{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Unauthorized System Time Modification\n", "Detect scenarios where a potentially unauthorized application or user is modifying the system time." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Rule Content\n", "```\n", "- title: Unauthorized System Time Modification\n", " id: faa031b5-21ed-4e02-8881-2591f98d82ed\n", " status: experimental\n", " description: Detect scenarios where a potentially unauthorized application or user\n", " is modifying the system time.\n", " author: '@neu5ron'\n", " references:\n", " - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)\n", " - Live environment caused by malware\n", " date: 2019/02/05\n", " tags:\n", " - attack.defense_evasion\n", " - attack.t1099\n", " logsource:\n", " product: windows\n", " service: security\n", " definition: 'Requirements: Audit Policy : System > Audit Security State Change,\n", " Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced\n", " Audit Policy Configuration\\Audit Policies\\System\\Audit Security State Change'\n", " category: null\n", " detection:\n", " selection:\n", " EventID: 4616\n", " filter1:\n", " ProcessName: C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\n", " filter2:\n", " ProcessName: C:\\Windows\\System32\\VBoxService.exe\n", " filter3:\n", " ProcessName: C:\\Windows\\System32\\svchost.exe\n", " SubjectUserSid: S-1-5-19\n", " condition: selection and not ( filter1 or filter2 or filter3 )\n", " falsepositives:\n", " - HyperV or other virtualization technologies with binary not listed in filter portion\n", " of detection\n", " level: high\n", "\n", "```" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Querying Elasticsearch" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Import Libraries" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from elasticsearch import Elasticsearch\n", "from elasticsearch_dsl import Search\n", "import pandas as pd" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Initialize Elasticsearch client" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n", "searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Run Elasticsearch Query" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "s = searchContext.query('query_string', query='(event_id:\"4616\" AND (NOT (((process_path:\"C\\:\\\\Program\\ Files\\\\VMware\\\\VMware\\ Tools\\\\vmtoolsd.exe\" OR process_path:\"C\\:\\\\Windows\\\\System32\\\\VBoxService.exe\") OR (process_path:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\" AND SubjectUserSid:\"S\\-1\\-5\\-19\")))))')\n", "response = s.execute()\n", "if response.success():\n", " df = pd.DataFrame((d.to_dict() for d in s.scan()))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Show Results" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "df.head()" ] } ], "metadata": {}, "nbformat": 4, "nbformat_minor": 4 }