{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Squirrel Lolbin\n",
    "Detects Possible Squirrel Packages Manager as Lolbin"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- title: Squirrel Lolbin\n",
    "  id: fa4b21c9-0057-4493-b289-2556416ae4d7\n",
    "  status: experimental\n",
    "  description: Detects Possible Squirrel Packages Manager as Lolbin\n",
    "  references:\n",
    "  - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n",
    "  - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\n",
    "  tags:\n",
    "  - attack.execution\n",
    "  author: Karneades / Markus Neis\n",
    "  falsepositives:\n",
    "  - 1Clipboard\n",
    "  - Beaker Browser\n",
    "  - Caret\n",
    "  - Collectie\n",
    "  - Discord\n",
    "  - Figma\n",
    "  - Flow\n",
    "  - Ghost\n",
    "  - GitHub Desktop\n",
    "  - GitKraken\n",
    "  - Hyper\n",
    "  - Insomnia\n",
    "  - JIBO\n",
    "  - Kap\n",
    "  - Kitematic\n",
    "  - Now Desktop\n",
    "  - Postman\n",
    "  - PostmanCanary\n",
    "  - Rambox\n",
    "  - Simplenote\n",
    "  - Skype\n",
    "  - Slack\n",
    "  - SourceTree\n",
    "  - Stride\n",
    "  - Svgsus\n",
    "  - WebTorrent\n",
    "  - WhatsApp\n",
    "  - WordPress.com\n",
    "  - atom\n",
    "  - gitkraken\n",
    "  - slack\n",
    "  - teams\n",
    "  level: high\n",
    "  logsource:\n",
    "    category: process_creation\n",
    "    product: windows\n",
    "    service: null\n",
    "  detection:\n",
    "    selection:\n",
    "      Image:\n",
    "      - '*\\update.exe'\n",
    "      CommandLine:\n",
    "      - '*--processStart*.exe*'\n",
    "      - '*--processStartAndWait*.exe*'\n",
    "      - \"*\\u2013createShortcut*.exe*\"\n",
    "    condition: selection\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='(process_path.keyword:(*\\\\update.exe) AND process_command_line.keyword:(*\\-\\-processStart*.exe* OR *\\-\\-processStartAndWait*.exe* OR *–createShortcut*.exe*))')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}