HELK/docker/helk-jupyter/notebooks/sigma/apt_wocao.ipynb

{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Operation Wocao Activity\n",
    "Detects activity mentioned in Operation Wocao report"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- action: global\n",
    "  title: Operation Wocao Activity\n",
    "  id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d\n",
    "  author: Florian Roth\n",
    "  status: experimental\n",
    "  description: Detects activity mentioned in Operation Wocao report\n",
    "  references:\n",
    "  - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/\n",
    "  - https://twitter.com/SBousseaden/status/1207671369963646976\n",
    "  date: 2019/12/20\n",
    "  falsepositives:\n",
    "  - Administrators that use checkadmin.exe tool to enumerate local administrators\n",
    "  level: high\n",
    "- logsource:\n",
    "    product: windows\n",
    "    service: security\n",
    "  detection:\n",
    "    selection:\n",
    "      EventID: 4799\n",
    "      GroupName: Administrators\n",
    "      ProcessName: '*\\checkadmin.exe'\n",
    "    condition: selection\n",
    "- logsource:\n",
    "    category: process_creation\n",
    "    product: windows\n",
    "  detection:\n",
    "    selection:\n",
    "      CommandLine|contains:\n",
    "      - checkadmin.exe 127.0.0.1 -all\n",
    "      - netsh advfirewall firewall add rule name=powershell dir=in\n",
    "      - cmd /c powershell.exe -ep bypass -file c:\\s.ps1\n",
    "      - /tn win32times /f\n",
    "      - create win32times binPath=\n",
    "      - \\c$\\windows\\system32\\devmgr.dll\n",
    "      - ' -exec bypass -enc JgAg'\n",
    "      - type *keepass\\KeePass.config.xml\n",
    "      - iie.exe iie.txt\n",
    "      - reg query HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\\n",
    "    condition: selection\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='(event_id:\"4799\" AND group_name:\"Administrators\" AND process_path.keyword:*\\\\checkadmin.exe)')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='process_command_line.keyword:(*checkadmin.exe\\ 127.0.0.1\\ \\-all* OR *netsh\\ advfirewall\\ firewall\\ add\\ rule\\ name\\=powershell\\ dir\\=in* OR *cmd\\ \\/c\\ powershell.exe\\ \\-ep\\ bypass\\ \\-file\\ c\\:\\\\s.ps1* OR *\\/tn\\ win32times\\ \\/f* OR *create\\ win32times\\ binPath\\=* OR *\\\\c$\\\\windows\\\\system32\\\\devmgr.dll* OR *\\ \\-exec\\ bypass\\ \\-enc\\ JgAg* OR *type\\ *keepass\\\\KeePass.config.xml* OR *iie.exe\\ iie.txt* OR *reg\\ query\\ HKEY_CURRENT_USER\\\\Software\\*\\\\PuTTY\\\\Sessions\\*)')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}
Sigma to Notebooks Integration + Translated every sigma rule to a notebook to query Elasticsearch via Elasticsearch query strings + Uploaded all sigma notebooks. 2020-01-11 17:59:39 +00:00			`{`
			`"cells": [`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"# Operation Wocao Activity\n",`
			`"Detects activity mentioned in Operation Wocao report"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"## Rule Content\n",`
			"```\n",
			`"- action: global\n",`
			`" title: Operation Wocao Activity\n",`
			`" id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d\n",`
			`" author: Florian Roth\n",`
			`" status: experimental\n",`
			`" description: Detects activity mentioned in Operation Wocao report\n",`
			`" references:\n",`
			`" - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/\n",`
			`" - https://twitter.com/SBousseaden/status/1207671369963646976\n",`
			`" date: 2019/12/20\n",`
			`" falsepositives:\n",`
			`" - Administrators that use checkadmin.exe tool to enumerate local administrators\n",`
			`" level: high\n",`
			`"- logsource:\n",`
			`" product: windows\n",`
			`" service: security\n",`
			`" detection:\n",`
			`" selection:\n",`
			`" EventID: 4799\n",`
			`" GroupName: Administrators\n",`
			`" ProcessName: '*\\checkadmin.exe'\n",`
			`" condition: selection\n",`
			`"- logsource:\n",`
			`" category: process_creation\n",`
			`" product: windows\n",`
			`" detection:\n",`
			`" selection:\n",`
			`" CommandLine\|contains:\n",`
			`" - checkadmin.exe 127.0.0.1 -all\n",`
			`" - netsh advfirewall firewall add rule name=powershell dir=in\n",`
			`" - cmd /c powershell.exe -ep bypass -file c:\\s.ps1\n",`
			`" - /tn win32times /f\n",`
			`" - create win32times binPath=\n",`
			`" - \\c$\\windows\\system32\\devmgr.dll\n",`
			`" - ' -exec bypass -enc JgAg'\n",`
			`" - type *keepass\\KeePass.config.xml\n",`
			`" - iie.exe iie.txt\n",`
			`" - reg query HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\\n",`
			`" condition: selection\n",`
			`"\n",`
			"```"
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"## Querying Elasticsearch"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Import Libraries"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			`"from elasticsearch import Elasticsearch\n",`
			`"from elasticsearch_dsl import Search\n",`
			`"import pandas as pd"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Initialize Elasticsearch client"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			`"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",`
			`"searchContext = Search(using=es, index='logs-*', doc_type='doc')"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Run Elasticsearch Query"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			`"s = searchContext.query('query_string', query='(event_id:\"4799\" AND group_name:\"Administrators\" AND process_path.keyword:*\\\\checkadmin.exe)')\n",`
			`"response = s.execute()\n",`
			`"if response.success():\n",`
			`" df = pd.DataFrame((d.to_dict() for d in s.scan()))"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			"s = searchContext.query('query_string', query='process_command_line.keyword:(checkadmin.exe\\ 127.0.0.1\\ \\-all OR netsh\\ advfirewall\\ firewall\\ add\\ rule\\ name\\=powershell\\ dir\\=in OR cmd\\ \\/c\\ powershell.exe\\ \\-ep\\ bypass\\ \\-file\\ c\\:\\\\s.ps1 OR \\/tn\\ win32times\\ \\/f OR create\\ win32times\\ binPath\\= OR \\\\c$\\\\windows\\\\system32\\\\devmgr.dll OR \\ \\-exec\\ bypass\\ \\-enc\\ JgAg OR type\\ keepass\\\\KeePass.config.xml* OR iie.exe\\ iie.txt OR reg\\ query\\ HKEY_CURRENT_USER\\\\Software\\\\\\PuTTY\\\\Sessions\\*)')\n",
			`"response = s.execute()\n",`
			`"if response.success():\n",`
			`" df = pd.DataFrame((d.to_dict() for d in s.scan()))"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Show Results"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			`"df.head()"`
			`]`
			`}`
			`],`
			`"metadata": {},`
			`"nbformat": 4,`
			`"nbformat_minor": 4`
			`}`