infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/sysmon_cmstp_execution.ipynb

158 lines
3.8 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# CMSTP Execution\n",
"Detects various indicators of Microsoft Connection Manager Profile Installer execution"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: CMSTP Execution\n",
" id: 9d26fede-b526-4413-b069-6e24b6d07167\n",
" status: stable\n",
" description: Detects various indicators of Microsoft Connection Manager Profile\n",
" Installer execution\n",
" tags:\n",
" - attack.defense_evasion\n",
" - attack.execution\n",
" - attack.t1191\n",
" - attack.g0069\n",
" - car.2019-04-001\n",
" author: Nik Seetharaman\n",
" references:\n",
" - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\n",
" detection:\n",
" condition: 1 of them\n",
" fields:\n",
" - CommandLine\n",
" - ParentCommandLine\n",
" - Details\n",
" falsepositives:\n",
" - Legitimate CMSTP use (unlikely in modern enterprise environments)\n",
" level: high\n",
"- logsource:\n",
" product: windows\n",
" service: sysmon\n",
" detection:\n",
" selection2:\n",
" EventID: 12\n",
" TargetObject: '*\\cmmgr32.exe*'\n",
" selection3:\n",
" EventID: 13\n",
" TargetObject: '*\\cmmgr32.exe*'\n",
" selection4:\n",
" EventID: 10\n",
" CallTrace: '*cmlua.dll*'\n",
"- logsource:\n",
" category: process_creation\n",
" product: windows\n",
" detection:\n",
" selection1:\n",
" ParentImage: '*\\cmstp.exe'\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='((event_id:\"12\" AND registry_key_path.keyword:*\\\\cmmgr32.exe*) OR (event_id:\"13\" AND registry_key_path.keyword:*\\\\cmmgr32.exe*) OR (event_id:\"10\" AND process_call_trace.keyword:*cmlua.dll*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_parent_path.keyword:*\\\\cmstp.exe')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink