infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/apt_equationgroup_lnx.ipynb

163 lines
6.1 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Equation Group Indicators\n",
"Detects suspicious shell commands used in various Equation Group scripts and tools"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Equation Group Indicators\n",
" id: 41e5c73d-9983-4b69-bd03-e13b67e9623c\n",
" description: Detects suspicious shell commands used in various Equation Group scripts\n",
" and tools\n",
" references:\n",
" - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1\n",
" tags:\n",
" - attack.execution\n",
" - attack.g0020\n",
" - attack.t1059\n",
" author: Florian Roth\n",
" logsource:\n",
" product: linux\n",
" service: null\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" - 'chown root*chmod 4777 '\n",
" - cp /bin/sh .;chown\n",
" - chmod 4777 /tmp/.scsi/dev/bin/gsh\n",
" - chown root:root /tmp/.scsi/dev/bin/\n",
" - chown root:root x;\n",
" - /bin/telnet locip locport < /dev/console | /bin/sh\n",
" - /tmp/ratload\n",
" - 'ewok -t '\n",
" - 'xspy -display '\n",
" - cat > /dev/tcp/127.0.0.1/80 <<END\n",
" - rm -f /current/tmp/ftshell.latest\n",
" - 'ghost_* -v '\n",
" - ' --wipe > /dev/null'\n",
" - ping -c 2 *; grep * /proc/net/arp >/tmp/gx\n",
" - iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;\n",
" - '> /var/log/audit/audit.log; rm -f .'\n",
" - cp /var/log/audit/audit.log .tmp\n",
" - sh >/dev/tcp/* <&1 2>&1\n",
" - ncat -vv -l -p * <\n",
" - nc -vv -l -p * <\n",
" - < /dev/console | uudecode && uncompress\n",
" - sendmail -osendmail;chmod +x sendmail\n",
" - /usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron\n",
" - chmod 666 /var/run/utmp~\n",
" - chmod 700 nscd crond\n",
" - cp /etc/shadow /tmp/.\n",
" - </dev/console |uudecode > /dev/null 2>&1 && uncompress\n",
" - chmod 700 jp&&netstat -an|grep\n",
" - uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755\n",
" - chmod 700 crond\n",
" - wget http*; chmod +x /tmp/sendmail\n",
" - chmod 700 fp sendmail pt\n",
" - chmod 755 /usr/vmsys/bin/pipe\n",
" - chmod -R 755 /usr/vmsys\n",
" - chmod 755 $opbin/*tunnel\n",
" - chmod 700 sendmail\n",
" - chmod 0700 sendmail\n",
" - /usr/bin/wget http*sendmail;chmod +x sendmail;\n",
" - '&& telnet * 2>&1 </dev/console'\n",
" condition: keywords\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='\\*.keyword:(*chown\\ root*chmod\\ 4777\\ * OR *cp\\ \\/bin\\/sh\\ .;chown* OR *chmod\\ 4777\\ \\/tmp\\/.scsi\\/dev\\/bin\\/gsh* OR *chown\\ root\\:root\\ \\/tmp\\/.scsi\\/dev\\/bin\\/* OR *chown\\ root\\:root\\ x;* OR *\\/bin\\/telnet\\ locip\\ locport\\ \\ \\/dev\\/console\\ |\\ \\/bin\\/sh* OR *\\/tmp\\/ratload* OR *ewok\\ \\-t\\ * OR *xspy\\ \\-display\\ * OR *cat\\ \\ \\/dev\\/tcp\\/127.0.0.1\\/80\\ END* OR *rm\\ \\-f\\ \\/current\\/tmp\\/ftshell.latest* OR *ghost_*\\ \\-v\\ * OR *\\ \\-\\-wipe\\ \\ \\/dev\\/null* OR *ping\\ \\-c\\ 2\\ *;\\ grep\\ *\\ \\/proc\\/net\\/arp\\ \\/tmp\\/gx* OR *iptables\\ *\\ OUTPUT\\ \\-p\\ tcp\\ \\-d\\ 127.0.0.1\\ \\-\\-tcp\\-flags\\ RST\\ RST\\ \\-j\\ DROP;* OR *\\ \\/var\\/log\\/audit\\/audit.log;\\ rm\\ \\-f\\ .* OR *cp\\ \\/var\\/log\\/audit\\/audit.log\\ .tmp* OR *sh\\ \\/dev\\/tcp\\/*\\ &1\\ 2&1* OR *ncat\\ \\-vv\\ \\-l\\ \\-p\\ *\\ * OR *nc\\ \\-vv\\ \\-l\\ \\-p\\ *\\ * OR *\\ \\/dev\\/console\\ |\\ uudecode\\ \\&&\\ uncompress* OR *sendmail\\ \\-osendmail;chmod\\ \\+x\\ sendmail* OR *\\/usr\\/bin\\/wget\\ \\-O\\ \\/tmp\\/a\\ http*\\ \\&&\\ chmod\\ 755\\ \\/tmp\\/cron* OR *chmod\\ 666\\ \\/var\\/run\\/utmp\\~* OR *chmod\\ 700\\ nscd\\ crond* OR *cp\\ \\/etc\\/shadow\\ \\/tmp\\/.* OR *\\/dev\\/console\\ |uudecode\\ \\ \\/dev\\/null\\ 2&1\\ \\&&\\ uncompress* OR *chmod\\ 700\\ jp\\&&netstat\\ \\-an|grep* OR *uudecode\\ \\ \\/dev\\/null\\ 2&1\\ \\&&\\ uncompress\\ \\-f\\ *\\ \\&&\\ chmod\\ 755* OR *chmod\\ 700\\ crond* OR *wget\\ http*;\\ chmod\\ \\+x\\ \\/tmp\\/sendmail* OR *chmod\\ 700\\ fp\\ sendmail\\ pt* OR *chmod\\ 755\\ \\/usr\\/vmsys\\/bin\\/pipe* OR *chmod\\ \\-R\\ 755\\ \\/usr\\/vmsys* OR *chmod\\ 755\\ $opbin\\/*tunnel* OR *chmod\\ 700\\ sendmail* OR *chmod\\ 0700\\ sendmail* OR *\\/usr\\/bin\\/wget\\ http*sendmail;chmod\\ \\+x\\ sendmail;* OR *\\&&\\ telnet\\ *\\ 2&1\\ \\/dev\\/console*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink