mirror of https://github.com/infosecn1nja/HELK.git
138 lines
3.8 KiB
Plaintext
138 lines
3.8 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Unauthorized System Time Modification\n",
|
|
"Detect scenarios where a potentially unauthorized application or user is modifying the system time."
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Unauthorized System Time Modification\n",
|
|
" id: faa031b5-21ed-4e02-8881-2591f98d82ed\n",
|
|
" status: experimental\n",
|
|
" description: Detect scenarios where a potentially unauthorized application or user\n",
|
|
" is modifying the system time.\n",
|
|
" author: '@neu5ron'\n",
|
|
" references:\n",
|
|
" - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)\n",
|
|
" - Live environment caused by malware\n",
|
|
" date: 2019/02/05\n",
|
|
" tags:\n",
|
|
" - attack.defense_evasion\n",
|
|
" - attack.t1099\n",
|
|
" logsource:\n",
|
|
" product: windows\n",
|
|
" service: security\n",
|
|
" definition: 'Requirements: Audit Policy : System > Audit Security State Change,\n",
|
|
" Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced\n",
|
|
" Audit Policy Configuration\\Audit Policies\\System\\Audit Security State Change'\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" selection:\n",
|
|
" EventID: 4616\n",
|
|
" filter1:\n",
|
|
" ProcessName: C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\n",
|
|
" filter2:\n",
|
|
" ProcessName: C:\\Windows\\System32\\VBoxService.exe\n",
|
|
" filter3:\n",
|
|
" ProcessName: C:\\Windows\\System32\\svchost.exe\n",
|
|
" SubjectUserSid: S-1-5-19\n",
|
|
" condition: selection and not ( filter1 or filter2 or filter3 )\n",
|
|
" falsepositives:\n",
|
|
" - HyperV or other virtualization technologies with binary not listed in filter portion\n",
|
|
" of detection\n",
|
|
" level: high\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(event_id:\"4616\" AND (NOT (((process_path:\"C\\:\\\\Program\\ Files\\\\VMware\\\\VMware\\ Tools\\\\vmtoolsd.exe\" OR process_path:\"C\\:\\\\Windows\\\\System32\\\\VBoxService.exe\") OR (process_path:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\" AND SubjectUserSid:\"S\\-1\\-5\\-19\")))))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|