infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/win_susp_psexec.ipynb

136 lines
3.6 KiB
Plaintext
Raw Normal View History

Sigma to Notebooks Integration + Translated every sigma rule to a notebook to query Elasticsearch via Elasticsearch query strings + Uploaded all sigma notebooks.
2020-01-11 17:59:39 +00:00
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious PsExec execution\n",
"detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious PsExec execution\n",
" id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82\n",
" description: detects execution of psexec or paexec with renamed service name, this\n",
" rule helps to filter out the noise if psexec is used for legit purposes or if\n",
" attacker uses a different psexec client other than sysinternal one\n",
" author: Samir Bousseaden\n",
" references:\n",
" - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html\n",
" tags:\n",
" - attack.lateral_movement\n",
" - attack.t1077\n",
" logsource:\n",
" product: windows\n",
" service: security\n",
" description: The advanced audit policy setting \"Object Access > Audit Detailed\n",
" File Share\" must be configured for Success/Failure\n",
" category: null\n",
" detection:\n",
" selection1:\n",
" EventID: 5145\n",
" ShareName: \\\\*\\IPC$\n",
" RelativeTargetName:\n",
" - '*-stdin'\n",
" - '*-stdout'\n",
" - '*-stderr'\n",
" selection2:\n",
" EventID: 5145\n",
" ShareName: \\\\*\\IPC$\n",
" RelativeTargetName: PSEXESVC*\n",
" condition: selection1 and not selection2\n",
" falsepositives:\n",
" - nothing observed so far\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='((event_id:\"5145\" AND share_name.keyword:\\\\*\\\\IPC$ AND share_relative_target_name.keyword:(*\\-stdin OR *\\-stdout OR *\\-stderr)) AND (NOT (event_id:\"5145\" AND share_name.keyword:\\\\*\\\\IPC$ AND share_relative_target_name.keyword:PSEXESVC*)))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}