Query Details

AbuseCH Botnet C2 Indicators Of Compromise

TI Feed Abuse CH Botnet C2indicators

Query

let BotnetIP = externaldata(IP: string)[@"https://feodotracker.abuse.ch/downloads/ipblocklist.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
     BotnetIP
     | where IP matches regex IPRegex
     | distinct IP
     );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder
     TimeGenerated,
     ActionType,
     RemoteIP,
     RemotePort,
     LocalPort,
     Protocol,
     DeviceName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath

About this query

AbuseCH Botnet C2 Indicators Of Compromise

Source: AbuseCH

Feed information: https://feodotracker.abuse.ch/blocklist/

Feed link: https://feodotracker.abuse.ch/downloads/ipblocklist.txt

Defender XDR

let BotnetIP = externaldata(IP: string)[@"https://feodotracker.abuse.ch/downloads/ipblocklist.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
     BotnetIP
     | where IP matches regex IPRegex
     | distinct IP
     );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder
     Timestamp,
     ActionType,
     RemoteIP,
     RemotePort,
     LocalPort,
     Protocol,
     DeviceName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath

Sentinel

Explanation

This query is designed to identify and analyze network events involving potentially malicious IP addresses associated with botnet command and control (C2) servers. Here's a simplified breakdown of what the query does:

  1. Data Source: It uses an external data source from AbuseCH, specifically the Feodo Tracker IP blocklist, which contains IP addresses known to be associated with botnet C2 servers.

  2. Data Extraction: The query retrieves the list of IP addresses from the provided URL and filters them to ensure they match the standard IP address format using a regular expression.

  3. Identify Malicious IPs: It creates a list of distinct IP addresses that are considered malicious based on the blocklist.

  4. Network Event Filtering: The query then examines network events (from DeviceNetworkEvents) to find any events where the remote IP address matches one of the malicious IPs identified earlier.

  5. Geolocation Information: For each matching network event, it retrieves geolocation information (country, state, city, latitude, longitude) based on the remote IP address.

  6. Data Presentation: Finally, it organizes the results to display relevant details such as the timestamp of the event, action type, remote and local ports, protocol used, device name, and information about the process that initiated the network connection.

The query is structured similarly for both Defender XDR and Sentinel, with slight differences in the field names used for timestamps (Timestamp vs. TimeGenerated). This allows security analysts to monitor and investigate potential botnet activities within their network by leveraging threat intelligence from AbuseCH.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

BotnetIndicatorsOfCompromiseDeviceNetworkEventsGeoIPInformation

Operators

letexternaldatawithmatchesregexdistinctmaterializewhereinextendgeo_info_from_ip_addresstostringparse_jsonproject-reorder

Actions

GitHub