{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Operation Wocao Activity\n", "Detects activity mentioned in Operation Wocao report" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Rule Content\n", "```\n", "- action: global\n", " title: Operation Wocao Activity\n", " id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d\n", " author: Florian Roth\n", " status: experimental\n", " description: Detects activity mentioned in Operation Wocao report\n", " references:\n", " - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/\n", " - https://twitter.com/SBousseaden/status/1207671369963646976\n", " date: 2019/12/20\n", " falsepositives:\n", " - Administrators that use checkadmin.exe tool to enumerate local administrators\n", " level: high\n", "- logsource:\n", " product: windows\n", " service: security\n", " detection:\n", " selection:\n", " EventID: 4799\n", " GroupName: Administrators\n", " ProcessName: '*\\checkadmin.exe'\n", " condition: selection\n", "- logsource:\n", " category: process_creation\n", " product: windows\n", " detection:\n", " selection:\n", " CommandLine|contains:\n", " - checkadmin.exe 127.0.0.1 -all\n", " - netsh advfirewall firewall add rule name=powershell dir=in\n", " - cmd /c powershell.exe -ep bypass -file c:\\s.ps1\n", " - /tn win32times /f\n", " - create win32times binPath=\n", " - \\c$\\windows\\system32\\devmgr.dll\n", " - ' -exec bypass -enc JgAg'\n", " - type *keepass\\KeePass.config.xml\n", " - iie.exe iie.txt\n", " - reg query HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\\n", " condition: selection\n", "\n", "```" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Querying Elasticsearch" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Import Libraries" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from elasticsearch import Elasticsearch\n", "from elasticsearch_dsl import Search\n", "import pandas as pd" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Initialize Elasticsearch client" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n", "searchContext = Search(using=es, index='logs-*', doc_type='doc')" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Run Elasticsearch Query" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "s = searchContext.query('query_string', query='(event_id:\"4799\" AND group_name:\"Administrators\" AND process_path.keyword:*\\\\checkadmin.exe)')\n", "response = s.execute()\n", "if response.success():\n", " df = pd.DataFrame((d.to_dict() for d in s.scan()))" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "s = searchContext.query('query_string', query='process_command_line.keyword:(*checkadmin.exe\\ 127.0.0.1\\ \\-all* OR *netsh\\ advfirewall\\ firewall\\ add\\ rule\\ name\\=powershell\\ dir\\=in* OR *cmd\\ \\/c\\ powershell.exe\\ \\-ep\\ bypass\\ \\-file\\ c\\:\\\\s.ps1* OR *\\/tn\\ win32times\\ \\/f* OR *create\\ win32times\\ binPath\\=* OR *\\\\c$\\\\windows\\\\system32\\\\devmgr.dll* OR *\\ \\-exec\\ bypass\\ \\-enc\\ JgAg* OR *type\\ *keepass\\\\KeePass.config.xml* OR *iie.exe\\ iie.txt* OR *reg\\ query\\ HKEY_CURRENT_USER\\\\Software\\*\\\\PuTTY\\\\Sessions\\*)')\n", "response = s.execute()\n", "if response.success():\n", " df = pd.DataFrame((d.to_dict() for d in s.scan()))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Show Results" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "df.head()" ] } ], "metadata": {}, "nbformat": 4, "nbformat_minor": 4 }