infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/win_bypass_squiblytwo.ipynb

140 lines
3.5 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# SquiblyTwo\n",
"Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: SquiblyTwo\n",
" id: 8d63dadf-b91b-4187-87b6-34a1114577ea\n",
" status: experimental\n",
" description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking\n",
" for imphash\n",
" references:\n",
" - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\n",
" - https://twitter.com/mattifestation/status/986280382042595328\n",
" tags:\n",
" - attack.defense_evasion\n",
" - attack.t1047\n",
" author: Markus Neis / Florian Roth\n",
" falsepositives:\n",
" - Unknown\n",
" level: medium\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection1:\n",
" Image:\n",
" - '*\\wmic.exe'\n",
" CommandLine:\n",
" - wmic * *format:\\\"http*\n",
" - wmic * /format:'http\n",
" - wmic * /format:http*\n",
" selection2:\n",
" Imphash:\n",
" - 1B1A3F43BF37B5BFE60751F2EE2F326E\n",
" - 37777A96245A3C74EB217308F3546F4C\n",
" - 9D87C9D67CE724033C0B40CC4CA1B206\n",
" CommandLine:\n",
" - '* *format:\\\"http*'\n",
" - '* /format:''http'\n",
" - '* /format:http*'\n",
" condition: 1 of them\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='((process_path.keyword:(*\\\\wmic.exe) AND process_command_line.keyword:(wmic\\ *\\ *format\\:\\\\\\\"http* OR wmic\\ *\\ \\/format\\:'http OR wmic\\ *\\ \\/format\\:http*)) OR (hash_imphash:(\"1B1A3F43BF37B5BFE60751F2EE2F326E\" OR \"37777A96245A3C74EB217308F3546F4C\" OR \"9D87C9D67CE724033C0B40CC4CA1B206\") AND process_command_line.keyword:(*\\ *format\\:\\\\\\\"http* OR *\\ \\/format\\:'http OR *\\ \\/format\\:http*)))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink