mirror of https://github.com/infosecn1nja/HELK.git
137 lines
3.7 KiB
Plaintext
137 lines
3.7 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Malware Shellcode in Verclsid Target Process\n",
|
|
"Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Malware Shellcode in Verclsid Target Process\n",
|
|
" id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1\n",
|
|
" status: experimental\n",
|
|
" description: Detects a process access to verclsid.exe that injects shellcode from\n",
|
|
" a Microsoft Office application / VBA macro\n",
|
|
" references:\n",
|
|
" - https://twitter.com/JohnLaTwC/status/837743453039534080\n",
|
|
" tags:\n",
|
|
" - attack.defense_evasion\n",
|
|
" - attack.privilege_escalation\n",
|
|
" - attack.t1055\n",
|
|
" author: John Lambert (tech), Florian Roth (rule)\n",
|
|
" date: 2017/03/04\n",
|
|
" logsource:\n",
|
|
" product: windows\n",
|
|
" service: sysmon\n",
|
|
" definition: 'Use the following config to generate the necessary Event ID 10 Process\n",
|
|
" Access events: <ProcessAccess onmatch=\"include\"><CallTrace condition=\"contains\">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess\n",
|
|
" onmatch=\"exclude\"><CallTrace condition=\"excludes\">UNKNOWN</CallTrace></ProcessAccess>'\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" selection:\n",
|
|
" EventID: 10\n",
|
|
" TargetImage: '*\\verclsid.exe'\n",
|
|
" GrantedAccess: '0x1FFFFF'\n",
|
|
" combination1:\n",
|
|
" CallTrace: '*|UNKNOWN(*VBE7.DLL*'\n",
|
|
" combination2:\n",
|
|
" SourceImage: '*\\Microsoft Office\\\\*'\n",
|
|
" CallTrace: '*|UNKNOWN*'\n",
|
|
" condition: selection and 1 of combination*\n",
|
|
" falsepositives:\n",
|
|
" - unknown\n",
|
|
" level: high\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-endpoint-winevent-sysmon-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='((event_id:\"10\" AND target_process_path.keyword:*\\\\verclsid.exe AND process_granted_access:\"0x1FFFFF\") AND (process_call_trace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (process_path.keyword:*\\\\Microsoft\\ Office\\\\* AND process_call_trace.keyword:*|UNKNOWN*)))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|