mirror of https://github.com/infosecn1nja/HELK.git
136 lines
3.3 KiB
Plaintext
136 lines
3.3 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Detects Suspicious edit of .bash_profile and .bashrc on Linux systems\n",
|
|
"Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell."
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems\n",
|
|
" id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9\n",
|
|
" status: experimental\n",
|
|
" description: Detects change of user environment. Adversaries can insert code into\n",
|
|
" these files to gain persistence each time a user logs in or opens a new shell.\n",
|
|
" references:\n",
|
|
" - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '\n",
|
|
" date: 2019/05/12\n",
|
|
" tags:\n",
|
|
" - attack.s0003\n",
|
|
" - attack.t1156\n",
|
|
" - attack.persistence\n",
|
|
" author: Peter Matkovski\n",
|
|
" logsource:\n",
|
|
" product: linux\n",
|
|
" service: auditd\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" selection:\n",
|
|
" type: PATH\n",
|
|
" name:\n",
|
|
" - /home/*/.bashrc\n",
|
|
" - /home/*/.bash_profile\n",
|
|
" - /home/*/.profile\n",
|
|
" - /etc/profile\n",
|
|
" - /etc/shells\n",
|
|
" - /etc/bashrc\n",
|
|
" - /etc/csh.cshrc\n",
|
|
" - /etc/csh.login\n",
|
|
" condition: selection\n",
|
|
" falsepositives:\n",
|
|
" - Admin or User activity\n",
|
|
" level: medium\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(type:\"PATH\" AND name.keyword:(\\/home\\/*\\/.bashrc OR \\/home\\/*\\/.bash_profile OR \\/home\\/*\\/.profile OR \\/etc\\/profile OR \\/etc\\/shells OR \\/etc\\/bashrc OR \\/etc\\/csh.cshrc OR \\/etc\\/csh.login))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|