Adding query for FalconFriday 0xFF0D
Showing
1 changed file
with
114 additions
and
0 deletions.
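--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>.md
@@ -0,0 +1,114 @@
+# T1071.001 - Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains
+## Hunt Tags
+**ID:** T1071.001
+
+**Last Modified:** 26/02/2021
+
+**Author:** [FalconForce](https://falconforce.nl/)
+
+**License:** [BSD 3-Clause License](https://github.com/FalconForceTeam/FalconFriday/blob/master/LICENSE)
+
+**References:** [Link to medium post](https://medium.com/falconforce/falconfriday-recognizing-beaconing-traffic-0xff0d-f0fab038c22f)
+
+## ATT&CK Tags
+**Tactic:** Command and Control
+
+**Technique:** Application Layer Protocol - Web Protocols
+
+## Technical description of the attack
+This query searches web proxy logs for a specific type of beaconing behavior by joining a number of sources together
+* Traffic by actual web browsers - by looking at traffic generated by a UserAgent that looks like a Browser and is used by multiple users
+to visit a large number of domains.
+* Users that make request using one of these actual browsers but only to a small set of domains, none of which are common domains.
+* The traffic is beacon like, meaning that it occurs during many different hours of the day (i.e. periodic)
+
+## Permission required to execute the technique
+User
+## Detection description
+Attackers often attempt to masquerade beaconing traffic to a C&C server as genuine browser traffic by setting the UserAgent equal to the UserAgent used by a common Web Browser such as Edge or Chrome. This query attempts to detect this behavior where the attacker spoofs a common UserAgent value but one that is not actively used by the user to browse the internet. If such a UserAgent is detected making periodic queries to a domain that is not common, this will trigger an alert.
+
+## Utilized Data Source
+| Log Provider | Event ID | Event Name | ATT&CK Data Source |
+|---------|---------|----------|---------|
+|Proxy||||
+
+## Hunt details
+### KQL
+
+**FP Rate:** *Medium*
+
+**Source:** *Sentinel Proxy Logs*
+
+**Description:** *See above*
+
+**Query:**
+Approach 1:
+```C#
+let timeframe = 1d; // timeframe during which to search for beaconing behaviour
+let lookback = 7d; // Look back period to find if browser was used for other domains by user
+let min_requests=50; // Minimum number of requests to consider it beacon traffic
+let min_hours=8; // Minimum number of different hours during which connections were made to consider it beacon traffic
+let trusted_user_count=10; // If visited by this many users a domain is considered 'trusted'
+let max_sites=3; // Maximum number of different sites visited using this user-agent
+// Client specific Query to obtain 'browser like' traffic from Proxy logs
+let BrowserTraffic = (p:timespan) {
+CommonSecurityLog
+| where DeviceVendor == "Zscaler" and DeviceProduct == "NSSWeblog"
+| where TimeGenerated >ago(p)
+| project TimeGenerated, SourceUserName, DestinationHostName, RequestClientApplication
+| where (RequestClientApplication startswith "Mozilla/" and RequestClientApplication contains "Gecko")
+};
+let CommonDomains = BrowserTraffic(timeframe)
+| summarize source_count=dcount(SourceUserName) by DestinationHostName
+| where source_count>trusted_user_count
+| project DestinationHostName;
+let CommonUA = BrowserTraffic(timeframe)
+| summarize source_count=dcount(SourceUserName), host_count=dcount(DestinationHostName) by RequestClientApplication
+| where source_count>trusted_user_count and host_count > 100 // Normal browsers are browsers used by many people and visiting many different sites
+| project RequestClientApplication;
+// Find browsers that are common, i.e. many users use them and they use them to visit many different sites
+// But some users only use the browser to visit a very limited set of sites
+// These are considered suspicious - since they might be an attacker masquerading a beacon as a legitimate browser
+let SuspiciousBrowers = BrowserTraffic(timeframe)
+| where RequestClientApplication in(CommonUA)
+| summarize BrowserHosts=make_set(DestinationHostName),request_count=count() by RequestClientApplication, SourceUserName
+| where array_length(BrowserHosts) <= max_sites and request_count >= min_requests
+| project RequestClientApplication, SourceUserName,BrowserHosts;
+// Just reporting on suspicious browsers gives too many false positives
+// For example users that have the browser open on the login screen of 1 specific application
+// In the suspicious browsers we can search for 'Beacon like' behaviour
+// Get all browser traffic by the suspicious browsers
+let PotentialAlerts=SuspiciousBrowers
+| join BrowserTraffic(timeframe) on RequestClientApplication, SourceUserName
+// Find beaconing like traffic - i.e. contacting the same host in many different hours
+| summarize hour_count=dcount(bin(TimeGenerated,1h)), BrowserHosts=any(BrowserHosts), request_count=count() by RequestClientApplication, SourceUserName, DestinationHostName
+| where hour_count >= min_hours and request_count >= min_requests
+// Remove common domains like login.microsoft.com
+| join kind=leftanti CommonDomains on DestinationHostName
+| summarize RareHosts=make_set(DestinationHostName), TotalRequestCount=sum(request_count), BrowserHosts=any(BrowserHosts) by RequestClientApplication, SourceUserName
+// Remove browsers that visit any common domains
+| where array_length(RareHosts) == array_length(BrowserHosts);
+// Look back for 7 days to see the browser was not used to visit more hosts
+// This is to get rid of someone that started up the browser a long time ago
+// And left only a single tab open
+PotentialAlerts
+| join BrowserTraffic(lookback) on SourceUserName, RequestClientApplication
+| summarize RareHosts=any(RareHosts),BrowserHosts1d=any(BrowserHosts),BrowserHostsLookback=make_set(DestinationHostName) by SourceUserName, RequestClientApplication
+| where array_length(RareHosts) == array_length(BrowserHostsLookback)
+
+```
+
+## Considerations
+* The results of this query will show users that are periodically beaconing to a certain domain.
+
+## False Positives
+* Not all results are by definition malicious, for example there might be a legitimate tool that exhibits this behaviour.
+
+## Detection Blind Spots
+Attackers can use various techniques to remain undetected, for example:
+* Using a User Agent that exactly matches the User Agent in use by the end user;
+* Making sure the beacon also connects to a number of common domains such as www.google.com;
+* Using domain fronting to make the beaconing connections appear to target a common domain.
+
+## References
+* https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml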
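Review bot: The `CommonUA` filter hard-codes `host_count > 100` while every other tuning knob in the query is a named `let` at the top (`min_requests`, `min_hours`, `trusted_user_count`, `max_sites`), so an analyst adapting the hunt to a smaller estate has to find and edit this one threshold inside the pipeline. Suggest `let min_browser_hosts=100; // Minimum distinct hosts a user-agent must reach to count as a real browser` next to the other thresholds and `| where source_count>trusted_user_count and host_count > min_browser_hosts` in `CommonUA`. Separately, the `any()` aggregate used in the `PotentialAlerts` and final `summarize` steps is, as far as I know, deprecated in current Kusto in favour of `take_any()`; it still runs, but switching when the query is next touched would avoid a deprecation warning.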