infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/win_susp_squirrel_lolbin.ipynb

160 lines
3.6 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Squirrel Lolbin\n",
"Detects Possible Squirrel Packages Manager as Lolbin"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Squirrel Lolbin\n",
" id: fa4b21c9-0057-4493-b289-2556416ae4d7\n",
" status: experimental\n",
" description: Detects Possible Squirrel Packages Manager as Lolbin\n",
" references:\n",
" - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n",
" - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\n",
" tags:\n",
" - attack.execution\n",
" author: Karneades / Markus Neis\n",
" falsepositives:\n",
" - 1Clipboard\n",
" - Beaker Browser\n",
" - Caret\n",
" - Collectie\n",
" - Discord\n",
" - Figma\n",
" - Flow\n",
" - Ghost\n",
" - GitHub Desktop\n",
" - GitKraken\n",
" - Hyper\n",
" - Insomnia\n",
" - JIBO\n",
" - Kap\n",
" - Kitematic\n",
" - Now Desktop\n",
" - Postman\n",
" - PostmanCanary\n",
" - Rambox\n",
" - Simplenote\n",
" - Skype\n",
" - Slack\n",
" - SourceTree\n",
" - Stride\n",
" - Svgsus\n",
" - WebTorrent\n",
" - WhatsApp\n",
" - WordPress.com\n",
" - atom\n",
" - gitkraken\n",
" - slack\n",
" - teams\n",
" level: high\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" Image:\n",
" - '*\\update.exe'\n",
" CommandLine:\n",
" - '*--processStart*.exe*'\n",
" - '*--processStartAndWait*.exe*'\n",
" - \"*\\u2013createShortcut*.exe*\"\n",
" condition: selection\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(process_path.keyword:(*\\\\update.exe) AND process_command_line.keyword:(*\\-\\-processStart*.exe* OR *\\-\\-processStartAndWait*.exe* OR *createShortcut*.exe*))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink