Back to Details

analyzing-ransomware-network-indicators

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Analyzing Ransomware Network Indicators

分析勒索软件网络指标

Overview

概述

Before and during ransomware execution, adversaries establish C2 channels, exfiltrate data, and download encryption keys. This skill analyzes Zeek conn.log and NetFlow data to detect beaconing patterns (regular-interval callbacks), connections to known TOR exit nodes, large outbound data transfers, and suspicious DNS activity associated with ransomware families.
在勒索软件执行之前和执行期间,攻击者会建立C2通道、泄露数据并下载加密密钥。本技能通过分析Zeek conn.log和NetFlow数据,检测与勒索软件家族相关的信标模式(定期回调)、已知TOR出口节点的连接、大规模出站数据传输以及可疑DNS活动。

When to Use

使用场景

  • When investigating security incidents that require analyzing ransomware network indicators
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques
  • 当需要分析勒索软件网络指标以调查安全事件时
  • 当构建该领域的检测规则或威胁狩猎查询时
  • 当SOC分析师需要此类分析的结构化流程时
  • 当验证相关攻击技术的安全监控覆盖范围时

Prerequisites

前提条件

  • Zeek conn.log files or NetFlow CSV/JSON exports
  • Python 3.8+ with standard library
  • TOR exit node list (fetched from Tor Project or threat intel feeds)
  • Optional: Known ransomware C2 IOC list
  • Zeek conn.log文件或NetFlow CSV/JSON导出文件
  • Python 3.8+及标准库
  • TOR出口节点列表(从Tor项目或威胁情报源获取)
  • 可选:已知勒索软件C2 IOC列表

Steps

步骤

  1. Parse Connection Logs — Ingest Zeek conn.log (TSV) or NetFlow records into structured format
  2. Detect Beaconing Patterns — Calculate connection interval statistics (mean, stddev, coefficient of variation) to identify periodic callbacks
  3. Check TOR Exit Node Connections — Cross-reference destination IPs against current TOR exit node list
  4. Identify Data Exfiltration — Flag connections with unusually high outbound byte ratios to external IPs
  5. Analyze DNS Patterns — Detect DGA-like domain queries and high-entropy subdomains
  6. Score and Correlate — Apply composite risk scoring across all indicator types
  7. Generate Report — Produce structured report with timeline and MITRE ATT&CK mapping
  1. 解析连接日志 — 将Zeek conn.log(TSV格式)或NetFlow记录转换为结构化格式
  2. 检测信标模式 — 计算连接间隔统计数据(均值、标准差、变异系数)以识别周期性回调
  3. 检查TOR出口节点连接 — 将目标IP与当前TOR出口节点列表进行交叉比对
  4. 识别数据泄露 — 标记出站字节占比异常高的外部IP连接
  5. 分析DNS模式 — 检测类DGA域名查询和高熵子域名
  6. 评分与关联 — 对所有指标类型应用综合风险评分
  7. 生成报告 — 生成包含时间线和MITRE ATT&CK映射的结构化报告

Expected Output

预期输出

  • JSON report with beaconing detections and interval statistics
  • TOR exit node connection alerts
  • Data exfiltration flow analysis
  • Composite ransomware risk score with MITRE mapping (T1071, T1573, T1041)
  • 包含信标检测结果和间隔统计数据的JSON报告
  • TOR出口节点连接告警
  • 数据泄露流分析
  • 带有MITRE映射(T1071、T1573、T1041)的勒索软件综合风险评分