mirror of https://github.com/infosecn1nja/HELK.git
136 lines
3.6 KiB
Plaintext
136 lines
3.6 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Suspicious PsExec execution\n",
|
|
"detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Suspicious PsExec execution\n",
|
|
" id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82\n",
|
|
" description: detects execution of psexec or paexec with renamed service name, this\n",
|
|
" rule helps to filter out the noise if psexec is used for legit purposes or if\n",
|
|
" attacker uses a different psexec client other than sysinternal one\n",
|
|
" author: Samir Bousseaden\n",
|
|
" references:\n",
|
|
" - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html\n",
|
|
" tags:\n",
|
|
" - attack.lateral_movement\n",
|
|
" - attack.t1077\n",
|
|
" logsource:\n",
|
|
" product: windows\n",
|
|
" service: security\n",
|
|
" description: The advanced audit policy setting \"Object Access > Audit Detailed\n",
|
|
" File Share\" must be configured for Success/Failure\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" selection1:\n",
|
|
" EventID: 5145\n",
|
|
" ShareName: \\\\*\\IPC$\n",
|
|
" RelativeTargetName:\n",
|
|
" - '*-stdin'\n",
|
|
" - '*-stdout'\n",
|
|
" - '*-stderr'\n",
|
|
" selection2:\n",
|
|
" EventID: 5145\n",
|
|
" ShareName: \\\\*\\IPC$\n",
|
|
" RelativeTargetName: PSEXESVC*\n",
|
|
" condition: selection1 and not selection2\n",
|
|
" falsepositives:\n",
|
|
" - nothing observed so far\n",
|
|
" level: high\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='((event_id:\"5145\" AND share_name.keyword:\\\\*\\\\IPC$ AND share_relative_target_name.keyword:(*\\-stdin OR *\\-stdout OR *\\-stderr)) AND (NOT (event_id:\"5145\" AND share_name.keyword:\\\\*\\\\IPC$ AND share_relative_target_name.keyword:PSEXESVC*)))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|