infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/default_credentials_usage.i...

215 lines
6.1 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Default Credentials Usage\n",
"Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Default Credentials Usage\n",
" id: 1a395cbc-a84a-463a-9086-ed8a70e573c7\n",
" description: Before deploying any new asset, change all default passwords to have\n",
" values consistent with administrative level accounts. Sigma detects default credentials\n",
" usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.\n",
" author: Alexandr Yampolskyi, SOC Prime\n",
" status: stable\n",
" references:\n",
" - https://www.cisecurity.org/controls/cis-controls-list/\n",
" - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n",
" - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n",
" - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists\n",
" date: 2019/03/26\n",
" logsource:\n",
" product: qualys\n",
" service: null\n",
" category: null\n",
" detection:\n",
" selection:\n",
" host.scan.vuln:\n",
" - 10693\n",
" - 11507\n",
" - 11633\n",
" - 11804\n",
" - 11821\n",
" - 11847\n",
" - 11867\n",
" - 11931\n",
" - 11935\n",
" - 11950\n",
" - 12541\n",
" - 12558\n",
" - 12559\n",
" - 12560\n",
" - 12562\n",
" - 12563\n",
" - 12565\n",
" - 12587\n",
" - 12590\n",
" - 12599\n",
" - 12702\n",
" - 12705\n",
" - 12706\n",
" - 12907\n",
" - 12928\n",
" - 12929\n",
" - 13053\n",
" - 13178\n",
" - 13200\n",
" - 13218\n",
" - 13241\n",
" - 13253\n",
" - 13274\n",
" - 13296\n",
" - 13301\n",
" - 13327\n",
" - 13373\n",
" - 13374\n",
" - 13409\n",
" - 13530\n",
" - 13532\n",
" - 20065\n",
" - 20073\n",
" - 20081\n",
" - 27202\n",
" - 27358\n",
" - 38702\n",
" - 38719\n",
" - 42045\n",
" - 42417\n",
" - 43029\n",
" - 43220\n",
" - 43221\n",
" - 43222\n",
" - 43223\n",
" - 43225\n",
" - 43246\n",
" - 43431\n",
" - 43484\n",
" - 86857\n",
" - 87098\n",
" - 87106\n",
" condition: selection\n",
" falsepositives:\n",
" - unknown\n",
" level: medium\n",
" tags:\n",
" - CSC4\n",
" - CSC4.2\n",
" - NIST CSF 1.1 PR.AC-4\n",
" - NIST CSF 1.1 PR.AT-2\n",
" - NIST CSF 1.1 PR.MA-2\n",
" - NIST CSF 1.1 PR.PT-3\n",
" - ISO 27002-2013 A.9.1.1\n",
" - ISO 27002-2013 A.9.2.2\n",
" - ISO 27002-2013 A.9.2.3\n",
" - ISO 27002-2013 A.9.2.4\n",
" - ISO 27002-2013 A.9.2.5\n",
" - ISO 27002-2013 A.9.2.6\n",
" - ISO 27002-2013 A.9.3.1\n",
" - ISO 27002-2013 A.9.4.1\n",
" - ISO 27002-2013 A.9.4.2\n",
" - ISO 27002-2013 A.9.4.3\n",
" - ISO 27002-2013 A.9.4.4\n",
" - PCI DSS 3.2 2.1\n",
" - PCI DSS 3.2 7.1\n",
" - PCI DSS 3.2 7.2\n",
" - PCI DSS 3.2 7.3\n",
" - PCI DSS 3.2 8.1\n",
" - PCI DSS 3.2 8.2\n",
" - PCI DSS 3.2 8.3\n",
" - PCI DSS 3.2 8.7\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='host.scan.vuln:(\"10693\" OR \"11507\" OR \"11633\" OR \"11804\" OR \"11821\" OR \"11847\" OR \"11867\" OR \"11931\" OR \"11935\" OR \"11950\" OR \"12541\" OR \"12558\" OR \"12559\" OR \"12560\" OR \"12562\" OR \"12563\" OR \"12565\" OR \"12587\" OR \"12590\" OR \"12599\" OR \"12702\" OR \"12705\" OR \"12706\" OR \"12907\" OR \"12928\" OR \"12929\" OR \"13053\" OR \"13178\" OR \"13200\" OR \"13218\" OR \"13241\" OR \"13253\" OR \"13274\" OR \"13296\" OR \"13301\" OR \"13327\" OR \"13373\" OR \"13374\" OR \"13409\" OR \"13530\" OR \"13532\" OR \"20065\" OR \"20073\" OR \"20081\" OR \"27202\" OR \"27358\" OR \"38702\" OR \"38719\" OR \"42045\" OR \"42417\" OR \"43029\" OR \"43220\" OR \"43221\" OR \"43222\" OR \"43223\" OR \"43225\" OR \"43246\" OR \"43431\" OR \"43484\" OR \"86857\" OR \"87098\" OR \"87106\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink