HELK/docker/helk-jupyter/notebooks/sigma/win_alert_enable_weak_encry...

137 lines
3.3 KiB
Plaintext

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Weak Encryption Enabled and Kerberoast\n",
"Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Weak Encryption Enabled and Kerberoast\n",
" id: f6de9536-0441-4b3f-a646-f4e00f300ffd\n",
" description: Detects scenario where weak encryption is enabled for a user profile\n",
" which could be used for hash/password cracking.\n",
" references:\n",
" - https://adsecurity.org/?p=2053\n",
" - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/\n",
" author: '@neu5ron'\n",
" tags:\n",
" - attack.defense_evasion\n",
" - attack.t1089\n",
" logsource:\n",
" product: windows\n",
" service: security\n",
" definition: 'Requirements: Audit Policy : Account Management > Audit User Account\n",
" Management, Group Policy : Computer Configuration\\Windows Settings\\Security\n",
" Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit\n",
" User Account Management'\n",
" category: null\n",
" detection:\n",
" selection:\n",
" EventID: 4738\n",
" keywords:\n",
" Message:\n",
" - '*DES*'\n",
" - '*Preauth*'\n",
" - '*Encrypted*'\n",
" filters:\n",
" Message:\n",
" - '*Enabled*'\n",
" condition: selection and keywords and filters\n",
" falsepositives:\n",
" - Unknown\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(event_id:\"4738\" AND Message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND Message.keyword:(*Enabled*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}