infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/apt_chafer_mar18.ipynb

209 lines
5.9 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Chafer Activity\n",
"Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: Chafer Activity\n",
" id: 53ba33fd-3a50-4468-a5ef-c583635cfa92\n",
" description: Detects Chafer activity attributed to OilRig as reported in Nyotron\n",
" report in March 2018\n",
" references:\n",
" - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/\n",
" tags:\n",
" - attack.persistence\n",
" - attack.g0049\n",
" - attack.t1053\n",
" - attack.s0111\n",
" - attack.defense_evasion\n",
" - attack.t1112\n",
" date: 2018/03/23\n",
" modified: 2019/03/01\n",
" author: Florian Roth, Markus Neis\n",
" detection:\n",
" condition: 1 of them\n",
" falsepositives:\n",
" - Unknown\n",
" level: critical\n",
"- logsource:\n",
" product: windows\n",
" service: system\n",
" detection:\n",
" selection_service:\n",
" EventID: 7045\n",
" ServiceName:\n",
" - SC Scheduled Scan\n",
" - UpdatMachine\n",
"- logsource:\n",
" product: windows\n",
" service: security\n",
" detection:\n",
" selection_service:\n",
" EventID: 4698\n",
" TaskName:\n",
" - SC Scheduled Scan\n",
" - UpdatMachine\n",
"- logsource:\n",
" product: windows\n",
" service: sysmon\n",
" detection:\n",
" selection_reg1:\n",
" EventID: 13\n",
" TargetObject:\n",
" - '*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe'\n",
" - '*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT'\n",
" EventType: SetValue\n",
" selection_reg2:\n",
" EventID: 13\n",
" TargetObject: '*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential'\n",
" EventType: SetValue\n",
" Details: DWORD (0x00000001)\n",
"- logsource:\n",
" category: process_creation\n",
" product: windows\n",
" detection:\n",
" selection_process1:\n",
" CommandLine:\n",
" - '*\\Service.exe i'\n",
" - '*\\Service.exe u'\n",
" - '*\\microsoft\\Taskbar\\autoit3.exe'\n",
" - C:\\wsc.exe*\n",
" selection_process2:\n",
" Image: '*\\Windows\\Temp\\DB\\\\*.exe'\n",
" selection_process3:\n",
" CommandLine: '*\\nslookup.exe -q=TXT*'\n",
" ParentImage: '*\\Autoit*'\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"7045\" AND service_name:(\"SC\\ Scheduled\\ Scan\" OR \"UpdatMachine\"))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"4698\" AND task_name:(\"SC\\ Scheduled\\ Scan\" OR \"UpdatMachine\"))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"13\" AND event_type:\"SetValue\" AND (registry_key_path.keyword:(*SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe OR *SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT) OR (registry_key_path.keyword:*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential AND registry_key_value:\"DWORD\\ \\(0x00000001\\)\")))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(process_command_line.keyword:(*\\\\Service.exe\\ i OR *\\\\Service.exe\\ u OR *\\\\microsoft\\\\Taskbar\\\\autoit3.exe OR C\\:\\\\wsc.exe*) OR process_path.keyword:*\\\\Windows\\\\Temp\\\\DB\\\\*.exe OR (process_command_line.keyword:*\\\\nslookup.exe\\ \\-q\\=TXT* AND process_parent_path.keyword:*\\\\Autoit*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink