infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/proxy_ua_apt.ipynb

165 lines
7.5 KiB
Plaintext
Raw Normal View History

Sigma to Notebooks Integration + Translated every sigma rule to a notebook to query Elasticsearch via Elasticsearch query strings + Uploaded all sigma notebooks.
2020-01-11 17:59:39 +00:00
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# APT User Agent\n",
"Detects suspicious user agent strings used in APT malware in proxy logs"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: APT User Agent\n",
" id: 6ec820f2-e963-4801-9127-d8b2dce4d31b\n",
" status: experimental\n",
" description: Detects suspicious user agent strings used in APT malware in proxy\n",
" logs\n",
" references:\n",
" - Internal Research\n",
" author: Florian Roth, Markus Neis\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-useragent:\n",
" - SJZJ (compatible; MSIE 6.0; Win32)\n",
" - Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0\n",
" - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0;\n",
" SLCC'\n",
" - Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)\n",
" - webclient\n",
" - Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200\n",
" - Mozilla/4.0 (compatible; MSI 6.0;\n",
" - Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\n",
" - Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/\n",
" - Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2\n",
" - Mozilla/4.0\n",
" - Netscape\n",
" - Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719\n",
" Firefox/1.0.7\n",
" - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13\n",
" GTB7.1\n",
" - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\n",
" - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;\n",
" .NETCLR 2.0.50727)\n",
" - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)\n",
" - Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)\n",
" - Mozilla/4.0 (compatible; MSIE 8.0; Win32)\n",
" - Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1\n",
" - Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)\n",
" - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;\n",
" .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)\n",
" - Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko\n",
" - Mozilla v5.1 *\n",
" - MSIE 8.0\n",
" - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727;\n",
" .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E;\n",
" InfoPath.2)\n",
" - Mozilla/4.0 (compatible; RMS)\n",
" - Mozilla/4.0 (compatible; MSIE 6.0; DynGate)\n",
" - O/9.27 (W; U; Z)\n",
" - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*\n",
" - Mozilla/5.0 (Windows NT 9; *\n",
" - hots scot\n",
" condition: selection\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" falsepositives:\n",
" - Old browsers\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='c-useragent.keyword:(SJZJ\\ \\(compatible;\\ MSIE\\ 6.0;\\ Win32\\) OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.;\\ WOW64;\\ rv\\:20.0\\)\\ Gecko\\/20100101\\ Firefox\\/20.0 OR User\\-Agent\\:\\ Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 8.0;\\ Windows\\ NT\\ 6.1;\\ Trident\\/4.0;\\ SLCC OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 7.4;\\ Win32;32\\-bit\\) OR webclient OR Mozilla\\/5.0\\ \\(Windows;\\ U;\\ Windows\\ NT\\ 5.1;\\ zh\\-EN;\\ rv\\:1.7.12\\)\\ Gecko\\/200 OR Mozilla\\/4.0\\ \\(compatible;\\ MSI\\ 6.0; OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.3;\\ WOW64;\\ rv\\:28.0\\)\\ Gecko\\/20100101\\ Firefox\\/28.0 OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.2;\\ WOW64;\\ rv\\:20.0\\)\\ Gecko\\/20100101\\ Firefox\\/ OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.;\\ WOW64;\\ rv\\:20.0\\)\\ Gecko\\/20100101\\ Firefox\\/2 OR Mozilla\\/4.0 OR Netscape OR Mozilla\\/5.0\\ \\(Windows;\\ U;\\ Windows\\ NT\\ 5.1;\\ zh\\-EN;\\ rv\\:1.7.12\\)\\ Gecko\\/20100719\\ Firefox\\/1.0.7 OR Mozilla\\/5.0\\ \\(Windows;\\ U;\\ Windows\\ NT\\ 5.1;\\ en\\-US;\\ rv\\:1.9.2.13\\)\\ Firefox\\/3.6.13\\ GTB7.1 OR Mozilla\\/5.0\\ \\(compatible;\\ MSIE\\ 9.0;\\ Windows\\ NT\\ 6.1;\\ WOW64;\\ Trident\\/5.0\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 8.0;\\ Windows\\ NT\\ 6.1;\\ WOW64;\\ Trident\\/4.0;\\ SLCC2;\\ .NETCLR\\ 2.0.50727\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 8.0;\\ Windows\\ NT\\ 6.0;\\ SV1\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 11.0;\\ Windows\\ NT\\ 6.1;\\ SV1\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 8.0;\\ Win32\\) OR Mozilla\\ v5.1\\ \\(Windows\\ NT\\ 6.1;\\ rv\\:6.0.1\\)\\ Gecko\\/20100101\\ Firefox\\/6.0.1 OR Mozilla\\/6.1\\ \\(compatible;\\ MSIE\\ 9.0;\\ Windows\\ NT\\ 5.3;\\ Trident\\/5.0\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 6.0;\\ Windows\\ NT\\ 5.1;\\ SV1;\\ .NET\\ CLR\\ 1.1.4322;\\ .NET\\ CLR\\ 2.0.50727;\\ .NET\\ CLR\\ 3.0.04506.30;\\ .NET\\ CLR\\ 3.0.04506.648;\\ InfoPath.1\\) OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.1;\\ WOW64\\)\\ WinHttp\\/1.6.3.8\\ \\(WinHTTP\\/5.1\\)\\ like\\ Gecko OR Mozilla\\ v5.1\\ * OR MSIE\\ 8.0 OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 7.0;\\ Windows\\ NT\\ 6.1;\\ SLCC2;\\ .NET\\ CLR\\ 2.0.50727;\\ .NET\\ CLR\\ 3.5.30729;\\ .NET\\ CLR\\ 3.0.30729;\\ Media\\ Center\\ PC\\ 6.0;\\ .NET4.0C;\\ .NET4.0E;\\ InfoPath.2\\) OR Mozilla\\/4.0\\ \\(compatible;\\ RMS\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 6.0;\\ DynGate\\) OR O\\/9.27\\ \\(W;\\ U;\\ Z\\) OR Mozilla\\/5.0\\ \\(compatible;\\ MSIE\\ 9.0;\\ Windows\\ NT\\ 6.0;\\ Trident\\/5.0;\\ \\ Trident\\/5.0* OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 9;\\ * OR hots\\ scot)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}