mirror of https://github.com/infosecn1nja/HELK.git
143 lines
3.7 KiB
Plaintext
143 lines
3.7 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Bloodhound and Sharphound Hack Tool\n",
|
|
"Detects command line parameters used by Bloodhound and Sharphound hack tools"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Bloodhound and Sharphound Hack Tool\n",
|
|
" id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962\n",
|
|
" description: Detects command line parameters used by Bloodhound and Sharphound hack\n",
|
|
" tools\n",
|
|
" author: Florian Roth\n",
|
|
" references:\n",
|
|
" - https://github.com/BloodHoundAD/BloodHound\n",
|
|
" - https://github.com/BloodHoundAD/SharpHound\n",
|
|
" date: 2019/12/20\n",
|
|
" modified: 2019/12/21\n",
|
|
" tags:\n",
|
|
" - attack.discovery\n",
|
|
" - attack.t1087\n",
|
|
" logsource:\n",
|
|
" category: process_creation\n",
|
|
" product: windows\n",
|
|
" service: null\n",
|
|
" detection:\n",
|
|
" selection1:\n",
|
|
" Image|contains:\n",
|
|
" - \\Bloodhound.exe\n",
|
|
" - \\SharpHound.exe\n",
|
|
" selection2:\n",
|
|
" CommandLine|contains:\n",
|
|
" - ' -CollectionMethod All '\n",
|
|
" - '.exe -c All -d '\n",
|
|
" - Invoke-Bloodhound\n",
|
|
" - Get-BloodHoundData\n",
|
|
" selection3:\n",
|
|
" CommandLine|contains|all:\n",
|
|
" - ' -JsonFolder '\n",
|
|
" - ' -ZipFileName '\n",
|
|
" selection4:\n",
|
|
" CommandLine|contains|all:\n",
|
|
" - ' DCOnly '\n",
|
|
" - ' --NoSaveCache '\n",
|
|
" condition: 1 of them\n",
|
|
" falsepositives:\n",
|
|
" - Other programs that use these command line option and accepts an 'All' parameter\n",
|
|
" level: high\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(process_path.keyword:(*\\\\Bloodhound.exe* OR *\\\\SharpHound.exe*) OR process_command_line.keyword:(*\\ \\-CollectionMethod\\ All\\ * OR *.exe\\ \\-c\\ All\\ \\-d\\ * OR *Invoke\\-Bloodhound* OR *Get\\-BloodHoundData*) OR (process_command_line.keyword:*\\ \\-JsonFolder\\ * AND process_command_line.keyword:*\\ \\-ZipFileName\\ *) OR (process_command_line.keyword:*\\ DCOnly\\ * AND process_command_line.keyword:*\\ \\-\\-NoSaveCache\\ *))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|