infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Sigma to Notebooks Integration 

+ Translated every sigma rule to a notebook to query Elasticsearch via Elasticsearch query strings
+ Uploaded all sigma notebooks.
updates_os_and_scripts
Roberto Rodriguez 2020-01-11 12:59:39 -05:00
parent 6e5b834a25
commit 46f3f98446
380 changed files with 51466 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docker/helk-jupyter/Dockerfile
View File

@ -25,7 +25,9 @@ RUN mkdir /opt/jupyter/notebooks/datasets \
&& wget https://jdbc.postgresql.org/download/postgresql-${POSTGRESQL_VERSION}.jar -P /opt/jupyter/spark/jars/
# *********** Adding HELK scripts and files to Container ***************
COPY notebooks/* ${JUPYTER_DIR}/notebooks/
COPY notebooks/demos ${JUPYTER_DIR}/notebooks/demos
COPY notebooks/tutorials ${JUPYTER_DIR}/notebooks/tutorials
COPY notebooks/sigma ${JUPYTER_DIR}/notebooks/sigma
COPY spark/* ${SPARK_HOME}/conf/
COPY scripts/* ${JUPYTER_DIR}/scripts/

123
docker/helk-jupyter/notebooks/sigma/app_python_sql_exceptions.ipynb Normal file
View File

@ -0,0 +1,123 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Python SQL Exceptions\n",
"Generic rule for SQL exceptions in Python according to PEP 249"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Python SQL Exceptions\n",
" id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9\n",
" description: Generic rule for SQL exceptions in Python according to PEP 249\n",
" author: Thomas Patzke\n",
" references:\n",
" - https://www.python.org/dev/peps/pep-0249/#exceptions\n",
" logsource:\n",
" category: application\n",
" product: python\n",
" service: null\n",
" detection:\n",
" exceptions:\n",
" - DataError\n",
" - IntegrityError\n",
" - ProgrammingError\n",
" - OperationalError\n",
" condition: exceptions\n",
" falsepositives:\n",
" - Application bugs\n",
" - Penetration testing\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*DataError* OR *IntegrityError* OR *ProgrammingError* OR *OperationalError*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

125
docker/helk-jupyter/notebooks/sigma/app_sqlinjection_errors.ipynb Normal file
View File

@ -0,0 +1,125 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious SQL Error Messages\n",
"Detects SQL error messages that indicate probing for an injection attack"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious SQL Error Messages\n",
" id: 8a670c6d-7189-4b1c-8017-a417ca84a086\n",
" status: experimental\n",
" description: Detects SQL error messages that indicate probing for an injection attack\n",
" author: Bjoern Kimminich\n",
" references:\n",
" - http://www.sqlinjection.net/errors\n",
" logsource:\n",
" category: application\n",
" product: sql\n",
" service: null\n",
" detection:\n",
" keywords:\n",
" - quoted string not properly terminated\n",
" - You have an error in your SQL syntax\n",
" - Unclosed quotation mark\n",
" - 'near \"*\": syntax error'\n",
" - SELECTs to the left and right of UNION do not have the same number of result\n",
" columns\n",
" condition: keywords\n",
" falsepositives:\n",
" - Application bugs\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*quoted\\ string\\ not\\ properly\\ terminated* OR *You\\ have\\ an\\ error\\ in\\ your\\ SQL\\ syntax* OR *Unclosed\\ quotation\\ mark* OR *near\\ \\\"*\\\"\\:\\ syntax\\ error* OR *SELECTs\\ to\\ the\\ left\\ and\\ right\\ of\\ UNION\\ do\\ not\\ have\\ the\\ same\\ number\\ of\\ result\\ columns*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

133
docker/helk-jupyter/notebooks/sigma/appframework_django_exceptions.ipynb Normal file
View File

@ -0,0 +1,133 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Django framework exceptions\n",
"Detects suspicious Django web application framework exceptions that could indicate exploitation attempts"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Django framework exceptions\n",
" id: fd435618-981e-4a7c-81f8-f78ce480d616\n",
" description: Detects suspicious Django web application framework exceptions that\n",
" could indicate exploitation attempts\n",
" author: Thomas Patzke\n",
" references:\n",
" - https://docs.djangoproject.com/en/1.11/ref/exceptions/\n",
" - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security\n",
" logsource:\n",
" category: application\n",
" product: django\n",
" service: null\n",
" detection:\n",
" keywords:\n",
" - SuspiciousOperation\n",
" - DisallowedHost\n",
" - DisallowedModelAdminLookup\n",
" - DisallowedModelAdminToField\n",
" - DisallowedRedirect\n",
" - InvalidSessionKey\n",
" - RequestDataTooBig\n",
" - SuspiciousFileOperation\n",
" - SuspiciousMultipartForm\n",
" - SuspiciousSession\n",
" - TooManyFieldsSent\n",
" - PermissionDenied\n",
" condition: keywords\n",
" falsepositives:\n",
" - Application bugs\n",
" - Penetration testing\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*SuspiciousOperation* OR *DisallowedHost* OR *DisallowedModelAdminLookup* OR *DisallowedModelAdminToField* OR *DisallowedRedirect* OR *InvalidSessionKey* OR *RequestDataTooBig* OR *SuspiciousFileOperation* OR *SuspiciousMultipartForm* OR *SuspiciousSession* OR *TooManyFieldsSent* OR *PermissionDenied*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

128
docker/helk-jupyter/notebooks/sigma/appframework_ruby_on_rails_exceptions.ipynb Normal file
View File

@ -0,0 +1,128 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Ruby on Rails framework exceptions\n",
"Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Ruby on Rails framework exceptions\n",
" id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a\n",
" description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation\n",
" attempts\n",
" author: Thomas Patzke\n",
" references:\n",
" - http://edgeguides.rubyonrails.org/security.html\n",
" - http://guides.rubyonrails.org/action_controller_overview.html\n",
" - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception\n",
" - https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb\n",
" logsource:\n",
" category: application\n",
" product: ruby_on_rails\n",
" service: null\n",
" detection:\n",
" keywords:\n",
" - ActionController::InvalidAuthenticityToken\n",
" - ActionController::InvalidCrossOriginRequest\n",
" - ActionController::MethodNotAllowed\n",
" - ActionController::BadRequest\n",
" - ActionController::ParameterMissing\n",
" condition: keywords\n",
" falsepositives:\n",
" - Application bugs\n",
" - Penetration testing\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*ActionController\\:\\:InvalidAuthenticityToken* OR *ActionController\\:\\:InvalidCrossOriginRequest* OR *ActionController\\:\\:MethodNotAllowed* OR *ActionController\\:\\:BadRequest* OR *ActionController\\:\\:ParameterMissing*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

127
docker/helk-jupyter/notebooks/sigma/appframework_spring_exceptions.ipynb Normal file
View File

@ -0,0 +1,127 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Spring framework exceptions\n",
"Detects suspicious Spring framework exceptions that could indicate exploitation attempts"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Spring framework exceptions\n",
" id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33\n",
" description: Detects suspicious Spring framework exceptions that could indicate\n",
" exploitation attempts\n",
" author: Thomas Patzke\n",
" references:\n",
" - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html\n",
" logsource:\n",
" category: application\n",
" product: spring\n",
" service: null\n",
" detection:\n",
" keywords:\n",
" - AccessDeniedException\n",
" - CsrfException\n",
" - InvalidCsrfTokenException\n",
" - MissingCsrfTokenException\n",
" - CookieTheftException\n",
" - InvalidCookieException\n",
" - RequestRejectedException\n",
" condition: keywords\n",
" falsepositives:\n",
" - Application bugs\n",
" - Penetration testing\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*AccessDeniedException* OR *CsrfException* OR *InvalidCsrfTokenException* OR *MissingCsrfTokenException* OR *CookieTheftException* OR *InvalidCookieException* OR *RequestRejectedException*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

125
docker/helk-jupyter/notebooks/sigma/apt_apt29_thinktanks.ipynb Normal file
View File

@ -0,0 +1,125 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# APT29\n",
"This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: APT29\n",
" id: 033fe7d6-66d1-4240-ac6b-28908009c71f\n",
" description: This method detects a suspicious powershell command line combination\n",
" as used by APT29 in a campaign against US think tanks\n",
" references:\n",
" - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\n",
" tags:\n",
" - attack.execution\n",
" - attack.g0016\n",
" - attack.t1086\n",
" author: Florian Roth\n",
" date: 2018/12/04\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" CommandLine: '*-noni -ep bypass $*'\n",
" condition: selection\n",
" falsepositives:\n",
" - unknown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:*\\-noni\\ \\-ep\\ bypass\\ $*')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

132
docker/helk-jupyter/notebooks/sigma/apt_babyshark.ipynb Normal file
View File

@ -0,0 +1,132 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Baby Shark Activity\n",
"Detects activity that could be related to Baby Shark malware"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Baby Shark Activity\n",
" id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35\n",
" status: experimental\n",
" description: Detects activity that could be related to Baby Shark malware\n",
" references:\n",
" - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1059\n",
" - attack.t1086\n",
" - attack.discovery\n",
" - attack.t1012\n",
" - attack.defense_evasion\n",
" - attack.t1170\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" author: Florian Roth\n",
" date: 2019/02/24\n",
" detection:\n",
" selection:\n",
" CommandLine:\n",
" - reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"\n",
" - powershell.exe mshta.exe http*\n",
" - cmd.exe /c taskkill /im cmd.exe\n",
" condition: selection\n",
" falsepositives:\n",
" - unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:(reg\\ query\\ \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal\\ Server\\ Client\\\\Default\\\" OR powershell.exe\\ mshta.exe\\ http* OR cmd.exe\\ \\/c\\ taskkill\\ \\/im\\ cmd.exe)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

129
docker/helk-jupyter/notebooks/sigma/apt_bear_activity_gtr19.ipynb Normal file
View File

@ -0,0 +1,129 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Judgement Panda Exfil Activity\n",
"Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Judgement Panda Exfil Activity\n",
" id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee\n",
" description: Detects Russian group activity as described in Global Threat Report\n",
" 2019 by Crowdstrike\n",
" references:\n",
" - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\n",
" author: Florian Roth\n",
" date: 2019/02/21\n",
" tags:\n",
" - attack.credential_access\n",
" - attack.t1081\n",
" - attack.t1003\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection1:\n",
" Image: '*\\xcopy.exe'\n",
" CommandLine: '* /S /E /C /Q /H \\\\*'\n",
" selection2:\n",
" Image: '*\\adexplorer.exe'\n",
" CommandLine: '* -snapshot \"\" c:\\users\\\\*'\n",
" condition: selection1 or selection2\n",
" falsepositives:\n",
" - unknown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='((process_path.keyword:*\\\\xcopy.exe AND process_command_line.keyword:*\\ \\/S\\ \\/E\\ \\/C\\ \\/Q\\ \\/H\\ \\\\*) OR (process_path.keyword:*\\\\adexplorer.exe AND process_command_line.keyword:*\\ \\-snapshot\\ \\\"\\\"\\ c\\:\\\\users\\\\*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

127
docker/helk-jupyter/notebooks/sigma/apt_carbonpaper_turla.ipynb Normal file
View File

@ -0,0 +1,127 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Turla Service Install\n",
"This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Turla Service Install\n",
" id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4\n",
" description: This method detects a service install of malicious services mentioned\n",
" in Carbon Paper - Turla report by ESET\n",
" references:\n",
" - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/\n",
" tags:\n",
" - attack.persistence\n",
" - attack.g0010\n",
" - attack.t1050\n",
" logsource:\n",
" product: windows\n",
" service: system\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 7045\n",
" ServiceName:\n",
" - srservice\n",
" - ipvpn\n",
" - hkmsvc\n",
" condition: selection\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-system-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"7045\" AND service_name:(\"srservice\" OR \"ipvpn\" OR \"hkmsvc\"))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

208
docker/helk-jupyter/notebooks/sigma/apt_chafer_mar18.ipynb Normal file
View File

@ -0,0 +1,208 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Chafer Activity\n",
"Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: Chafer Activity\n",
" id: 53ba33fd-3a50-4468-a5ef-c583635cfa92\n",
" description: Detects Chafer activity attributed to OilRig as reported in Nyotron\n",
" report in March 2018\n",
" references:\n",
" - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/\n",
" tags:\n",
" - attack.persistence\n",
" - attack.g0049\n",
" - attack.t1053\n",
" - attack.s0111\n",
" - attack.defense_evasion\n",
" - attack.t1112\n",
" date: 2018/03/23\n",
" modified: 2019/03/01\n",
" author: Florian Roth, Markus Neis\n",
" detection:\n",
" condition: 1 of them\n",
" falsepositives:\n",
" - Unknown\n",
" level: critical\n",
"- logsource:\n",
" product: windows\n",
" service: system\n",
" detection:\n",
" selection_service:\n",
" EventID: 7045\n",
" ServiceName:\n",
" - SC Scheduled Scan\n",
" - UpdatMachine\n",
"- logsource:\n",
" product: windows\n",
" service: security\n",
" detection:\n",
" selection_service:\n",
" EventID: 4698\n",
" TaskName:\n",
" - SC Scheduled Scan\n",
" - UpdatMachine\n",
"- logsource:\n",
" product: windows\n",
" service: sysmon\n",
" detection:\n",
" selection_reg1:\n",
" EventID: 13\n",
" TargetObject:\n",
" - '*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe'\n",
" - '*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT'\n",
" EventType: SetValue\n",
" selection_reg2:\n",
" EventID: 13\n",
" TargetObject: '*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential'\n",
" EventType: SetValue\n",
" Details: DWORD (0x00000001)\n",
"- logsource:\n",
" category: process_creation\n",
" product: windows\n",
" detection:\n",
" selection_process1:\n",
" CommandLine:\n",
" - '*\\Service.exe i'\n",
" - '*\\Service.exe u'\n",
" - '*\\microsoft\\Taskbar\\autoit3.exe'\n",
" - C:\\wsc.exe*\n",
" selection_process2:\n",
" Image: '*\\Windows\\Temp\\DB\\\\*.exe'\n",
" selection_process3:\n",
" CommandLine: '*\\nslookup.exe -q=TXT*'\n",
" ParentImage: '*\\Autoit*'\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"7045\" AND service_name:(\"SC\\ Scheduled\\ Scan\" OR \"UpdatMachine\"))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"4698\" AND task_name:(\"SC\\ Scheduled\\ Scan\" OR \"UpdatMachine\"))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"13\" AND event_type:\"SetValue\" AND (registry_key_path.keyword:(*SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe OR *SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT) OR (registry_key_path.keyword:*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential AND registry_key_value:\"DWORD\\ \\(0x00000001\\)\")))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(process_command_line.keyword:(*\\\\Service.exe\\ i OR *\\\\Service.exe\\ u OR *\\\\microsoft\\\\Taskbar\\\\autoit3.exe OR C\\:\\\\wsc.exe*) OR process_path.keyword:*\\\\Windows\\\\Temp\\\\DB\\\\*.exe OR (process_command_line.keyword:*\\\\nslookup.exe\\ \\-q\\=TXT* AND process_parent_path.keyword:*\\\\Autoit*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

127
docker/helk-jupyter/notebooks/sigma/apt_cloudhopper.ipynb Normal file
View File

@ -0,0 +1,127 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# WMIExec VBS Script\n",
"Detects suspicious file execution by wscript and cscript"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: WMIExec VBS Script\n",
" id: 966e4016-627f-44f7-8341-f394905c361f\n",
" description: Detects suspicious file execution by wscript and cscript\n",
" author: Florian Roth\n",
" references:\n",
" - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf\n",
" tags:\n",
" - attack.execution\n",
" - attack.g0045\n",
" - attack.t1064\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" Image: '*\\cscript.exe'\n",
" CommandLine: '*.vbs /shell *'\n",
" condition: selection\n",
" fields:\n",
" - CommandLine\n",
" - ParentCommandLine\n",
" falsepositives:\n",
" - Unlikely\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(process_path.keyword:*\\\\cscript.exe AND process_command_line.keyword:*.vbs\\ \\/shell\\ *)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

123
docker/helk-jupyter/notebooks/sigma/apt_dragonfly.ipynb Normal file
View File

@ -0,0 +1,123 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# CrackMapExecWin\n",
"Detects CrackMapExecWin Activity as Described by NCSC"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: CrackMapExecWin\n",
" id: 04d9079e-3905-4b70-ad37-6bdf11304965\n",
" description: Detects CrackMapExecWin Activity as Described by NCSC\n",
" status: experimental\n",
" references:\n",
" - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control\n",
" tags:\n",
" - attack.g0035\n",
" author: Markus Neis\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" Image:\n",
" - '*\\crackmapexec.exe'\n",
" condition: selection\n",
" falsepositives:\n",
" - None\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_path.keyword:(*\\\\crackmapexec.exe)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

128
docker/helk-jupyter/notebooks/sigma/apt_elise.ipynb Normal file
View File

@ -0,0 +1,128 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Elise Backdoor\n",
"Detects Elise backdoor acitivty as used by APT32"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Elise Backdoor\n",
" id: e507feb7-5f73-4ef6-a970-91bb6f6d744f\n",
" status: experimental\n",
" description: Detects Elise backdoor acitivty as used by APT32\n",
" references:\n",
" - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting\n",
" tags:\n",
" - attack.g0030\n",
" - attack.g0050\n",
" - attack.s0081\n",
" author: Florian Roth\n",
" date: 2018/01/31\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection1:\n",
" Image: C:\\Windows\\SysWOW64\\cmd.exe\n",
" CommandLine: '*\\Windows\\Caches\\NavShExt.dll *'\n",
" selection2:\n",
" CommandLine: '*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting'\n",
" condition: 1 of them\n",
" falsepositives:\n",
" - Unknown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='((process_path:\"C\\:\\\\Windows\\\\SysWOW64\\\\cmd.exe\" AND process_command_line.keyword:*\\\\Windows\\\\Caches\\\\NavShExt.dll\\ *) OR process_command_line.keyword:*\\\\AppData\\\\Roaming\\\\MICROS\\~1\\\\Windows\\\\Caches\\\\NavShExt.dll,Setting)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

124
docker/helk-jupyter/notebooks/sigma/apt_emissarypanda_sep19.ipynb Normal file
View File

@ -0,0 +1,124 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Emissary Panda Malware SLLauncher\n",
"Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Emissary Panda Malware SLLauncher\n",
" id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014\n",
" status: experimental\n",
" description: Detects the execution of DLL side-loading malware used by threat group\n",
" Emissary Panda aka APT27\n",
" references:\n",
" - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\n",
" - https://twitter.com/cyb3rops/status/1168863899531132929\n",
" author: Florian Roth\n",
" date: 2018/09/03\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" ParentImage: '*\\sllauncher.exe'\n",
" Image: '*\\svchost.exe'\n",
" condition: selection\n",
" falsepositives:\n",
" - Unknown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(process_parent_path.keyword:*\\\\sllauncher.exe AND process_path.keyword:*\\\\svchost.exe)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

132
docker/helk-jupyter/notebooks/sigma/apt_empiremonkey.ipynb Normal file
View File

@ -0,0 +1,132 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Empire Monkey\n",
"Detects EmpireMonkey APT reported Activity"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: Empire Monkey\n",
" id: 10152a7b-b566-438f-a33c-390b607d1c8d\n",
" description: Detects EmpireMonkey APT reported Activity\n",
" references:\n",
" - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b\n",
" tags:\n",
" - attack.t1086\n",
" - attack.execution\n",
" date: 2019/04/02\n",
" author: Markus Neis\n",
" detection:\n",
" condition: 1 of them\n",
" falsepositives:\n",
" - Very Unlikely\n",
" level: critical\n",
"- logsource:\n",
" category: process_creation\n",
" product: windows\n",
" detection:\n",
" selection_cutil:\n",
" CommandLine:\n",
" - '*/i:%APPDATA%\\logs.txt scrobj.dll'\n",
" Image:\n",
" - '*\\cutil.exe'\n",
" selection_regsvr32:\n",
" CommandLine:\n",
" - '*/i:%APPDATA%\\logs.txt scrobj.dll'\n",
" Description:\n",
" - Microsoft(C) Registerserver\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(process_command_line.keyword:(*\\/i\\:%APPDATA%\\\\logs.txt\\ scrobj.dll) AND (process_path.keyword:(*\\\\cutil.exe) OR file_description:(\"Microsoft\\(C\\)\\ Registerserver\")))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

130
docker/helk-jupyter/notebooks/sigma/apt_equationgroup_c2.ipynb Normal file
View File

@ -0,0 +1,130 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Equation Group C2 Communication\n",
"Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Equation Group C2 Communication\n",
" id: 881834a4-6659-4773-821e-1c151789d873\n",
" description: Detects communication to C2 servers mentioned in the operational notes\n",
" of the ShadowBroker leak of EquationGroup C2 tools\n",
" references:\n",
" - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation\n",
" - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195\n",
" tags:\n",
" - attack.command_and_control\n",
" - attack.g0020\n",
" author: Florian Roth\n",
" logsource:\n",
" category: firewall\n",
" product: null\n",
" service: null\n",
" detection:\n",
" outgoing:\n",
" dst_ip:\n",
" - 69.42.98.86\n",
" - 89.185.234.145\n",
" incoming:\n",
" src_ip:\n",
" - 69.42.98.86\n",
" - 89.185.234.145\n",
" condition: 1 of them\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(dst_ip:(\"69.42.98.86\" OR \"89.185.234.145\") OR src_ip:(\"69.42.98.86\" OR \"89.185.234.145\"))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

130
docker/helk-jupyter/notebooks/sigma/apt_equationgroup_dll_u_load.ipynb Normal file
View File

@ -0,0 +1,130 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Equation Group DLL_U Load\n",
"Detects a specific tool and export used by EquationGroup"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Equation Group DLL_U Load\n",
" id: d465d1d8-27a2-4cca-9621-a800f37cf72e\n",
" author: Florian Roth\n",
" description: Detects a specific tool and export used by EquationGroup\n",
" references:\n",
" - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\n",
" - https://securelist.com/apt-slingshot/84312/\n",
" - https://twitter.com/cyb3rops/status/972186477512839170\n",
" tags:\n",
" - attack.execution\n",
" - attack.g0020\n",
" - attack.t1059\n",
" - attack.defense_evasion\n",
" - attack.t1085\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection1:\n",
" Image: '*\\rundll32.exe'\n",
" CommandLine: '*,dll_u'\n",
" selection2:\n",
" CommandLine: '* -export dll_u *'\n",
" condition: 1 of them\n",
" falsepositives:\n",
" - Unknown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='((process_path.keyword:*\\\\rundll32.exe AND process_command_line.keyword:*,dll_u) OR process_command_line.keyword:*\\ \\-export\\ dll_u\\ *)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

162
docker/helk-jupyter/notebooks/sigma/apt_equationgroup_lnx.ipynb Normal file
View File

@ -0,0 +1,162 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Equation Group Indicators\n",
"Detects suspicious shell commands used in various Equation Group scripts and tools"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Equation Group Indicators\n",
" id: 41e5c73d-9983-4b69-bd03-e13b67e9623c\n",
" description: Detects suspicious shell commands used in various Equation Group scripts\n",
" and tools\n",
" references:\n",
" - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1\n",
" tags:\n",
" - attack.execution\n",
" - attack.g0020\n",
" - attack.t1059\n",
" author: Florian Roth\n",
" logsource:\n",
" product: linux\n",
" service: null\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - 'chown root*chmod 4777 '\n",
" - cp /bin/sh .;chown\n",
" - chmod 4777 /tmp/.scsi/dev/bin/gsh\n",
" - chown root:root /tmp/.scsi/dev/bin/\n",
" - chown root:root x;\n",
" - /bin/telnet locip locport < /dev/console | /bin/sh\n",
" - /tmp/ratload\n",
" - 'ewok -t '\n",
" - 'xspy -display '\n",
" - cat > /dev/tcp/127.0.0.1/80 <<END\n",
" - rm -f /current/tmp/ftshell.latest\n",
" - 'ghost_* -v '\n",
" - ' --wipe > /dev/null'\n",
" - ping -c 2 *; grep * /proc/net/arp >/tmp/gx\n",
" - iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;\n",
" - '> /var/log/audit/audit.log; rm -f .'\n",
" - cp /var/log/audit/audit.log .tmp\n",
" - sh >/dev/tcp/* <&1 2>&1\n",
" - ncat -vv -l -p * <\n",
" - nc -vv -l -p * <\n",
" - < /dev/console | uudecode && uncompress\n",
" - sendmail -osendmail;chmod +x sendmail\n",
" - /usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron\n",
" - chmod 666 /var/run/utmp~\n",
" - chmod 700 nscd crond\n",
" - cp /etc/shadow /tmp/.\n",
" - </dev/console |uudecode > /dev/null 2>&1 && uncompress\n",
" - chmod 700 jp&&netstat -an|grep\n",
" - uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755\n",
" - chmod 700 crond\n",
" - wget http*; chmod +x /tmp/sendmail\n",
" - chmod 700 fp sendmail pt\n",
" - chmod 755 /usr/vmsys/bin/pipe\n",
" - chmod -R 755 /usr/vmsys\n",
" - chmod 755 $opbin/*tunnel\n",
" - chmod 700 sendmail\n",
" - chmod 0700 sendmail\n",
" - /usr/bin/wget http*sendmail;chmod +x sendmail;\n",
" - '&& telnet * 2>&1 </dev/console'\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*chown\\ root*chmod\\ 4777\\ * OR *cp\\ \\/bin\\/sh\\ .;chown* OR *chmod\\ 4777\\ \\/tmp\\/.scsi\\/dev\\/bin\\/gsh* OR *chown\\ root\\:root\\ \\/tmp\\/.scsi\\/dev\\/bin\\/* OR *chown\\ root\\:root\\ x;* OR *\\/bin\\/telnet\\ locip\\ locport\\ \\ \\/dev\\/console\\ |\\ \\/bin\\/sh* OR *\\/tmp\\/ratload* OR *ewok\\ \\-t\\ * OR *xspy\\ \\-display\\ * OR *cat\\ \\ \\/dev\\/tcp\\/127.0.0.1\\/80\\ END* OR *rm\\ \\-f\\ \\/current\\/tmp\\/ftshell.latest* OR *ghost_*\\ \\-v\\ * OR *\\ \\-\\-wipe\\ \\ \\/dev\\/null* OR *ping\\ \\-c\\ 2\\ *;\\ grep\\ *\\ \\/proc\\/net\\/arp\\ \\/tmp\\/gx* OR *iptables\\ *\\ OUTPUT\\ \\-p\\ tcp\\ \\-d\\ 127.0.0.1\\ \\-\\-tcp\\-flags\\ RST\\ RST\\ \\-j\\ DROP;* OR *\\ \\/var\\/log\\/audit\\/audit.log;\\ rm\\ \\-f\\ .* OR *cp\\ \\/var\\/log\\/audit\\/audit.log\\ .tmp* OR *sh\\ \\/dev\\/tcp\\/*\\ &1\\ 2&1* OR *ncat\\ \\-vv\\ \\-l\\ \\-p\\ *\\ * OR *nc\\ \\-vv\\ \\-l\\ \\-p\\ *\\ * OR *\\ \\/dev\\/console\\ |\\ uudecode\\ \\&&\\ uncompress* OR *sendmail\\ \\-osendmail;chmod\\ \\+x\\ sendmail* OR *\\/usr\\/bin\\/wget\\ \\-O\\ \\/tmp\\/a\\ http*\\ \\&&\\ chmod\\ 755\\ \\/tmp\\/cron* OR *chmod\\ 666\\ \\/var\\/run\\/utmp\\~* OR *chmod\\ 700\\ nscd\\ crond* OR *cp\\ \\/etc\\/shadow\\ \\/tmp\\/.* OR *\\/dev\\/console\\ |uudecode\\ \\ \\/dev\\/null\\ 2&1\\ \\&&\\ uncompress* OR *chmod\\ 700\\ jp\\&&netstat\\ \\-an|grep* OR *uudecode\\ \\ \\/dev\\/null\\ 2&1\\ \\&&\\ uncompress\\ \\-f\\ *\\ \\&&\\ chmod\\ 755* OR *chmod\\ 700\\ crond* OR *wget\\ http*;\\ chmod\\ \\+x\\ \\/tmp\\/sendmail* OR *chmod\\ 700\\ fp\\ sendmail\\ pt* OR *chmod\\ 755\\ \\/usr\\/vmsys\\/bin\\/pipe* OR *chmod\\ \\-R\\ 755\\ \\/usr\\/vmsys* OR *chmod\\ 755\\ $opbin\\/*tunnel* OR *chmod\\ 700\\ sendmail* OR *chmod\\ 0700\\ sendmail* OR *\\/usr\\/bin\\/wget\\ http*sendmail;chmod\\ \\+x\\ sendmail;* OR *\\&&\\ telnet\\ *\\ 2&1\\ \\/dev\\/console*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

126
docker/helk-jupyter/notebooks/sigma/apt_hurricane_panda.ipynb Normal file
View File

@ -0,0 +1,126 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Hurricane Panda Activity\n",
"Detects Hurricane Panda Activity"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Hurricane Panda Activity\n",
" id: 0eb2107b-a596-422e-b123-b389d5594ed7\n",
" author: Florian Roth\n",
" status: experimental\n",
" description: Detects Hurricane Panda Activity\n",
" references:\n",
" - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/\n",
" tags:\n",
" - attack.privilege_escalation\n",
" - attack.g0009\n",
" - attack.t1068\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" CommandLine:\n",
" - '* localgroup administrators admin /add'\n",
" - '*\\Win64.exe*'\n",
" condition: selection\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:(*\\ localgroup\\ administrators\\ admin\\ \\/add OR *\\\\Win64.exe*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

138
docker/helk-jupyter/notebooks/sigma/apt_judgement_panda_gtr19.ipynb Normal file
View File

@ -0,0 +1,138 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Judgement Panda Exfil Activity\n",
"Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Judgement Panda Exfil Activity\n",
" id: 03e2746e-2b31-42f1-ab7a-eb39365b2422\n",
" description: Detects Judgement Panda activity as described in Global Threat Report\n",
" 2019 by Crowdstrike\n",
" references:\n",
" - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\n",
" author: Florian Roth\n",
" date: 2019/02/21\n",
" tags:\n",
" - attack.lateral_movement\n",
" - attack.g0010\n",
" - attack.credential_access\n",
" - attack.t1098\n",
" - attack.exfiltration\n",
" - attack.t1002\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection1:\n",
" CommandLine:\n",
" - '*\\ldifde.exe -f -n *'\n",
" - '*\\7za.exe a 1.7z *'\n",
" - '* eprod.ldf'\n",
" - '*\\aaaa\\procdump64.exe*'\n",
" - '*\\aaaa\\netsess.exe*'\n",
" - '*\\aaaa\\7za.exe*'\n",
" - '*copy .\\1.7z \\\\*'\n",
" - '*copy \\\\client\\c$\\aaaa\\\\*'\n",
" selection2:\n",
" Image: C:\\Users\\Public\\7za.exe\n",
" condition: selection1 or selection2\n",
" falsepositives:\n",
" - unknown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(process_command_line.keyword:(*\\\\ldifde.exe\\ \\-f\\ \\-n\\ * OR *\\\\7za.exe\\ a\\ 1.7z\\ * OR *\\ eprod.ldf OR *\\\\aaaa\\\\procdump64.exe* OR *\\\\aaaa\\\\netsess.exe* OR *\\\\aaaa\\\\7za.exe* OR *copy\\ .\\\\1.7z\\ \\\\* OR *copy\\ \\\\client\\\\c$\\\\aaaa\\\\*) OR process_path:\"C\\:\\\\Users\\\\Public\\\\7za.exe\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

131
docker/helk-jupyter/notebooks/sigma/apt_oceanlotus_registry.ipynb Normal file
View File

@ -0,0 +1,131 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# OceanLotus Registry Activity\n",
"Detects registry keys created in OceanLotus (also known as APT32) attacks"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: OceanLotus Registry Activity\n",
" id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4\n",
" status: experimental\n",
" description: Detects registry keys created in OceanLotus (also known as APT32) attacks\n",
" references:\n",
" - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/\n",
" tags:\n",
" - attack.t1112\n",
" author: megan201296\n",
" date: 2019/04/14\n",
" logsource:\n",
" product: windows\n",
" service: sysmon\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 13\n",
" TargetObject:\n",
" - '*\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model'\n",
" - '*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application'\n",
" - '*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon'\n",
" - '*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application'\n",
" - '*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon'\n",
" - '*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application'\n",
" - '*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon'\n",
" condition: selection\n",
" falsepositives:\n",
" - Unknown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-sysmon-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"13\" AND registry_key_path.keyword:(*\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\DefaultIcon))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

154
docker/helk-jupyter/notebooks/sigma/apt_pandemic.ipynb Normal file
View File

@ -0,0 +1,154 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Pandemic Registry Key\n",
"Detects Pandemic Windows Implant"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: Pandemic Registry Key\n",
" id: 47e0852a-cf81-4494-a8e6-31864f8c86ed\n",
" status: experimental\n",
" description: Detects Pandemic Windows Implant\n",
" references:\n",
" - https://wikileaks.org/vault7/#Pandemic\n",
" - https://twitter.com/MalwareJake/status/870349480356454401\n",
" tags:\n",
" - attack.lateral_movement\n",
" - attack.t1105\n",
" author: Florian Roth\n",
" detection:\n",
" condition: 1 of them\n",
" fields:\n",
" - EventID\n",
" - CommandLine\n",
" - ParentCommandLine\n",
" - Image\n",
" - User\n",
" - TargetObject\n",
" falsepositives:\n",
" - unknown\n",
" level: critical\n",
"- logsource:\n",
" product: windows\n",
" service: sysmon\n",
" detection:\n",
" selection1:\n",
" EventID: 13\n",
" TargetObject:\n",
" - \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\services\\null\\Instance*\n",
" - \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\null\\Instance*\n",
" - \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet002\\services\\null\\Instance*\n",
"- logsource:\n",
" category: process_creation\n",
" product: windows\n",
" detection:\n",
" selection2:\n",
" Command: loaddll -a *\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"13\" AND registry_key_path.keyword:(\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance* OR \\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\services\\\\null\\\\Instance* OR \\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet002\\\\services\\\\null\\\\Instance*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='Command.keyword:loaddll\\ \\-a\\ *')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

146
docker/helk-jupyter/notebooks/sigma/apt_slingshot.ipynb Normal file
View File

@ -0,0 +1,146 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Defrag Deactivation\n",
"Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: Defrag Deactivation\n",
" id: 958d81aa-8566-4cea-a565-59ccd4df27b0\n",
" author: Florian Roth\n",
" description: Detects the deactivation of the Scheduled defragmentation task as seen\n",
" by Slingshot APT group\n",
" references:\n",
" - https://securelist.com/apt-slingshot/84312/\n",
" tags:\n",
" - attack.persistence\n",
" - attack.t1053\n",
" - attack.s0111\n",
" detection:\n",
" condition: 1 of them\n",
" falsepositives:\n",
" - Unknown\n",
" level: medium\n",
"- logsource:\n",
" category: process_creation\n",
" product: windows\n",
" detection:\n",
" selection1:\n",
" CommandLine:\n",
" - '*schtasks* /delete *Defrag\\ScheduledDefrag*'\n",
"- logsource:\n",
" product: windows\n",
" service: security\n",
" definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'\n",
" detection:\n",
" selection2:\n",
" EventID: 4701\n",
" TaskName: \\Microsoft\\Windows\\Defrag\\ScheduledDefrag\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:(*schtasks*\\ \\/delete\\ *Defrag\\\\ScheduledDefrag*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"4701\" AND task_name:\"\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

131
docker/helk-jupyter/notebooks/sigma/apt_sofacy.ipynb Normal file
View File

@ -0,0 +1,131 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Sofacy Trojan Loader Activity\n",
"Detects Trojan loader acitivty as used by APT28"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Sofacy Trojan Loader Activity\n",
" id: ba778144-5e3d-40cf-8af9-e28fb1df1e20\n",
" author: Florian Roth\n",
" status: experimental\n",
" description: Detects Trojan loader acitivty as used by APT28\n",
" references:\n",
" - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\n",
" - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\n",
" - https://twitter.com/ClearskySec/status/960924755355369472\n",
" tags:\n",
" - attack.g0007\n",
" - attack.execution\n",
" - attack.t1059\n",
" - attack.defense_evasion\n",
" - attack.t1085\n",
" - car.2013-10-002\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" CommandLine:\n",
" - rundll32.exe %APPDATA%\\\\*.dat\",*\n",
" - rundll32.exe %APPDATA%\\\\*.dll\",#1\n",
" condition: selection\n",
" falsepositives:\n",
" - Unknown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:(rundll32.exe\\ %APPDATA%\\\\*.dat\\\",* OR rundll32.exe\\ %APPDATA%\\\\*.dll\\\",#1)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

126
docker/helk-jupyter/notebooks/sigma/apt_stonedrill.ipynb Normal file
View File

@ -0,0 +1,126 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# StoneDrill Service Install\n",
"This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: StoneDrill Service Install\n",
" id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6\n",
" description: This method detects a service install of the malicious Microsoft Network\n",
" Realtime Inspection Service service described in StoneDrill report by Kaspersky\n",
" author: Florian Roth\n",
" references:\n",
" - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/\n",
" tags:\n",
" - attack.persistence\n",
" - attack.g0064\n",
" - attack.t1050\n",
" logsource:\n",
" product: windows\n",
" service: system\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 7045\n",
" ServiceName: NtsSrv\n",
" ServiceFileName: '* LocalService'\n",
" condition: selection\n",
" falsepositives:\n",
" - Unlikely\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-system-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"7045\" AND service_name:\"NtsSrv\" AND service_image_path.keyword:*\\ LocalService)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

126
docker/helk-jupyter/notebooks/sigma/apt_ta17_293a_ps.ipynb Normal file
View File

@ -0,0 +1,126 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Ps.exe Renamed SysInternals Tool\n",
"Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Ps.exe Renamed SysInternals Tool\n",
" id: 18da1007-3f26-470f-875d-f77faf1cab31\n",
" description: Detects renamed SysInternals tool execution with a binary named ps.exe\n",
" as used by Dragonfly APT group and documented in TA17-293A report\n",
" references:\n",
" - https://www.us-cert.gov/ncas/alerts/TA17-293A\n",
" tags:\n",
" - attack.defense_evasion\n",
" - attack.g0035\n",
" - attack.t1036\n",
" - car.2013-05-009\n",
" author: Florian Roth\n",
" date: 2017/10/22\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" CommandLine: ps.exe -accepteula\n",
" condition: selection\n",
" falsepositives:\n",
" - Renamed SysInternals tool\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line:\"ps.exe\\ \\-accepteula\"')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

122
docker/helk-jupyter/notebooks/sigma/apt_tropictrooper.ipynb Normal file
View File

@ -0,0 +1,122 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# TropicTrooper Campaign November 2018\n",
"Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: TropicTrooper Campaign November 2018\n",
" id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79\n",
" author: '@41thexplorer, Windows Defender ATP'\n",
" status: stable\n",
" description: Detects TropicTrooper activity, an actor who targeted high-profile\n",
" organizations in the energy and food and beverage sectors in Asia\n",
" references:\n",
" - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1085\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'\n",
" condition: selection\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

132
docker/helk-jupyter/notebooks/sigma/apt_turla_namedpipes.ipynb Normal file
View File

@ -0,0 +1,132 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Turla Group Named Pipes\n",
"Detects a named pipe used by Turla group samples"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Turla Group Named Pipes\n",
" id: 739915e4-1e70-4778-8b8a-17db02f66db1\n",
" status: experimental\n",
" description: Detects a named pipe used by Turla group samples\n",
" references:\n",
" - Internal Research\n",
" date: 2017/11/06\n",
" tags:\n",
" - attack.g0010\n",
" author: Markus Neis\n",
" logsource:\n",
" product: windows\n",
" service: sysmon\n",
" definition: Note that you have to configure logging for PipeEvents in Symson config\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID:\n",
" - 17\n",
" - 18\n",
" PipeName:\n",
" - \\atctl\n",
" - \\userpipe\n",
" - \\iehelper\n",
" - \\sdlrpc\n",
" - \\comnap\n",
" condition: selection\n",
" falsepositives:\n",
" - Unkown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-sysmon-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:(\"17\" OR \"18\") AND pipe_name:(\"\\\\atctl\" OR \"\\\\userpipe\" OR \"\\\\iehelper\" OR \"\\\\sdlrpc\" OR \"\\\\comnap\"))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

126
docker/helk-jupyter/notebooks/sigma/apt_turla_service_png.ipynb Normal file
View File

@ -0,0 +1,126 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Turla PNG Dropper Service\n",
"This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Turla PNG Dropper Service\n",
" id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1\n",
" description: This method detects malicious services mentioned in Turla PNG dropper\n",
" report by NCC Group in November 2018\n",
" references:\n",
" - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/\n",
" author: Florian Roth\n",
" date: 2018/11/23\n",
" tags:\n",
" - attack.persistence\n",
" - attack.g0010\n",
" - attack.t1050\n",
" logsource:\n",
" product: windows\n",
" service: system\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 7045\n",
" ServiceName: WerFaultSvc\n",
" condition: selection\n",
" falsepositives:\n",
" - unlikely\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-system-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"7045\" AND service_name:\"WerFaultSvc\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

146
docker/helk-jupyter/notebooks/sigma/apt_unidentified_nov_18.ipynb Normal file
View File

@ -0,0 +1,146 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Unidentified Attacker November 2018\n",
"A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: Unidentified Attacker November 2018\n",
" id: 7453575c-a747-40b9-839b-125a0aae324b\n",
" status: stable\n",
" description: A sigma rule detecting an unidetefied attacker who used phishing emails\n",
" to target high profile orgs on November 2018. The Actor shares some TTPs with\n",
" YYTRIUM/APT29 campaign in 2016.\n",
" references:\n",
" - https://twitter.com/DrunkBinary/status/1063075530180886529\n",
" author: '@41thexplorer, Windows Defender ATP'\n",
" date: 2018/11/20\n",
" modified: 2018/12/11\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1085\n",
" detection:\n",
" condition: 1 of them\n",
" level: high\n",
"- logsource:\n",
" category: process_creation\n",
" product: windows\n",
" detection:\n",
" selection1:\n",
" CommandLine: '*cyzfc.dat, PointFunctionCall'\n",
"- logsource:\n",
" product: windows\n",
" service: sysmon\n",
" detection:\n",
" selection2:\n",
" EventID: 11\n",
" TargetFilename:\n",
" - '*ds7002.lnk*'\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:*cyzfc.dat,\\ PointFunctionCall')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"11\" AND file_name.keyword:(*ds7002.lnk*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

153
docker/helk-jupyter/notebooks/sigma/apt_wocao.ipynb Normal file
View File

@ -0,0 +1,153 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Operation Wocao Activity\n",
"Detects activity mentioned in Operation Wocao report"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: Operation Wocao Activity\n",
" id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d\n",
" author: Florian Roth\n",
" status: experimental\n",
" description: Detects activity mentioned in Operation Wocao report\n",
" references:\n",
" - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/\n",
" - https://twitter.com/SBousseaden/status/1207671369963646976\n",
" date: 2019/12/20\n",
" falsepositives:\n",
" - Administrators that use checkadmin.exe tool to enumerate local administrators\n",
" level: high\n",
"- logsource:\n",
" product: windows\n",
" service: security\n",
" detection:\n",
" selection:\n",
" EventID: 4799\n",
" GroupName: Administrators\n",
" ProcessName: '*\\checkadmin.exe'\n",
" condition: selection\n",
"- logsource:\n",
" category: process_creation\n",
" product: windows\n",
" detection:\n",
" selection:\n",
" CommandLine|contains:\n",
" - checkadmin.exe 127.0.0.1 -all\n",
" - netsh advfirewall firewall add rule name=powershell dir=in\n",
" - cmd /c powershell.exe -ep bypass -file c:\\s.ps1\n",
" - /tn win32times /f\n",
" - create win32times binPath=\n",
" - \\c$\\windows\\system32\\devmgr.dll\n",
" - ' -exec bypass -enc JgAg'\n",
" - type *keepass\\KeePass.config.xml\n",
" - iie.exe iie.txt\n",
" - reg query HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\\n",
" condition: selection\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"4799\" AND group_name:\"Administrators\" AND process_path.keyword:*\\\\checkadmin.exe)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:(*checkadmin.exe\\ 127.0.0.1\\ \\-all* OR *netsh\\ advfirewall\\ firewall\\ add\\ rule\\ name\\=powershell\\ dir\\=in* OR *cmd\\ \\/c\\ powershell.exe\\ \\-ep\\ bypass\\ \\-file\\ c\\:\\\\s.ps1* OR *\\/tn\\ win32times\\ \\/f* OR *create\\ win32times\\ binPath\\=* OR *\\\\c$\\\\windows\\\\system32\\\\devmgr.dll* OR *\\ \\-exec\\ bypass\\ \\-enc\\ JgAg* OR *type\\ *keepass\\\\KeePass.config.xml* OR *iie.exe\\ iie.txt* OR *reg\\ query\\ HKEY_CURRENT_USER\\\\Software\\*\\\\PuTTY\\\\Sessions\\*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

130
docker/helk-jupyter/notebooks/sigma/apt_zxshell.ipynb Normal file
View File

@ -0,0 +1,130 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# ZxShell Malware\n",
"Detects a ZxShell start by the called and well-known function name"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: ZxShell Malware\n",
" id: f0b70adb-0075-43b0-9745-e82a1c608fcc\n",
" description: Detects a ZxShell start by the called and well-known function name\n",
" author: Florian Roth\n",
" references:\n",
" - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100\n",
" tags:\n",
" - attack.g0001\n",
" - attack.execution\n",
" - attack.t1059\n",
" - attack.defense_evasion\n",
" - attack.t1085\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" Command:\n",
" - rundll32.exe *,zxFunction*\n",
" - rundll32.exe *,RemoteDiskXXXXX\n",
" condition: selection\n",
" fields:\n",
" - CommandLine\n",
" - ParentCommandLine\n",
" falsepositives:\n",
" - Unlikely\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='Command.keyword:(rundll32.exe\\ *,zxFunction* OR rundll32.exe\\ *,RemoteDiskXXXXX)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

139
docker/helk-jupyter/notebooks/sigma/av_exploiting.ipynb Normal file
View File

@ -0,0 +1,139 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Antivirus Exploitation Framework Detection\n",
"Detects a highly relevant Antivirus alert that reports an exploitation framework"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Antivirus Exploitation Framework Detection\n",
" id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864\n",
" description: Detects a highly relevant Antivirus alert that reports an exploitation\n",
" framework\n",
" date: 2018/09/09\n",
" modified: 2019/01/16\n",
" author: Florian Roth\n",
" references:\n",
" - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1203\n",
" - attack.command_and_control\n",
" - attack.t1219\n",
" logsource:\n",
" product: antivirus\n",
" service: null\n",
" category: null\n",
" detection:\n",
" selection:\n",
" Signature:\n",
" - '*MeteTool*'\n",
" - '*MPreter*'\n",
" - '*Meterpreter*'\n",
" - '*Metasploit*'\n",
" - '*PowerSploit*'\n",
" - '*CobaltSrike*'\n",
" - '*Swrort*'\n",
" - '*Rozena*'\n",
" - '*Backdoor.Cobalt*'\n",
" condition: selection\n",
" fields:\n",
" - FileName\n",
" - User\n",
" falsepositives:\n",
" - Unlikely\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

135
docker/helk-jupyter/notebooks/sigma/av_password_dumper.ipynb Normal file
View File

@ -0,0 +1,135 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Antivirus Password Dumper Detection\n",
"Detects a highly relevant Antivirus alert that reports a password dumper"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Antivirus Password Dumper Detection\n",
" id: 78cc2dd2-7d20-4d32-93ff-057084c38b93\n",
" description: Detects a highly relevant Antivirus alert that reports a password dumper\n",
" date: 2018/09/09\n",
" modified: 2019/10/04\n",
" author: Florian Roth\n",
" references:\n",
" - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/\n",
" tags:\n",
" - attack.credential_access\n",
" - attack.t1003\n",
" logsource:\n",
" product: antivirus\n",
" service: null\n",
" category: null\n",
" detection:\n",
" selection:\n",
" Signature:\n",
" - '*DumpCreds*'\n",
" - '*Mimikatz*'\n",
" - '*PWCrack*'\n",
" - HTool/WCE\n",
" - '*PSWtool*'\n",
" - '*PWDump*'\n",
" - '*SecurityTool*'\n",
" - '*PShlSpy*'\n",
" condition: selection\n",
" fields:\n",
" - FileName\n",
" - User\n",
" falsepositives:\n",
" - Unlikely\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

150
docker/helk-jupyter/notebooks/sigma/av_relevant_files.ipynb Normal file
View File

@ -0,0 +1,150 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Antivirus Relevant File Paths Alerts\n",
"Detects an Antivirus alert in a highly relevant file path or with a relevant file name"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Antivirus Relevant File Paths Alerts\n",
" id: c9a88268-0047-4824-ba6e-4d81ce0b907c\n",
" description: Detects an Antivirus alert in a highly relevant file path or with a\n",
" relevant file name\n",
" date: 2018/09/09\n",
" modified: 2019/10/04\n",
" author: Florian Roth\n",
" references:\n",
" - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/\n",
" logsource:\n",
" product: antivirus\n",
" service: null\n",
" category: null\n",
" detection:\n",
" selection:\n",
" FileName:\n",
" - C:\\Windows\\Temp\\\\*\n",
" - C:\\Temp\\\\*\n",
" - '*\\\\Client\\\\*'\n",
" - C:\\PerfLogs\\\\*\n",
" - C:\\Users\\Public\\\\*\n",
" - C:\\Users\\Default\\\\*\n",
" - '*.ps1'\n",
" - '*.vbs'\n",
" - '*.bat'\n",
" - '*.chm'\n",
" - '*.xml'\n",
" - '*.txt'\n",
" - '*.jsp'\n",
" - '*.jspx'\n",
" - '*.asp'\n",
" - '*.aspx'\n",
" - '*.php'\n",
" - '*.war'\n",
" - '*.hta'\n",
" - '*.lnk'\n",
" - '*.scf'\n",
" - '*.sct'\n",
" - '*.vbe'\n",
" - '*.wsf'\n",
" - '*.wsh'\n",
" condition: selection\n",
" fields:\n",
" - Signature\n",
" - User\n",
" falsepositives:\n",
" - Unlikely\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='file_name.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR C\\:\\\\Temp\\\\* OR *\\\\Client\\\\* OR C\\:\\\\PerfLogs\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.sct OR *.vbe OR *.wsf OR *.wsh)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

134
docker/helk-jupyter/notebooks/sigma/av_webshell.ipynb Normal file
View File

@ -0,0 +1,134 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Antivirus Web Shell Detection\n",
"Detects a highly relevant Antivirus alert that reports a web shell"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Antivirus Web Shell Detection\n",
" id: fdf135a2-9241-4f96-a114-bb404948f736\n",
" description: Detects a highly relevant Antivirus alert that reports a web shell\n",
" date: 2018/09/09\n",
" modified: 2019/10/04\n",
" author: Florian Roth\n",
" references:\n",
" - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/\n",
" tags:\n",
" - attack.persistence\n",
" - attack.t1100\n",
" logsource:\n",
" product: antivirus\n",
" service: null\n",
" category: null\n",
" detection:\n",
" selection:\n",
" Signature:\n",
" - PHP/Backdoor*\n",
" - JSP/Backdoor*\n",
" - ASP/Backdoor*\n",
" - Backdoor.PHP*\n",
" - Backdoor.JSP*\n",
" - Backdoor.ASP*\n",
" - '*Webshell*'\n",
" condition: selection\n",
" fields:\n",
" - FileName\n",
" - User\n",
" falsepositives:\n",
" - Unlikely\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='signature.keyword:(PHP\\/Backdoor* OR JSP\\/Backdoor* OR ASP\\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

225
docker/helk-jupyter/notebooks/sigma/cleartext_protocols.ipynb Normal file
View File

@ -0,0 +1,225 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Cleartext Protocol Usage\n",
"Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: Cleartext Protocol Usage\n",
" id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f\n",
" description: Ensure that all account usernames and authentication credentials are\n",
" transmitted across networks using encrypted channels. Ensure that an encryption\n",
" is used for all sensitive information in transit. Ensure that an encrypted channels\n",
" is used for all administrative account access.\n",
" references:\n",
" - https://www.cisecurity.org/controls/cis-controls-list/\n",
" - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n",
" - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n",
" author: Alexandr Yampolskyi, SOC Prime\n",
" status: stable\n",
" date: 2019/03/26\n",
" falsepositives:\n",
" - unknown\n",
" level: low\n",
" tags:\n",
" - CSC4\n",
" - CSC4.5\n",
" - CSC14\n",
" - CSC14.4\n",
" - CSC16\n",
" - CSC16.5\n",
" - NIST CSF 1.1 PR.AT-2\n",
" - NIST CSF 1.1 PR.MA-2\n",
" - NIST CSF 1.1 PR.PT-3\n",
" - NIST CSF 1.1 PR.AC-1\n",
" - NIST CSF 1.1 PR.AC-4\n",
" - NIST CSF 1.1 PR.AC-5\n",
" - NIST CSF 1.1 PR.AC-6\n",
" - NIST CSF 1.1 PR.AC-7\n",
" - NIST CSF 1.1 PR.DS-1\n",
" - NIST CSF 1.1 PR.DS-2\n",
" - NIST CSF 1.1 PR.PT-3\n",
" - NIST CSF 1.1 PR.PT-3\n",
" - ISO 27002-2013 A.9.2.1\n",
" - ISO 27002-2013 A.9.2.2\n",
" - ISO 27002-2013 A.9.2.3\n",
" - ISO 27002-2013 A.9.2.4\n",
" - ISO 27002-2013 A.9.2.5\n",
" - ISO 27002-2013 A.9.2.6\n",
" - ISO 27002-2013 A.9.3.1\n",
" - ISO 27002-2013 A.9.4.1\n",
" - ISO 27002-2013 A.9.4.2\n",
" - ISO 27002-2013 A.9.4.3\n",
" - ISO 27002-2013 A.9.4.4\n",
" - ISO 27002-2013 A.8.3.1\n",
" - ISO 27002-2013 A.9.1.1\n",
" - ISO 27002-2013 A.10.1.1\n",
" - PCI DSS 3.2 2.1\n",
" - PCI DSS 3.2 8.1\n",
" - PCI DSS 3.2 8.2\n",
" - PCI DSS 3.2 8.3\n",
" - PCI DSS 3.2 8.7\n",
" - PCI DSS 3.2 8.8\n",
" - PCI DSS 3.2 1.3\n",
" - PCI DSS 3.2 1.4\n",
" - PCI DSS 3.2 4.3\n",
" - PCI DSS 3.2 7.1\n",
" - PCI DSS 3.2 7.2\n",
" - PCI DSS 3.2 7.3\n",
"- logsource:\n",
" product: netflow\n",
" detection:\n",
" selection:\n",
" destination.port:\n",
" - 8080\n",
" - 21\n",
" - 80\n",
" - 23\n",
" - 50000\n",
" - 1521\n",
" - 27017\n",
" - 1433\n",
" - 11211\n",
" - 3306\n",
" - 15672\n",
" - 5900\n",
" - 5901\n",
" - 5902\n",
" - 5903\n",
" - 5904\n",
" condition: selection\n",
"- logsource:\n",
" product: firewall\n",
" detection:\n",
" selection1:\n",
" destination.port:\n",
" - 8080\n",
" - 21\n",
" - 80\n",
" - 23\n",
" - 50000\n",
" - 1521\n",
" - 27017\n",
" - 3306\n",
" - 1433\n",
" - 11211\n",
" - 15672\n",
" - 5900\n",
" - 5901\n",
" - 5902\n",
" - 5903\n",
" - 5904\n",
" selection2:\n",
" action:\n",
" - forward\n",
" - accept\n",
" - 2\n",
" condition: selection1 AND selection2\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='destination.port:(\"8080\" OR \"21\" OR \"80\" OR \"23\" OR \"50000\" OR \"1521\" OR \"27017\" OR \"1433\" OR \"11211\" OR \"3306\" OR \"15672\" OR \"5900\" OR \"5901\" OR \"5902\" OR \"5903\" OR \"5904\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(destination.port:(\"8080\" OR \"21\" OR \"80\" OR \"23\" OR \"50000\" OR \"1521\" OR \"27017\" OR \"3306\" OR \"1433\" OR \"11211\" OR \"15672\" OR \"5900\" OR \"5901\" OR \"5902\" OR \"5903\" OR \"5904\") AND action:(\"forward\" OR \"accept\" OR \"2\"))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

130
docker/helk-jupyter/notebooks/sigma/crime_fireball.ipynb Normal file
View File

@ -0,0 +1,130 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Fireball Archer Install\n",
"Detects Archer malware invocation via rundll32"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Fireball Archer Install\n",
" id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d\n",
" status: experimental\n",
" description: Detects Archer malware invocation via rundll32\n",
" author: Florian Roth\n",
" date: 2017/06/03\n",
" references:\n",
" - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\n",
" - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1059\n",
" - attack.defense_evasion\n",
" - attack.t1085\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" CommandLine: '*\\rundll32.exe *,InstallArcherSvc'\n",
" condition: selection\n",
" fields:\n",
" - CommandLine\n",
" - ParentCommandLine\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:*\\\\rundll32.exe\\ *,InstallArcherSvc')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

214
docker/helk-jupyter/notebooks/sigma/default_credentials_usage.ipynb Normal file
View File

@ -0,0 +1,214 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Default Credentials Usage\n",
"Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Default Credentials Usage\n",
" id: 1a395cbc-a84a-463a-9086-ed8a70e573c7\n",
" description: Before deploying any new asset, change all default passwords to have\n",
" values consistent with administrative level accounts. Sigma detects default credentials\n",
" usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.\n",
" author: Alexandr Yampolskyi, SOC Prime\n",
" status: stable\n",
" references:\n",
" - https://www.cisecurity.org/controls/cis-controls-list/\n",
" - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n",
" - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n",
" - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists\n",
" date: 2019/03/26\n",
" logsource:\n",
" product: qualys\n",
" service: null\n",
" category: null\n",
" detection:\n",
" selection:\n",
" host.scan.vuln:\n",
" - 10693\n",
" - 11507\n",
" - 11633\n",
" - 11804\n",
" - 11821\n",
" - 11847\n",
" - 11867\n",
" - 11931\n",
" - 11935\n",
" - 11950\n",
" - 12541\n",
" - 12558\n",
" - 12559\n",
" - 12560\n",
" - 12562\n",
" - 12563\n",
" - 12565\n",
" - 12587\n",
" - 12590\n",
" - 12599\n",
" - 12702\n",
" - 12705\n",
" - 12706\n",
" - 12907\n",
" - 12928\n",
" - 12929\n",
" - 13053\n",
" - 13178\n",
" - 13200\n",
" - 13218\n",
" - 13241\n",
" - 13253\n",
" - 13274\n",
" - 13296\n",
" - 13301\n",
" - 13327\n",
" - 13373\n",
" - 13374\n",
" - 13409\n",
" - 13530\n",
" - 13532\n",
" - 20065\n",
" - 20073\n",
" - 20081\n",
" - 27202\n",
" - 27358\n",
" - 38702\n",
" - 38719\n",
" - 42045\n",
" - 42417\n",
" - 43029\n",
" - 43220\n",
" - 43221\n",
" - 43222\n",
" - 43223\n",
" - 43225\n",
" - 43246\n",
" - 43431\n",
" - 43484\n",
" - 86857\n",
" - 87098\n",
" - 87106\n",
" condition: selection\n",
" falsepositives:\n",
" - unknown\n",
" level: medium\n",
" tags:\n",
" - CSC4\n",
" - CSC4.2\n",
" - NIST CSF 1.1 PR.AC-4\n",
" - NIST CSF 1.1 PR.AT-2\n",
" - NIST CSF 1.1 PR.MA-2\n",
" - NIST CSF 1.1 PR.PT-3\n",
" - ISO 27002-2013 A.9.1.1\n",
" - ISO 27002-2013 A.9.2.2\n",
" - ISO 27002-2013 A.9.2.3\n",
" - ISO 27002-2013 A.9.2.4\n",
" - ISO 27002-2013 A.9.2.5\n",
" - ISO 27002-2013 A.9.2.6\n",
" - ISO 27002-2013 A.9.3.1\n",
" - ISO 27002-2013 A.9.4.1\n",
" - ISO 27002-2013 A.9.4.2\n",
" - ISO 27002-2013 A.9.4.3\n",
" - ISO 27002-2013 A.9.4.4\n",
" - PCI DSS 3.2 2.1\n",
" - PCI DSS 3.2 7.1\n",
" - PCI DSS 3.2 7.2\n",
" - PCI DSS 3.2 7.3\n",
" - PCI DSS 3.2 8.1\n",
" - PCI DSS 3.2 8.2\n",
" - PCI DSS 3.2 8.3\n",
" - PCI DSS 3.2 8.7\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='host.scan.vuln:(\"10693\" OR \"11507\" OR \"11633\" OR \"11804\" OR \"11821\" OR \"11847\" OR \"11867\" OR \"11931\" OR \"11935\" OR \"11950\" OR \"12541\" OR \"12558\" OR \"12559\" OR \"12560\" OR \"12562\" OR \"12563\" OR \"12565\" OR \"12587\" OR \"12590\" OR \"12599\" OR \"12702\" OR \"12705\" OR \"12706\" OR \"12907\" OR \"12928\" OR \"12929\" OR \"13053\" OR \"13178\" OR \"13200\" OR \"13218\" OR \"13241\" OR \"13253\" OR \"13274\" OR \"13296\" OR \"13301\" OR \"13327\" OR \"13373\" OR \"13374\" OR \"13409\" OR \"13530\" OR \"13532\" OR \"20065\" OR \"20073\" OR \"20081\" OR \"27202\" OR \"27358\" OR \"38702\" OR \"38719\" OR \"42045\" OR \"42417\" OR \"43029\" OR \"43220\" OR \"43221\" OR \"43222\" OR \"43223\" OR \"43225\" OR \"43246\" OR \"43431\" OR \"43484\" OR \"86857\" OR \"87098\" OR \"87106\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

168
docker/helk-jupyter/notebooks/sigma/group_modification_logging.ipynb Normal file
View File

@ -0,0 +1,168 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Group Modification Logging\n",
"Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects Event ID 4728 indicates a Member is added to a Security Group. Event ID 4729 indicates a Member is removed from a Security enabled-group. Event ID 4730 indicates aSecurity Group is deleted. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Group Modification Logging\n",
" id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e\n",
" description: \"Configure systems to issue a log entry and alert when an account is\\\n",
" \\ added to or removed from any group assigned administrative privileges. Sigma\\\n",
" \\ detects Event ID 4728 indicates a \\u2018Member is added to a Security Group\\u2019\\\n",
" . Event ID 4729 indicates a \\u2018Member is removed from a Security enabled-group\\u2019\\\n",
" . Event ID 4730 indicates a\\u2018Security Group is deleted\\u2019. The case is\\\n",
" \\ not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012\\\n",
" \\ R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows\\\n",
" \\ 2003 and XP.\"\n",
" author: Alexandr Yampolskyi, SOC Prime\n",
" status: stable\n",
" references:\n",
" - https://www.cisecurity.org/controls/cis-controls-list/\n",
" - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n",
" - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n",
" - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728\n",
" - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729\n",
" - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730\n",
" - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633\n",
" - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632\n",
" - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634\n",
" date: 2019/03/26\n",
" logsource:\n",
" product: windows\n",
" service: security\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID:\n",
" - 4728\n",
" - 4729\n",
" - 4730\n",
" - 633\n",
" - 632\n",
" - 634\n",
" condition: selection\n",
" falsepositives:\n",
" - unknown\n",
" level: low\n",
" tags:\n",
" - CSC4\n",
" - CSC4.8\n",
" - NIST CSF 1.1 PR.AC-4\n",
" - NIST CSF 1.1 PR.AT-2\n",
" - NIST CSF 1.1 PR.MA-2\n",
" - NIST CSF 1.1 PR.PT-3\n",
" - ISO 27002-2013 A.9.1.1\n",
" - ISO 27002-2013 A.9.2.2\n",
" - ISO 27002-2013 A.9.2.3\n",
" - ISO 27002-2013 A.9.2.4\n",
" - ISO 27002-2013 A.9.2.5\n",
" - ISO 27002-2013 A.9.2.6\n",
" - ISO 27002-2013 A.9.3.1\n",
" - ISO 27002-2013 A.9.4.1\n",
" - ISO 27002-2013 A.9.4.2\n",
" - ISO 27002-2013 A.9.4.3\n",
" - ISO 27002-2013 A.9.4.4\n",
" - PCI DSS 3.2 2.1\n",
" - PCI DSS 3.2 7.1\n",
" - PCI DSS 3.2 7.2\n",
" - PCI DSS 3.2 7.3\n",
" - PCI DSS 3.2 8.1\n",
" - PCI DSS 3.2 8.2\n",
" - PCI DSS 3.2 8.3\n",
" - PCI DSS 3.2 8.7\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='event_id:(\"4728\" OR \"4729\" OR \"4730\" OR \"633\" OR \"632\" OR \"634\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

135
docker/helk-jupyter/notebooks/sigma/host_without_firewall.ipynb Normal file
View File

@ -0,0 +1,135 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Host Without Firewall\n",
"Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Host Without Firewall\n",
" id: 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9\n",
" description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability\n",
" scanner. Scan type - Vulnerability Management.\n",
" author: Alexandr Yampolskyi, SOC Prime\n",
" references:\n",
" - https://www.cisecurity.org/controls/cis-controls-list/\n",
" - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n",
" - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n",
" date: 2019/03/19\n",
" status: stable\n",
" level: low\n",
" logsource:\n",
" product: Qualys\n",
" service: null\n",
" category: null\n",
" detection:\n",
" selection:\n",
" event.category: Security Policy\n",
" host.scan.vuln_name: Firewall Product Not Detected*\n",
" condition: selection\n",
" tags:\n",
" - CSC9\n",
" - CSC9.4\n",
" - NIST CSF 1.1 PR.AC-5\n",
" - NIST CSF 1.1 PR.AC-6\n",
" - NIST CSF 1.1 PR.AC-7\n",
" - NIST CSF 1.1 DE.AE-1\n",
" - ISO 27002-2013 A.9.1.2\n",
" - ISO 27002-2013 A.13.2.1\n",
" - ISO 27002-2013 A.13.2.2\n",
" - ISO 27002-2013 A.14.1.2\n",
" - PCI DSS 3.2 1.4\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event.category:\"Security\\ Policy\" AND host.scan.vuln_name.keyword:Firewall\\ Product\\ Not\\ Detected*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

135
docker/helk-jupyter/notebooks/sigma/lnx_auditd_alter_bash_profile.ipynb Normal file
View File

@ -0,0 +1,135 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Detects Suspicious edit of .bash_profile and .bashrc on Linux systems\n",
"Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems\n",
" id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9\n",
" status: experimental\n",
" description: Detects change of user environment. Adversaries can insert code into\n",
" these files to gain persistence each time a user logs in or opens a new shell.\n",
" references:\n",
" - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '\n",
" date: 2019/05/12\n",
" tags:\n",
" - attack.s0003\n",
" - attack.t1156\n",
" - attack.persistence\n",
" author: Peter Matkovski\n",
" logsource:\n",
" product: linux\n",
" service: auditd\n",
" category: null\n",
" detection:\n",
" selection:\n",
" type: PATH\n",
" name:\n",
" - /home/*/.bashrc\n",
" - /home/*/.bash_profile\n",
" - /home/*/.profile\n",
" - /etc/profile\n",
" - /etc/shells\n",
" - /etc/bashrc\n",
" - /etc/csh.cshrc\n",
" - /etc/csh.login\n",
" condition: selection\n",
" falsepositives:\n",
" - Admin or User activity\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(type:\"PATH\" AND name.keyword:(\\/home\\/*\\/.bashrc OR \\/home\\/*\\/.bash_profile OR \\/home\\/*\\/.profile OR \\/etc\\/profile OR \\/etc\\/shells OR \\/etc\\/bashrc OR \\/etc\\/csh.cshrc OR \\/etc\\/csh.login))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

128
docker/helk-jupyter/notebooks/sigma/lnx_auditd_masquerading_crond.ipynb Normal file
View File

@ -0,0 +1,128 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Masquerading as Linux crond process\n",
"Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Masquerading as Linux crond process\n",
" id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0\n",
" status: experimental\n",
" description: Masquerading occurs when the name or location of an executable, legitimate\n",
" or malicious, is manipulated or abused for the sake of evading defenses and observation.\n",
" Several different variations of this technique have been observed.\n",
" author: Timur Zinniatullin, oscd.community\n",
" date: 2019/10/21\n",
" references:\n",
" - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml\n",
" logsource:\n",
" product: linux\n",
" service: auditd\n",
" category: null\n",
" detection:\n",
" selection:\n",
" type: execve\n",
" a0: cp\n",
" a1: -i\n",
" a2: /bin/sh\n",
" a3: '*/crond'\n",
" condition: selection\n",
" level: medium\n",
" tags:\n",
" - attack.defense_evasion\n",
" - attack.t1036\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(type:\"execve\" AND a0:\"cp\" AND a1:\"\\-i\" AND a2:\"\\/bin\\/sh\" AND a3.keyword:*\\/crond)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

135
docker/helk-jupyter/notebooks/sigma/lnx_auditd_susp_cmds.ipynb Normal file
View File

@ -0,0 +1,135 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Detects Suspicious Commands on Linux systems\n",
"Detects relevant commands often related to malware or hacking activity"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Detects Suspicious Commands on Linux systems\n",
" id: 1543ae20-cbdf-4ec1-8d12-7664d667a825\n",
" status: experimental\n",
" description: Detects relevant commands often related to malware or hacking activity\n",
" references:\n",
" - Internal Research - mostly derived from exploit code including code in MSF\n",
" date: 2017/12/12\n",
" author: Florian Roth\n",
" logsource:\n",
" product: linux\n",
" service: auditd\n",
" category: null\n",
" detection:\n",
" cmd1:\n",
" type: EXECVE\n",
" a0: chmod\n",
" a1: '777'\n",
" cmd2:\n",
" type: EXECVE\n",
" a0: chmod\n",
" a1: u+s\n",
" cmd3:\n",
" type: EXECVE\n",
" a0: cp\n",
" a1: /bin/ksh\n",
" cmd4:\n",
" type: EXECVE\n",
" a0: cp\n",
" a1: /bin/sh\n",
" condition: 1 of them\n",
" falsepositives:\n",
" - Admin activity\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(type:\"EXECVE\" AND ((a0:\"chmod\" AND a1:\"777\") OR (a0:\"chmod\" AND a1:\"u\\+s\") OR (a0:\"cp\" AND a1:\"\\/bin\\/ksh\") OR (a0:\"cp\" AND a1:\"\\/bin\\/sh\")))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

140
docker/helk-jupyter/notebooks/sigma/lnx_auditd_susp_exe_folders.ipynb Normal file
View File

@ -0,0 +1,140 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Program Executions in Suspicious Folders\n",
"Detects program executions in suspicious non-program folders related to malware or hacking activity"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Program Executions in Suspicious Folders\n",
" id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc\n",
" status: experimental\n",
" description: Detects program executions in suspicious non-program folders related\n",
" to malware or hacking activity\n",
" references:\n",
" - Internal Research\n",
" date: 2018/01/23\n",
" author: Florian Roth\n",
" logsource:\n",
" product: linux\n",
" service: auditd\n",
" category: null\n",
" detection:\n",
" selection:\n",
" type: SYSCALL\n",
" exe:\n",
" - /tmp/*\n",
" - /var/www/*\n",
" - /home/*/public_html/*\n",
" - /usr/local/apache2/*\n",
" - /usr/local/httpd/*\n",
" - /var/apache/*\n",
" - /srv/www/*\n",
" - /home/httpd/html/*\n",
" - /srv/http/*\n",
" - /usr/share/nginx/html/*\n",
" - /var/lib/pgsql/data/*\n",
" - /usr/local/mysql/data/*\n",
" - /var/lib/mysql/*\n",
" - /var/vsftpd/*\n",
" - /etc/bind/*\n",
" - /var/named/*\n",
" condition: selection\n",
" falsepositives:\n",
" - Admin activity (especially in /tmp folders)\n",
" - Crazy web applications\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(type:\"SYSCALL\" AND exe.keyword:(\\/tmp\\/* OR \\/var\\/www\\/* OR \\/home\\/*\\/public_html\\/* OR \\/usr\\/local\\/apache2\\/* OR \\/usr\\/local\\/httpd\\/* OR \\/var\\/apache\\/* OR \\/srv\\/www\\/* OR \\/home\\/httpd\\/html\\/* OR \\/srv\\/http\\/* OR \\/usr\\/share\\/nginx\\/html\\/* OR \\/var\\/lib\\/pgsql\\/data\\/* OR \\/usr\\/local\\/mysql\\/data\\/* OR \\/var\\/lib\\/mysql\\/* OR \\/var\\/vsftpd\\/* OR \\/etc\\/bind\\/* OR \\/var\\/named\\/*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

130
docker/helk-jupyter/notebooks/sigma/lnx_auditd_user_discovery.ipynb Normal file
View File

@ -0,0 +1,130 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# System Owner or User Discovery\n",
"Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: System Owner or User Discovery\n",
" id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3\n",
" status: experimental\n",
" description: Adversaries may use the information from System Owner/User Discovery\n",
" during automated discovery to shape follow-on behaviors, including whether or\n",
" not the adversary fully infects the target and/or attempts specific actions.\n",
" author: Timur Zinniatullin, oscd.community\n",
" date: 2019/10/21\n",
" references:\n",
" - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml\n",
" logsource:\n",
" product: linux\n",
" service: auditd\n",
" category: null\n",
" detection:\n",
" selection:\n",
" type: EXECVE\n",
" a0:\n",
" - users\n",
" - w\n",
" - who\n",
" condition: selection\n",
" falsepositives:\n",
" - Admin activity\n",
" level: low\n",
" tags:\n",
" - attack.discovery\n",
" - attack.t1033\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(type:\"EXECVE\" AND a0:(\"users\" OR \"w\" OR \"who\"))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

128
docker/helk-jupyter/notebooks/sigma/lnx_auditd_web_rce.ipynb Normal file
View File

@ -0,0 +1,128 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Webshell Remote Command Execution\n",
"Detects posible command execution by web application/web shell"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Webshell Remote Command Execution\n",
" id: c0d3734d-330f-4a03-aae2-65dacc6a8222\n",
" status: experimental\n",
" description: Detects posible command execution by web application/web shell\n",
" tags:\n",
" - attack.persistence\n",
" - attack.t1100\n",
" references:\n",
" - personal experience\n",
" author: Ilyas Ochkov, Beyu Denis, oscd.community\n",
" date: 2019/10/12\n",
" modified: 2019/11/04\n",
" logsource:\n",
" product: linux\n",
" service: auditd\n",
" category: null\n",
" detection:\n",
" selection:\n",
" type: SYSCALL\n",
" SYSCALL: execve\n",
" key: detect_execve_www\n",
" condition: selection\n",
" falsepositives:\n",
" - Admin activity\n",
" - Crazy web applications\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(type:\"SYSCALL\" AND SYSCALL:\"execve\" AND key:\"detect_execve_www\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

121
docker/helk-jupyter/notebooks/sigma/lnx_buffer_overflows.ipynb Normal file
View File

@ -0,0 +1,121 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Buffer Overflow Attempts\n",
"Detects buffer overflow attempts in Unix system log files"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Buffer Overflow Attempts\n",
" id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781\n",
" description: Detects buffer overflow attempts in Unix system log files\n",
" references:\n",
" - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml\n",
" logsource:\n",
" product: unix\n",
" service: null\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - attempt to execute code on stack by\n",
" - FTP LOGIN FROM .* 0bin0sh\n",
" - 'rpc.statd[\\d+]: gethostbyname error for'\n",
" - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unkown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*attempt\\ to\\ execute\\ code\\ on\\ stack\\ by* OR *FTP\\ LOGIN\\ FROM\\ .*\\ 0bin0sh* OR *rpc.statd\\[\\\\d\\+\\]\\:\\ gethostbyname\\ error\\ for* OR *AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

122
docker/helk-jupyter/notebooks/sigma/lnx_clamav.ipynb Normal file
View File

@ -0,0 +1,122 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Relevant ClamAV Message\n",
"Detects relevant ClamAV messages"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Relevant ClamAV Message\n",
" id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb\n",
" description: Detects relevant ClamAV messages\n",
" references:\n",
" - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml\n",
" logsource:\n",
" product: linux\n",
" service: clamav\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - Trojan*FOUND\n",
" - VirTool*FOUND\n",
" - Webshell*FOUND\n",
" - Rootkit*FOUND\n",
" - Htran*FOUND\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*Trojan*FOUND* OR *VirTool*FOUND* OR *Webshell*FOUND* OR *Rootkit*FOUND* OR *Htran*FOUND*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

136
docker/helk-jupyter/notebooks/sigma/lnx_data_compressed.ipynb Normal file
View File

@ -0,0 +1,136 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Data Compressed\n",
"An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Data Compressed\n",
" id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee\n",
" status: experimental\n",
" description: An adversary may compress data (e.g., sensitive documents) that is\n",
" collected prior to exfiltration in order to make it portable and minimize the\n",
" amount of data sent over the network\n",
" author: Timur Zinniatullin, oscd.community\n",
" date: 2019/10/21\n",
" modified: 2019/11/04\n",
" references:\n",
" - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\n",
" logsource:\n",
" product: linux\n",
" service: auditd\n",
" category: null\n",
" detection:\n",
" selection1:\n",
" type: execve\n",
" a0: zip\n",
" selection2:\n",
" type: execve\n",
" a0: gzip\n",
" a1: -f\n",
" selection3:\n",
" type: execve\n",
" a0: tar\n",
" a1|contains: -c\n",
" condition: 1 of them\n",
" falsepositives:\n",
" - Legitimate use of archiving tools by legitimate user\n",
" level: low\n",
" tags:\n",
" - attack.exfiltration\n",
" - attack.t1002\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(type:\"execve\" AND (a0:\"zip\" OR (a0:\"gzip\" AND a1:\"\\-f\") OR (a0:\"tar\" AND a1.keyword:*\\-c*)))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

138
docker/helk-jupyter/notebooks/sigma/lnx_network_sniffing.ipynb Normal file
View File

@ -0,0 +1,138 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Network Sniffing\n",
"Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Network Sniffing\n",
" id: f4d3748a-65d1-4806-bd23-e25728081d01\n",
" status: experimental\n",
" description: Network sniffing refers to using the network interface on a system\n",
" to monitor or capture information sent over a wired or wireless connection. An\n",
" adversary may place a network interface into promiscuous mode to passively access\n",
" data in transit over the network, or use span ports to capture a larger amount\n",
" of data.\n",
" author: Timur Zinniatullin, oscd.community\n",
" date: 2019/10/21\n",
" modified: 2019/11/04\n",
" references:\n",
" - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml\n",
" logsource:\n",
" product: linux\n",
" service: auditd\n",
" category: null\n",
" detection:\n",
" selection1:\n",
" type: execve\n",
" a0: tcpdump\n",
" a1: -c\n",
" a3|contains: -i\n",
" selection2:\n",
" type: execve\n",
" a0: tshark\n",
" a1: -c\n",
" a3: -i\n",
" condition: selection1 or selection2\n",
" falsepositives:\n",
" - Legitimate administrator or user uses network sniffing tool for legitimate reason\n",
" level: low\n",
" tags:\n",
" - attack.credential_access\n",
" - attack.discovery\n",
" - attack.t1040\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(type:\"execve\" AND a1:\"\\-c\" AND ((a0:\"tcpdump\" AND a3.keyword:*\\-i*) OR (a0:\"tshark\" AND a3:\"\\-i\")))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

134
docker/helk-jupyter/notebooks/sigma/lnx_shell_clear_cmd_history.ipynb Normal file
View File

@ -0,0 +1,134 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Clear Command History\n",
"Clear command history in linux which is used for defense evasion."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Clear Command History\n",
" id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e\n",
" status: experimental\n",
" description: Clear command history in linux which is used for defense evasion.\n",
" references:\n",
" - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml\n",
" - https://attack.mitre.org/techniques/T1146/\n",
" - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics\n",
" author: Patrick Bareiss\n",
" date: 2019/03/24\n",
" logsource:\n",
" product: linux\n",
" service: null\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - rm *bash_history\n",
" - echo \"\" > *bash_history\n",
" - cat /dev/null > *bash_history\n",
" - ln -sf /dev/null *bash_history\n",
" - truncate -s0 *bash_history\n",
" - export HISTFILESIZE=0\n",
" - history -c\n",
" - history -w\n",
" - shred *bash_history\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
" tags:\n",
" - attack.defense_evasion\n",
" - attack.t1146\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*rm\\ *bash_history* OR *echo\\ \\\"\\\"\\ \\ *bash_history* OR *cat\\ \\/dev\\/null\\ \\ *bash_history* OR *ln\\ \\-sf\\ \\/dev\\/null\\ *bash_history* OR *truncate\\ \\-s0\\ *bash_history* OR *export\\ HISTFILESIZE\\=0* OR *history\\ \\-c* OR *history\\ \\-w* OR *shred\\ *bash_history*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

156
docker/helk-jupyter/notebooks/sigma/lnx_shell_susp_commands.ipynb Normal file
View File

@ -0,0 +1,156 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious Activity in Shell Commands\n",
"Detects suspicious shell commands used in various exploit codes (see references)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious Activity in Shell Commands\n",
" id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695\n",
" description: Detects suspicious shell commands used in various exploit codes (see\n",
" references)\n",
" references:\n",
" - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html\n",
" - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121\n",
" - http://pastebin.com/FtygZ1cg\n",
" - https://artkond.com/2017/03/23/pivoting-guide/\n",
" author: Florian Roth\n",
" date: 2017/08/21\n",
" modified: 2019/02/05\n",
" logsource:\n",
" product: linux\n",
" service: null\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - wget * - http* | perl\n",
" - wget * - http* | sh\n",
" - wget * - http* | bash\n",
" - python -m SimpleHTTPServer\n",
" - -m http.server\n",
" - import pty; pty.spawn*\n",
" - socat exec:*\n",
" - socat -O /tmp/*\n",
" - socat tcp-connect*\n",
" - '*echo binary >>*'\n",
" - '*wget *; chmod +x*'\n",
" - '*wget *; chmod 777 *'\n",
" - '*cd /tmp || cd /var/run || cd /mnt*'\n",
" - '*stop;service iptables stop;*'\n",
" - '*stop;SuSEfirewall2 stop;*'\n",
" - chmod 777 2020*\n",
" - '*>>/etc/rc.local'\n",
" - '*base64 -d /tmp/*'\n",
" - '* | base64 -d *'\n",
" - '*/chmod u+s *'\n",
" - '*chmod +s /tmp/*'\n",
" - '*chmod u+s /tmp/*'\n",
" - '* /tmp/haxhax*'\n",
" - '* /tmp/ns_sploit*'\n",
" - nc -l -p *\n",
" - cp /bin/ksh *\n",
" - cp /bin/sh *\n",
" - '* /tmp/*.b64 *'\n",
" - '*/tmp/ysocereal.jar*'\n",
" - '*/tmp/x *'\n",
" - '*; chmod +x /tmp/*'\n",
" - '*;chmod +x /tmp/*'\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*wget\\ *\\ \\-\\ http*\\ |\\ perl* OR *wget\\ *\\ \\-\\ http*\\ |\\ sh* OR *wget\\ *\\ \\-\\ http*\\ |\\ bash* OR *python\\ \\-m\\ SimpleHTTPServer* OR *\\-m\\ http.server* OR *import\\ pty;\\ pty.spawn* OR *socat\\ exec\\:* OR *socat\\ \\-O\\ \\/tmp\\/* OR *socat\\ tcp\\-connect* OR *echo\\ binary\\ * OR *wget\\ *;\\ chmod\\ \\+x* OR *wget\\ *;\\ chmod\\ 777\\ * OR *cd\\ \\/tmp\\ \\||\\ cd\\ \\/var\\/run\\ \\||\\ cd\\ \\/mnt* OR *stop;service\\ iptables\\ stop;* OR *stop;SuSEfirewall2\\ stop;* OR *chmod\\ 777\\ 2020* OR *\\/etc\\/rc.local* OR *base64\\ \\-d\\ \\/tmp\\/* OR *\\ |\\ base64\\ \\-d\\ * OR *\\/chmod\\ u\\+s\\ * OR *chmod\\ \\+s\\ \\/tmp\\/* OR *chmod\\ u\\+s\\ \\/tmp\\/* OR *\\ \\/tmp\\/haxhax* OR *\\ \\/tmp\\/ns_sploit* OR *nc\\ \\-l\\ \\-p\\ * OR *cp\\ \\/bin\\/ksh\\ * OR *cp\\ \\/bin\\/sh\\ * OR *\\ \\/tmp\\/*.b64\\ * OR *\\/tmp\\/ysocereal.jar* OR *\\/tmp\\/x\\ * OR *;\\ chmod\\ \\+x\\ \\/tmp\\/* OR *;chmod\\ \\+x\\ \\/tmp\\/*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

120
docker/helk-jupyter/notebooks/sigma/lnx_shell_susp_log_entries.ipynb Normal file
View File

@ -0,0 +1,120 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious Log Entries\n",
"Detects suspicious log entries in Linux log files"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious Log Entries\n",
" id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1\n",
" description: Detects suspicious log entries in Linux log files\n",
" author: Florian Roth\n",
" logsource:\n",
" product: linux\n",
" service: null\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - entered promiscuous mode\n",
" - Deactivating service\n",
" - Oversized packet received from\n",
" - imuxsock begins to drop messages\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unknown\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*entered\\ promiscuous\\ mode* OR *Deactivating\\ service* OR *Oversized\\ packet\\ received\\ from* OR *imuxsock\\ begins\\ to\\ drop\\ messages*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

147
docker/helk-jupyter/notebooks/sigma/lnx_shell_susp_rev_shells.ipynb Normal file
View File

@ -0,0 +1,147 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious Reverse Shell Command Line\n",
"Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious Reverse Shell Command Line\n",
" id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab\n",
" status: experimental\n",
" description: Detects suspicious shell commands or program code that may be exected\n",
" or used in command line to establish a reverse shell\n",
" references:\n",
" - https://alamot.github.io/reverse_shells/\n",
" author: Florian Roth\n",
" date: 2019/04/02\n",
" logsource:\n",
" product: linux\n",
" service: null\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - BEGIN {s = \"/inet/tcp/0/\n",
" - bash -i >& /dev/tcp/\n",
" - bash -i >& /dev/udp/\n",
" - sh -i >$ /dev/udp/\n",
" - sh -i >$ /dev/tcp/\n",
" - '&& while read line 0<&5; do'\n",
" - /bin/bash -c exec 5<>/dev/tcp/\n",
" - /bin/bash -c exec 5<>/dev/udp/\n",
" - 'nc -e /bin/sh '\n",
" - /bin/sh | nc\n",
" - 'rm -f backpipe; mknod /tmp/backpipe p && nc '\n",
" - ;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i))))\n",
" - ;STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\n",
" - /bin/sh -i <&3 >&3 2>&3\n",
" - uname -a; w; id; /bin/bash -i\n",
" - $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length);\n",
" $stream.Flush()};\n",
" - ;os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');\n",
" - .to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)\n",
" - ;while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print\n",
" - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:'\n",
" - rm -f /tmp/p; mknod /tmp/p p &&\n",
" - ' | /bin/bash | telnet '\n",
" - ',echo=0,raw tcp-listen:'\n",
" - 'nc -lvvp '\n",
" - xterm -display 1\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*BEGIN\\ \\{s\\ \\=\\ \\\"\\/inet\\/tcp\\/0\\/* OR *bash\\ \\-i\\ &\\ \\/dev\\/tcp\\/* OR *bash\\ \\-i\\ &\\ \\/dev\\/udp\\/* OR *sh\\ \\-i\\ $\\ \\/dev\\/udp\\/* OR *sh\\ \\-i\\ $\\ \\/dev\\/tcp\\/* OR *\\&&\\ while\\ read\\ line\\ 0&5;\\ do* OR *\\/bin\\/bash\\ \\-c\\ exec\\ 5\\/dev\\/tcp\\/* OR *\\/bin\\/bash\\ \\-c\\ exec\\ 5\\/dev\\/udp\\/* OR *nc\\ \\-e\\ \\/bin\\/sh\\ * OR *\\/bin\\/sh\\ |\\ nc* OR *rm\\ \\-f\\ backpipe;\\ mknod\\ \\/tmp\\/backpipe\\ p\\ \\&&\\ nc\\ * OR *;socket\\(S,PF_INET,SOCK_STREAM,getprotobyname\\(\\\"tcp\\\"\\)\\);if\\(connect\\(S,sockaddr_in\\($p,inet_aton\\($i\\)\\)\\)\\)* OR *;STDIN\\-fdopen\\($c,r\\);$\\~\\-fdopen\\($c,w\\);system$_\\ while;* OR *\\/bin\\/sh\\ \\-i\\ &3\\ &3\\ 2&3* OR *uname\\ \\-a;\\ w;\\ id;\\ \\/bin\\/bash\\ \\-i* OR *$sendbyte\\ \\=\\ \\(\\[text.encoding\\]\\:\\:ASCII\\).GetBytes\\($sendback2\\);\\ $stream.Write\\($sendbyte,0,$sendbyte.Length\\);\\ $stream.Flush\\(\\)\\};* OR *;os.dup2\\(s.fileno\\(\\),0\\);os.dup2\\(s.fileno\\(\\),1\\);os.dup2\\(s.fileno\\(\\),2\\);os.putenv\\('HISTFILE','\\/dev\\/null'\\);* OR *.to_i;exec\\ sprintf\\(\\\"\\/bin\\/sh\\ \\-i\\ &%d\\ &%d\\ 2&%d\\\",f,f,f\\)* OR *;while\\(cmd\\=c.gets\\);IO.popen\\(cmd,\\\"r\\\"\\)\\{|io|c.print* OR *socat\\ exec\\:'bash\\ \\-li',pty,stderr,setsid,sigint,sane\\ tcp\\:* OR *rm\\ \\-f\\ \\/tmp\\/p;\\ mknod\\ \\/tmp\\/p\\ p\\ \\&&* OR *\\ |\\ \\/bin\\/bash\\ |\\ telnet\\ * OR *,echo\\=0,raw\\ tcp\\-listen\\:* OR *nc\\ \\-lvvp\\ * OR *xterm\\ \\-display\\ 1*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

118
docker/helk-jupyter/notebooks/sigma/lnx_shellshock.ipynb Normal file
View File

@ -0,0 +1,118 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Shellshock Expression\n",
"Detects shellshock expressions in log files"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Shellshock Expression\n",
" id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e\n",
" description: Detects shellshock expressions in log files\n",
" references:\n",
" - http://rubular.com/r/zxBfjWfFYs\n",
" logsource:\n",
" product: linux\n",
" service: null\n",
" category: null\n",
" detection:\n",
" expression:\n",
" - /\\(\\)\\s*\\t*\\{.*;\\s*\\}\\s*;/\n",
" condition: expression\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\/\\\\\\(\\\\\\)\\\\s*\\\\t*\\\\\\{.*;\\\\s*\\\\\\}\\\\s*;\\/')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

120
docker/helk-jupyter/notebooks/sigma/lnx_ssh_cve_2018_15473.ipynb Normal file
View File

@ -0,0 +1,120 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# SSHD Error Message CVE-2018-15473\n",
"Detects exploitation attempt using public exploit code for CVE-2018-15473"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: SSHD Error Message CVE-2018-15473\n",
" id: 4c9d903d-4939-4094-ade0-3cb748f4d7da\n",
" description: Detects exploitation attempt using public exploit code for CVE-2018-15473\n",
" references:\n",
" - https://github.com/Rhynorater/CVE-2018-15473-Exploit\n",
" author: Florian Roth\n",
" date: 2017/08/24\n",
" logsource:\n",
" product: linux\n",
" service: sshd\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unknown\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='error\\:\\ buffer_get_ret\\:\\ trying\\ to\\ get\\ more\\ bytes\\ 1907\\ than\\ in\\ buffer\\ 308\\ \\[preauth\\]')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

147
docker/helk-jupyter/notebooks/sigma/lnx_sudo_cve_2019_14287.ipynb Normal file
View File

@ -0,0 +1,147 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Sudo Privilege Escalation CVE-2019-14287\n",
"Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: Sudo Privilege Escalation CVE-2019-14287\n",
" id: f74107df-b6c6-4e80-bf00-4170b658162b\n",
" status: experimental\n",
" description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287\n",
" references:\n",
" - https://www.openwall.com/lists/oss-security/2019/10/14/1\n",
" - https://access.redhat.com/security/cve/cve-2019-14287\n",
" - https://twitter.com/matthieugarin/status/1183970598210412546\n",
" author: Florian Roth\n",
" date: 2019/10/15\n",
" modified: 2019/10/20\n",
" tags:\n",
" - attack.privilege_escalation\n",
" - attack.t1068\n",
" - attack.t1169\n",
" logsource:\n",
" product: linux\n",
" service: null\n",
" category: null\n",
" falsepositives:\n",
" - Unlikely\n",
" level: critical\n",
"- detection:\n",
" selection_keywords:\n",
" - '* -u#*'\n",
" condition: selection_keywords\n",
"- detection:\n",
" selection_user:\n",
" USER:\n",
" - '#-*'\n",
" - '#*4294967295'\n",
" condition: selection_user\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='*\\ \\-u#*')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='USER.keyword:(#\\-* OR #*4294967295)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

122
docker/helk-jupyter/notebooks/sigma/lnx_susp_jexboss.ipynb Normal file
View File

@ -0,0 +1,122 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# JexBoss Command Sequence\n",
"Detects suspicious command sequence that JexBoss"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: JexBoss Command Sequence\n",
" id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae\n",
" description: Detects suspicious command sequence that JexBoss\n",
" references:\n",
" - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A\n",
" author: Florian Roth\n",
" date: 2017/08/24\n",
" logsource:\n",
" product: linux\n",
" service: null\n",
" category: null\n",
" detection:\n",
" selection1:\n",
" - bash -c /bin/bash\n",
" selection2:\n",
" - '&/dev/tcp/'\n",
" condition: selection1 and selection2\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*bash\\ \\-c\\ \\/bin\\/bash* AND *&\\/dev\\/tcp\\/*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

124
docker/helk-jupyter/notebooks/sigma/lnx_susp_named.ipynb Normal file
View File

@ -0,0 +1,124 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious Named Error\n",
"Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious Named Error\n",
" id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365\n",
" status: experimental\n",
" description: Detects suspicious DNS error messages that indicate a fatal or suspicious\n",
" error that could be caused by exploiting attempts\n",
" references:\n",
" - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml\n",
" author: Florian Roth\n",
" date: 2018/02/20\n",
" logsource:\n",
" product: linux\n",
" service: syslog\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - '* dropping source port zero packet from *'\n",
" - '* denied AXFR from *'\n",
" - '* exiting (due to fatal error)*'\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*\\ dropping\\ source\\ port\\ zero\\ packet\\ from\\ * OR *\\ denied\\ AXFR\\ from\\ * OR *\\ exiting\\ \\(due\\ to\\ fatal\\ error\\)*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

132
docker/helk-jupyter/notebooks/sigma/lnx_susp_ssh.ipynb Normal file
View File

@ -0,0 +1,132 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious SSHD Error\n",
"Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious SSHD Error\n",
" id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc\n",
" description: Detects suspicious SSH / SSHD error messages that indicate a fatal\n",
" or suspicious error that could be caused by exploiting attempts\n",
" references:\n",
" - https://github.com/openssh/openssh-portable/blob/master/ssherr.c\n",
" - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml\n",
" author: Florian Roth\n",
" date: 2017/06/30\n",
" logsource:\n",
" product: linux\n",
" service: sshd\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - '*unexpected internal error*'\n",
" - '*unknown or unsupported key type*'\n",
" - '*invalid certificate signing key*'\n",
" - '*invalid elliptic curve value*'\n",
" - '*incorrect signature*'\n",
" - '*error in libcrypto*'\n",
" - '*unexpected bytes remain after decoding*'\n",
" - '*fatal: buffer_get_string: bad string*'\n",
" - '*Local: crc32 compensation attack*'\n",
" - '*bad client public DH value*'\n",
" - '*Corrupted MAC on input*'\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unknown\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*unexpected\\ internal\\ error* OR *unknown\\ or\\ unsupported\\ key\\ type* OR *invalid\\ certificate\\ signing\\ key* OR *invalid\\ elliptic\\ curve\\ value* OR *incorrect\\ signature* OR *error\\ in\\ libcrypto* OR *unexpected\\ bytes\\ remain\\ after\\ decoding* OR *fatal\\:\\ buffer_get_string\\:\\ bad\\ string* OR *Local\\:\\ crc32\\ compensation\\ attack* OR *bad\\ client\\ public\\ DH\\ value* OR *Corrupted\\ MAC\\ on\\ input*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

137
docker/helk-jupyter/notebooks/sigma/lnx_susp_vsftp.ipynb Normal file
View File

@ -0,0 +1,137 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious VSFTPD Error Messages\n",
"Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious VSFTPD Error Messages\n",
" id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe\n",
" description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious\n",
" error that could be caused by exploiting attempts\n",
" references:\n",
" - https://github.com/dagwieers/vsftpd/\n",
" author: Florian Roth\n",
" date: 2017/07/05\n",
" logsource:\n",
" product: linux\n",
" service: vsftpd\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - 'Connection refused: too many sessions for this address.'\n",
" - 'Connection refused: tcp_wrappers denial.'\n",
" - Bad HTTP verb.\n",
" - port and pasv both active\n",
" - pasv and port both active\n",
" - Transfer done (but failed to open directory).\n",
" - Could not set file modification time.\n",
" - 'bug: pid active in ptrace_sandbox_free'\n",
" - PTRACE_SETOPTIONS failure\n",
" - 'weird status:'\n",
" - couldn't handle sandbox event\n",
" - syscall * out of bounds\n",
" - 'syscall not permitted:'\n",
" - 'syscall validate failed:'\n",
" - Input line too long.\n",
" - poor buffer accounting in str_netfd_alloc\n",
" - vsf_sysutil_read_loop\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unknown\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*Connection\\ refused\\:\\ too\\ many\\ sessions\\ for\\ this\\ address.* OR *Connection\\ refused\\:\\ tcp_wrappers\\ denial.* OR *Bad\\ HTTP\\ verb.* OR *port\\ and\\ pasv\\ both\\ active* OR *pasv\\ and\\ port\\ both\\ active* OR *Transfer\\ done\\ \\(but\\ failed\\ to\\ open\\ directory\\).* OR *Could\\ not\\ set\\ file\\ modification\\ time.* OR *bug\\:\\ pid\\ active\\ in\\ ptrace_sandbox_free* OR *PTRACE_SETOPTIONS\\ failure* OR *weird\\ status\\:* OR *couldn't\\ handle\\ sandbox\\ event* OR *syscall\\ *\\ out\\ of\\ bounds* OR *syscall\\ not\\ permitted\\:* OR *syscall\\ validate\\ failed\\:* OR *Input\\ line\\ too\\ long.* OR *poor\\ buffer\\ accounting\\ in\\ str_netfd_alloc* OR *vsf_sysutil_read_loop*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

123
docker/helk-jupyter/notebooks/sigma/net_mal_dns_cobaltstrike.ipynb Normal file
View File

@ -0,0 +1,123 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Cobalt Strike DNS Beaconing\n",
"Detects suspicious DNS queries known from Cobalt Strike beacons"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Cobalt Strike DNS Beaconing\n",
" id: 2975af79-28c4-4d2f-a951-9095f229df29\n",
" status: experimental\n",
" description: Detects suspicious DNS queries known from Cobalt Strike beacons\n",
" references:\n",
" - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns\n",
" author: Florian Roth\n",
" date: 2018/05/10\n",
" logsource:\n",
" category: dns\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" query:\n",
" - aaa.stage.*\n",
" - post.1*\n",
" condition: selection\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='query.keyword:(aaa.stage.* OR post.1*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

122
docker/helk-jupyter/notebooks/sigma/net_susp_dns_b64_queries.ipynb Normal file
View File

@ -0,0 +1,122 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious DNS Query with B64 Encoded String\n",
"Detects suspicious DNS queries using base64 encoding"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious DNS Query with B64 Encoded String\n",
" id: 4153a907-2451-4e4f-a578-c52bb6881432\n",
" status: experimental\n",
" description: Detects suspicious DNS queries using base64 encoding\n",
" references:\n",
" - https://github.com/krmaxwell/dns-exfiltration\n",
" author: Florian Roth\n",
" date: 2018/05/10\n",
" logsource:\n",
" category: dns\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" query:\n",
" - '*==.*'\n",
" condition: selection\n",
" falsepositives:\n",
" - Unknown\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='query.keyword:(*\\=\\=.*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

128
docker/helk-jupyter/notebooks/sigma/net_susp_dns_txt_exec_strings.ipynb Normal file
View File

@ -0,0 +1,128 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# DNS TXT Answer with possible execution strings\n",
"Detects strings used in command execution in DNS TXT Answer"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: DNS TXT Answer with possible execution strings\n",
" id: 8ae51330-899c-4641-8125-e39f2e07da72\n",
" status: experimental\n",
" description: Detects strings used in command execution in DNS TXT Answer\n",
" references:\n",
" - https://twitter.com/stvemillertime/status/1024707932447854592\n",
" - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1\n",
" tags:\n",
" - attack.t1071\n",
" author: Markus Neis\n",
" date: 2018/08/08\n",
" logsource:\n",
" category: dns\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" record_type: TXT\n",
" answer:\n",
" - '*IEX*'\n",
" - '*Invoke-Expression*'\n",
" - '*cmd.exe*'\n",
" condition: selection\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(record_type:\"TXT\" AND answer.keyword:(*IEX* OR *Invoke\\-Expression* OR *cmd.exe*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

126
docker/helk-jupyter/notebooks/sigma/net_susp_telegram_api.ipynb Normal file
View File

@ -0,0 +1,126 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Telegram Bot API Request\n",
"Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Telegram Bot API Request\n",
" id: c64c5175-5189-431b-a55e-6d9882158251\n",
" status: experimental\n",
" description: Detects suspicious DNS queries to api.telegram.org used by Telegram\n",
" Bots of any kind\n",
" references:\n",
" - https://core.telegram.org/bots/faq\n",
" - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/\n",
" - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/\n",
" - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/\n",
" author: Florian Roth\n",
" date: 2018/06/05\n",
" logsource:\n",
" category: dns\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" query:\n",
" - api.telegram.org\n",
" condition: selection\n",
" falsepositives:\n",
" - Legitimate use of Telegram bots in the company\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='query:(\"api.telegram.org\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

132
docker/helk-jupyter/notebooks/sigma/powershell_data_compressed.ipynb Normal file
View File

@ -0,0 +1,132 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Data Compressed - Powershell\n",
"An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Data Compressed - Powershell\n",
" id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a\n",
" status: experimental\n",
" description: An adversary may compress data (e.g., sensitive documents) that is\n",
" collected prior to exfiltration in order to make it portable and minimize the\n",
" amount of data sent over the network\n",
" author: Timur Zinniatullin, oscd.community\n",
" date: 2019/10/21\n",
" modified: 2019/11/04\n",
" references:\n",
" - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" description: Script block logging must be enabled\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 4104\n",
" keywords|contains|all:\n",
" - -Recurse\n",
" - '|'\n",
" - Compress-Archive\n",
" condition: selection\n",
" falsepositives:\n",
" - highly likely if archive ops are done via PS\n",
" level: low\n",
" tags:\n",
" - attack.exfiltration\n",
" - attack.t1002\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"4104\" AND keywords.keyword:*\\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\\-Archive*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

129
docker/helk-jupyter/notebooks/sigma/powershell_downgrade_attack.ipynb Normal file
View File

@ -0,0 +1,129 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# PowerShell Downgrade Attack\n",
"Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: PowerShell Downgrade Attack\n",
" id: 6331d09b-4785-4c13-980f-f96661356249\n",
" status: experimental\n",
" description: Detects PowerShell downgrade attack by comparing the host versions\n",
" with the actually used engine version 2.0\n",
" references:\n",
" - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\n",
" tags:\n",
" - attack.defense_evasion\n",
" - attack.execution\n",
" - attack.t1086\n",
" author: Florian Roth (rule), Lee Holmes (idea)\n",
" logsource:\n",
" product: windows\n",
" service: powershell-classic\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 400\n",
" EngineVersion: 2.*\n",
" filter:\n",
" HostVersion: 2.*\n",
" condition: selection and not filter\n",
" falsepositives:\n",
" - Penetration Test\n",
" - Unknown\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='((event_id:\"400\" AND powershell.engine.version.keyword:2.*) AND (NOT (powershell.host.version.keyword:2.*)))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

131
docker/helk-jupyter/notebooks/sigma/powershell_exe_calling_ps.ipynb Normal file
View File

@ -0,0 +1,131 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# PowerShell called from an Executable Version Mismatch\n",
"Detects PowerShell called from an executable by the version mismatch method"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: PowerShell called from an Executable Version Mismatch\n",
" id: c70e019b-1479-4b65-b0cc-cd0c6093a599\n",
" status: experimental\n",
" description: Detects PowerShell called from an executable by the version mismatch\n",
" method\n",
" references:\n",
" - https://adsecurity.org/?p=2921\n",
" tags:\n",
" - attack.defense_evasion\n",
" - attack.execution\n",
" - attack.t1086\n",
" author: Sean Metcalf (source), Florian Roth (rule)\n",
" logsource:\n",
" product: windows\n",
" service: powershell-classic\n",
" category: null\n",
" detection:\n",
" selection1:\n",
" EventID: 400\n",
" EngineVersion:\n",
" - 2.*\n",
" - 4.*\n",
" - 5.*\n",
" HostVersion: 3.*\n",
" condition: selection1\n",
" falsepositives:\n",
" - Penetration Tests\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"400\" AND powershell.engine.version.keyword:(2.* OR 4.* OR 5.*) AND powershell.host.version.keyword:3.*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

223
docker/helk-jupyter/notebooks/sigma/powershell_malicious_commandlets.ipynb Normal file
View File

@ -0,0 +1,223 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Malicious PowerShell Commandlets\n",
"Detects Commandlet names from well-known PowerShell exploitation frameworks"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Malicious PowerShell Commandlets\n",
" id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n",
" status: experimental\n",
" description: Detects Commandlet names from well-known PowerShell exploitation frameworks\n",
" modified: 2019/01/22\n",
" references:\n",
" - https://adsecurity.org/?p=2921\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1086\n",
" author: Sean Metcalf (source), Florian Roth (rule)\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" definition: It is recommended to use the new \"Script Block Logging\" of PowerShell\n",
" v5 https://adsecurity.org/?p=2277\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" Message:\n",
" - '*Invoke-DllInjection*'\n",
" - '*Invoke-Shellcode*'\n",
" - '*Invoke-WmiCommand*'\n",
" - '*Get-GPPPassword*'\n",
" - '*Get-Keystrokes*'\n",
" - '*Get-TimedScreenshot*'\n",
" - '*Get-VaultCredential*'\n",
" - '*Invoke-CredentialInjection*'\n",
" - '*Invoke-Mimikatz*'\n",
" - '*Invoke-NinjaCopy*'\n",
" - '*Invoke-TokenManipulation*'\n",
" - '*Out-Minidump*'\n",
" - '*VolumeShadowCopyTools*'\n",
" - '*Invoke-ReflectivePEInjection*'\n",
" - '*Invoke-UserHunter*'\n",
" - '*Find-GPOLocation*'\n",
" - '*Invoke-ACLScanner*'\n",
" - '*Invoke-DowngradeAccount*'\n",
" - '*Get-ServiceUnquoted*'\n",
" - '*Get-ServiceFilePermission*'\n",
" - '*Get-ServicePermission*'\n",
" - '*Invoke-ServiceAbuse*'\n",
" - '*Install-ServiceBinary*'\n",
" - '*Get-RegAutoLogon*'\n",
" - '*Get-VulnAutoRun*'\n",
" - '*Get-VulnSchTask*'\n",
" - '*Get-UnattendedInstallFile*'\n",
" - '*Get-ApplicationHost*'\n",
" - '*Get-RegAlwaysInstallElevated*'\n",
" - '*Get-Unconstrained*'\n",
" - '*Add-RegBackdoor*'\n",
" - '*Add-ScrnSaveBackdoor*'\n",
" - '*Gupt-Backdoor*'\n",
" - '*Invoke-ADSBackdoor*'\n",
" - '*Enabled-DuplicateToken*'\n",
" - '*Invoke-PsUaCme*'\n",
" - '*Remove-Update*'\n",
" - '*Check-VM*'\n",
" - '*Get-LSASecret*'\n",
" - '*Get-PassHashes*'\n",
" - '*Show-TargetScreen*'\n",
" - '*Port-Scan*'\n",
" - '*Invoke-PoshRatHttp*'\n",
" - '*Invoke-PowerShellTCP*'\n",
" - '*Invoke-PowerShellWMI*'\n",
" - '*Add-Exfiltration*'\n",
" - '*Add-Persistence*'\n",
" - '*Do-Exfiltration*'\n",
" - '*Start-CaptureServer*'\n",
" - '*Get-ChromeDump*'\n",
" - '*Get-ClipboardContents*'\n",
" - '*Get-FoxDump*'\n",
" - '*Get-IndexedItem*'\n",
" - '*Get-Screenshot*'\n",
" - '*Invoke-Inveigh*'\n",
" - '*Invoke-NetRipper*'\n",
" - '*Invoke-EgressCheck*'\n",
" - '*Invoke-PostExfil*'\n",
" - '*Invoke-PSInject*'\n",
" - '*Invoke-RunAs*'\n",
" - '*MailRaider*'\n",
" - '*New-HoneyHash*'\n",
" - '*Set-MacAttribute*'\n",
" - '*Invoke-DCSync*'\n",
" - '*Invoke-PowerDump*'\n",
" - '*Exploit-Jboss*'\n",
" - '*Invoke-ThunderStruck*'\n",
" - '*Invoke-VoiceTroll*'\n",
" - '*Set-Wallpaper*'\n",
" - '*Invoke-InveighRelay*'\n",
" - '*Invoke-PsExec*'\n",
" - '*Invoke-SSHCommand*'\n",
" - '*Get-SecurityPackages*'\n",
" - '*Install-SSP*'\n",
" - '*Invoke-BackdoorLNK*'\n",
" - '*PowerBreach*'\n",
" - '*Get-SiteListPassword*'\n",
" - '*Get-System*'\n",
" - '*Invoke-BypassUAC*'\n",
" - '*Invoke-Tater*'\n",
" - '*Invoke-WScriptBypassUAC*'\n",
" - '*PowerUp*'\n",
" - '*PowerView*'\n",
" - '*Get-RickAstley*'\n",
" - '*Find-Fruit*'\n",
" - '*HTTP-Login*'\n",
" - '*Find-TrustedDocuments*'\n",
" - '*Invoke-Paranoia*'\n",
" - '*Invoke-WinEnum*'\n",
" - '*Invoke-ARPScan*'\n",
" - '*Invoke-PortScan*'\n",
" - '*Invoke-ReverseDNSLookup*'\n",
" - '*Invoke-SMBScanner*'\n",
" - '*Invoke-Mimikittenz*'\n",
" - '*Invoke-AllChecks*'\n",
" false_positives:\n",
" - Get-SystemDriveInfo\n",
" condition: keywords and not false_positives\n",
" falsepositives:\n",
" - Penetration testing\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(Message.keyword:(*Invoke\\-DllInjection* OR *Invoke\\-Shellcode* OR *Invoke\\-WmiCommand* OR *Get\\-GPPPassword* OR *Get\\-Keystrokes* OR *Get\\-TimedScreenshot* OR *Get\\-VaultCredential* OR *Invoke\\-CredentialInjection* OR *Invoke\\-Mimikatz* OR *Invoke\\-NinjaCopy* OR *Invoke\\-TokenManipulation* OR *Out\\-Minidump* OR *VolumeShadowCopyTools* OR *Invoke\\-ReflectivePEInjection* OR *Invoke\\-UserHunter* OR *Find\\-GPOLocation* OR *Invoke\\-ACLScanner* OR *Invoke\\-DowngradeAccount* OR *Get\\-ServiceUnquoted* OR *Get\\-ServiceFilePermission* OR *Get\\-ServicePermission* OR *Invoke\\-ServiceAbuse* OR *Install\\-ServiceBinary* OR *Get\\-RegAutoLogon* OR *Get\\-VulnAutoRun* OR *Get\\-VulnSchTask* OR *Get\\-UnattendedInstallFile* OR *Get\\-ApplicationHost* OR *Get\\-RegAlwaysInstallElevated* OR *Get\\-Unconstrained* OR *Add\\-RegBackdoor* OR *Add\\-ScrnSaveBackdoor* OR *Gupt\\-Backdoor* OR *Invoke\\-ADSBackdoor* OR *Enabled\\-DuplicateToken* OR *Invoke\\-PsUaCme* OR *Remove\\-Update* OR *Check\\-VM* OR *Get\\-LSASecret* OR *Get\\-PassHashes* OR *Show\\-TargetScreen* OR *Port\\-Scan* OR *Invoke\\-PoshRatHttp* OR *Invoke\\-PowerShellTCP* OR *Invoke\\-PowerShellWMI* OR *Add\\-Exfiltration* OR *Add\\-Persistence* OR *Do\\-Exfiltration* OR *Start\\-CaptureServer* OR *Get\\-ChromeDump* OR *Get\\-ClipboardContents* OR *Get\\-FoxDump* OR *Get\\-IndexedItem* OR *Get\\-Screenshot* OR *Invoke\\-Inveigh* OR *Invoke\\-NetRipper* OR *Invoke\\-EgressCheck* OR *Invoke\\-PostExfil* OR *Invoke\\-PSInject* OR *Invoke\\-RunAs* OR *MailRaider* OR *New\\-HoneyHash* OR *Set\\-MacAttribute* OR *Invoke\\-DCSync* OR *Invoke\\-PowerDump* OR *Exploit\\-Jboss* OR *Invoke\\-ThunderStruck* OR *Invoke\\-VoiceTroll* OR *Set\\-Wallpaper* OR *Invoke\\-InveighRelay* OR *Invoke\\-PsExec* OR *Invoke\\-SSHCommand* OR *Get\\-SecurityPackages* OR *Install\\-SSP* OR *Invoke\\-BackdoorLNK* OR *PowerBreach* OR *Get\\-SiteListPassword* OR *Get\\-System* OR *Invoke\\-BypassUAC* OR *Invoke\\-Tater* OR *Invoke\\-WScriptBypassUAC* OR *PowerUp* OR *PowerView* OR *Get\\-RickAstley* OR *Find\\-Fruit* OR *HTTP\\-Login* OR *Find\\-TrustedDocuments* OR *Invoke\\-Paranoia* OR *Invoke\\-WinEnum* OR *Invoke\\-ARPScan* OR *Invoke\\-PortScan* OR *Invoke\\-ReverseDNSLookup* OR *Invoke\\-SMBScanner* OR *Invoke\\-Mimikittenz* OR *Invoke\\-AllChecks*) AND (NOT \\*.keyword:(*Get\\-SystemDriveInfo*)))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

146
docker/helk-jupyter/notebooks/sigma/powershell_malicious_keywords.ipynb Normal file
View File

@ -0,0 +1,146 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Malicious PowerShell Keywords\n",
"Detects keywords from well-known PowerShell exploitation frameworks"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Malicious PowerShell Keywords\n",
" id: f62176f3-8128-4faa-bf6c-83261322e5eb\n",
" status: experimental\n",
" description: Detects keywords from well-known PowerShell exploitation frameworks\n",
" modified: 2019/01/22\n",
" references:\n",
" - https://adsecurity.org/?p=2921\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1086\n",
" author: Sean Metcalf (source), Florian Roth (rule)\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" definition: It is recommended to use the new \"Script Block Logging\" of PowerShell\n",
" v5 https://adsecurity.org/?p=2277\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" Message:\n",
" - '*AdjustTokenPrivileges*'\n",
" - '*IMAGE_NT_OPTIONAL_HDR64_MAGIC*'\n",
" - '*Microsoft.Win32.UnsafeNativeMethods*'\n",
" - '*ReadProcessMemory.Invoke*'\n",
" - '*SE_PRIVILEGE_ENABLED*'\n",
" - '*LSA_UNICODE_STRING*'\n",
" - '*MiniDumpWriteDump*'\n",
" - '*PAGE_EXECUTE_READ*'\n",
" - '*SECURITY_DELEGATION*'\n",
" - '*TOKEN_ADJUST_PRIVILEGES*'\n",
" - '*TOKEN_ALL_ACCESS*'\n",
" - '*TOKEN_ASSIGN_PRIMARY*'\n",
" - '*TOKEN_DUPLICATE*'\n",
" - '*TOKEN_ELEVATION*'\n",
" - '*TOKEN_IMPERSONATE*'\n",
" - '*TOKEN_INFORMATION_CLASS*'\n",
" - '*TOKEN_PRIVILEGES*'\n",
" - '*TOKEN_QUERY*'\n",
" - '*Metasploit*'\n",
" - '*Mimikatz*'\n",
" condition: keywords\n",
" falsepositives:\n",
" - Penetration tests\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='Message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

128
docker/helk-jupyter/notebooks/sigma/powershell_ntfs_ads_access.ipynb Normal file
View File

@ -0,0 +1,128 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# NTFS Alternate Data Stream\n",
"Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: NTFS Alternate Data Stream\n",
" id: 8c521530-5169-495d-a199-0a3a881ad24e\n",
" status: experimental\n",
" description: Detects writing data into NTFS alternate data streams from powershell.\n",
" Needs Script Block Logging.\n",
" references:\n",
" - http://www.powertheshell.com/ntfsstreams/\n",
" tags:\n",
" - attack.defense_evasion\n",
" - attack.t1096\n",
" author: Sami Ruohonen\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" definition: It is recommended to use the new \"Script Block Logging\" of PowerShell\n",
" v5 https://adsecurity.org/?p=2277\n",
" category: null\n",
" detection:\n",
" keyword1:\n",
" - set-content\n",
" keyword2:\n",
" - -stream\n",
" condition: keyword1 and keyword2\n",
" falsepositives:\n",
" - unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*set\\-content* AND *\\-stream*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

129
docker/helk-jupyter/notebooks/sigma/powershell_prompt_credentials.ipynb Normal file
View File

@ -0,0 +1,129 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# PowerShell Credential Prompt\n",
"Detects PowerShell calling a credential prompt"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: PowerShell Credential Prompt\n",
" id: ca8b77a9-d499-4095-b793-5d5f330d450e\n",
" status: experimental\n",
" description: Detects PowerShell calling a credential prompt\n",
" references:\n",
" - https://twitter.com/JohnLaTwC/status/850381440629981184\n",
" - https://t.co/ezOTGy1a1G\n",
" tags:\n",
" - attack.execution\n",
" - attack.credential_access\n",
" - attack.t1086\n",
" author: John Lambert (idea), Florian Roth (rule)\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" definition: Script block logging must be enabled\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 4104\n",
" keyword:\n",
" Message:\n",
" - '*PromptForCredential*'\n",
" condition: all of them\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"4104\" AND Message.keyword:(*PromptForCredential*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

127
docker/helk-jupyter/notebooks/sigma/powershell_psattack.ipynb Normal file
View File

@ -0,0 +1,127 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# PowerShell PSAttack\n",
"Detects the use of PSAttack PowerShell hack tool"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: PowerShell PSAttack\n",
" id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5\n",
" status: experimental\n",
" description: Detects the use of PSAttack PowerShell hack tool\n",
" references:\n",
" - https://adsecurity.org/?p=2921\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1086\n",
" author: Sean Metcalf (source), Florian Roth (rule)\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" definition: It is recommended to use the new \"Script Block Logging\" of PowerShell\n",
" v5 https://adsecurity.org/?p=2277\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 4103\n",
" keyword:\n",
" - PS ATTACK!!!\n",
" condition: all of them\n",
" falsepositives:\n",
" - Pentesters\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"4103\" AND \"PS\\ ATTACK\\!\\!\\!\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

132
docker/helk-jupyter/notebooks/sigma/powershell_shellcode_b64.ipynb Normal file
View File

@ -0,0 +1,132 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# PowerShell ShellCode\n",
"Detects Base64 encoded Shellcode"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: PowerShell ShellCode\n",
" id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd\n",
" status: experimental\n",
" description: Detects Base64 encoded Shellcode\n",
" references:\n",
" - https://twitter.com/cyb3rops/status/1063072865992523776\n",
" tags:\n",
" - attack.privilege_escalation\n",
" - attack.execution\n",
" - attack.t1055\n",
" - attack.t1086\n",
" author: David Ledbetter (shellcode), Florian Roth (rule)\n",
" date: 2018/11/17\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" description: Script block logging must be enabled\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 4104\n",
" keyword1:\n",
" - '*AAAAYInlM*'\n",
" keyword2:\n",
" - '*OiCAAAAYInlM*'\n",
" - '*OiJAAAAYInlM*'\n",
" condition: selection and keyword1 and keyword2\n",
" falsepositives:\n",
" - Unknown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='((event_id:\"4104\" AND \"*AAAAYInlM*\") AND \\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

123
docker/helk-jupyter/notebooks/sigma/powershell_suspicious_download.ipynb Normal file
View File

@ -0,0 +1,123 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious PowerShell Download\n",
"Detects suspicious PowerShell download command"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious PowerShell Download\n",
" id: 65531a81-a694-4e31-ae04-f8ba5bc33759\n",
" status: experimental\n",
" description: Detects suspicious PowerShell download command\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1086\n",
" author: Florian Roth\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" Message:\n",
" - '*System.Net.WebClient).DownloadString(*'\n",
" - '*system.net.webclient).downloadfile(*'\n",
" condition: keywords\n",
" falsepositives:\n",
" - PowerShell scripts that download content from the Internet\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='Message.keyword:(*System.Net.WebClient\\).DownloadString\\(* OR *system.net.webclient\\).downloadfile\\(*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

130
docker/helk-jupyter/notebooks/sigma/powershell_suspicious_invocation_generic.ipynb Normal file
View File

@ -0,0 +1,130 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious PowerShell Invocations - Generic\n",
"Detects suspicious PowerShell invocation command parameters"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious PowerShell Invocations - Generic\n",
" id: 3d304fda-78aa-43ed-975c-d740798a49c1\n",
" status: experimental\n",
" description: Detects suspicious PowerShell invocation command parameters\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1086\n",
" author: Florian Roth (rule)\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" category: null\n",
" detection:\n",
" encoded:\n",
" - ' -enc '\n",
" - ' -EncodedCommand '\n",
" hidden:\n",
" - ' -w hidden '\n",
" - ' -window hidden '\n",
" - ' - windowstyle hidden '\n",
" noninteractive:\n",
" - ' -noni '\n",
" - ' -noninteractive '\n",
" condition: all of them\n",
" falsepositives:\n",
" - Penetration tests\n",
" - Very special / sneaky PowerShell scripts\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(\\*.keyword:(*\\ \\-enc\\ * OR *\\ \\-EncodedCommand\\ *) AND \\*.keyword:(*\\ \\-w\\ hidden\\ * OR *\\ \\-window\\ hidden\\ * OR *\\ \\-\\ windowstyle\\ hidden\\ *) AND \\*.keyword:(*\\ \\-noni\\ * OR *\\ \\-noninteractive\\ *))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

127
docker/helk-jupyter/notebooks/sigma/powershell_suspicious_invocation_specific.ipynb Normal file
View File

@ -0,0 +1,127 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious PowerShell Invocations - Specific\n",
"Detects suspicious PowerShell invocation command parameters"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious PowerShell Invocations - Specific\n",
" id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c\n",
" status: experimental\n",
" description: Detects suspicious PowerShell invocation command parameters\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1086\n",
" author: Florian Roth (rule)\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" Message:\n",
" - '* -nop -w hidden -c * [Convert]::FromBase64String*'\n",
" - '* -w hidden -noni -nop -c \"iex(New-Object*'\n",
" - '* -w hidden -ep bypass -Enc*'\n",
" - '*powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run*'\n",
" - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'\n",
" - '*iex(New-Object Net.WebClient).Download*'\n",
" condition: keywords\n",
" falsepositives:\n",
" - Penetration tests\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='Message.keyword:(*\\ \\-nop\\ \\-w\\ hidden\\ \\-c\\ *\\ \\[Convert\\]\\:\\:FromBase64String* OR *\\ \\-w\\ hidden\\ \\-noni\\ \\-nop\\ \\-c\\ \\\"iex\\(New\\-Object* OR *\\ \\-w\\ hidden\\ \\-ep\\ bypass\\ \\-Enc* OR *powershell.exe\\ reg\\ add\\ HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run* OR *bypass\\ \\-noprofile\\ \\-windowstyle\\ hidden\\ \\(new\\-object\\ system.net.webclient\\).download* OR *iex\\(New\\-Object\\ Net.WebClient\\).Download*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

128
docker/helk-jupyter/notebooks/sigma/powershell_suspicious_keywords.ipynb Normal file
View File

@ -0,0 +1,128 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious PowerShell Keywords\n",
"Detects keywords that could indicate the use of some PowerShell exploitation framework"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious PowerShell Keywords\n",
" id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf\n",
" status: experimental\n",
" description: Detects keywords that could indicate the use of some PowerShell exploitation\n",
" framework\n",
" date: 2019/02/11\n",
" author: Florian Roth\n",
" references:\n",
" - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1086\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" definition: It is recommended to use the new \"Script Block Logging\" of PowerShell\n",
" v5 https://adsecurity.org/?p=2277\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" Message:\n",
" - '*[System.Reflection.Assembly]::Load*'\n",
" condition: keywords\n",
" falsepositives:\n",
" - Penetration tests\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='Message.keyword:(*\\[System.Reflection.Assembly\\]\\:\\:Load*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

137
docker/helk-jupyter/notebooks/sigma/powershell_winlogon_helper_dll.ipynb Normal file
View File

@ -0,0 +1,137 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Winlogon Helper DLL\n",
"Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Winlogon Helper DLL\n",
" id: 851c506b-6b7c-4ce2-8802-c703009d03c0\n",
" status: experimental\n",
" description: Winlogon.exe is a Windows component responsible for actions at logon/logoff\n",
" as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry\n",
" entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\n",
" and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage\n",
" additional helper programs and functionalities that support Winlogon. Malicious\n",
" modifications to these Registry keys may cause Winlogon to load and execute malicious\n",
" DLLs and/or executables.\n",
" author: Timur Zinniatullin, oscd.community\n",
" date: 2019/10/21\n",
" modified: 2019/11/04\n",
" references:\n",
" - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" description: Script block logging must be enabled\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 4104\n",
" keyword1:\n",
" - '*Set-ItemProperty*'\n",
" - '*New-Item*'\n",
" keyword2:\n",
" - '*CurrentVersion\\Winlogon*'\n",
" condition: selection and ( keyword1 and keyword2 )\n",
" falsepositives:\n",
" - Unknown\n",
" level: medium\n",
" tags:\n",
" - attack.persistence\n",
" - attack.t1004\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"4104\" AND \\*.keyword:(*Set\\-ItemProperty* OR *New\\-Item*) AND \"*CurrentVersion\\\\Winlogon*\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

125
docker/helk-jupyter/notebooks/sigma/proxy_apt40.ipynb Normal file
View File

@ -0,0 +1,125 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# APT40 Dropbox Tool User Agent\n",
"Detects suspicious user agent string of APT40 Dropbox tool"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: APT40 Dropbox Tool User Agent\n",
" id: 5ba715b6-71b7-44fd-8245-f66893e81b3d\n",
" status: experimental\n",
" description: Detects suspicious user agent string of APT40 Dropbox tool\n",
" references:\n",
" - Internal research from Florian Roth\n",
" author: Thomas Patzke\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-useragent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,\n",
" like Gecko) Chrome/36.0.1985.143 Safari/537.36\n",
" r-dns: api.dropbox.com\n",
" condition: selection\n",
" fields:\n",
" - c-ip\n",
" - c-uri\n",
" falsepositives:\n",
" - Old browsers\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(c-useragent:\"Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.1;\\ WOW64\\)\\ AppleWebKit\\/537.36\\ \\(KHTML,\\ like\\ Gecko\\)\\ Chrome\\/36.0.1985.143\\ Safari\\/537.36\" AND r-dns:\"api.dropbox.com\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

125
docker/helk-jupyter/notebooks/sigma/proxy_chafer_malware.ipynb Normal file
View File

@ -0,0 +1,125 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Chafer Malware URL Pattern\n",
"Detects HTTP requests used by Chafer malware"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Chafer Malware URL Pattern\n",
" id: fb502828-2db0-438e-93e6-801c7548686d\n",
" status: experimental\n",
" description: Detects HTTP requests used by Chafer malware\n",
" references:\n",
" - https://securelist.com/chafer-used-remexi-malware/89538/\n",
" author: Florian Roth\n",
" date: 2019/01/31\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-uri: '*/asp.asp?ui=*'\n",
" condition: selection\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" falsepositives:\n",
" - Unknown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='c-uri.keyword:*\\/asp.asp?ui\\=*')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

134
docker/helk-jupyter/notebooks/sigma/proxy_cobalt_amazon.ipynb Normal file
View File

@ -0,0 +1,134 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# CobaltStrike Malleable Amazon browsing traffic profile\n",
"Detects Malleable Amazon Profile"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: CobaltStrike Malleable Amazon browsing traffic profile\n",
" id: 953b895e-5cc9-454b-b183-7f3db555452e\n",
" status: experimental\n",
" description: Detects Malleable Amazon Profile\n",
" references:\n",
" - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile\n",
" - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100\n",
" author: Markus Neis\n",
" tags:\n",
" - attack.t1102\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection1:\n",
" c-useragent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like\n",
" Gecko\n",
" cs-method: GET\n",
" c-uri: /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books\n",
" cs-host: www.amazon.com\n",
" cs-cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'\n",
" selection2:\n",
" c-useragent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like\n",
" Gecko\n",
" cs-method: POST\n",
" c-uri: /N4215/adj/amzn.us.sr.aps\n",
" cs-host: www.amazon.com\n",
" condition: selection1 or selection2\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(c-useragent:\"Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.1;\\ WOW64;\\ Trident\\/7.0;\\ rv\\:11.0\\)\\ like\\ Gecko\" AND cs-host:\"www.amazon.com\" AND ((cs-method:\"GET\" AND c-uri:\"\\/s\\/ref\\=nb_sb_noss_1\\/167\\-3294888\\-0262949\\/field\\-keywords\\=books\" AND cs-cookie.keyword:*\\=csm\\-hit\\=s\\-24KU11BB82RZSYGJ3BDK|1419899012996) OR (cs-method:\"POST\" AND c-uri:\"\\/N4215\\/adj\\/amzn.us.sr.aps\")))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

123
docker/helk-jupyter/notebooks/sigma/proxy_cobalt_ocsp.ipynb Normal file
View File

@ -0,0 +1,123 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# CobaltStrike Malleable (OCSP) Profile\n",
"Detects Malleable (OCSP) Profile with Typo (OSCP) in URL"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: CobaltStrike Malleable (OCSP) Profile\n",
" id: 37325383-740a-403d-b1a2-b2b4ab7992e7\n",
" status: experimental\n",
" description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL\n",
" references:\n",
" - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile\n",
" author: Markus Neis\n",
" tags:\n",
" - attack.t1102\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-uri: '*/oscp/*'\n",
" cs-host: ocsp.verisign.com\n",
" condition: selection\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(c-uri.keyword:*\\/oscp\\/* AND cs-host:\"ocsp.verisign.com\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

126
docker/helk-jupyter/notebooks/sigma/proxy_cobalt_onedrive.ipynb Normal file
View File

@ -0,0 +1,126 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# CobaltStrike Malleable OneDrive browsing traffic profile\n",
"Detects Malleable OneDrive Profile"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: CobaltStrike Malleable OneDrive browsing traffic profile\n",
" id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc\n",
" status: experimental\n",
" description: Detects Malleable OneDrive Profile\n",
" references:\n",
" - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile\n",
" author: Markus Neis\n",
" tags:\n",
" - attack.t1102\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" cs-method: GET\n",
" c-uri: '*?manifest=wac'\n",
" cs-host: onedrive.live.com\n",
" filter:\n",
" c-uri: http*://onedrive.live.com/*\n",
" condition: selection and not filter\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='((cs-method:\"GET\" AND c-uri.keyword:*?manifest\\=wac AND cs-host:\"onedrive.live.com\") AND (NOT (c-uri.keyword:http*\\:\\/\\/onedrive.live.com\\/*)))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

213
docker/helk-jupyter/notebooks/sigma/proxy_download_susp_dyndns.ipynb Normal file
View File

@ -0,0 +1,213 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Download from Suspicious Dyndns Hosts\n",
"Detects download of certain file types from hosts with dynamic DNS names (selected list)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Download from Suspicious Dyndns Hosts\n",
" id: 195c1119-ef07-4909-bb12-e66f5e07bf3c\n",
" status: experimental\n",
" description: Detects download of certain file types from hosts with dynamic DNS\n",
" names (selected list)\n",
" references:\n",
" - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats\n",
" author: Florian Roth\n",
" date: 2017/11/08\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-uri-extension:\n",
" - exe\n",
" - vbs\n",
" - bat\n",
" - rar\n",
" - ps1\n",
" - doc\n",
" - docm\n",
" - xls\n",
" - xlsm\n",
" - pptm\n",
" - rtf\n",
" - hta\n",
" - dll\n",
" - ws\n",
" - wsf\n",
" - sct\n",
" - zip\n",
" r-dns:\n",
" - '*.hopto.org'\n",
" - '*.no-ip.org'\n",
" - '*.no-ip.info'\n",
" - '*.no-ip.biz'\n",
" - '*.no-ip.com'\n",
" - '*.noip.com'\n",
" - '*.ddns.name'\n",
" - '*.myftp.org'\n",
" - '*.myftp.biz'\n",
" - '*.serveblog.net'\n",
" - '*.servebeer.com'\n",
" - '*.servemp3.com'\n",
" - '*.serveftp.com'\n",
" - '*.servequake.com'\n",
" - '*.servehalflife.com'\n",
" - '*.servehttp.com'\n",
" - '*.servegame.com'\n",
" - '*.servepics.com'\n",
" - '*.myvnc.com'\n",
" - '*.ignorelist.com'\n",
" - '*.jkub.com'\n",
" - '*.dlinkddns.com'\n",
" - '*.jumpingcrab.com'\n",
" - '*.ddns.info'\n",
" - '*.mooo.com'\n",
" - '*.dns-dns.com'\n",
" - '*.strangled.net'\n",
" - '*.adultdns.net'\n",
" - '*.craftx.biz'\n",
" - '*.ddns01.com'\n",
" - '*.dns53.biz'\n",
" - '*.dnsapi.info'\n",
" - '*.dnsd.info'\n",
" - '*.dnsdynamic.com'\n",
" - '*.dnsdynamic.net'\n",
" - '*.dnsget.org'\n",
" - '*.fe100.net'\n",
" - '*.flashserv.net'\n",
" - '*.ftp21.net'\n",
" - '*.http01.com'\n",
" - '*.http80.info'\n",
" - '*.https443.com'\n",
" - '*.imap01.com'\n",
" - '*.kadm5.com'\n",
" - '*.mysq1.net'\n",
" - '*.ns360.info'\n",
" - '*.ntdll.net'\n",
" - '*.ole32.com'\n",
" - '*.proxy8080.com'\n",
" - '*.sql01.com'\n",
" - '*.ssh01.com'\n",
" - '*.ssh22.net'\n",
" - '*.tempors.com'\n",
" - '*.tftpd.net'\n",
" - '*.ttl60.com'\n",
" - '*.ttl60.org'\n",
" - '*.user32.com'\n",
" - '*.voip01.com'\n",
" - '*.wow64.net'\n",
" - '*.x64.me'\n",
" - '*.xns01.com'\n",
" - '*.dyndns.org'\n",
" - '*.dyndns.info'\n",
" - '*.dyndns.tv'\n",
" - '*.dyndns-at-home.com'\n",
" - '*.dnsomatic.com'\n",
" - '*.zapto.org'\n",
" - '*.webhop.net'\n",
" - '*.25u.com'\n",
" - '*.slyip.net'\n",
" condition: selection\n",
" fields:\n",
" - cs-ip\n",
" - c-uri\n",
" falsepositives:\n",
" - Software downloads\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(c-uri-extension:(\"exe\" OR \"vbs\" OR \"bat\" OR \"rar\" OR \"ps1\" OR \"doc\" OR \"docm\" OR \"xls\" OR \"xlsm\" OR \"pptm\" OR \"rtf\" OR \"hta\" OR \"dll\" OR \"ws\" OR \"wsf\" OR \"sct\" OR \"zip\") AND r-dns.keyword:(*.hopto.org OR *.no\\-ip.org OR *.no\\-ip.info OR *.no\\-ip.biz OR *.no\\-ip.com OR *.noip.com OR *.ddns.name OR *.myftp.org OR *.myftp.biz OR *.serveblog.net OR *.servebeer.com OR *.servemp3.com OR *.serveftp.com OR *.servequake.com OR *.servehalflife.com OR *.servehttp.com OR *.servegame.com OR *.servepics.com OR *.myvnc.com OR *.ignorelist.com OR *.jkub.com OR *.dlinkddns.com OR *.jumpingcrab.com OR *.ddns.info OR *.mooo.com OR *.dns\\-dns.com OR *.strangled.net OR *.adultdns.net OR *.craftx.biz OR *.ddns01.com OR *.dns53.biz OR *.dnsapi.info OR *.dnsd.info OR *.dnsdynamic.com OR *.dnsdynamic.net OR *.dnsget.org OR *.fe100.net OR *.flashserv.net OR *.ftp21.net OR *.http01.com OR *.http80.info OR *.https443.com OR *.imap01.com OR *.kadm5.com OR *.mysq1.net OR *.ns360.info OR *.ntdll.net OR *.ole32.com OR *.proxy8080.com OR *.sql01.com OR *.ssh01.com OR *.ssh22.net OR *.tempors.com OR *.tftpd.net OR *.ttl60.com OR *.ttl60.org OR *.user32.com OR *.voip01.com OR *.wow64.net OR *.x64.me OR *.xns01.com OR *.dyndns.org OR *.dyndns.info OR *.dyndns.tv OR *.dyndns\\-at\\-home.com OR *.dnsomatic.com OR *.zapto.org OR *.webhop.net OR *.25u.com OR *.slyip.net))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

206
docker/helk-jupyter/notebooks/sigma/proxy_download_susp_tlds_blacklist.ipynb Normal file
View File

@ -0,0 +1,206 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Download from Suspicious TLD\n",
"Detects download of certain file types from hosts in suspicious TLDs"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Download from Suspicious TLD\n",
" id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19\n",
" status: experimental\n",
" description: Detects download of certain file types from hosts in suspicious TLDs\n",
" references:\n",
" - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap\n",
" - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf\n",
" - https://www.spamhaus.org/statistics/tlds/\n",
" - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/\n",
" author: Florian Roth\n",
" date: 2018/06/13\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-uri-extension:\n",
" - exe\n",
" - vbs\n",
" - bat\n",
" - rar\n",
" - ps1\n",
" - doc\n",
" - docm\n",
" - xls\n",
" - xlsm\n",
" - pptm\n",
" - rtf\n",
" - hta\n",
" - dll\n",
" - ws\n",
" - wsf\n",
" - sct\n",
" - zip\n",
" r-dns:\n",
" - '*.country'\n",
" - '*.stream'\n",
" - '*.gdn'\n",
" - '*.mom'\n",
" - '*.xin'\n",
" - '*.kim'\n",
" - '*.men'\n",
" - '*.loan'\n",
" - '*.download'\n",
" - '*.racing'\n",
" - '*.online'\n",
" - '*.science'\n",
" - '*.ren'\n",
" - '*.gb'\n",
" - '*.win'\n",
" - '*.top'\n",
" - '*.review'\n",
" - '*.vip'\n",
" - '*.party'\n",
" - '*.tech'\n",
" - '*.xyz'\n",
" - '*.date'\n",
" - '*.faith'\n",
" - '*.zip'\n",
" - '*.cricket'\n",
" - '*.space'\n",
" - '*.info'\n",
" - '*.vn'\n",
" - '*.cm'\n",
" - '*.am'\n",
" - '*.cc'\n",
" - '*.asia'\n",
" - '*.ws'\n",
" - '*.tk'\n",
" - '*.biz'\n",
" - '*.su'\n",
" - '*.st'\n",
" - '*.ro'\n",
" - '*.ge'\n",
" - '*.ms'\n",
" - '*.pk'\n",
" - '*.nu'\n",
" - '*.me'\n",
" - '*.ph'\n",
" - '*.to'\n",
" - '*.tt'\n",
" - '*.name'\n",
" - '*.tv'\n",
" - '*.kz'\n",
" - '*.tc'\n",
" - '*.mobi'\n",
" - '*.study'\n",
" - '*.click'\n",
" - '*.link'\n",
" - '*.trade'\n",
" - '*.accountant'\n",
" - '*.cf'\n",
" - '*.gq'\n",
" - '*.ml'\n",
" - '*.ga'\n",
" - '*.pw'\n",
" condition: selection\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" falsepositives:\n",
" - All kinds of software downloads\n",
" level: low\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(c-uri-extension:(\"exe\" OR \"vbs\" OR \"bat\" OR \"rar\" OR \"ps1\" OR \"doc\" OR \"docm\" OR \"xls\" OR \"xlsm\" OR \"pptm\" OR \"rtf\" OR \"hta\" OR \"dll\" OR \"ws\" OR \"wsf\" OR \"sct\" OR \"zip\") AND r-dns.keyword:(*.country OR *.stream OR *.gdn OR *.mom OR *.xin OR *.kim OR *.men OR *.loan OR *.download OR *.racing OR *.online OR *.science OR *.ren OR *.gb OR *.win OR *.top OR *.review OR *.vip OR *.party OR *.tech OR *.xyz OR *.date OR *.faith OR *.zip OR *.cricket OR *.space OR *.info OR *.vn OR *.cm OR *.am OR *.cc OR *.asia OR *.ws OR *.tk OR *.biz OR *.su OR *.st OR *.ro OR *.ge OR *.ms OR *.pk OR *.nu OR *.me OR *.ph OR *.to OR *.tt OR *.name OR *.tv OR *.kz OR *.tc OR *.mobi OR *.study OR *.click OR *.link OR *.trade OR *.accountant OR *.cf OR *.gq OR *.ml OR *.ga OR *.pw))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

158
docker/helk-jupyter/notebooks/sigma/proxy_download_susp_tlds_whitelist.ipynb Normal file
View File

@ -0,0 +1,158 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Download EXE from Suspicious TLD\n",
"Detects executable downloads from suspicious remote systems"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Download EXE from Suspicious TLD\n",
" id: b5de2919-b74a-4805-91a7-5049accbaefe\n",
" status: experimental\n",
" description: Detects executable downloads from suspicious remote systems\n",
" author: Florian Roth\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-uri-extension:\n",
" - exe\n",
" - vbs\n",
" - bat\n",
" - rar\n",
" - ps1\n",
" - doc\n",
" - docm\n",
" - xls\n",
" - xlsm\n",
" - pptm\n",
" - rtf\n",
" - hta\n",
" - dll\n",
" - ws\n",
" - wsf\n",
" - sct\n",
" - zip\n",
" filter:\n",
" r-dns:\n",
" - '*.com'\n",
" - '*.org'\n",
" - '*.net'\n",
" - '*.edu'\n",
" - '*.gov'\n",
" - '*.uk'\n",
" - '*.ca'\n",
" - '*.de'\n",
" - '*.jp'\n",
" - '*.fr'\n",
" - '*.au'\n",
" - '*.us'\n",
" - '*.ch'\n",
" - '*.it'\n",
" - '*.nl'\n",
" - '*.se'\n",
" - '*.no'\n",
" - '*.es'\n",
" condition: selection and not filter\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" falsepositives:\n",
" - All kind of software downloads\n",
" level: low\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(c-uri-extension:(\"exe\" OR \"vbs\" OR \"bat\" OR \"rar\" OR \"ps1\" OR \"doc\" OR \"docm\" OR \"xls\" OR \"xlsm\" OR \"pptm\" OR \"rtf\" OR \"hta\" OR \"dll\" OR \"ws\" OR \"wsf\" OR \"sct\" OR \"zip\") AND (NOT (r-dns.keyword:(*.com OR *.org OR *.net OR *.edu OR *.gov OR *.uk OR *.ca OR *.de OR *.jp OR *.fr OR *.au OR *.us OR *.ch OR *.it OR *.nl OR *.se OR *.no OR *.es))))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

129
docker/helk-jupyter/notebooks/sigma/proxy_downloadcradle_webdav.ipynb Normal file
View File

@ -0,0 +1,129 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Windows WebDAV User Agent\n",
"Detects WebDav DownloadCradle"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Windows WebDAV User Agent\n",
" id: e09aed7a-09e0-4c9a-90dd-f0d52507347e\n",
" status: experimental\n",
" description: Detects WebDav DownloadCradle\n",
" references:\n",
" - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\n",
" author: Florian Roth\n",
" date: 2018/04/06\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-useragent: Microsoft-WebDAV-MiniRedir/*\n",
" cs-method: GET\n",
" condition: selection\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" - cs-method\n",
" falsepositives:\n",
" - Administrative scripts that download files from the Internet\n",
" - Administrative scripts that retrieve certain website contents\n",
" - Legitimate WebDAV administration\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(c-useragent.keyword:Microsoft\\-WebDAV\\-MiniRedir\\/* AND cs-method:\"GET\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

124
docker/helk-jupyter/notebooks/sigma/proxy_empty_ua.ipynb Normal file
View File

@ -0,0 +1,124 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Empty User Agent\n",
"Detects suspicious empty user agent strings in proxy logs"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Empty User Agent\n",
" id: 21e44d78-95e7-421b-a464-ffd8395659c4\n",
" status: experimental\n",
" description: Detects suspicious empty user agent strings in proxy logs\n",
" references:\n",
" - https://twitter.com/Carlos_Perez/status/883455096645931008\n",
" author: Florian Roth\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-useragent: ''\n",
" condition: selection\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" falsepositives:\n",
" - Unknown\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='c-useragent:\"\"')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

126
docker/helk-jupyter/notebooks/sigma/proxy_ios_implant.ipynb Normal file
View File

@ -0,0 +1,126 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# iOS Implant URL Pattern\n",
"Detects URL pattern used by iOS Implant"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: iOS Implant URL Pattern\n",
" id: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6\n",
" status: experimental\n",
" description: Detects URL pattern used by iOS Implant\n",
" references:\n",
" - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html\n",
" - https://twitter.com/craiu/status/1167358457344925696\n",
" author: Florian Roth\n",
" date: 2019/08/30\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-uri: '*/list/suc?name=*'\n",
" condition: selection\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" falsepositives:\n",
" - Unknown\n",
" level: critical\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='c-uri.keyword:*\\/list\\/suc?name\\=*')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

125
docker/helk-jupyter/notebooks/sigma/proxy_powershell_ua.ipynb Normal file
View File

@ -0,0 +1,125 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Windows PowerShell User Agent\n",
"Detects Windows PowerShell Web Access"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Windows PowerShell User Agent\n",
" id: c8557060-9221-4448-8794-96320e6f3e74\n",
" status: experimental\n",
" description: Detects Windows PowerShell Web Access\n",
" references:\n",
" - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest\n",
" author: Florian Roth\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-useragent: '* WindowsPowerShell/*'\n",
" condition: selection\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" falsepositives:\n",
" - Administrative scripts that download files from the Internet\n",
" - Administrative scripts that retrieve certain website contents\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='c-useragent.keyword:*\\ WindowsPowerShell\\/*')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

134
docker/helk-jupyter/notebooks/sigma/proxy_raw_paste_service_access.ipynb Normal file
View File

@ -0,0 +1,134 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Raw Paste Service Access\n",
"Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Raw Paste Service Access\n",
" id: 5468045b-4fcc-4d1a-973c-c9c9578edacb\n",
" status: experimental\n",
" description: Detects direct access to raw pastes in different paste services often\n",
" used by malware in their second stages to download malicious code in encrypted\n",
" or encoded form\n",
" references:\n",
" - https://www.virustotal.com/gui/domain/paste.ee/relations\n",
" author: Florian Roth\n",
" date: 2019/12/05\n",
" tags:\n",
" - attack.t1102\n",
" - attack.defense_evasion\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-uri|contains:\n",
" - .paste.ee/r/\n",
" - .pastebin.com/raw/\n",
" - .hastebin.com/raw/\n",
" condition: selection\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" falsepositives:\n",
" - User activity (e.g. developer that shared and copied code snippets and used the\n",
" raw link instead of just copy & paste)\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='c-uri.keyword:(*.paste.ee\\/r\\/* OR *.pastebin.com\\/raw\\/* OR *.hastebin.com\\/raw\\/*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

124
docker/helk-jupyter/notebooks/sigma/proxy_susp_flash_download_loc.ipynb Normal file
View File

@ -0,0 +1,124 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Flash Player Update from Suspicious Location\n",
"Detects a flashplayer update from an unofficial location"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Flash Player Update from Suspicious Location\n",
" id: 4922a5dd-6743-4fc2-8e81-144374280997\n",
" status: experimental\n",
" description: Detects a flashplayer update from an unofficial location\n",
" references:\n",
" - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb\n",
" author: Florian Roth\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-uri-query:\n",
" - '*/install_flash_player.exe'\n",
" - '*/flash_install.php*'\n",
" filter:\n",
" c-uri-stem: '*.adobe.com/*'\n",
" condition: selection and not filter\n",
" falsepositives:\n",
" - Unknown flash download locations\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(c-uri-query.keyword:(*\\/install_flash_player.exe OR *\\/flash_install.php*) AND (NOT (c-uri-stem.keyword:*.adobe.com\\/*)))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

133
docker/helk-jupyter/notebooks/sigma/proxy_telegram_api.ipynb Normal file
View File

@ -0,0 +1,133 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Telegram API Access\n",
"Detects suspicious requests to Telegram API without the usual Telegram User-Agent"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Telegram API Access\n",
" id: b494b165-6634-483d-8c47-2026a6c52372\n",
" status: experimental\n",
" description: Detects suspicious requests to Telegram API without the usual Telegram\n",
" User-Agent\n",
" references:\n",
" - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/\n",
" - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/\n",
" - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/\n",
" author: Florian Roth\n",
" date: 2018/06/05\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" r-dns:\n",
" - api.telegram.org\n",
" filter:\n",
" c-useragent:\n",
" - '*Telegram*'\n",
" - '*Bot*'\n",
" condition: selection and not filter\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" falsepositives:\n",
" - Legitimate use of Telegram bots in the company\n",
" level: medium\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(r-dns:(\"api.telegram.org\") AND (NOT (c-useragent.keyword:(*Telegram* OR *Bot*))))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

164
docker/helk-jupyter/notebooks/sigma/proxy_ua_apt.ipynb Normal file
View File

@ -0,0 +1,164 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# APT User Agent\n",
"Detects suspicious user agent strings used in APT malware in proxy logs"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: APT User Agent\n",
" id: 6ec820f2-e963-4801-9127-d8b2dce4d31b\n",
" status: experimental\n",
" description: Detects suspicious user agent strings used in APT malware in proxy\n",
" logs\n",
" references:\n",
" - Internal Research\n",
" author: Florian Roth, Markus Neis\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-useragent:\n",
" - SJZJ (compatible; MSIE 6.0; Win32)\n",
" - Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0\n",
" - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0;\n",
" SLCC'\n",
" - Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)\n",
" - webclient\n",
" - Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200\n",
" - Mozilla/4.0 (compatible; MSI 6.0;\n",
" - Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\n",
" - Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/\n",
" - Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2\n",
" - Mozilla/4.0\n",
" - Netscape\n",
" - Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719\n",
" Firefox/1.0.7\n",
" - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13\n",
" GTB7.1\n",
" - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\n",
" - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;\n",
" .NETCLR 2.0.50727)\n",
" - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)\n",
" - Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)\n",
" - Mozilla/4.0 (compatible; MSIE 8.0; Win32)\n",
" - Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1\n",
" - Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)\n",
" - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;\n",
" .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)\n",
" - Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko\n",
" - Mozilla v5.1 *\n",
" - MSIE 8.0\n",
" - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727;\n",
" .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E;\n",
" InfoPath.2)\n",
" - Mozilla/4.0 (compatible; RMS)\n",
" - Mozilla/4.0 (compatible; MSIE 6.0; DynGate)\n",
" - O/9.27 (W; U; Z)\n",
" - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*\n",
" - Mozilla/5.0 (Windows NT 9; *\n",
" - hots scot\n",
" condition: selection\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" falsepositives:\n",
" - Old browsers\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='c-useragent.keyword:(SJZJ\\ \\(compatible;\\ MSIE\\ 6.0;\\ Win32\\) OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.;\\ WOW64;\\ rv\\:20.0\\)\\ Gecko\\/20100101\\ Firefox\\/20.0 OR User\\-Agent\\:\\ Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 8.0;\\ Windows\\ NT\\ 6.1;\\ Trident\\/4.0;\\ SLCC OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 7.4;\\ Win32;32\\-bit\\) OR webclient OR Mozilla\\/5.0\\ \\(Windows;\\ U;\\ Windows\\ NT\\ 5.1;\\ zh\\-EN;\\ rv\\:1.7.12\\)\\ Gecko\\/200 OR Mozilla\\/4.0\\ \\(compatible;\\ MSI\\ 6.0; OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.3;\\ WOW64;\\ rv\\:28.0\\)\\ Gecko\\/20100101\\ Firefox\\/28.0 OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.2;\\ WOW64;\\ rv\\:20.0\\)\\ Gecko\\/20100101\\ Firefox\\/ OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.;\\ WOW64;\\ rv\\:20.0\\)\\ Gecko\\/20100101\\ Firefox\\/2 OR Mozilla\\/4.0 OR Netscape OR Mozilla\\/5.0\\ \\(Windows;\\ U;\\ Windows\\ NT\\ 5.1;\\ zh\\-EN;\\ rv\\:1.7.12\\)\\ Gecko\\/20100719\\ Firefox\\/1.0.7 OR Mozilla\\/5.0\\ \\(Windows;\\ U;\\ Windows\\ NT\\ 5.1;\\ en\\-US;\\ rv\\:1.9.2.13\\)\\ Firefox\\/3.6.13\\ GTB7.1 OR Mozilla\\/5.0\\ \\(compatible;\\ MSIE\\ 9.0;\\ Windows\\ NT\\ 6.1;\\ WOW64;\\ Trident\\/5.0\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 8.0;\\ Windows\\ NT\\ 6.1;\\ WOW64;\\ Trident\\/4.0;\\ SLCC2;\\ .NETCLR\\ 2.0.50727\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 8.0;\\ Windows\\ NT\\ 6.0;\\ SV1\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 11.0;\\ Windows\\ NT\\ 6.1;\\ SV1\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 8.0;\\ Win32\\) OR Mozilla\\ v5.1\\ \\(Windows\\ NT\\ 6.1;\\ rv\\:6.0.1\\)\\ Gecko\\/20100101\\ Firefox\\/6.0.1 OR Mozilla\\/6.1\\ \\(compatible;\\ MSIE\\ 9.0;\\ Windows\\ NT\\ 5.3;\\ Trident\\/5.0\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 6.0;\\ Windows\\ NT\\ 5.1;\\ SV1;\\ .NET\\ CLR\\ 1.1.4322;\\ .NET\\ CLR\\ 2.0.50727;\\ .NET\\ CLR\\ 3.0.04506.30;\\ .NET\\ CLR\\ 3.0.04506.648;\\ InfoPath.1\\) OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.1;\\ WOW64\\)\\ WinHttp\\/1.6.3.8\\ \\(WinHTTP\\/5.1\\)\\ like\\ Gecko OR Mozilla\\ v5.1\\ * OR MSIE\\ 8.0 OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 7.0;\\ Windows\\ NT\\ 6.1;\\ SLCC2;\\ .NET\\ CLR\\ 2.0.50727;\\ .NET\\ CLR\\ 3.5.30729;\\ .NET\\ CLR\\ 3.0.30729;\\ Media\\ Center\\ PC\\ 6.0;\\ .NET4.0C;\\ .NET4.0E;\\ InfoPath.2\\) OR Mozilla\\/4.0\\ \\(compatible;\\ RMS\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 6.0;\\ DynGate\\) OR O\\/9.27\\ \\(W;\\ U;\\ Z\\) OR Mozilla\\/5.0\\ \\(compatible;\\ MSIE\\ 9.0;\\ Windows\\ NT\\ 6.0;\\ Trident\\/5.0;\\ \\ Trident\\/5.0* OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 9;\\ * OR hots\\ scot)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

130
docker/helk-jupyter/notebooks/sigma/proxy_ua_bitsadmin_susp_tld.ipynb Normal file
View File

@ -0,0 +1,130 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Bitsadmin to Uncommon TLD\n",
"Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Bitsadmin to Uncommon TLD\n",
" id: 9eb68894-7476-4cd6-8752-23b51f5883a7\n",
" status: experimental\n",
" description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248\n",
" - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/\n",
" author: Florian Roth\n",
" date: 2019/03/07\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-useragent:\n",
" - Microsoft BITS/*\n",
" falsepositives:\n",
" r-dns:\n",
" - '*.com'\n",
" - '*.net'\n",
" - '*.org'\n",
" condition: selection and not falsepositives\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" falsepositives:\n",
" - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(c-useragent.keyword:(Microsoft\\ BITS\\/*) AND (NOT (r-dns.keyword:(*.com OR *.net OR *.org))))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

129
docker/helk-jupyter/notebooks/sigma/proxy_ua_cryptominer.ipynb Normal file
View File

@ -0,0 +1,129 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Crypto Miner User Agent\n",
"Detects suspicious user agent strings used by crypto miners in proxy logs"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Crypto Miner User Agent\n",
" id: fa935401-513b-467b-81f4-f9e77aa0dd78\n",
" status: experimental\n",
" description: Detects suspicious user agent strings used by crypto miners in proxy\n",
" logs\n",
" references:\n",
" - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65\n",
" - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h\n",
" author: Florian Roth\n",
" date: 2019/10/21\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-useragent:\n",
" - XMRig *\n",
" - ccminer*\n",
" condition: selection\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='c-useragent.keyword:(XMRig\\ * OR ccminer*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

149
docker/helk-jupyter/notebooks/sigma/proxy_ua_frameworks.ipynb Normal file
View File

@ -0,0 +1,149 @@
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Exploit Framework User Agent\n",
"Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Exploit Framework User Agent\n",
" id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f\n",
" status: experimental\n",
" description: Detects suspicious user agent strings used by exploit / pentest framworks\n",
" like Metasploit in proxy logs\n",
" references:\n",
" - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/\n",
" author: Florian Roth\n",
" logsource:\n",
" category: proxy\n",
" product: null\n",
" service: null\n",
" detection:\n",
" selection:\n",
" c-useragent:\n",
" - Internet Explorer *\n",
" - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)\n",
" - Mozilla/4.0 (compatible; Metasploit RSPEC)\n",
" - Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\n",
" - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n",
" - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\n",
" - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)\n",
" - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E};\n",
" SLCC1; .N\n",
" - Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\n",
" - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML,\n",
" like Gecko) Chrome/4.0.221.6 Safari/525.13\n",
" - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)\n",
" - Mozilla/5.0\n",
" - Mozilla/4.0 (compatible; SPIPE/1.0\n",
" - Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0\n",
" - Sametime Community Agent\n",
" - X-FORWARDED-FOR\n",
" - DotDotPwn v2.1\n",
" - SIPDROID\n",
" - Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)\n",
" - Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0\n",
" - '*wordpress hash grabber*'\n",
" - '*exploit*'\n",
" condition: selection\n",
" fields:\n",
" - ClientIP\n",
" - c-uri\n",
" - c-useragent\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='c-useragent.keyword:(Internet\\ Explorer\\ * OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 6.0;\\ Windows\\ NT\\ 5.1;\\ SV1;\\ InfoPath.2\\) OR Mozilla\\/4.0\\ \\(compatible;\\ Metasploit\\ RSPEC\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 6.1;\\ Windows\\ NT\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 6.0;\\ Windows\\ NT\\ 5.1\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 7.0;\\ Windows\\ NT\\ 6.0\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 8.0;\\ Windows\\ NT\\ 6.0;\\ Trident\\/4.0\\) OR Mozilla\\/4.0\\ \\(compatible;\\ MSIE\\ 7.0;\\ Windows\\ NT\\ 6.0;\\ Trident\\/4.0;\\ SIMBAR\\=\\{7DB0F6DE\\-8DE7\\-4841\\-9084\\-28FA914B0F2E\\};\\ SLCC1;\\ .N OR Mozilla\\/5.0\\ \\(compatible;\\ Googlebot\\/2.1;\\ \\+http\\:\\/\\/www.google.com\\/bot.html\\) OR Mozilla\\/5.0\\ \\(Windows;\\ U;\\ Windows\\ NT\\ 5.1;\\ en\\-US\\)\\ AppleWebKit\\/525.13\\ \\(KHTML,\\ like\\ Gecko\\)\\ Chrome\\/4.0.221.6\\ Safari\\/525.13 OR Mozilla\\/5.0\\ \\(compatible;\\ MSIE\\ 9.0;\\ Windows\\ NT\\ 6.1;\\ WOW64;\\ Trident\\/5.0;\\ MAAU\\) OR Mozilla\\/5.0 OR Mozilla\\/4.0\\ \\(compatible;\\ SPIPE\\/1.0 OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 6.3;\\ rv\\:39.0\\)\\ Gecko\\/20100101\\ Firefox\\/35.0 OR Sametime\\ Community\\ Agent OR X\\-FORWARDED\\-FOR OR DotDotPwn\\ v2.1 OR SIPDROID OR Mozilla\\/5.0\\ \\(Windows\\ NT\\ 10.0;\\ Win32;\\ x32;\\ rv\\:60.0\\) OR Mozilla\\/6.0\\ \\(X11;\\ Linux\\ x86_64;\\ rv\\:24.0\\)\\ Gecko\\/20140205\\ \\ \\ \\ \\ Firefox\\/27.0\\ Iceweasel\\/25.3.0 OR *wordpress\\ hash\\ grabber* OR *exploit*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}

Some files were not shown because too many files have changed in this diff Show More