mirror of https://github.com/infosecn1nja/HELK.git
138 lines
3.4 KiB
Plaintext
138 lines
3.4 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Suspicious Double Extension\n",
|
|
"Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Suspicious Double Extension\n",
|
|
" id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8\n",
|
|
" description: Detects suspicious use of an .exe extension after a non-executable\n",
|
|
" file extension like .pdf.exe, a set of spaces or underlines to cloak the executable\n",
|
|
" file in spear phishing campaigns\n",
|
|
" references:\n",
|
|
" - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\n",
|
|
" - https://twitter.com/blackorbird/status/1140519090961825792\n",
|
|
" author: Florian Roth (rule), @blu3_team (idea)\n",
|
|
" date: 2019/06/26\n",
|
|
" tags:\n",
|
|
" - attack.initial_access\n",
|
|
" - attack.t1193\n",
|
|
" logsource:\n",
|
|
" category: process_creation\n",
|
|
" product: windows\n",
|
|
" service: null\n",
|
|
" detection:\n",
|
|
" selection:\n",
|
|
" Image:\n",
|
|
" - '*.doc.exe'\n",
|
|
" - '*.docx.exe'\n",
|
|
" - '*.xls.exe'\n",
|
|
" - '*.xlsx.exe'\n",
|
|
" - '*.ppt.exe'\n",
|
|
" - '*.pptx.exe'\n",
|
|
" - '*.rtf.exe'\n",
|
|
" - '*.pdf.exe'\n",
|
|
" - '*.txt.exe'\n",
|
|
" - '* .exe'\n",
|
|
" - '*______.exe'\n",
|
|
" condition: selection\n",
|
|
" falsepositives:\n",
|
|
" - Unknown\n",
|
|
" level: critical\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='process_path.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\ \\ \\ \\ \\ \\ .exe OR *______.exe)')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|