HELK/docker/helk-jupyter/notebooks/sigma/win_susp_svchost_no_cli.ipynb

{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Suspect svchost Activity\n",
    "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- title: Suspect svchost Activity\n",
    "  id: 16c37b52-b141-42a5-a3ea-bbe098444397\n",
    "  status: experimental\n",
    "  description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments\n",
    "    and is normally observed when a malicious process spawns the process and injects\n",
    "    code into the process memory space.\n",
    "  references:\n",
    "  - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\n",
    "  author: David Burkett\n",
    "  date: 12/28/2019\n",
    "  tags:\n",
    "  - attack.t1055\n",
    "  logsource:\n",
    "    category: process_creation\n",
    "    product: windows\n",
    "    service: null\n",
    "  detection:\n",
    "    selection1:\n",
    "      CommandLine: null\n",
    "    selection2:\n",
    "      Image: '*\\svchost.exe'\n",
    "    filter:\n",
    "      ParentImage:\n",
    "      - '*\\rpcnet.exe'\n",
    "      - '*\\rpcnetp.exe'\n",
    "    condition: (selection1 and selection2) and not filter\n",
    "  fields:\n",
    "  - CommandLine\n",
    "  - ParentCommandLine\n",
    "  falsepositives:\n",
    "  - rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\n",
    "  level: critical\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='((NOT _exists_:process_command_line AND process_path.keyword:*\\\\svchost.exe) AND (NOT (process_parent_path.keyword:(*\\\\rpcnet.exe OR *\\\\rpcnetp.exe))))')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}
Sigma to Notebooks Integration + Translated every sigma rule to a notebook to query Elasticsearch via Elasticsearch query strings + Uploaded all sigma notebooks. 2020-01-11 17:59:39 +00:00			`{`
			`"cells": [`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"# Suspect svchost Activity\n",`
			`"It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space."`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"## Rule Content\n",`
			"```\n",
			`"- title: Suspect svchost Activity\n",`
			`" id: 16c37b52-b141-42a5-a3ea-bbe098444397\n",`
			`" status: experimental\n",`
			`" description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments\n",`
			`" and is normally observed when a malicious process spawns the process and injects\n",`
			`" code into the process memory space.\n",`
			`" references:\n",`
			`" - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\n",`
			`" author: David Burkett\n",`
			`" date: 12/28/2019\n",`
			`" tags:\n",`
			`" - attack.t1055\n",`
			`" logsource:\n",`
			`" category: process_creation\n",`
			`" product: windows\n",`
			`" service: null\n",`
			`" detection:\n",`
			`" selection1:\n",`
			`" CommandLine: null\n",`
			`" selection2:\n",`
			`" Image: '*\\svchost.exe'\n",`
			`" filter:\n",`
			`" ParentImage:\n",`
			`" - '*\\rpcnet.exe'\n",`
			`" - '*\\rpcnetp.exe'\n",`
			`" condition: (selection1 and selection2) and not filter\n",`
			`" fields:\n",`
			`" - CommandLine\n",`
			`" - ParentCommandLine\n",`
			`" falsepositives:\n",`
			`" - rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\n",`
			`" level: critical\n",`
			`"\n",`
			"```"
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"## Querying Elasticsearch"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Import Libraries"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			`"from elasticsearch import Elasticsearch\n",`
			`"from elasticsearch_dsl import Search\n",`
			`"import pandas as pd"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Initialize Elasticsearch client"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			`"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",`
			`"searchContext = Search(using=es, index='logs-*', doc_type='doc')"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Run Elasticsearch Query"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			`"s = searchContext.query('query_string', query='((NOT _exists_:process_command_line AND process_path.keyword:\\\\svchost.exe) AND (NOT (process_parent_path.keyword:(\\\\rpcnet.exe OR *\\\\rpcnetp.exe))))')\n",`
			`"response = s.execute()\n",`
			`"if response.success():\n",`
			`" df = pd.DataFrame((d.to_dict() for d in s.scan()))"`
			`]`
			`},`
			`{`
			`"cell_type": "markdown",`
			`"metadata": {},`
			`"source": [`
			`"### Show Results"`
			`]`
			`},`
			`{`
			`"cell_type": "code",`
			`"execution_count": null,`
			`"metadata": {},`
			`"outputs": [],`
			`"source": [`
			`"df.head()"`
			`]`
			`}`
			`],`
			`"metadata": {},`
			`"nbformat": 4,`
			`"nbformat_minor": 4`
			`}`