{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Judgement Panda Exfil Activity\n",
    "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- title: Judgement Panda Exfil Activity\n",
    "  id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee\n",
    "  description: Detects Russian group activity as described in Global Threat Report\n",
    "    2019 by Crowdstrike\n",
    "  references:\n",
    "  - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\n",
    "  author: Florian Roth\n",
    "  date: 2019/02/21\n",
    "  tags:\n",
    "  - attack.credential_access\n",
    "  - attack.t1081\n",
    "  - attack.t1003\n",
    "  logsource:\n",
    "    category: process_creation\n",
    "    product: windows\n",
    "    service: null\n",
    "  detection:\n",
    "    selection1:\n",
    "      Image: '*\\xcopy.exe'\n",
    "      CommandLine: '* /S /E /C /Q /H \\\\*'\n",
    "    selection2:\n",
    "      Image: '*\\adexplorer.exe'\n",
    "      CommandLine: '* -snapshot \"\" c:\\users\\\\*'\n",
    "    condition: selection1 or selection2\n",
    "  falsepositives:\n",
    "  - unknown\n",
    "  level: critical\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='((process_path.keyword:*\\\\xcopy.exe AND process_command_line.keyword:*\\ \\/S\\ \\/E\\ \\/C\\ \\/Q\\ \\/H\\ \\\\*) OR (process_path.keyword:*\\\\adexplorer.exe AND process_command_line.keyword:*\\ \\-snapshot\\ \\\"\\\"\\ c\\:\\\\users\\\\*))')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}