HELK/docker/helk-jupyter/notebooks/sigma/lnx_auditd_susp_cmds.ipynb

{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Detects Suspicious Commands on Linux systems\n",
    "Detects relevant commands often related to malware or hacking activity"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- title: Detects Suspicious Commands on Linux systems\n",
    "  id: 1543ae20-cbdf-4ec1-8d12-7664d667a825\n",
    "  status: experimental\n",
    "  description: Detects relevant commands often related to malware or hacking activity\n",
    "  references:\n",
    "  - Internal Research - mostly derived from exploit code including code in MSF\n",
    "  date: 2017/12/12\n",
    "  author: Florian Roth\n",
    "  logsource:\n",
    "    product: linux\n",
    "    service: auditd\n",
    "    category: null\n",
    "  detection:\n",
    "    cmd1:\n",
    "      type: EXECVE\n",
    "      a0: chmod\n",
    "      a1: '777'\n",
    "    cmd2:\n",
    "      type: EXECVE\n",
    "      a0: chmod\n",
    "      a1: u+s\n",
    "    cmd3:\n",
    "      type: EXECVE\n",
    "      a0: cp\n",
    "      a1: /bin/ksh\n",
    "    cmd4:\n",
    "      type: EXECVE\n",
    "      a0: cp\n",
    "      a1: /bin/sh\n",
    "    condition: 1 of them\n",
    "  falsepositives:\n",
    "  - Admin activity\n",
    "  level: medium\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='(type:\"EXECVE\" AND ((a0:\"chmod\" AND a1:\"777\") OR (a0:\"chmod\" AND a1:\"u\\+s\") OR (a0:\"cp\" AND a1:\"\\/bin\\/ksh\") OR (a0:\"cp\" AND a1:\"\\/bin\\/sh\")))')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}