infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/powershell_malicious_comman...

224 lines
8.7 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Malicious PowerShell Commandlets\n",
"Detects Commandlet names from well-known PowerShell exploitation frameworks"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Malicious PowerShell Commandlets\n",
" id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n",
" status: experimental\n",
" description: Detects Commandlet names from well-known PowerShell exploitation frameworks\n",
" modified: 2019/01/22\n",
" references:\n",
" - https://adsecurity.org/?p=2921\n",
" tags:\n",
" - attack.execution\n",
" - attack.t1086\n",
" author: Sean Metcalf (source), Florian Roth (rule)\n",
" logsource:\n",
" product: windows\n",
" service: powershell\n",
" definition: It is recommended to use the new \"Script Block Logging\" of PowerShell\n",
" v5 https://adsecurity.org/?p=2277\n",
" category: null\n",
" detection:\n",
" keywords:\n",
" Message:\n",
" - '*Invoke-DllInjection*'\n",
" - '*Invoke-Shellcode*'\n",
" - '*Invoke-WmiCommand*'\n",
" - '*Get-GPPPassword*'\n",
" - '*Get-Keystrokes*'\n",
" - '*Get-TimedScreenshot*'\n",
" - '*Get-VaultCredential*'\n",
" - '*Invoke-CredentialInjection*'\n",
" - '*Invoke-Mimikatz*'\n",
" - '*Invoke-NinjaCopy*'\n",
" - '*Invoke-TokenManipulation*'\n",
" - '*Out-Minidump*'\n",
" - '*VolumeShadowCopyTools*'\n",
" - '*Invoke-ReflectivePEInjection*'\n",
" - '*Invoke-UserHunter*'\n",
" - '*Find-GPOLocation*'\n",
" - '*Invoke-ACLScanner*'\n",
" - '*Invoke-DowngradeAccount*'\n",
" - '*Get-ServiceUnquoted*'\n",
" - '*Get-ServiceFilePermission*'\n",
" - '*Get-ServicePermission*'\n",
" - '*Invoke-ServiceAbuse*'\n",
" - '*Install-ServiceBinary*'\n",
" - '*Get-RegAutoLogon*'\n",
" - '*Get-VulnAutoRun*'\n",
" - '*Get-VulnSchTask*'\n",
" - '*Get-UnattendedInstallFile*'\n",
" - '*Get-ApplicationHost*'\n",
" - '*Get-RegAlwaysInstallElevated*'\n",
" - '*Get-Unconstrained*'\n",
" - '*Add-RegBackdoor*'\n",
" - '*Add-ScrnSaveBackdoor*'\n",
" - '*Gupt-Backdoor*'\n",
" - '*Invoke-ADSBackdoor*'\n",
" - '*Enabled-DuplicateToken*'\n",
" - '*Invoke-PsUaCme*'\n",
" - '*Remove-Update*'\n",
" - '*Check-VM*'\n",
" - '*Get-LSASecret*'\n",
" - '*Get-PassHashes*'\n",
" - '*Show-TargetScreen*'\n",
" - '*Port-Scan*'\n",
" - '*Invoke-PoshRatHttp*'\n",
" - '*Invoke-PowerShellTCP*'\n",
" - '*Invoke-PowerShellWMI*'\n",
" - '*Add-Exfiltration*'\n",
" - '*Add-Persistence*'\n",
" - '*Do-Exfiltration*'\n",
" - '*Start-CaptureServer*'\n",
" - '*Get-ChromeDump*'\n",
" - '*Get-ClipboardContents*'\n",
" - '*Get-FoxDump*'\n",
" - '*Get-IndexedItem*'\n",
" - '*Get-Screenshot*'\n",
" - '*Invoke-Inveigh*'\n",
" - '*Invoke-NetRipper*'\n",
" - '*Invoke-EgressCheck*'\n",
" - '*Invoke-PostExfil*'\n",
" - '*Invoke-PSInject*'\n",
" - '*Invoke-RunAs*'\n",
" - '*MailRaider*'\n",
" - '*New-HoneyHash*'\n",
" - '*Set-MacAttribute*'\n",
" - '*Invoke-DCSync*'\n",
" - '*Invoke-PowerDump*'\n",
" - '*Exploit-Jboss*'\n",
" - '*Invoke-ThunderStruck*'\n",
" - '*Invoke-VoiceTroll*'\n",
" - '*Set-Wallpaper*'\n",
" - '*Invoke-InveighRelay*'\n",
" - '*Invoke-PsExec*'\n",
" - '*Invoke-SSHCommand*'\n",
" - '*Get-SecurityPackages*'\n",
" - '*Install-SSP*'\n",
" - '*Invoke-BackdoorLNK*'\n",
" - '*PowerBreach*'\n",
" - '*Get-SiteListPassword*'\n",
" - '*Get-System*'\n",
" - '*Invoke-BypassUAC*'\n",
" - '*Invoke-Tater*'\n",
" - '*Invoke-WScriptBypassUAC*'\n",
" - '*PowerUp*'\n",
" - '*PowerView*'\n",
" - '*Get-RickAstley*'\n",
" - '*Find-Fruit*'\n",
" - '*HTTP-Login*'\n",
" - '*Find-TrustedDocuments*'\n",
" - '*Invoke-Paranoia*'\n",
" - '*Invoke-WinEnum*'\n",
" - '*Invoke-ARPScan*'\n",
" - '*Invoke-PortScan*'\n",
" - '*Invoke-ReverseDNSLookup*'\n",
" - '*Invoke-SMBScanner*'\n",
" - '*Invoke-Mimikittenz*'\n",
" - '*Invoke-AllChecks*'\n",
" false_positives:\n",
" - Get-SystemDriveInfo\n",
" condition: keywords and not false_positives\n",
" falsepositives:\n",
" - Penetration testing\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(Message.keyword:(*Invoke\\-DllInjection* OR *Invoke\\-Shellcode* OR *Invoke\\-WmiCommand* OR *Get\\-GPPPassword* OR *Get\\-Keystrokes* OR *Get\\-TimedScreenshot* OR *Get\\-VaultCredential* OR *Invoke\\-CredentialInjection* OR *Invoke\\-Mimikatz* OR *Invoke\\-NinjaCopy* OR *Invoke\\-TokenManipulation* OR *Out\\-Minidump* OR *VolumeShadowCopyTools* OR *Invoke\\-ReflectivePEInjection* OR *Invoke\\-UserHunter* OR *Find\\-GPOLocation* OR *Invoke\\-ACLScanner* OR *Invoke\\-DowngradeAccount* OR *Get\\-ServiceUnquoted* OR *Get\\-ServiceFilePermission* OR *Get\\-ServicePermission* OR *Invoke\\-ServiceAbuse* OR *Install\\-ServiceBinary* OR *Get\\-RegAutoLogon* OR *Get\\-VulnAutoRun* OR *Get\\-VulnSchTask* OR *Get\\-UnattendedInstallFile* OR *Get\\-ApplicationHost* OR *Get\\-RegAlwaysInstallElevated* OR *Get\\-Unconstrained* OR *Add\\-RegBackdoor* OR *Add\\-ScrnSaveBackdoor* OR *Gupt\\-Backdoor* OR *Invoke\\-ADSBackdoor* OR *Enabled\\-DuplicateToken* OR *Invoke\\-PsUaCme* OR *Remove\\-Update* OR *Check\\-VM* OR *Get\\-LSASecret* OR *Get\\-PassHashes* OR *Show\\-TargetScreen* OR *Port\\-Scan* OR *Invoke\\-PoshRatHttp* OR *Invoke\\-PowerShellTCP* OR *Invoke\\-PowerShellWMI* OR *Add\\-Exfiltration* OR *Add\\-Persistence* OR *Do\\-Exfiltration* OR *Start\\-CaptureServer* OR *Get\\-ChromeDump* OR *Get\\-ClipboardContents* OR *Get\\-FoxDump* OR *Get\\-IndexedItem* OR *Get\\-Screenshot* OR *Invoke\\-Inveigh* OR *Invoke\\-NetRipper* OR *Invoke\\-EgressCheck* OR *Invoke\\-PostExfil* OR *Invoke\\-PSInject* OR *Invoke\\-RunAs* OR *MailRaider* OR *New\\-HoneyHash* OR *Set\\-MacAttribute* OR *Invoke\\-DCSync* OR *Invoke\\-PowerDump* OR *Exploit\\-Jboss* OR *Invoke\\-ThunderStruck* OR *Invoke\\-VoiceTroll* OR *Set\\-Wallpaper* OR *Invoke\\-InveighRelay* OR *Invoke\\-PsExec* OR *Invoke\\-SSHCommand* OR *Get\\-SecurityPackages* OR *Install\\-SSP* OR *Invoke\\-BackdoorLNK* OR *PowerBreach* OR *Get\\-SiteListPassword* OR *Get\\-System* OR *Invoke\\-BypassUAC* OR *Invoke\\-Tater* OR *Invoke\\-WScriptBypassUAC* OR *PowerUp* OR *PowerView* OR *Get\\-RickAstley* OR *Find\\-Fruit* OR *HTTP\\-Login* OR *Find\\-TrustedDocuments* OR *Invoke\\-Paranoia* OR *Invoke\\-WinEnum* OR *Invoke\\-ARPScan* OR *Invoke\\-PortScan* OR *Invoke\\-ReverseDNSLookup* OR *Invoke\\-SMBScanner* OR *Invoke\\-Mimikittenz* OR *Invoke\\-AllChecks*) AND (NOT \\*.keyword:(*Get\\-SystemDriveInfo*)))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink