mirror of https://github.com/infosecn1nja/HELK.git
182 lines
7.0 KiB
Plaintext
182 lines
7.0 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Suspicious Process Creation\n",
|
|
"Detects suspicious process starts on Windows systems based on keywords"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Suspicious Process Creation\n",
|
|
" id: 5f0f47a5-cb16-4dbe-9e31-e8d976d73de3\n",
|
|
" description: Detects suspicious process starts on Windows systems based on keywords\n",
|
|
" status: experimental\n",
|
|
" references:\n",
|
|
" - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\n",
|
|
" - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\n",
|
|
" - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\n",
|
|
" - https://twitter.com/subTee/status/872244674609676288\n",
|
|
" - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\n",
|
|
" - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\n",
|
|
" - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n",
|
|
" - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\n",
|
|
" - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\n",
|
|
" - https://twitter.com/vector_sec/status/896049052642533376\n",
|
|
" - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf\n",
|
|
" author: Florian Roth\n",
|
|
" modified: 2018/12/11\n",
|
|
" tags:\n",
|
|
" - car.2013-07-001\n",
|
|
" logsource:\n",
|
|
" category: process_creation\n",
|
|
" product: windows\n",
|
|
" service: null\n",
|
|
" detection:\n",
|
|
" selection:\n",
|
|
" CommandLine:\n",
|
|
" - vssadmin.exe delete shadows*\n",
|
|
" - vssadmin delete shadows*\n",
|
|
" - vssadmin create shadow /for=C:*\n",
|
|
" - copy \\\\?\\GLOBALROOT\\Device\\\\*\\windows\\ntds\\ntds.dit*\n",
|
|
" - copy \\\\?\\GLOBALROOT\\Device\\\\*\\config\\SAM*\n",
|
|
" - reg SAVE HKLM\\SYSTEM *\n",
|
|
" - reg SAVE HKLM\\SAM *\n",
|
|
" - '* sekurlsa:*'\n",
|
|
" - net localgroup administrators * /add\n",
|
|
" - net group \"Domain Admins\" * /ADD /DOMAIN\n",
|
|
" - certutil.exe *-urlcache* http*\n",
|
|
" - certutil.exe *-urlcache* ftp*\n",
|
|
" - netsh advfirewall firewall *\\AppData\\\\*\n",
|
|
" - attrib +S +H +R *\\AppData\\\\*\n",
|
|
" - schtasks* /create *\\AppData\\\\*\n",
|
|
" - schtasks* /sc minute*\n",
|
|
" - '*\\Regasm.exe *\\AppData\\\\*'\n",
|
|
" - '*\\Regasm *\\AppData\\\\*'\n",
|
|
" - '*\\bitsadmin* /transfer*'\n",
|
|
" - '*\\certutil.exe * -decode *'\n",
|
|
" - '*\\certutil.exe * -decodehex *'\n",
|
|
" - '*\\certutil.exe -ping *'\n",
|
|
" - icacls * /grant Everyone:F /T /C /Q\n",
|
|
" - '* wmic shadowcopy delete *'\n",
|
|
" - '* wbadmin.exe delete catalog -quiet*'\n",
|
|
" - '*\\wscript.exe *.jse'\n",
|
|
" - '*\\wscript.exe *.js'\n",
|
|
" - '*\\wscript.exe *.vba'\n",
|
|
" - '*\\wscript.exe *.vbe'\n",
|
|
" - '*\\cscript.exe *.jse'\n",
|
|
" - '*\\cscript.exe *.js'\n",
|
|
" - '*\\cscript.exe *.vba'\n",
|
|
" - '*\\cscript.exe *.vbe'\n",
|
|
" - '*\\fodhelper.exe'\n",
|
|
" - '*waitfor*/s*'\n",
|
|
" - '*waitfor*/si persist*'\n",
|
|
" - '*remote*/s*'\n",
|
|
" - '*remote*/c*'\n",
|
|
" - '*remote*/q*'\n",
|
|
" - '*AddInProcess*'\n",
|
|
" - '* /stext *'\n",
|
|
" - '* /scomma *'\n",
|
|
" - '* /stab *'\n",
|
|
" - '* /stabular *'\n",
|
|
" - '* /shtml *'\n",
|
|
" - '* /sverhtml *'\n",
|
|
" - '* /sxml *'\n",
|
|
" condition: selection\n",
|
|
" falsepositives:\n",
|
|
" - False positives depend on scripts and administrative tools used in the monitored\n",
|
|
" environment\n",
|
|
" level: medium\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='process_command_line.keyword:(vssadmin.exe\\ delete\\ shadows* OR vssadmin\\ delete\\ shadows* OR vssadmin\\ create\\ shadow\\ \\/for\\=C\\:* OR copy\\ \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\windows\\\\ntds\\\\ntds.dit* OR copy\\ \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\config\\\\SAM* OR reg\\ SAVE\\ HKLM\\\\SYSTEM\\ * OR reg\\ SAVE\\ HKLM\\\\SAM\\ * OR *\\ sekurlsa\\:* OR net\\ localgroup\\ administrators\\ *\\ \\/add OR net\\ group\\ \\\"Domain\\ Admins\\\"\\ *\\ \\/ADD\\ \\/DOMAIN OR certutil.exe\\ *\\-urlcache*\\ http* OR certutil.exe\\ *\\-urlcache*\\ ftp* OR netsh\\ advfirewall\\ firewall\\ *\\\\AppData\\\\* OR attrib\\ \\+S\\ \\+H\\ \\+R\\ *\\\\AppData\\\\* OR schtasks*\\ \\/create\\ *\\\\AppData\\\\* OR schtasks*\\ \\/sc\\ minute* OR *\\\\Regasm.exe\\ *\\\\AppData\\\\* OR *\\\\Regasm\\ *\\\\AppData\\\\* OR *\\\\bitsadmin*\\ \\/transfer* OR *\\\\certutil.exe\\ *\\ \\-decode\\ * OR *\\\\certutil.exe\\ *\\ \\-decodehex\\ * OR *\\\\certutil.exe\\ \\-ping\\ * OR icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q OR *\\ wmic\\ shadowcopy\\ delete\\ * OR *\\ wbadmin.exe\\ delete\\ catalog\\ \\-quiet* OR *\\\\wscript.exe\\ *.jse OR *\\\\wscript.exe\\ *.js OR *\\\\wscript.exe\\ *.vba OR *\\\\wscript.exe\\ *.vbe OR *\\\\cscript.exe\\ *.jse OR *\\\\cscript.exe\\ *.js OR *\\\\cscript.exe\\ *.vba OR *\\\\cscript.exe\\ *.vbe OR *\\\\fodhelper.exe OR *waitfor*\\/s* OR *waitfor*\\/si\\ persist* OR *remote*\\/s* OR *remote*\\/c* OR *remote*\\/q* OR *AddInProcess* OR *\\ \\/stext\\ * OR *\\ \\/scomma\\ * OR *\\ \\/stab\\ * OR *\\ \\/stabular\\ * OR *\\ \\/shtml\\ * OR *\\ \\/sverhtml\\ * OR *\\ \\/sxml\\ *)')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|