Scenario overview
An infected host communicates with an attacker-controlled command-and-control (C2) server. Two artefacts of that traffic are visible in QRadar without any payload inspection: the DNS names the host resolves (algorithmically generated when the malware uses a DGA) and the timing of its outbound connections (regular when the implant beacons on a fixed sleep).
QRadar detection approach
1. DGA domain detection
-- DGA candidates: hosts that query many distinct long names in a day.
-- AQL has no entropy function, so name length (STRLEN) stands in for
-- entropy. "Domain" is assumed to be a custom event property holding the
-- queried name; the category filter depends on how the DNS log source is
-- parsed, so check CATEGORYNAME(category) on a known DNS event first.
SELECT sourceip,
       UNIQUECOUNT("Domain") AS distinct_names,
       COUNT(*) AS query_count
FROM events
WHERE CATEGORYNAME(category) LIKE 'DNS%'
  AND STRLEN("Domain") > 20
GROUP BY sourceip
HAVING UNIQUECOUNT("Domain") > 10
ORDER BY distinct_names DESC
LAST 24 HOURS

Notes on this query: a DGA name is usually resolved once and then abandoned, so the signal is one host querying many distinct long names, not one name being queried repeatedly; grouping by sourceip and counting unique names captures that. Length of the whole FQDN is a weak proxy for entropy: CDN and cloud hostnames are long but readable, so expect false positives until the threshold is tuned, and measure the registrable label rather than the full name where a property for it exists. Where the DNS log source exposes the response code, restricting to NXDOMAIN answers removes most legitimate long names, since DGA lookups mostly fail.

2. Beaconing detection
-- Beacon candidates: many flows from one host to one destination whose
-- average spacing is close to 60 s. Flow times are epoch milliseconds, so
-- the window is 55-65 s. (INTERVAL and packetcount are not AQL; the average
-- gap is approximated as the time span of the pair divided by flow count.)
SELECT sourceip, destinationip,
       COUNT(*) AS connections,
       (MAX(lastpackettime) - MIN(firstpackettime)) / COUNT(*) AS avg_interval_ms
FROM flows
WHERE destinationport = 443
GROUP BY sourceip, destinationip
HAVING COUNT(*) > 50
   AND (MAX(lastpackettime) - MIN(firstpackettime)) / COUNT(*) BETWEEN 55000 AND 65000
LAST 24 HOURS

Notes on this query: span divided by count is only the mean gap. A host that opens 60 connections to a CDN in one minute and then idles for an hour has the same mean as a 60 s beacon, and an implant with a sleep jitter wider than the window is missed entirely. Real periodicity shows up in the variance of the inter-arrival gaps between successive flows, which AQL cannot express in one query; export the (sourceip, destinationip, firstpackettime) triples for the pairs this query surfaces and test the gap distribution offline.
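Both AQL queries above approximate a statistic that AQL cannot compute directly: the character entropy of a queried name, and the regularity of the gaps between successive flows. The following script is an added example, not code from the original page and not a QRadar component; it computes both statistics over constructed records in the shape those queries would export (DNS records as (source IP, queried name) pairs, flows as (source IP, destination IP, destination port, first packet time in epoch milliseconds)). All IP addresses, names, timestamps and thresholds in it are made up for illustration.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample DNS query records (hypothetical, not exported from QRadar):
# (source IP, queried name). The second host resolves algorithmically generated names.
DNS_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "xk3j9qpl2mz8vt4hwy6a.net"),
    ("10.0.0.7", "q8zr1mvc7lk0dpb3ex5n.net"),
    ("10.0.0.7", "t5wgh2yn9ks4jva7qd1c.net"),
    ("10.0.0.7", "cdn.example.com"),
]


def periodic_flows(src, dst, start_ms, period_ms, count, jitter_ms):
    """Constructed flows (src, dst, dstport, firstpackettime_ms) at a fixed period
    with alternating +/- jitter, imitating a beacon with a small sleep jitter."""
    flows = []
    for i in range(count):
        offset = jitter_ms if i % 2 == 0 else -jitter_ms
        flows.append((src, dst, 443, start_ms + i * period_ms + offset))
    return flows


def irregular_flows(src, dst, start_ms, count):
    """Constructed flows with deterministic but irregular gaps (1 s to 13 s),
    standing in for ordinary browsing to one HTTPS destination."""
    flows, t = [], start_ms
    for i in range(count):
        flows.append((src, dst, 443, t))
        t += 1000 * (1 + (i * 7) % 13)
    return flows


T0 = 1_700_000_000_000  # epoch milliseconds, the unit QRadar stores flow times in
FLOWS = (periodic_flows("10.0.0.7", "203.0.113.9", T0, 60_000, 60, 2_000)
         + irregular_flows("10.0.0.5", "198.51.100.4", T0, 25))


def shannon_entropy(s):
    """Bits per character of s. Random DGA labels sit near log2(alphabet size);
    dictionary-word labels are noticeably lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_hosts(records, min_len=12, min_entropy=3.5, min_hits=2):
    """Hosts with at least min_hits queries whose registrable label is both long
    and high-entropy. Suffix handling is naive: the label left of the last dot."""
    hits = defaultdict(int)
    for src, fqdn in records:
        labels = fqdn.rstrip(".").lower().split(".")
        label = labels[-2] if len(labels) >= 2 else labels[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


def beacon_pairs(flows, port=443, min_flows=20, max_cv=0.15):
    """Per (src, dst) pair, compute the inter-arrival gaps of flows to port.
    A pair is a beacon candidate when the gaps are tightly clustered, i.e. the
    coefficient of variation (stdev / mean) is small, which the AQL mean-gap
    heuristic cannot tell apart from a burst followed by silence."""
    by_pair = defaultdict(list)
    for src, dst, dstport, ts in flows:
        if dstport == port:
            by_pair[(src, dst)].append(ts)
    out = {}
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        out[pair] = {
            "flows": len(times),
            "median_gap_ms": statistics.median(gaps),  # robust to a few missed beacons
            "cv": round(cv, 3),
            "beacon": cv <= max_cv,
        }
    return out


if __name__ == "__main__":
    print("DGA candidates:", dga_hosts(DNS_QUERIES))
    for pair, info in beacon_pairs(FLOWS).items():
        print(pair, info)
```

The thresholds (label length 12, 3.5 bits per character, 20 flows, coefficient of variation 0.15) are starting points to tune against a baseline of known-good hosts, not published cut-offs. The median gap reported for a flagged pair is the value to feed back into the AQL BETWEEN window if the implant's period is not 60 s.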