mirror of https://github.com/infosecn1nja/HELK.git
138 lines
3.5 KiB
Plaintext
138 lines
3.5 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Reconnaissance Activity\n",
|
|
"Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\""
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Reconnaissance Activity\n",
|
|
" id: 968eef52-9cff-4454-8992-1e74b9cbad6c\n",
|
|
" status: experimental\n",
|
|
" description: Detects activity as \"net user administrator /domain\" and \"net group\n",
|
|
" domain admins /domain\"\n",
|
|
" references:\n",
|
|
" - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html\n",
|
|
" author: Florian Roth (rule), Jack Croock (method)\n",
|
|
" tags:\n",
|
|
" - attack.discovery\n",
|
|
" - attack.t1087\n",
|
|
" - attack.t1069\n",
|
|
" - attack.s0039\n",
|
|
" logsource:\n",
|
|
" product: windows\n",
|
|
" service: security\n",
|
|
" definition: The volume of Event ID 4661 is high on Domain Controllers and therefore\n",
|
|
" \"Audit SAM\" and \"Audit Kernel Object\" advanced audit policy settings are not\n",
|
|
" configured in the recommendations for server systems\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" selection:\n",
|
|
" - EventID: 4661\n",
|
|
" ObjectType: SAM_USER\n",
|
|
" ObjectName: S-1-5-21-*-500\n",
|
|
" AccessMask: '0x2d'\n",
|
|
" - EventID: 4661\n",
|
|
" ObjectType: SAM_GROUP\n",
|
|
" ObjectName: S-1-5-21-*-512\n",
|
|
" AccessMask: '0x2d'\n",
|
|
" condition: selection\n",
|
|
" falsepositives:\n",
|
|
" - Administrator activity\n",
|
|
" - Penetration tests\n",
|
|
" level: high\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(event_id:\"4661\" AND object_access_mask_requested:\"0x2d\" AND ((object_type:\"SAM_USER\" AND object_name.keyword:S\\-1\\-5\\-21\\-*\\-500) OR (object_type:\"SAM_GROUP\" AND object_name.keyword:S\\-1\\-5\\-21\\-*\\-512)))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|