Query Details

TI Feed AbuseCH Botnet C2 Indicators

Query

# AbuseCH Botnet C2 Indicators Of Compromise

#### Source: AbuseCH
#### Feed information: https://feodotracker.abuse.ch/blocklist/
#### Feed link: https://feodotracker.abuse.ch/downloads/ipblocklist.txt

### Defender For Endpoint
```
// Pull the Feodo Tracker C2 IP blocklist at query time; ignoreFirstRecord skips the feed's first line.
let BotnetIP = externaldata(IP: string)[@"https://feodotracker.abuse.ch/downloads/ipblocklist.txt"] with (format="txt", ignoreFirstRecord=True);
// Keep only records that look like an IPv4 address; the feed's comment lines are dropped here.
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
     BotnetIP
     | where IP matches regex IPRegex
     | distinct IP
     );
// Match network events against the indicator set and enrich each hit with geolocation.
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country),
         state = tostring(parse_json(GeoIPInfo).state),
         city = tostring(parse_json(GeoIPInfo).city),
         latitude = tostring(parse_json(GeoIPInfo).latitude),
         longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder
     Timestamp,
     ActionType,
     RemoteIP,
     RemotePort,
     LocalPort,
     Protocol,
     DeviceName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath
```


### Sentinel
```
// Pull the Feodo Tracker C2 IP blocklist at query time; ignoreFirstRecord skips the feed's first line.
let BotnetIP = externaldata(IP: string)[@"https://feodotracker.abuse.ch/downloads/ipblocklist.txt"] with (format="txt", ignoreFirstRecord=True);
// Keep only records that look like an IPv4 address; the feed's comment lines are dropped here.
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
     BotnetIP
     | where IP matches regex IPRegex
     | distinct IP
     );
// Match network events against the indicator set and enrich each hit with geolocation.
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country),
         state = tostring(parse_json(GeoIPInfo).state),
         city = tostring(parse_json(GeoIPInfo).city),
         latitude = tostring(parse_json(GeoIPInfo).latitude),
         longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder
     TimeGenerated,
     ActionType,
     RemoteIP,
     RemotePort,
     LocalPort,
     Protocol,
     DeviceName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath
```

Explanation

The query retrieves the list of botnet C2 IP addresses published by the AbuseCH Feodo Tracker feed, keeping only the lines that match an IPv4 pattern. It then filters DeviceNetworkEvents to the events whose remote IP address is in that list of malicious IP addresses. Each match is enriched with geolocation data for the remote IP (country, state, city, latitude and longitude) via geo_info_from_ip_address(). The final result is reordered to show the network event fields most useful for triage, such as the remote IP and port, the device name and the initiating process command line.
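The feed ingestion and matching steps described above, as an added Python example that is not part of the original query: it parses a constructed sample in the layout of the feodotracker ipblocklist.txt feed, applies the page's regex, and matches constructed DeviceNetworkEvents-style records against the resulting indicator set. It also shows why the unanchored regex should be backed by a real IPv4 check, since the pattern alone accepts a malformed entry such as `999.1.1.1`; the geolocation enrichment is not reproduced offline. All addresses and records below are constructed.

```python
import ipaddress
import re

# Constructed sample in the layout of the Feodo Tracker ipblocklist.txt feed:
# '#'-prefixed header/comment lines, then one IPv4 address per line.
# Addresses come from documentation ranges; they are not real indicators.
SAMPLE_BLOCKLIST = """\
################################################################
# Feodo Tracker Botnet C2 IP Blocklist (constructed sample)    #
# Last updated: 2023-06-08 00:00:00 UTC                        #
192.0.2.10
198.51.100.77
203.0.113.5
999.1.1.1
"""

# Constructed DeviceNetworkEvents-style records with the fields the query projects.
SAMPLE_EVENTS = [
    {"Timestamp": "2023-06-08T10:01:00Z", "DeviceName": "ws01",
     "RemoteIP": "198.51.100.77", "RemotePort": 443, "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2023-06-08T10:02:00Z", "DeviceName": "ws02",
     "RemoteIP": "192.0.2.200", "RemotePort": 53, "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2023-06-08T10:03:00Z", "DeviceName": "ws03",
     "RemoteIP": "999.1.1.1", "RemotePort": 8080, "ActionType": "ConnectionFailed"},
]

# The same (unanchored) pattern the KQL query uses with 'matches regex'.
IP_REGEX = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")


def regex_only_filter(text: str) -> set[str]:
    """What the query's 'matches regex IPRegex | distinct IP' step keeps on its own."""
    return {line.strip() for line in text.splitlines() if IP_REGEX.search(line)}


def parse_blocklist(text: str) -> set[str]:
    """Distinct, valid IPv4 indicators: regex pre-filter plus a real address check."""
    indicators = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not IP_REGEX.fullmatch(line):
            continue
        try:
            ipaddress.IPv4Address(line)   # rejects octets above 255, e.g. 999.1.1.1
        except ValueError:
            continue
        indicators.add(line)
    return indicators


def match_events(events: list[dict], indicators: set[str]) -> list[dict]:
    """Equivalent of '| where RemoteIP in (MaliciousIP)'."""
    return [e for e in events if e["RemoteIP"] in indicators]
```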

Details

Bert-Jan Pals

Released: June 8, 2023

Tables

DeviceNetworkEvents

Keywords

Devices,Intune,User,KQL,BotnetIP,IP,IPRegex,MaliciousIP,DeviceNetworkEvents,RemoteIP,GeoIPInfo,country,state,city,latitude,longitude,Timestamp,ActionType,RemotePort,LocalPort,Protocol,DeviceName,InitiatingProcessCommandLine,InitiatingProcessFolderPath,TimeGenerated