HELK/docker/helk-jupyter/notebooks/sigma/proxy_download_susp_dyndns....

{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Download from Suspicious Dyndns Hosts\n",
    "Detects download of certain file types from hosts with dynamic DNS names (selected list)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- title: Download from Suspicious Dyndns Hosts\n",
    "  id: 195c1119-ef07-4909-bb12-e66f5e07bf3c\n",
    "  status: experimental\n",
    "  description: Detects download of certain file types from hosts with dynamic DNS\n",
    "    names (selected list)\n",
    "  references:\n",
    "  - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats\n",
    "  author: Florian Roth\n",
    "  date: 2017/11/08\n",
    "  logsource:\n",
    "    category: proxy\n",
    "    product: null\n",
    "    service: null\n",
    "  detection:\n",
    "    selection:\n",
    "      c-uri-extension:\n",
    "      - exe\n",
    "      - vbs\n",
    "      - bat\n",
    "      - rar\n",
    "      - ps1\n",
    "      - doc\n",
    "      - docm\n",
    "      - xls\n",
    "      - xlsm\n",
    "      - pptm\n",
    "      - rtf\n",
    "      - hta\n",
    "      - dll\n",
    "      - ws\n",
    "      - wsf\n",
    "      - sct\n",
    "      - zip\n",
    "      r-dns:\n",
    "      - '*.hopto.org'\n",
    "      - '*.no-ip.org'\n",
    "      - '*.no-ip.info'\n",
    "      - '*.no-ip.biz'\n",
    "      - '*.no-ip.com'\n",
    "      - '*.noip.com'\n",
    "      - '*.ddns.name'\n",
    "      - '*.myftp.org'\n",
    "      - '*.myftp.biz'\n",
    "      - '*.serveblog.net'\n",
    "      - '*.servebeer.com'\n",
    "      - '*.servemp3.com'\n",
    "      - '*.serveftp.com'\n",
    "      - '*.servequake.com'\n",
    "      - '*.servehalflife.com'\n",
    "      - '*.servehttp.com'\n",
    "      - '*.servegame.com'\n",
    "      - '*.servepics.com'\n",
    "      - '*.myvnc.com'\n",
    "      - '*.ignorelist.com'\n",
    "      - '*.jkub.com'\n",
    "      - '*.dlinkddns.com'\n",
    "      - '*.jumpingcrab.com'\n",
    "      - '*.ddns.info'\n",
    "      - '*.mooo.com'\n",
    "      - '*.dns-dns.com'\n",
    "      - '*.strangled.net'\n",
    "      - '*.adultdns.net'\n",
    "      - '*.craftx.biz'\n",
    "      - '*.ddns01.com'\n",
    "      - '*.dns53.biz'\n",
    "      - '*.dnsapi.info'\n",
    "      - '*.dnsd.info'\n",
    "      - '*.dnsdynamic.com'\n",
    "      - '*.dnsdynamic.net'\n",
    "      - '*.dnsget.org'\n",
    "      - '*.fe100.net'\n",
    "      - '*.flashserv.net'\n",
    "      - '*.ftp21.net'\n",
    "      - '*.http01.com'\n",
    "      - '*.http80.info'\n",
    "      - '*.https443.com'\n",
    "      - '*.imap01.com'\n",
    "      - '*.kadm5.com'\n",
    "      - '*.mysq1.net'\n",
    "      - '*.ns360.info'\n",
    "      - '*.ntdll.net'\n",
    "      - '*.ole32.com'\n",
    "      - '*.proxy8080.com'\n",
    "      - '*.sql01.com'\n",
    "      - '*.ssh01.com'\n",
    "      - '*.ssh22.net'\n",
    "      - '*.tempors.com'\n",
    "      - '*.tftpd.net'\n",
    "      - '*.ttl60.com'\n",
    "      - '*.ttl60.org'\n",
    "      - '*.user32.com'\n",
    "      - '*.voip01.com'\n",
    "      - '*.wow64.net'\n",
    "      - '*.x64.me'\n",
    "      - '*.xns01.com'\n",
    "      - '*.dyndns.org'\n",
    "      - '*.dyndns.info'\n",
    "      - '*.dyndns.tv'\n",
    "      - '*.dyndns-at-home.com'\n",
    "      - '*.dnsomatic.com'\n",
    "      - '*.zapto.org'\n",
    "      - '*.webhop.net'\n",
    "      - '*.25u.com'\n",
    "      - '*.slyip.net'\n",
    "    condition: selection\n",
    "  fields:\n",
    "  - cs-ip\n",
    "  - c-uri\n",
    "  falsepositives:\n",
    "  - Software downloads\n",
    "  level: medium\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='(c-uri-extension:(\"exe\" OR \"vbs\" OR \"bat\" OR \"rar\" OR \"ps1\" OR \"doc\" OR \"docm\" OR \"xls\" OR \"xlsm\" OR \"pptm\" OR \"rtf\" OR \"hta\" OR \"dll\" OR \"ws\" OR \"wsf\" OR \"sct\" OR \"zip\") AND r-dns.keyword:(*.hopto.org OR *.no\\-ip.org OR *.no\\-ip.info OR *.no\\-ip.biz OR *.no\\-ip.com OR *.noip.com OR *.ddns.name OR *.myftp.org OR *.myftp.biz OR *.serveblog.net OR *.servebeer.com OR *.servemp3.com OR *.serveftp.com OR *.servequake.com OR *.servehalflife.com OR *.servehttp.com OR *.servegame.com OR *.servepics.com OR *.myvnc.com OR *.ignorelist.com OR *.jkub.com OR *.dlinkddns.com OR *.jumpingcrab.com OR *.ddns.info OR *.mooo.com OR *.dns\\-dns.com OR *.strangled.net OR *.adultdns.net OR *.craftx.biz OR *.ddns01.com OR *.dns53.biz OR *.dnsapi.info OR *.dnsd.info OR *.dnsdynamic.com OR *.dnsdynamic.net OR *.dnsget.org OR *.fe100.net OR *.flashserv.net OR *.ftp21.net OR *.http01.com OR *.http80.info OR *.https443.com OR *.imap01.com OR *.kadm5.com OR *.mysq1.net OR *.ns360.info OR *.ntdll.net OR *.ole32.com OR *.proxy8080.com OR *.sql01.com OR *.ssh01.com OR *.ssh22.net OR *.tempors.com OR *.tftpd.net OR *.ttl60.com OR *.ttl60.org OR *.user32.com OR *.voip01.com OR *.wow64.net OR *.x64.me OR *.xns01.com OR *.dyndns.org OR *.dyndns.info OR *.dyndns.tv OR *.dyndns\\-at\\-home.com OR *.dnsomatic.com OR *.zapto.org OR *.webhop.net OR *.25u.com OR *.slyip.net))')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}
Sigma to Notebooks Integration + Translated every sigma rule to a notebook to query Elasticsearch via Elasticsearch query strings + Uploaded all sigma notebooks. 2020-01-11 17:59:39 +00:00			`{`
			`"cells": [`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"# Download from Suspicious Dyndns Hosts\n",`
			`"Detects download of certain file types from hosts with dynamic DNS names (selected list)"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"## Rule Content\n",`
			"```\n",
			`"- title: Download from Suspicious Dyndns Hosts\n",`
			`" id: 195c1119-ef07-4909-bb12-e66f5e07bf3c\n",`
			`" status: experimental\n",`
			`" description: Detects download of certain file types from hosts with dynamic DNS\n",`
			`" names (selected list)\n",`
			`" references:\n",`
			`" - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats\n",`
			`" author: Florian Roth\n",`
			`" date: 2017/11/08\n",`
			`" logsource:\n",`
			`" category: proxy\n",`
			`" product: null\n",`
			`" service: null\n",`
			`" detection:\n",`
			`" selection:\n",`
			`" c-uri-extension:\n",`
			`" - exe\n",`
			`" - vbs\n",`
			`" - bat\n",`
			`" - rar\n",`
			`" - ps1\n",`
			`" - doc\n",`
			`" - docm\n",`
			`" - xls\n",`
			`" - xlsm\n",`
			`" - pptm\n",`
			`" - rtf\n",`
			`" - hta\n",`
			`" - dll\n",`
			`" - ws\n",`
			`" - wsf\n",`
			`" - sct\n",`
			`" - zip\n",`
			`" r-dns:\n",`
			`" - '*.hopto.org'\n",`
			`" - '*.no-ip.org'\n",`
			`" - '*.no-ip.info'\n",`
			`" - '*.no-ip.biz'\n",`
			`" - '*.no-ip.com'\n",`
			`" - '*.noip.com'\n",`
			`" - '*.ddns.name'\n",`
			`" - '*.myftp.org'\n",`
			`" - '*.myftp.biz'\n",`
			`" - '*.serveblog.net'\n",`
			`" - '*.servebeer.com'\n",`
			`" - '*.servemp3.com'\n",`
			`" - '*.serveftp.com'\n",`
			`" - '*.servequake.com'\n",`
			`" - '*.servehalflife.com'\n",`
			`" - '*.servehttp.com'\n",`
			`" - '*.servegame.com'\n",`
			`" - '*.servepics.com'\n",`
			`" - '*.myvnc.com'\n",`
			`" - '*.ignorelist.com'\n",`
			`" - '*.jkub.com'\n",`
			`" - '*.dlinkddns.com'\n",`
			`" - '*.jumpingcrab.com'\n",`
			`" - '*.ddns.info'\n",`
			`" - '*.mooo.com'\n",`
			`" - '*.dns-dns.com'\n",`
			`" - '*.strangled.net'\n",`
			`" - '*.adultdns.net'\n",`
			`" - '*.craftx.biz'\n",`
			`" - '*.ddns01.com'\n",`
			`" - '*.dns53.biz'\n",`
			`" - '*.dnsapi.info'\n",`
			`" - '*.dnsd.info'\n",`
			`" - '*.dnsdynamic.com'\n",`
			`" - '*.dnsdynamic.net'\n",`
			`" - '*.dnsget.org'\n",`
			`" - '*.fe100.net'\n",`
			`" - '*.flashserv.net'\n",`
			`" - '*.ftp21.net'\n",`
			`" - '*.http01.com'\n",`
			`" - '*.http80.info'\n",`
			`" - '*.https443.com'\n",`
			`" - '*.imap01.com'\n",`
			`" - '*.kadm5.com'\n",`
			`" - '*.mysq1.net'\n",`
			`" - '*.ns360.info'\n",`
			`" - '*.ntdll.net'\n",`
			`" - '*.ole32.com'\n",`
			`" - '*.proxy8080.com'\n",`
			`" - '*.sql01.com'\n",`
			`" - '*.ssh01.com'\n",`
			`" - '*.ssh22.net'\n",`
			`" - '*.tempors.com'\n",`
			`" - '*.tftpd.net'\n",`
			`" - '*.ttl60.com'\n",`
			`" - '*.ttl60.org'\n",`
			`" - '*.user32.com'\n",`
			`" - '*.voip01.com'\n",`
			`" - '*.wow64.net'\n",`
			`" - '*.x64.me'\n",`
			`" - '*.xns01.com'\n",`
			`" - '*.dyndns.org'\n",`
			`" - '*.dyndns.info'\n",`
			`" - '*.dyndns.tv'\n",`
			`" - '*.dyndns-at-home.com'\n",`
			`" - '*.dnsomatic.com'\n",`
			`" - '*.zapto.org'\n",`
			`" - '*.webhop.net'\n",`
			`" - '*.25u.com'\n",`
			`" - '*.slyip.net'\n",`
			`" condition: selection\n",`
			`" fields:\n",`
			`" - cs-ip\n",`
			`" - c-uri\n",`
			`" falsepositives:\n",`
			`" - Software downloads\n",`
			`" level: medium\n",`
			`"\n",`
			"```"
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"## Querying Elasticsearch"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Import Libraries"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			`"from elasticsearch import Elasticsearch\n",`
			`"from elasticsearch_dsl import Search\n",`
			`"import pandas as pd"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Initialize Elasticsearch client"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			`"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",`
			`"searchContext = Search(using=es, index='logs-*', doc_type='doc')"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Run Elasticsearch Query"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			"s = searchContext.query('query_string', query='(c-uri-extension:(\"exe\" OR \"vbs\" OR \"bat\" OR \"rar\" OR \"ps1\" OR \"doc\" OR \"docm\" OR \"xls\" OR \"xlsm\" OR \"pptm\" OR \"rtf\" OR \"hta\" OR \"dll\" OR \"ws\" OR \"wsf\" OR \"sct\" OR \"zip\") AND r-dns.keyword:(.hopto.org OR .no\\-ip.org OR .no\\-ip.info OR .no\\-ip.biz OR .no\\-ip.com OR .noip.com OR .ddns.name OR .myftp.org OR .myftp.biz OR .serveblog.net OR .servebeer.com OR .servemp3.com OR .serveftp.com OR .servequake.com OR .servehalflife.com OR .servehttp.com OR .servegame.com OR .servepics.com OR .myvnc.com OR .ignorelist.com OR .jkub.com OR .dlinkddns.com OR .jumpingcrab.com OR .ddns.info OR .mooo.com OR .dns\\-dns.com OR .strangled.net OR .adultdns.net OR .craftx.biz OR .ddns01.com OR .dns53.biz OR .dnsapi.info OR .dnsd.info OR .dnsdynamic.com OR .dnsdynamic.net OR .dnsget.org OR .fe100.net OR .flashserv.net OR .ftp21.net OR .http01.com OR .http80.info OR .https443.com OR .imap01.com OR .kadm5.com OR .mysq1.net OR .ns360.info OR .ntdll.net OR .ole32.com OR .proxy8080.com OR .sql01.com OR .ssh01.com OR .ssh22.net OR .tempors.com OR .tftpd.net OR .ttl60.com OR .ttl60.org OR .user32.com OR .voip01.com OR .wow64.net OR .x64.me OR .xns01.com OR .dyndns.org OR .dyndns.info OR .dyndns.tv OR .dyndns\\-at\\-home.com OR .dnsomatic.com OR .zapto.org OR .webhop.net OR .25u.com OR .slyip.net))')\n",
			`"response = s.execute()\n",`
			`"if response.success():\n",`
			`" df = pd.DataFrame((d.to_dict() for d in s.scan()))"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Show Results"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			`"df.head()"`
			`]`
			`}`
			`],`
			`"metadata": {},`
			`"nbformat": 4,`
			`"nbformat_minor": 4`
			`}`