mirror of https://github.com/infosecn1nja/HELK.git
140 lines
3.6 KiB
Plaintext
140 lines
3.6 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Suspicious Scripting in a WMI Consumer\n",
|
|
"Detects suspicious scripting in WMI Event Consumers"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Suspicious Scripting in a WMI Consumer\n",
|
|
" id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0\n",
|
|
" status: experimental\n",
|
|
" description: Detects suspicious scripting in WMI Event Consumers\n",
|
|
" author: Florian Roth\n",
|
|
" references:\n",
|
|
" - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\n",
|
|
" - https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19\n",
|
|
" date: 2019/04/15\n",
|
|
" tags:\n",
|
|
" - attack.t1086\n",
|
|
" - attack.execution\n",
|
|
" logsource:\n",
|
|
" product: windows\n",
|
|
" service: sysmon\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" selection:\n",
|
|
" EventID: 20\n",
|
|
" Destination:\n",
|
|
" - '*new-object system.net.webclient).downloadstring(*'\n",
|
|
" - '*new-object system.net.webclient).downloadfile(*'\n",
|
|
" - '*new-object net.webclient).downloadstring(*'\n",
|
|
" - '*new-object net.webclient).downloadfile(*'\n",
|
|
" - '* iex(*'\n",
|
|
" - '*WScript.shell*'\n",
|
|
" - '* -nop *'\n",
|
|
" - '* -noprofile *'\n",
|
|
" - '* -decode *'\n",
|
|
" - '* -enc *'\n",
|
|
" condition: selection\n",
|
|
" fields:\n",
|
|
" - CommandLine\n",
|
|
" - ParentCommandLine\n",
|
|
" falsepositives:\n",
|
|
" - Administrative scripts\n",
|
|
" level: high\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-endpoint-winevent-sysmon-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(event_id:\"20\" AND wmi_consumer_destination.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(* OR *\\ iex\\(* OR *WScript.shell* OR *\\ \\-nop\\ * OR *\\ \\-noprofile\\ * OR *\\ \\-decode\\ * OR *\\ \\-enc\\ *))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|