mirror of https://github.com/infosecn1nja/HELK.git
140 lines
3.5 KiB
Plaintext
140 lines
3.5 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Suspicious Use of Procdump\n",
|
|
"Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable."
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Suspicious Use of Procdump\n",
|
|
" id: 5afee48e-67dd-4e03-a783-f74259dcf998\n",
|
|
" description: Detects suspicious uses of the SysInternals Procdump utility by using\n",
|
|
" a special command line parameter in combination with the lsass.exe process. This\n",
|
|
" way we're also able to catch cases in which the attacker has renamed the procdump\n",
|
|
" executable.\n",
|
|
" status: experimental\n",
|
|
" references:\n",
|
|
" - Internal Research\n",
|
|
" author: Florian Roth\n",
|
|
" date: 2018/10/30\n",
|
|
" modified: 2019/10/14\n",
|
|
" tags:\n",
|
|
" - attack.defense_evasion\n",
|
|
" - attack.t1036\n",
|
|
" - attack.credential_access\n",
|
|
" - attack.t1003\n",
|
|
" - car.2013-05-009\n",
|
|
" logsource:\n",
|
|
" category: process_creation\n",
|
|
" product: windows\n",
|
|
" service: null\n",
|
|
" detection:\n",
|
|
" selection1:\n",
|
|
" CommandLine:\n",
|
|
" - '* -ma *'\n",
|
|
" selection2:\n",
|
|
" CommandLine:\n",
|
|
" - '* lsass*'\n",
|
|
" selection3:\n",
|
|
" CommandLine:\n",
|
|
" - '* -ma ls*'\n",
|
|
" condition: ( selection1 and selection2 ) or selection3\n",
|
|
" falsepositives:\n",
|
|
" - Unlikely, because no one should dump an lsass process memory\n",
|
|
" - Another tool that uses the command line switches of Procdump\n",
|
|
" level: medium\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='((process_command_line.keyword:(*\\ \\-ma\\ *) AND process_command_line.keyword:(*\\ lsass*)) OR process_command_line.keyword:(*\\ \\-ma\\ ls*))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|