{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Execution of Renamed PaExec\n",
    "Detects execution of renamed paexec via imphash and executable product string"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- title: Execution of Renamed PaExec\n",
    "  id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b\n",
    "  status: experimental\n",
    "  description: Detects execution of renamed paexec via imphash and executable product\n",
    "    string\n",
    "  references:\n",
    "  - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\n",
    "  - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf\n",
    "  tags:\n",
    "  - attack.defense_evasion\n",
    "  - attack.t1036\n",
    "  - FIN7\n",
    "  - car.2013-05-009\n",
    "  date: 2019/04/17\n",
    "  author: Jason Lynch\n",
    "  falsepositives:\n",
    "  - Unknown imphashes\n",
    "  level: medium\n",
    "  logsource:\n",
    "    category: process_creation\n",
    "    product: windows\n",
    "    service: null\n",
    "  detection:\n",
    "    selection1:\n",
    "      Product:\n",
    "      - '*PAExec*'\n",
    "    selection2:\n",
    "      Imphash:\n",
    "      - 11D40A7B7876288F919AB819CC2D9802\n",
    "      - 6444f8a34e99b8f7d9647de66aabe516\n",
    "      - dfd6aa3f7b2b1035b76b718f1ddc689f\n",
    "      - 1a6cca4d5460b1710a12dea39e4a592c\n",
    "    filter1:\n",
    "      Image: '*paexec*'\n",
    "    condition: (selection1 and selection2) and not filter1\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='((file_product.keyword:(*PAExec*) AND hash_imphash:(\"11D40A7B7876288F919AB819CC2D9802\" OR \"6444f8a34e99b8f7d9647de66aabe516\" OR \"dfd6aa3f7b2b1035b76b718f1ddc689f\" OR \"1a6cca4d5460b1710a12dea39e4a592c\")) AND (NOT (process_path.keyword:*paexec*)))')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}