Scenario overview

Ransomware typically exhibits specific behavior patterns before encrypting files.

QRadar detection approach
1. Anomalous file modification detection

-- Detect a large volume of file modification events in the last hour.
-- AQL has no CONTAINS operator; ILIKE with wildcards is the case-insensitive
-- substring match, and the HAVING filter uses the aggregate directly.
SELECT sourceip, username,
       QIDNAME(qid),
       COUNT(*) AS file_modifications
FROM events
WHERE QIDNAME(qid) ILIKE '%File%'
   OR QIDNAME(qid) ILIKE '%Write%'
GROUP BY sourceip, username, QIDNAME(qid)
HAVING COUNT(*) > 1000
ORDER BY file_modifications DESC
LAST 1 HOURS

2. SMB anomaly detection
-- Detect SMB scanning / lateral propagation: many SMB (TCP 445) flows from
-- one source to one destination within the last hour.
SELECT sourceip, destinationip,
       COUNT(*) AS smb_connections
FROM flows
WHERE destinationport = 445
GROUP BY sourceip, destinationip
HAVING COUNT(*) > 50
ORDER BY smb_connections DESC
LAST 1 HOURS
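The two queries above can be replayed offline to sanity-check their thresholds before they are deployed as rules. The following is an added example, not part of the original page and not QRadar code: it re-implements both detections in Python over constructed event and flow records whose field names follow the AQL columns used above (sourceip, username, qidname, destinationip, destinationport, starttime). It also goes one step beyond query 2 by counting distinct SMB destinations per source, because grouping by (sourceip, destinationip) only catches repeated connections to a single host, while a host sweeping a subnet touches many peers once each and never trips the per-pair count. The thresholds, reference time and sample hosts are assumptions chosen for the demonstration.

```python
"""Offline replay of the two QRadar ransomware detections over constructed records."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 1, 12, 0, 0)  # constructed reference time for the 1-hour window


def make_events():
    """Constructed event records mimicking the AQL 'events' columns (not real data)."""
    events = []
    # Host A: 1200 file-write events by one user inside the last hour (a burst).
    for i in range(1200):
        events.append({"sourceip": "10.0.0.5", "username": "alice",
                       "qidname": "File Write", "starttime": NOW - timedelta(seconds=i)})
    # Host B: 30 file modifications, normal activity.
    for i in range(30):
        events.append({"sourceip": "10.0.0.8", "username": "bob",
                       "qidname": "File Modified", "starttime": NOW - timedelta(minutes=i)})
    # Host A: 50 logon events; the name has neither "File" nor "Write", so ignored.
    for i in range(50):
        events.append({"sourceip": "10.0.0.5", "username": "alice",
                       "qidname": "User Logon Success", "starttime": NOW - timedelta(seconds=i)})
    # Host A: 2000 file writes three hours ago, outside the window, so ignored.
    for i in range(2000):
        events.append({"sourceip": "10.0.0.5", "username": "alice",
                       "qidname": "File Write", "starttime": NOW - timedelta(hours=3, seconds=i)})
    return events


def make_flows():
    """Constructed flow records mimicking the AQL 'flows' columns (not real data)."""
    flows = []
    # Host A: 60 SMB connections to the same file server (trips the per-pair rule).
    for _ in range(60):
        flows.append({"sourceip": "10.0.0.5", "destinationip": "10.0.0.100",
                      "destinationport": 445, "starttime": NOW - timedelta(minutes=5)})
    # Host C: one SMB connection to each of 80 distinct hosts (a sweep).
    for i in range(80):
        flows.append({"sourceip": "10.0.0.9", "destinationip": f"10.0.1.{i + 1}",
                      "destinationport": 445, "starttime": NOW - timedelta(minutes=1)})
    # Host B: 70 HTTPS flows; wrong port, ignored.
    for _ in range(70):
        flows.append({"sourceip": "10.0.0.8", "destinationip": "203.0.113.10",
                      "destinationport": 443, "starttime": NOW})
    return flows


def in_window(record, window):
    """True when the record's starttime falls inside [NOW - window, NOW]."""
    return NOW - window <= record["starttime"] <= NOW


def file_modification_bursts(events, threshold=1000, window=timedelta(hours=1)):
    """Mirror of query 1: count events whose name contains 'file' or 'write'
    (case-insensitive, like ILIKE '%File%') per (sourceip, username, qidname)
    inside the window; return groups above the threshold, largest first."""
    counts = Counter()
    for e in events:
        name = e["qidname"].lower()
        if in_window(e, window) and ("file" in name or "write" in name):
            counts[(e["sourceip"], e["username"], e["qidname"])] += 1
    hits = [(key, n) for key, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


def smb_pair_fanout(flows, threshold=50, window=timedelta(hours=1)):
    """Mirror of query 2: SMB (port 445) flows per (sourceip, destinationip) pair."""
    counts = Counter()
    for f in flows:
        if in_window(f, window) and f["destinationport"] == 445:
            counts[(f["sourceip"], f["destinationip"])] += 1
    hits = [(key, n) for key, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


def smb_distinct_targets(flows, threshold=20, window=timedelta(hours=1)):
    """Extension beyond the page's query: distinct SMB destinations per source,
    which catches a subnet sweep that the per-pair count misses."""
    targets = defaultdict(set)
    for f in flows:
        if in_window(f, window) and f["destinationport"] == 445:
            targets[f["sourceip"]].add(f["destinationip"])
    hits = [(src, len(t)) for src, t in targets.items() if len(t) > threshold]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


def correlate(events, flows):
    """Sources showing both a file-modification burst and SMB fan-out: the
    combination is a stronger ransomware signal than either rule alone."""
    burst_hosts = {src for (src, _, _), _ in file_modification_bursts(events)}
    smb_hosts = {src for (src, _), _ in smb_pair_fanout(flows)}
    smb_hosts |= {src for src, _ in smb_distinct_targets(flows)}
    return sorted(burst_hosts & smb_hosts)


if __name__ == "__main__":
    ev, fl = make_events(), make_flows()
    print("file bursts:", file_modification_bursts(ev))
    print("smb pairs:  ", smb_pair_fanout(fl))
    print("smb sweeps: ", smb_distinct_targets(fl))
    print("both:       ", correlate(ev, fl))
```

Running the script shows host 10.0.0.5 tripping both the file-burst and per-pair SMB rules, host 10.0.0.9 tripping only the distinct-destination rule, and the stale events and non-SMB flows being ignored; adjusting the threshold arguments is a quick way to see how much benign activity each rule would surface before committing the values to a QRadar rule.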