infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/win_susp_certutil_command.i...

154 lines
4.3 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Suspicious Certutil Command\n",
"Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Suspicious Certutil Command\n",
" id: e011a729-98a6-4139-b5c4-bf6f6dd8239a\n",
" status: experimental\n",
" description: Detects a suspicious Microsoft certutil execution with sub commands\n",
" like 'decode' sub command, which is sometimes used to decode malicious code with\n",
" the built-in certutil utility\n",
" author: Florian Roth, juju4, keepwatch\n",
" modified: 2019/01/22\n",
" references:\n",
" - https://twitter.com/JohnLaTwC/status/835149808817991680\n",
" - https://twitter.com/subTee/status/888102593838362624\n",
" - https://twitter.com/subTee/status/888071631528235010\n",
" - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\n",
" - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n",
" - https://twitter.com/egre55/status/1087685529016193025\n",
" - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" CommandLine:\n",
" - '* -decode *'\n",
" - '* /decode *'\n",
" - '* -decodehex *'\n",
" - '* /decodehex *'\n",
" - '* -urlcache *'\n",
" - '* /urlcache *'\n",
" - '* -verifyctl *'\n",
" - '* /verifyctl *'\n",
" - '* -encode *'\n",
" - '* /encode *'\n",
" - '*certutil* -URL*'\n",
" - '*certutil* /URL*'\n",
" - '*certutil* -ping*'\n",
" - '*certutil* /ping*'\n",
" condition: selection\n",
" fields:\n",
" - CommandLine\n",
" - ParentCommandLine\n",
" tags:\n",
" - attack.defense_evasion\n",
" - attack.t1140\n",
" - attack.t1105\n",
" - attack.s0189\n",
" - attack.g0007\n",
" falsepositives:\n",
" - False positives depend on scripts and administrative tools used in the monitored\n",
" environment\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink