mirror of https://github.com/infosecn1nja/HELK.git
140 lines
3.2 KiB
Plaintext
140 lines
3.2 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Antivirus Exploitation Framework Detection\n",
|
|
"Detects a highly relevant Antivirus alert that reports an exploitation framework"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Antivirus Exploitation Framework Detection\n",
|
|
" id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864\n",
|
|
" description: Detects a highly relevant Antivirus alert that reports an exploitation\n",
|
|
" framework\n",
|
|
" date: 2018/09/09\n",
|
|
" modified: 2019/01/16\n",
|
|
" author: Florian Roth\n",
|
|
" references:\n",
|
|
" - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/\n",
|
|
" tags:\n",
|
|
" - attack.execution\n",
|
|
" - attack.t1203\n",
|
|
" - attack.command_and_control\n",
|
|
" - attack.t1219\n",
|
|
" logsource:\n",
|
|
" product: antivirus\n",
|
|
" service: null\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" selection:\n",
|
|
" Signature:\n",
|
|
" - '*MeteTool*'\n",
|
|
" - '*MPreter*'\n",
|
|
" - '*Meterpreter*'\n",
|
|
" - '*Metasploit*'\n",
|
|
" - '*PowerSploit*'\n",
|
|
" - '*CobaltSrike*'\n",
|
|
" - '*Swrort*'\n",
|
|
" - '*Rozena*'\n",
|
|
" - '*Backdoor.Cobalt*'\n",
|
|
" condition: selection\n",
|
|
" fields:\n",
|
|
" - FileName\n",
|
|
" - User\n",
|
|
" falsepositives:\n",
|
|
" - Unlikely\n",
|
|
" level: critical\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|