infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/win_GPO_scheduledtasks.ipynb

131 lines
3.2 KiB
Plaintext
Raw Normal View History

Sigma to Notebooks Integration + Translated every sigma rule to a notebook to query Elasticsearch via Elasticsearch query strings + Uploaded all sigma notebooks.
2020-01-11 17:59:39 +00:00
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Persistence and Execution at scale via GPO scheduled task\n",
"Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Persistence and Execution at scale via GPO scheduled task\n",
" id: a8f29a7b-b137-4446-80a0-b804272f3da2\n",
" description: Detect lateral movement using GPO scheduled task, ususally used to\n",
" deploy ransomware at scale\n",
" author: Samir Bousseaden\n",
" references:\n",
" - https://twitter.com/menasec1/status/1106899890377052160\n",
" tags:\n",
" - attack.persistence\n",
" - attack.lateral_movement\n",
" - attack.t1053\n",
" logsource:\n",
" product: windows\n",
" service: security\n",
" description: The advanced audit policy setting \"Object Access > Audit Detailed\n",
" File Share\" must be configured for Success/Failure\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 5145\n",
" ShareName: \\\\*\\SYSVOL\n",
" RelativeTargetName: '*ScheduledTasks.xml'\n",
" Accesses: '*WriteData*'\n",
" condition: selection\n",
" falsepositives:\n",
" - if the source IP is not localhost then it's super suspicious, better to monitor\n",
" both local and remote changes to GPO scheduledtasks\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"5145\" AND share_name.keyword:\\\\*\\\\SYSVOL AND share_relative_target_name.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}