mirror of https://github.com/infosecn1nja/HELK.git
142 lines
3.5 KiB
Plaintext
142 lines
3.5 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Relevant Anti-Virus Event\n",
|
|
"This detection method points out highly relevant Antivirus events"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Relevant Anti-Virus Event\n",
|
|
" id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8\n",
|
|
" description: This detection method points out highly relevant Antivirus events\n",
|
|
" author: Florian Roth\n",
|
|
" logsource:\n",
|
|
" product: windows\n",
|
|
" service: application\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" keywords:\n",
|
|
" Message:\n",
|
|
" - '*HTool*'\n",
|
|
" - '*Hacktool*'\n",
|
|
" - '*ASP/Backdoor*'\n",
|
|
" - '*JSP/Backdoor*'\n",
|
|
" - '*PHP/Backdoor*'\n",
|
|
" - '*Backdoor.ASP*'\n",
|
|
" - '*Backdoor.JSP*'\n",
|
|
" - '*Backdoor.PHP*'\n",
|
|
" - '*Webshell*'\n",
|
|
" - '*Portscan*'\n",
|
|
" - '*Mimikatz*'\n",
|
|
" - '*WinCred*'\n",
|
|
" - '*PlugX*'\n",
|
|
" - '*Korplug*'\n",
|
|
" - '*Pwdump*'\n",
|
|
" - '*Chopper*'\n",
|
|
" - '*WmiExec*'\n",
|
|
" - '*Xscan*'\n",
|
|
" - '*Clearlog*'\n",
|
|
" - '*ASPXSpy*'\n",
|
|
" filters:\n",
|
|
" Message:\n",
|
|
" - '*Keygen*'\n",
|
|
" - '*Crack*'\n",
|
|
" condition: keywords and not 1 of filters\n",
|
|
" falsepositives:\n",
|
|
" - Some software piracy tools (key generators, cracks) are classified as hack tools\n",
|
|
" level: high\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-endpoint-winevent-application-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(Message.keyword:(*HTool* OR *Hacktool* OR *ASP\\/Backdoor* OR *JSP\\/Backdoor* OR *PHP\\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* OR *Crack*))))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|