mirror of https://github.com/infosecn1nja/HELK.git
157 lines
4.8 KiB
Plaintext
157 lines
4.8 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Suspicious Activity in Shell Commands\n",
|
|
"Detects suspicious shell commands used in various exploit codes (see references)"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Suspicious Activity in Shell Commands\n",
|
|
" id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695\n",
|
|
" description: Detects suspicious shell commands used in various exploit codes (see\n",
|
|
" references)\n",
|
|
" references:\n",
|
|
" - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html\n",
|
|
" - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121\n",
|
|
" - http://pastebin.com/FtygZ1cg\n",
|
|
" - https://artkond.com/2017/03/23/pivoting-guide/\n",
|
|
" author: Florian Roth\n",
|
|
" date: 2017/08/21\n",
|
|
" modified: 2019/02/05\n",
|
|
" logsource:\n",
|
|
" product: linux\n",
|
|
" service: null\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" keywords:\n",
|
|
" - wget * - http* | perl\n",
|
|
" - wget * - http* | sh\n",
|
|
" - wget * - http* | bash\n",
|
|
" - python -m SimpleHTTPServer\n",
|
|
" - -m http.server\n",
|
|
" - import pty; pty.spawn*\n",
|
|
" - socat exec:*\n",
|
|
" - socat -O /tmp/*\n",
|
|
" - socat tcp-connect*\n",
|
|
" - '*echo binary >>*'\n",
|
|
" - '*wget *; chmod +x*'\n",
|
|
" - '*wget *; chmod 777 *'\n",
|
|
" - '*cd /tmp || cd /var/run || cd /mnt*'\n",
|
|
" - '*stop;service iptables stop;*'\n",
|
|
" - '*stop;SuSEfirewall2 stop;*'\n",
|
|
" - chmod 777 2020*\n",
|
|
" - '*>>/etc/rc.local'\n",
|
|
" - '*base64 -d /tmp/*'\n",
|
|
" - '* | base64 -d *'\n",
|
|
" - '*/chmod u+s *'\n",
|
|
" - '*chmod +s /tmp/*'\n",
|
|
" - '*chmod u+s /tmp/*'\n",
|
|
" - '* /tmp/haxhax*'\n",
|
|
" - '* /tmp/ns_sploit*'\n",
|
|
" - nc -l -p *\n",
|
|
" - cp /bin/ksh *\n",
|
|
" - cp /bin/sh *\n",
|
|
" - '* /tmp/*.b64 *'\n",
|
|
" - '*/tmp/ysocereal.jar*'\n",
|
|
" - '*/tmp/x *'\n",
|
|
" - '*; chmod +x /tmp/*'\n",
|
|
" - '*;chmod +x /tmp/*'\n",
|
|
" condition: keywords\n",
|
|
" falsepositives:\n",
|
|
" - Unknown\n",
|
|
" level: high\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='\\*.keyword:(*wget\\ *\\ \\-\\ http*\\ |\\ perl* OR *wget\\ *\\ \\-\\ http*\\ |\\ sh* OR *wget\\ *\\ \\-\\ http*\\ |\\ bash* OR *python\\ \\-m\\ SimpleHTTPServer* OR *\\-m\\ http.server* OR *import\\ pty;\\ pty.spawn* OR *socat\\ exec\\:* OR *socat\\ \\-O\\ \\/tmp\\/* OR *socat\\ tcp\\-connect* OR *echo\\ binary\\ * OR *wget\\ *;\\ chmod\\ \\+x* OR *wget\\ *;\\ chmod\\ 777\\ * OR *cd\\ \\/tmp\\ \\||\\ cd\\ \\/var\\/run\\ \\||\\ cd\\ \\/mnt* OR *stop;service\\ iptables\\ stop;* OR *stop;SuSEfirewall2\\ stop;* OR *chmod\\ 777\\ 2020* OR *\\/etc\\/rc.local* OR *base64\\ \\-d\\ \\/tmp\\/* OR *\\ |\\ base64\\ \\-d\\ * OR *\\/chmod\\ u\\+s\\ * OR *chmod\\ \\+s\\ \\/tmp\\/* OR *chmod\\ u\\+s\\ \\/tmp\\/* OR *\\ \\/tmp\\/haxhax* OR *\\ \\/tmp\\/ns_sploit* OR *nc\\ \\-l\\ \\-p\\ * OR *cp\\ \\/bin\\/ksh\\ * OR *cp\\ \\/bin\\/sh\\ * OR *\\ \\/tmp\\/*.b64\\ * OR *\\/tmp\\/ysocereal.jar* OR *\\/tmp\\/x\\ * OR *;\\ chmod\\ \\+x\\ \\/tmp\\/* OR *;chmod\\ \\+x\\ \\/tmp\\/*)')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|