mirror of https://github.com/infosecn1nja/HELK.git
138 lines
3.3 KiB
Plaintext
138 lines
3.3 KiB
Plaintext
|
{
|
||
|
"cells": [
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"# Possible Applocker Bypass\n",
|
||
|
"Detects execution of executables that can be used to bypass Applocker whitelisting"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Rule Content\n",
|
||
|
"```\n",
|
||
|
"- title: Possible Applocker Bypass\n",
|
||
|
" id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719\n",
|
||
|
" description: Detects execution of executables that can be used to bypass Applocker\n",
|
||
|
" whitelisting\n",
|
||
|
" status: experimental\n",
|
||
|
" references:\n",
|
||
|
" - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\n",
|
||
|
" - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/\n",
|
||
|
" author: juju4\n",
|
||
|
" tags:\n",
|
||
|
" - attack.defense_evasion\n",
|
||
|
" - attack.t1118\n",
|
||
|
" - attack.t1121\n",
|
||
|
" - attack.t1127\n",
|
||
|
" - attack.t1170\n",
|
||
|
" logsource:\n",
|
||
|
" category: process_creation\n",
|
||
|
" product: windows\n",
|
||
|
" service: null\n",
|
||
|
" detection:\n",
|
||
|
" selection:\n",
|
||
|
" CommandLine|contains:\n",
|
||
|
" - \\msdt.exe\n",
|
||
|
" - \\installutil.exe\n",
|
||
|
" - \\regsvcs.exe\n",
|
||
|
" - \\regasm.exe\n",
|
||
|
" - \\msbuild.exe\n",
|
||
|
" - \\ieexec.exe\n",
|
||
|
" condition: selection\n",
|
||
|
" falsepositives:\n",
|
||
|
" - False positives depend on scripts and administrative tools used in the monitored\n",
|
||
|
" environment\n",
|
||
|
" - Using installutil to add features for .NET applications (primarly would occur\n",
|
||
|
" in developer environments)\n",
|
||
|
" level: low\n",
|
||
|
"\n",
|
||
|
"```"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"## Querying Elasticsearch"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### Import Libraries"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"from elasticsearch import Elasticsearch\n",
|
||
|
"from elasticsearch_dsl import Search\n",
|
||
|
"import pandas as pd"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### Initialize Elasticsearch client"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
||
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### Run Elasticsearch Query"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"s = searchContext.query('query_string', query='process_command_line.keyword:(*\\\\msdt.exe* OR *\\\\installutil.exe* OR *\\\\regsvcs.exe* OR *\\\\regasm.exe* OR *\\\\msbuild.exe* OR *\\\\ieexec.exe*)')\n",
|
||
|
"response = s.execute()\n",
|
||
|
"if response.success():\n",
|
||
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "markdown",
|
||
|
"metadata": {},
|
||
|
"source": [
|
||
|
"### Show Results"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"cell_type": "code",
|
||
|
"execution_count": null,
|
||
|
"metadata": {},
|
||
|
"outputs": [],
|
||
|
"source": [
|
||
|
"df.head()"
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"metadata": {},
|
||
|
"nbformat": 4,
|
||
|
"nbformat_minor": 4
|
||
|
}
|