AbuseCH Botnet C2 Indicators Of Compromise
TI Feed Abuse CH Botnet C2indicators
Query
let BotnetIP = externaldata(IP: string)[@"https://feodotracker.abuse.ch/downloads/ipblocklist.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
BotnetIP
| where IP matches regex IPRegex
| distinct IP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder
TimeGenerated,
ActionType,
RemoteIP,
RemotePort,
LocalPort,
Protocol,
DeviceName,
InitiatingProcessCommandLine,
InitiatingProcessFolderPathAbout this query
AbuseCH Botnet C2 Indicators Of Compromise
Source: AbuseCH
Feed information: https://feodotracker.abuse.ch/blocklist/
Feed link: https://feodotracker.abuse.ch/downloads/ipblocklist.txt
Defender XDR
let BotnetIP = externaldata(IP: string)[@"https://feodotracker.abuse.ch/downloads/ipblocklist.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
BotnetIP
| where IP matches regex IPRegex
| distinct IP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder
Timestamp,
ActionType,
RemoteIP,
RemotePort,
LocalPort,
Protocol,
DeviceName,
InitiatingProcessCommandLine,
InitiatingProcessFolderPath
Sentinel
Explanation
This query is designed to identify and analyze network events involving potentially malicious IP addresses associated with botnet command and control (C2) servers. Here's a simplified breakdown of what the query does:
-
Data Source: It uses an external data source from AbuseCH, specifically the Feodo Tracker IP blocklist, which contains IP addresses known to be associated with botnet C2 servers.
-
Data Extraction: The query retrieves the list of IP addresses from the provided URL and filters them to ensure they match the standard IP address format using a regular expression.
-
Identify Malicious IPs: It creates a list of distinct IP addresses that are considered malicious based on the blocklist.
-
Network Event Filtering: The query then examines network events (from
DeviceNetworkEvents) to find any events where the remote IP address matches one of the malicious IPs identified earlier. -
Geolocation Information: For each matching network event, it retrieves geolocation information (country, state, city, latitude, longitude) based on the remote IP address.
-
Data Presentation: Finally, it organizes the results to display relevant details such as the timestamp of the event, action type, remote and local ports, protocol used, device name, and information about the process that initiated the network connection.
The query is structured similarly for both Defender XDR and Sentinel, with slight differences in the field names used for timestamps (Timestamp vs. TimeGenerated). This allows security analysts to monitor and investigate potential botnet activities within their network by leveraging threat intelligence from AbuseCH.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators