mirror of https://github.com/infosecn1nja/HELK.git
140 lines
3.6 KiB
Plaintext
140 lines
3.6 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# NotPetya Ransomware Activity\n",
|
|
"Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: NotPetya Ransomware Activity\n",
|
|
" id: 79aeeb41-8156-4fac-a0cd-076495ab82a1\n",
|
|
" status: experimental\n",
|
|
" description: Detects NotPetya ransomware activity in which the extracted passwords\n",
|
|
" are passed back to the main module via named pipe, the file system journal of\n",
|
|
" drive C is deleted and windows eventlogs are cleared using wevtutil\n",
|
|
" author: Florian Roth, Tom Ueltschi\n",
|
|
" references:\n",
|
|
" - https://securelist.com/schroedingers-petya/78870/\n",
|
|
" - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100\n",
|
|
" tags:\n",
|
|
" - attack.execution\n",
|
|
" - attack.credential_access\n",
|
|
" - attack.defense_evasion\n",
|
|
" - attack.t1085\n",
|
|
" - attack.t1070\n",
|
|
" - attack.t1003\n",
|
|
" - car.2016-04-002\n",
|
|
" logsource:\n",
|
|
" category: process_creation\n",
|
|
" product: windows\n",
|
|
" service: null\n",
|
|
" detection:\n",
|
|
" pipe_com:\n",
|
|
" CommandLine: '*\\AppData\\Local\\Temp\\\\* \\\\.\\pipe\\\\*'\n",
|
|
" rundll32_dash1:\n",
|
|
" Image: '*\\rundll32.exe'\n",
|
|
" CommandLine: '*.dat,#1'\n",
|
|
" perfc_keyword:\n",
|
|
" - '*\\perfc.dat*'\n",
|
|
" condition: 1 of them\n",
|
|
" fields:\n",
|
|
" - CommandLine\n",
|
|
" - ParentCommandLine\n",
|
|
" falsepositives:\n",
|
|
" - Admin activity\n",
|
|
" level: critical\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(process_command_line.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\*\\ \\\\.\\\\pipe\\\\* OR (process_path.keyword:*\\\\rundll32.exe AND process_command_line.keyword:*.dat,#1) OR *\\\\perfc.dat*)')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|