HELK/docker/helk-jupyter/notebooks/sigma/win_lm_namedpipe.ipynb

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# First time seen remote named pipe\n",
"This detection excludes known named pipes that are accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: First time seen remote named pipe\n",
"  id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad\n",
"  description: This detection excludes known named pipes accessible remotely and\n",
"    notifies on newly observed ones, may help to detect lateral movement and remote\n",
"    exec using named pipes\n",
"  author: Samir Bousseaden\n",
"  references:\n",
"  - https://twitter.com/menasec1/status/1104489274387451904\n",
"  tags:\n",
"  - attack.lateral_movement\n",
"  - attack.t1077\n",
"  logsource:\n",
"    product: windows\n",
"    service: security\n",
"    description: The advanced audit policy setting \"Object Access > Audit Detailed\n",
"      File Share\" must be configured for Success/Failure\n",
"    category: null\n",
"  detection:\n",
"    selection1:\n",
"      EventID: 5145\n",
"      ShareName: \\\\*\\IPC$\n",
"    selection2:\n",
"      EventID: 5145\n",
"      ShareName: \\\\*\\IPC$\n",
"      RelativeTargetName:\n",
"      - atsvc\n",
"      - samr\n",
"      - lsarpc\n",
"      - winreg\n",
"      - netlogon\n",
"      - srvsvc\n",
"      - protected_storage\n",
"      - wkssvc\n",
"      - browser\n",
"      - netdfs\n",
"    condition: selection1 and not selection2\n",
"  falsepositives:\n",
"  - update the excluded named pipe to filter out any newly observed legit named pipe\n",
"  level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='((event_id:\"5145\" AND share_name.keyword:\\\\*\\\\IPC$) AND (NOT (event_id:\"5145\" AND share_name.keyword:\\\\*\\\\IPC$ AND share_relative_target_name:(\"atsvc\" OR \"samr\" OR \"lsarpc\" OR \"winreg\" OR \"netlogon\" OR \"srvsvc\" OR \"protected_storage\" OR \"wkssvc\" OR \"browser\" OR \"netdfs\"))))')\n",
"response = s.execute()\n",
"if response.success():\n",
"    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}