mirror of https://github.com/infosecn1nja/HELK.git
135 lines
3.4 KiB
Plaintext
135 lines
3.4 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Suspect svchost Activity\n",
|
|
"It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space."
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Suspect svchost Activity\n",
|
|
" id: 16c37b52-b141-42a5-a3ea-bbe098444397\n",
|
|
" status: experimental\n",
|
|
" description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments\n",
|
|
" and is normally observed when a malicious process spawns the process and injects\n",
|
|
" code into the process memory space.\n",
|
|
" references:\n",
|
|
" - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\n",
|
|
" author: David Burkett\n",
|
|
" date: 12/28/2019\n",
|
|
" tags:\n",
|
|
" - attack.t1055\n",
|
|
" logsource:\n",
|
|
" category: process_creation\n",
|
|
" product: windows\n",
|
|
" service: null\n",
|
|
" detection:\n",
|
|
" selection1:\n",
|
|
" CommandLine: null\n",
|
|
" selection2:\n",
|
|
" Image: '*\\svchost.exe'\n",
|
|
" filter:\n",
|
|
" ParentImage:\n",
|
|
" - '*\\rpcnet.exe'\n",
|
|
" - '*\\rpcnetp.exe'\n",
|
|
" condition: (selection1 and selection2) and not filter\n",
|
|
" fields:\n",
|
|
" - CommandLine\n",
|
|
" - ParentCommandLine\n",
|
|
" falsepositives:\n",
|
|
" - rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\n",
|
|
" level: critical\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='((NOT _exists_:process_command_line AND process_path.keyword:*\\\\svchost.exe) AND (NOT (process_parent_path.keyword:(*\\\\rpcnet.exe OR *\\\\rpcnetp.exe))))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|