mirror of https://github.com/infosecn1nja/HELK.git
221 lines
9.7 KiB
Plaintext
221 lines
9.7 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Malicious PowerShell Commandlet Names\n",
|
|
"Detects the creation of known powershell scripts for exploitation"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Malicious PowerShell Commandlet Names\n",
|
|
" id: f331aa1f-8c53-4fc3-b083-cc159bc971cb\n",
|
|
" status: experimental\n",
|
|
" description: Detects the creation of known powershell scripts for exploitation\n",
|
|
" references:\n",
|
|
" - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml\n",
|
|
" tags:\n",
|
|
" - attack.execution\n",
|
|
" - attack.t1086\n",
|
|
" author: Markus Neis\n",
|
|
" date: 2018/04/07\n",
|
|
" logsource:\n",
|
|
" product: windows\n",
|
|
" service: sysmon\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" selection:\n",
|
|
" EventID: 11\n",
|
|
" TargetFilename:\n",
|
|
" - '*\\Invoke-DllInjection.ps1'\n",
|
|
" - '*\\Invoke-WmiCommand.ps1'\n",
|
|
" - '*\\Get-GPPPassword.ps1'\n",
|
|
" - '*\\Get-Keystrokes.ps1'\n",
|
|
" - '*\\Get-VaultCredential.ps1'\n",
|
|
" - '*\\Invoke-CredentialInjection.ps1'\n",
|
|
" - '*\\Invoke-Mimikatz.ps1'\n",
|
|
" - '*\\Invoke-NinjaCopy.ps1'\n",
|
|
" - '*\\Invoke-TokenManipulation.ps1'\n",
|
|
" - '*\\Out-Minidump.ps1'\n",
|
|
" - '*\\VolumeShadowCopyTools.ps1'\n",
|
|
" - '*\\Invoke-ReflectivePEInjection.ps1'\n",
|
|
" - '*\\Get-TimedScreenshot.ps1'\n",
|
|
" - '*\\Invoke-UserHunter.ps1'\n",
|
|
" - '*\\Find-GPOLocation.ps1'\n",
|
|
" - '*\\Invoke-ACLScanner.ps1'\n",
|
|
" - '*\\Invoke-DowngradeAccount.ps1'\n",
|
|
" - '*\\Get-ServiceUnquoted.ps1'\n",
|
|
" - '*\\Get-ServiceFilePermission.ps1'\n",
|
|
" - '*\\Get-ServicePermission.ps1'\n",
|
|
" - '*\\Invoke-ServiceAbuse.ps1'\n",
|
|
" - '*\\Install-ServiceBinary.ps1'\n",
|
|
" - '*\\Get-RegAutoLogon.ps1'\n",
|
|
" - '*\\Get-VulnAutoRun.ps1'\n",
|
|
" - '*\\Get-VulnSchTask.ps1'\n",
|
|
" - '*\\Get-UnattendedInstallFile.ps1'\n",
|
|
" - '*\\Get-WebConfig.ps1'\n",
|
|
" - '*\\Get-ApplicationHost.ps1'\n",
|
|
" - '*\\Get-RegAlwaysInstallElevated.ps1'\n",
|
|
" - '*\\Get-Unconstrained.ps1'\n",
|
|
" - '*\\Add-RegBackdoor.ps1'\n",
|
|
" - '*\\Add-ScrnSaveBackdoor.ps1'\n",
|
|
" - '*\\Gupt-Backdoor.ps1'\n",
|
|
" - '*\\Invoke-ADSBackdoor.ps1'\n",
|
|
" - '*\\Enabled-DuplicateToken.ps1'\n",
|
|
" - '*\\Invoke-PsUaCme.ps1'\n",
|
|
" - '*\\Remove-Update.ps1'\n",
|
|
" - '*\\Check-VM.ps1'\n",
|
|
" - '*\\Get-LSASecret.ps1'\n",
|
|
" - '*\\Get-PassHashes.ps1'\n",
|
|
" - '*\\Show-TargetScreen.ps1'\n",
|
|
" - '*\\Port-Scan.ps1'\n",
|
|
" - '*\\Invoke-PoshRatHttp.ps1'\n",
|
|
" - '*\\Invoke-PowerShellTCP.ps1'\n",
|
|
" - '*\\Invoke-PowerShellWMI.ps1'\n",
|
|
" - '*\\Add-Exfiltration.ps1'\n",
|
|
" - '*\\Add-Persistence.ps1'\n",
|
|
" - '*\\Do-Exfiltration.ps1'\n",
|
|
" - '*\\Start-CaptureServer.ps1'\n",
|
|
" - '*\\Invoke-ShellCode.ps1'\n",
|
|
" - '*\\Get-ChromeDump.ps1'\n",
|
|
" - '*\\Get-ClipboardContents.ps1'\n",
|
|
" - '*\\Get-FoxDump.ps1'\n",
|
|
" - '*\\Get-IndexedItem.ps1'\n",
|
|
" - '*\\Get-Screenshot.ps1'\n",
|
|
" - '*\\Invoke-Inveigh.ps1'\n",
|
|
" - '*\\Invoke-NetRipper.ps1'\n",
|
|
" - '*\\Invoke-EgressCheck.ps1'\n",
|
|
" - '*\\Invoke-PostExfil.ps1'\n",
|
|
" - '*\\Invoke-PSInject.ps1'\n",
|
|
" - '*\\Invoke-RunAs.ps1'\n",
|
|
" - '*\\MailRaider.ps1'\n",
|
|
" - '*\\New-HoneyHash.ps1'\n",
|
|
" - '*\\Set-MacAttribute.ps1'\n",
|
|
" - '*\\Invoke-DCSync.ps1'\n",
|
|
" - '*\\Invoke-PowerDump.ps1'\n",
|
|
" - '*\\Exploit-Jboss.ps1'\n",
|
|
" - '*\\Invoke-ThunderStruck.ps1'\n",
|
|
" - '*\\Invoke-VoiceTroll.ps1'\n",
|
|
" - '*\\Set-Wallpaper.ps1'\n",
|
|
" - '*\\Invoke-InveighRelay.ps1'\n",
|
|
" - '*\\Invoke-PsExec.ps1'\n",
|
|
" - '*\\Invoke-SSHCommand.ps1'\n",
|
|
" - '*\\Get-SecurityPackages.ps1'\n",
|
|
" - '*\\Install-SSP.ps1'\n",
|
|
" - '*\\Invoke-BackdoorLNK.ps1'\n",
|
|
" - '*\\PowerBreach.ps1'\n",
|
|
" - '*\\Get-SiteListPassword.ps1'\n",
|
|
" - '*\\Get-System.ps1'\n",
|
|
" - '*\\Invoke-BypassUAC.ps1'\n",
|
|
" - '*\\Invoke-Tater.ps1'\n",
|
|
" - '*\\Invoke-WScriptBypassUAC.ps1'\n",
|
|
" - '*\\PowerUp.ps1'\n",
|
|
" - '*\\PowerView.ps1'\n",
|
|
" - '*\\Get-RickAstley.ps1'\n",
|
|
" - '*\\Find-Fruit.ps1'\n",
|
|
" - '*\\HTTP-Login.ps1'\n",
|
|
" - '*\\Find-TrustedDocuments.ps1'\n",
|
|
" - '*\\Invoke-Paranoia.ps1'\n",
|
|
" - '*\\Invoke-WinEnum.ps1'\n",
|
|
" - '*\\Invoke-ARPScan.ps1'\n",
|
|
" - '*\\Invoke-PortScan.ps1'\n",
|
|
" - '*\\Invoke-ReverseDNSLookup.ps1'\n",
|
|
" - '*\\Invoke-SMBScanner.ps1'\n",
|
|
" - '*\\Invoke-Mimikittenz.ps1'\n",
|
|
" condition: selection\n",
|
|
" falsepositives:\n",
|
|
" - Penetration Tests\n",
|
|
" level: high\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-endpoint-winevent-sysmon-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(event_id:\"11\" AND file_name.keyword:(*\\\\Invoke\\-DllInjection.ps1 OR *\\\\Invoke\\-WmiCommand.ps1 OR *\\\\Get\\-GPPPassword.ps1 OR *\\\\Get\\-Keystrokes.ps1 OR *\\\\Get\\-VaultCredential.ps1 OR *\\\\Invoke\\-CredentialInjection.ps1 OR *\\\\Invoke\\-Mimikatz.ps1 OR *\\\\Invoke\\-NinjaCopy.ps1 OR *\\\\Invoke\\-TokenManipulation.ps1 OR *\\\\Out\\-Minidump.ps1 OR *\\\\VolumeShadowCopyTools.ps1 OR *\\\\Invoke\\-ReflectivePEInjection.ps1 OR *\\\\Get\\-TimedScreenshot.ps1 OR *\\\\Invoke\\-UserHunter.ps1 OR *\\\\Find\\-GPOLocation.ps1 OR *\\\\Invoke\\-ACLScanner.ps1 OR *\\\\Invoke\\-DowngradeAccount.ps1 OR *\\\\Get\\-ServiceUnquoted.ps1 OR *\\\\Get\\-ServiceFilePermission.ps1 OR *\\\\Get\\-ServicePermission.ps1 OR *\\\\Invoke\\-ServiceAbuse.ps1 OR *\\\\Install\\-ServiceBinary.ps1 OR *\\\\Get\\-RegAutoLogon.ps1 OR *\\\\Get\\-VulnAutoRun.ps1 OR *\\\\Get\\-VulnSchTask.ps1 OR *\\\\Get\\-UnattendedInstallFile.ps1 OR *\\\\Get\\-WebConfig.ps1 OR *\\\\Get\\-ApplicationHost.ps1 OR *\\\\Get\\-RegAlwaysInstallElevated.ps1 OR *\\\\Get\\-Unconstrained.ps1 OR *\\\\Add\\-RegBackdoor.ps1 OR *\\\\Add\\-ScrnSaveBackdoor.ps1 OR *\\\\Gupt\\-Backdoor.ps1 OR *\\\\Invoke\\-ADSBackdoor.ps1 OR *\\\\Enabled\\-DuplicateToken.ps1 OR *\\\\Invoke\\-PsUaCme.ps1 OR *\\\\Remove\\-Update.ps1 OR *\\\\Check\\-VM.ps1 OR *\\\\Get\\-LSASecret.ps1 OR *\\\\Get\\-PassHashes.ps1 OR *\\\\Show\\-TargetScreen.ps1 OR *\\\\Port\\-Scan.ps1 OR *\\\\Invoke\\-PoshRatHttp.ps1 OR *\\\\Invoke\\-PowerShellTCP.ps1 OR *\\\\Invoke\\-PowerShellWMI.ps1 OR *\\\\Add\\-Exfiltration.ps1 OR *\\\\Add\\-Persistence.ps1 OR *\\\\Do\\-Exfiltration.ps1 OR *\\\\Start\\-CaptureServer.ps1 OR *\\\\Invoke\\-ShellCode.ps1 OR *\\\\Get\\-ChromeDump.ps1 OR *\\\\Get\\-ClipboardContents.ps1 OR *\\\\Get\\-FoxDump.ps1 OR *\\\\Get\\-IndexedItem.ps1 OR *\\\\Get\\-Screenshot.ps1 OR *\\\\Invoke\\-Inveigh.ps1 OR *\\\\Invoke\\-NetRipper.ps1 OR *\\\\Invoke\\-EgressCheck.ps1 OR *\\\\Invoke\\-PostExfil.ps1 OR *\\\\Invoke\\-PSInject.ps1 OR *\\\\Invoke\\-RunAs.ps1 OR *\\\\MailRaider.ps1 OR *\\\\New\\-HoneyHash.ps1 OR *\\\\Set\\-MacAttribute.ps1 OR *\\\\Invoke\\-DCSync.ps1 OR *\\\\Invoke\\-PowerDump.ps1 OR *\\\\Exploit\\-Jboss.ps1 OR *\\\\Invoke\\-ThunderStruck.ps1 OR *\\\\Invoke\\-VoiceTroll.ps1 OR *\\\\Set\\-Wallpaper.ps1 OR *\\\\Invoke\\-InveighRelay.ps1 OR *\\\\Invoke\\-PsExec.ps1 OR *\\\\Invoke\\-SSHCommand.ps1 OR *\\\\Get\\-SecurityPackages.ps1 OR *\\\\Install\\-SSP.ps1 OR *\\\\Invoke\\-BackdoorLNK.ps1 OR *\\\\PowerBreach.ps1 OR *\\\\Get\\-SiteListPassword.ps1 OR *\\\\Get\\-System.ps1 OR *\\\\Invoke\\-BypassUAC.ps1 OR *\\\\Invoke\\-Tater.ps1 OR *\\\\Invoke\\-WScriptBypassUAC.ps1 OR *\\\\PowerUp.ps1 OR *\\\\PowerView.ps1 OR *\\\\Get\\-RickAstley.ps1 OR *\\\\Find\\-Fruit.ps1 OR *\\\\HTTP\\-Login.ps1 OR *\\\\Find\\-TrustedDocuments.ps1 OR *\\\\Invoke\\-Paranoia.ps1 OR *\\\\Invoke\\-WinEnum.ps1 OR *\\\\Invoke\\-ARPScan.ps1 OR *\\\\Invoke\\-PortScan.ps1 OR *\\\\Invoke\\-ReverseDNSLookup.ps1 OR *\\\\Invoke\\-SMBScanner.ps1 OR *\\\\Invoke\\-Mimikittenz.ps1))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|