mirror of https://github.com/infosecn1nja/HELK.git
135 lines
3.5 KiB
Plaintext
135 lines
3.5 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Suspicious eventlog clear or configuration using wevtutil\n",
|
|
"Detects clearing or configuration of eventlogs uwing wevtutil. Might be used by ransomwares during the attack (seen by NotPetya and others)"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Suspicious eventlog clear or configuration using wevtutil\n",
|
|
" id: cc36992a-4671-4f21-a91d-6c2b72a2edf5\n",
|
|
" description: Detects clearing or configuration of eventlogs uwing wevtutil. Might\n",
|
|
" be used by ransomwares during the attack (seen by NotPetya and others)\n",
|
|
" author: Ecco\n",
|
|
" date: 2019/09/26\n",
|
|
" tags:\n",
|
|
" - attack.execution\n",
|
|
" - attack.t1070\n",
|
|
" - car.2016-04-002\n",
|
|
" level: high\n",
|
|
" logsource:\n",
|
|
" category: process_creation\n",
|
|
" product: windows\n",
|
|
" service: null\n",
|
|
" detection:\n",
|
|
" selection_binary_1:\n",
|
|
" Image: '*\\wevtutil.exe'\n",
|
|
" selection_binary_2:\n",
|
|
" OriginalFileName: wevtutil.exe\n",
|
|
" selection_clear_1:\n",
|
|
" CommandLine: '* cl *'\n",
|
|
" selection_clear_2:\n",
|
|
" CommandLine: '* clear-log *'\n",
|
|
" selection_disable_1:\n",
|
|
" CommandLine: '* sl *'\n",
|
|
" selection_disable_2:\n",
|
|
" CommandLine: '* set-log *'\n",
|
|
" condition: (1 of selection_binary_*) and (1 of selection_clear_* or 1 of selection_disable_*)\n",
|
|
" falsepositives:\n",
|
|
" - Admin activity\n",
|
|
" - Scripts and administrative tools used in the monitored environment\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='((process_path.keyword:*\\\\wevtutil.exe OR file_name_original:\"wevtutil.exe\") AND (process_command_line.keyword:*\\ cl\\ * OR process_command_line.keyword:*\\ clear\\-log\\ * OR process_command_line.keyword:*\\ sl\\ * OR process_command_line.keyword:*\\ set\\-log\\ *))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|