime = 1d;
    let TimeDeltaThresholdInSeconds = 60; // we ignore beacon deltas that fall at or below this threshold
    let TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row
    let JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity
    let PrivateIPregex = @"^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\."; // exclude destinations that fall into this category
    CommonSecurityLog
    | where DeviceVendor == "Fortinet"
    | where TimeGenerated > ago(starttime)
    // eliminate bad data
    | where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != "0.0.0.0"
    // filter out deny, close, rst and SNMP to reduce data volume
    | where DeviceAction !in ("close", "client-rst", "server-rst", "deny") and DestinationPort != 161
    // map input fields
    | project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction 
    // where destination IPs are public
    | extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,"private" ,"public" )
    | where DestinationIPType == "public"
    // sort into source->destination 'sessions'
    | sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc
    | serialize
    // time diff the contact times between source and destination to get a list of deltas
    | extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)
    | extend TimeDeltainSeconds = datetime_diff("second",nextTimeGenerated,TimeGenerated)
    | where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort
    // remove small time deltas below the set threshold
    | where TimeDeltainSeconds > TimeDeltaThresholdInSeconds
    | project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction 
    // summarize the deltas by source->destination
    | summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort
    // get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)
    | extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)
    // expand the deltas and the outliers
    | mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)
    // replace outliers with the average of the distribution
    | extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)
    // summarize with the smoothed distribution
    | summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes
    // get stats on the smoothed distribution
    | extend series_stats(list_TimeDeltainSeconds_normalized)
    // match jitter tolerance on smoothed distrib
    | extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)
    | where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter
    // where the minimum beacon threshold is satisfied and there was some data transfer
    | where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)
    // final projection
    | project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction
    // where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)
    | where Periodicity >= (10*TimeDeltaThresholdInSeconds)
    | extend timestamp = StartTime, IPCustomEntity = DestinationIP
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
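To make the thresholds in the query easier to reason about, the following is an added Python re-implementation of the same pipeline over a few constructed Fortinet-style connection events; it is not part of the Sentinel rule or of this post. It keeps the rule's private-IP regex and thresholds. The outlier scoring is an assumed approximation of KQL's series_outliers (a Tukey fence on the interquartile range), the standard deviation is taken as the population form, and the sample sessions and the "accept" action value are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

TIME_DELTA_THRESHOLD_SECONDS = 60  # deltas at or below this are ignored
TOTAL_BEACONS_THRESHOLD = 4        # a session needs more than this many deltas
JITTER_TOLERANCE = 0.2             # stdev must stay below 20% of the periodicity
EXCLUDED_ACTIONS = {"close", "client-rst", "server-rst", "deny"}
PRIVATE_IP_REGEX = r"^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\."


def quantile(values, q):
    """Linear-interpolation quantile (assumed close enough to KQL's percentiles)."""
    s = sorted(values)
    pos = q * (len(s) - 1)
    lo = int(pos)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def outlier_scores(values):
    """Tukey-style score: distance outside the Q1..Q3 box in IQR units, 0 inside.
    Approximation of KQL series_outliers; |score| > 1.5 counts as an outlier."""
    q1, q3 = quantile(values, 0.25), quantile(values, 0.75)
    scale = (q3 - q1) or 1.0  # constant series: any deviation in seconds counts
    return [(v - q3) / scale if v > q3 else (v - q1) / scale if v < q1 else 0.0
            for v in values]


def detect_beacons(events):
    """Group events into src->dst:port sessions and apply the rule's thresholds.
    Events are dicts mirroring the CommonSecurityLog columns the query projects."""
    sessions = defaultdict(list)
    for e in events:
        if not e["SourceIP"] or not e["DestinationIP"] or e["SourceIP"] == "0.0.0.0":
            continue  # bad data
        if e["DeviceAction"] in EXCLUDED_ACTIONS or e["DestinationPort"] == 161:
            continue  # deny/reset noise and SNMP
        if re.search(PRIVATE_IP_REGEX, e["DestinationIP"]):
            continue  # public destinations only
        sessions[(e["SourceIP"], e["DestinationIP"], e["DestinationPort"])].append(e)

    results = []
    for (src, dst, port), evs in sessions.items():
        evs.sort(key=lambda e: e["TimeGenerated"])
        deltas = [(b["TimeGenerated"] - a["TimeGenerated"]).total_seconds()
                  for a, b in zip(evs, evs[1:])]
        deltas = [d for d in deltas if d > TIME_DELTA_THRESHOLD_SECONDS]
        if len(deltas) <= TOTAL_BEACONS_THRESHOLD:
            continue
        # as in the KQL, outliers are replaced by the average of the RAW list
        raw_avg = mean(deltas)
        normalized = [raw_avg if abs(s) > 1.5 else d
                      for d, s in zip(deltas, outlier_scores(deltas))]
        periodicity = mean(normalized)
        if pstdev(normalized) >= periodicity * JITTER_TOLERANCE:
            continue  # too much jitter for a beacon
        sent = sum(e["SentBytes"] for e in evs)
        received = sum(e["ReceivedBytes"] for e in evs)
        if sent == 0 and received == 0:
            continue  # no data transferred
        if periodicity < 10 * TIME_DELTA_THRESHOLD_SECONDS:
            continue  # periodicity too close to the ignored range
        results.append({"SourceIP": src, "DestinationIP": dst, "DestinationPort": port,
                        "BeaconCount": len(deltas), "Periodicity": periodicity,
                        "TimeDeltasInSeconds": deltas, "SentBytes": sent,
                        "ReceivedBytes": received})
    return results


def build_events(src, dst, port, start, deltas, action="accept"):
    """Constructed sample session: one event at start, then one per delta."""
    events, t = [], start
    for d in [0] + list(deltas):
        t += timedelta(seconds=d)
        events.append({"TimeGenerated": t, "SourceIP": src, "DestinationIP": dst,
                       "DestinationPort": port, "ReceivedBytes": 2048,
                       "SentBytes": 512, "DeviceAction": action})
    return events


T0 = datetime(2023, 8, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # ~15 min beacon with jitter and one 1 h gap (e.g. laptop lid closed)
    build_events("10.0.0.5", "203.0.113.10", 4050, T0,
                 [900, 930, 880, 900, 920, 880, 3600, 900, 910, 890, 900, 905, 895])
    # irregular, browsing-like contacts to a public host
    + build_events("10.0.0.5", "198.51.100.7", 443, T0, [120, 3000, 400, 7000, 90, 1500])
    # perfectly regular, but to a private address: excluded
    + build_events("10.0.0.5", "10.0.0.20", 445, T0, [900] * 12)
    # 30 s chatter: every delta falls under the granularity threshold
    + build_events("10.0.0.6", "203.0.113.10", 4050, T0, [30] * 12)
)


def run_sample():
    return detect_beacons(SAMPLE_EVENTS)


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['SourceIP']} -> {r['DestinationIP']}:{r['DestinationPort']} "
              f"beacons={r['BeaconCount']} period={r['Periodicity']:.0f}s")
```

Only the 4050 session survives: 13 deltas, a smoothed periodicity of about 917 s and a standard deviation of about 57 s, well inside the 20% band. One thing worth noticing when tuning: the query replaces outliers with the average of the raw list, which still contains the outlier, so a single large gap in a short series inflates the smoothed mean and can push the standard deviation over the jitter limit. The sample passes because twelve regular intervals dilute the one-hour gap; with only a handful of beacons the same gap would suppress the detection.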


This corresponds to the uncommonly used port access in ATT&CK, although honestly it is still somewhat off...

Non-Standard Port

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088[1] or port 587[2] as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

ID: T1571
Sub-techniques: No sub-techniques
Tactic: Command and Control
Platforms: Linux, Windows, macOS
Data Sources: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Version: 1.0
Created: 14 March 2020
Last Modified: 26 March 2020

Procedure Examples

| ID | Name | Description |
|---|---|---|
| G0099 | APT-C-36 | APT-C-36 has used port 4050 for C2 communications.[3] |
| G0050 | APT32 | An APT32 backdoor can use HTTP over a non-standard TCP port (e.g. 14146) which is specified in the backdoor configuration.[4] |
| G0064 | APT33 | APT33 has used HTTP over TCP ports 808 and 880 for command and control.[1] |
| S0245 | BADCALL | BADCALL communicates on ports 443 and 8000 with a FakeTLS method.[5] |
| S0239 | Bankshot | Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.[6] |
| S0574 | BendyBear | BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.[7] |
| G0105 | DarkVishnya | DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.[8] |
| S0021 | Derusbi | Derusbi has used unencrypted HTTP on port 443 for C2.[9] |
| S0367 | Emotet | Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.[10] |
| G0046 | FIN7 | FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.[11] |
| S0493 | GoldenSpy | GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.[12] |
| S0237 | GravityRAT | GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.[13] |
| S0246 | HARDRAIN | HARDRAIN binds and listens on port 443 with a FakeTLS method.[14] |
| S0376 | HOPLIGHT | HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.[15] |
| G0032 | Lazarus Group | Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.[16][17] |
| G0059 | Magic Hound | Magic Hound malware has communicated with its C2 server over TCP port 4443 using HTTP.[18] |
| S0455 | Metamorfo | Metamorfo has communicated with hosts over raw TCP on port 9999.[19] |
| S0149 | MoonWind | MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.[20] |
| S0385 | njRAT | njRAT has used port 1177 for HTTP C2 communications.[21] |
| S0428 | PoetRAT | PoetRAT used TLS to encrypt communications over port 143.[22] |
| S0153 | RedLeaves | RedLeaves can use HTTP over non-standard ports, such as 995, for C2.[23] |
| G0106 | Rocke | Rocke's miner connects to a C2 server using port 51640.[24] |
| S0148 | RTM | RTM used port 44443 for its VNC module.[25] |
| G0034 | Sandworm Team | Sandworm Team has used port 6789 to accept connections on the group's SSH server.[26] |
| G0091 | Silence | Silence has used port 444 when sending data about the system from the client to the server.[27] |
| S0491 | StrongPity | StrongPity has used HTTPS over port 1402 in C2 communication.[28] |
| G0088 | TEMP.Veles | TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.[29] |
| S0266 | TrickBot | Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.[30][31][32] |
| S0263 | TYPEFRAME | TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.[33] |
| S0515 | WellMail | WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.[34][35] |

From: https://blog.51cto.com/u_11908275/6943354

    用无人车做市政自助无障碍检测机,根据残疾人申报的常用路线进行无障碍检测及日常巡逻,并作为新建公共设施的验收检测项目之一。是可行的。费用就从残疾人基金中扣除,费用应当有,但不能太高。几年前的方案,至今虽然市政高楼频起,城投不可谓不多,无人车也屡见于快递和酒店服务,却没有服务于......