HELK/docker/helk-jupyter/notebooks/sigma/win_susp_cmd_http_appdata.ipynb

{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Command Line Execution with suspicious URL and AppData Strings\n",
    "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- title: Command Line Execution with suspicious URL and AppData Strings\n",
    "  id: 1ac8666b-046f-4201-8aba-1951aaec03a3\n",
    "  status: experimental\n",
    "  description: Detects a suspicious command line execution that includes an URL and\n",
    "    AppData string in the command line parameters as used by several droppers (js/vbs\n",
    "    > powershell)\n",
    "  references:\n",
    "  - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\n",
    "  - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100\n",
    "  author: Florian Roth\n",
    "  tags:\n",
    "  - attack.execution\n",
    "  - attack.t1059\n",
    "  logsource:\n",
    "    category: process_creation\n",
    "    product: windows\n",
    "    service: null\n",
    "  detection:\n",
    "    selection:\n",
    "      CommandLine:\n",
    "      - cmd.exe /c *http://*%AppData%\n",
    "      - cmd.exe /c *https://*%AppData%\n",
    "    condition: selection\n",
    "  fields:\n",
    "  - CommandLine\n",
    "  - ParentCommandLine\n",
    "  falsepositives:\n",
    "  - High\n",
    "  level: medium\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='process_command_line.keyword:(cmd.exe\\ \\/c\\ *http\\:\\/\\/*%AppData% OR cmd.exe\\ \\/c\\ *https\\:\\/\\/*%AppData%)')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}