mirror of https://github.com/infosecn1nja/HELK.git
164 lines
5.5 KiB
Plaintext
164 lines
5.5 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Sticky Key Like Backdoor Usage\n",
|
|
"Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- action: global\n",
|
|
" title: Sticky Key Like Backdoor Usage\n",
|
|
" id: baca5663-583c-45f9-b5dc-ea96a22ce542\n",
|
|
" description: Detects the usage and installation of a backdoor that uses an option\n",
|
|
" to register a malicious debugger for built-in tools that are accessible in the\n",
|
|
" login screen\n",
|
|
" references:\n",
|
|
" - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/\n",
|
|
" tags:\n",
|
|
" - attack.privilege_escalation\n",
|
|
" - attack.persistence\n",
|
|
" - attack.t1015\n",
|
|
" - car.2014-11-003\n",
|
|
" - car.2014-11-008\n",
|
|
" author: Florian Roth, @twjackomo\n",
|
|
" date: 2018/03/15\n",
|
|
" detection:\n",
|
|
" condition: 1 of them\n",
|
|
" falsepositives:\n",
|
|
" - Unlikely\n",
|
|
" level: critical\n",
|
|
"- logsource:\n",
|
|
" product: windows\n",
|
|
" service: sysmon\n",
|
|
" detection:\n",
|
|
" selection_registry:\n",
|
|
" EventID: 13\n",
|
|
" TargetObject:\n",
|
|
" - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger'\n",
|
|
" - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger'\n",
|
|
" - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger'\n",
|
|
" - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger'\n",
|
|
" - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger'\n",
|
|
" - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger'\n",
|
|
" EventType: SetValue\n",
|
|
"- logsource:\n",
|
|
" category: process_creation\n",
|
|
" product: windows\n",
|
|
" detection:\n",
|
|
" selection_process:\n",
|
|
" ParentImage:\n",
|
|
" - '*\\winlogon.exe'\n",
|
|
" CommandLine:\n",
|
|
" - '*cmd.exe sethc.exe *'\n",
|
|
" - '*cmd.exe utilman.exe *'\n",
|
|
" - '*cmd.exe osk.exe *'\n",
|
|
" - '*cmd.exe Magnify.exe *'\n",
|
|
" - '*cmd.exe Narrator.exe *'\n",
|
|
" - '*cmd.exe DisplaySwitch.exe *'\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(event_id:\"13\" AND registry_key_path.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\sethc.exe\\\\Debugger OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\utilman.exe\\\\Debugger OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\osk.exe\\\\Debugger OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\Magnify.exe\\\\Debugger OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\Narrator.exe\\\\Debugger OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\DisplaySwitch.exe\\\\Debugger) AND event_type:\"SetValue\")')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(process_parent_path.keyword:(*\\\\winlogon.exe) AND process_command_line.keyword:(*cmd.exe\\ sethc.exe\\ * OR *cmd.exe\\ utilman.exe\\ * OR *cmd.exe\\ osk.exe\\ * OR *cmd.exe\\ Magnify.exe\\ * OR *cmd.exe\\ Narrator.exe\\ * OR *cmd.exe\\ DisplaySwitch.exe\\ *))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|