infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/apt_wocao.ipynb

154 lines
4.3 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Operation Wocao Activity\n",
"Detects activity mentioned in Operation Wocao report"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: Operation Wocao Activity\n",
" id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d\n",
" author: Florian Roth\n",
" status: experimental\n",
" description: Detects activity mentioned in Operation Wocao report\n",
" references:\n",
" - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/\n",
" - https://twitter.com/SBousseaden/status/1207671369963646976\n",
" date: 2019/12/20\n",
" falsepositives:\n",
" - Administrators that use checkadmin.exe tool to enumerate local administrators\n",
" level: high\n",
"- logsource:\n",
" product: windows\n",
" service: security\n",
" detection:\n",
" selection:\n",
" EventID: 4799\n",
" GroupName: Administrators\n",
" ProcessName: '*\\checkadmin.exe'\n",
" condition: selection\n",
"- logsource:\n",
" category: process_creation\n",
" product: windows\n",
" detection:\n",
" selection:\n",
" CommandLine|contains:\n",
" - checkadmin.exe 127.0.0.1 -all\n",
" - netsh advfirewall firewall add rule name=powershell dir=in\n",
" - cmd /c powershell.exe -ep bypass -file c:\\s.ps1\n",
" - /tn win32times /f\n",
" - create win32times binPath=\n",
" - \\c$\\windows\\system32\\devmgr.dll\n",
" - ' -exec bypass -enc JgAg'\n",
" - type *keepass\\KeePass.config.xml\n",
" - iie.exe iie.txt\n",
" - reg query HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\\n",
" condition: selection\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"4799\" AND group_name:\"Administrators\" AND process_path.keyword:*\\\\checkadmin.exe)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:(*checkadmin.exe\\ 127.0.0.1\\ \\-all* OR *netsh\\ advfirewall\\ firewall\\ add\\ rule\\ name\\=powershell\\ dir\\=in* OR *cmd\\ \\/c\\ powershell.exe\\ \\-ep\\ bypass\\ \\-file\\ c\\:\\\\s.ps1* OR *\\/tn\\ win32times\\ \\/f* OR *create\\ win32times\\ binPath\\=* OR *\\\\c$\\\\windows\\\\system32\\\\devmgr.dll* OR *\\ \\-exec\\ bypass\\ \\-enc\\ JgAg* OR *type\\ *keepass\\\\KeePass.config.xml* OR *iie.exe\\ iie.txt* OR *reg\\ query\\ HKEY_CURRENT_USER\\\\Software\\*\\\\PuTTY\\\\Sessions\\*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink