Query Details

MontySecurity C2 Tracker All IPs

TI Feed Monty Security C2 Tracker All I Ps

Query

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

About this query

MontySecurity C2 Tracker All IPs

Source: MontySecurity

Feed information: https://github.com/montysecurity/C2-Tracker

Feed link: https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt

Defender XDR

let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName

Sentinel

Explanation

This query is designed to identify and provide information about potentially malicious IP addresses from a threat intelligence feed, specifically the MontySecurity C2 Tracker. Here's a simple breakdown of what the query does:

  1. Data Source: The query uses an external data source, which is a text file containing a list of IP addresses. This file is hosted on GitHub by MontySecurity.

  2. IP Extraction: It extracts IP addresses from the data using a regular expression that matches standard IPv4 address formats.

  3. Malicious IP Identification: The query identifies distinct IP addresses from the feed that match the IP format.

  4. Network Event Filtering: It then checks network events to see if any of these identified IP addresses appear as remote IPs in the network events.

  5. Geolocation Information: For any matching network events, the query retrieves geolocation information for the remote IPs, including country, state, city, latitude, and longitude.

  6. Output: Finally, it organizes the output to show relevant details such as the timestamp of the event, device name, remote IP and port, and the account name of the process that initiated the connection.

The query is structured similarly for both Defender XDR and Sentinel, with minor differences in the naming of the timestamp field (Timestamp vs. TimeGenerated).

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

ThreatIntelFeedDestIPDeviceNetworkEventsRemoteIPGeoIPInfoCountryStateCityLatitudeLongitudeTimestampDeviceNameRemotePortInitiatingProcessAccountNameTimeGenerated

Operators

letexternaldatawithmaterializewherematchesregexdistinctinextendgeo_info_from_ip_addresstostringparse_jsonproject-reorder

Actions

GitHub