mirror of https://github.com/infosecn1nja/HELK.git
140 lines
3.3 KiB
Plaintext
140 lines
3.3 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Hacktool Ruler\n",
|
|
"This events that are generated when using the hacktool Ruler by Sensepost"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Hacktool Ruler\n",
|
|
" id: 24549159-ac1b-479c-8175-d42aea947cae\n",
|
|
" description: This events that are generated when using the hacktool Ruler by Sensepost\n",
|
|
" author: Florian Roth\n",
|
|
" date: 2017/05/31\n",
|
|
" modified: 2019/07/26\n",
|
|
" references:\n",
|
|
" - https://github.com/sensepost/ruler\n",
|
|
" - https://github.com/sensepost/ruler/issues/47\n",
|
|
" - https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427\n",
|
|
" - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776\n",
|
|
" - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624\n",
|
|
" tags:\n",
|
|
" - attack.discovery\n",
|
|
" - attack.execution\n",
|
|
" - attack.t1087\n",
|
|
" - attack.t1075\n",
|
|
" - attack.t1114\n",
|
|
" - attack.t1059\n",
|
|
" logsource:\n",
|
|
" product: windows\n",
|
|
" service: security\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" selection1:\n",
|
|
" EventID:\n",
|
|
" - 4776\n",
|
|
" Workstation: RULER\n",
|
|
" selection2:\n",
|
|
" EventID:\n",
|
|
" - 4624\n",
|
|
" - 4625\n",
|
|
" WorkstationName: RULER\n",
|
|
" condition: (1 of selection*)\n",
|
|
" falsepositives:\n",
|
|
" - Go utilities that use staaldraad awesome NTLM library\n",
|
|
" level: high\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(src_host_name:\"RULER\" AND (event_id:(\"4776\") OR event_id:(\"4624\" OR \"4625\")))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|