infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/win_susp_vssadmin_ntds_acti...

139 lines
4.0 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Activity Related to NTDS.dit Domain Hash Retrieval\n",
"Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- title: Activity Related to NTDS.dit Domain Hash Retrieval\n",
" id: b932b60f-fdda-4d53-8eda-a170c1d97bbd\n",
" status: experimental\n",
" description: Detects suspicious commands that could be related to activity that\n",
" uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely\n",
" author: Florian Roth, Michael Haag\n",
" references:\n",
" - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\n",
" - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\n",
" - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/\n",
" - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\n",
" - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/\n",
" tags:\n",
" - attack.credential_access\n",
" - attack.t1003\n",
" logsource:\n",
" category: process_creation\n",
" product: windows\n",
" service: null\n",
" detection:\n",
" selection:\n",
" CommandLine:\n",
" - vssadmin.exe Delete Shadows\n",
" - 'vssadmin create shadow /for=C:'\n",
" - copy \\\\?\\GLOBALROOT\\Device\\\\*\\windows\\ntds\\ntds.dit\n",
" - copy \\\\?\\GLOBALROOT\\Device\\\\*\\config\\SAM\n",
" - 'vssadmin delete shadows /for=C:'\n",
" - 'reg SAVE HKLM\\SYSTEM '\n",
" - esentutl.exe /y /vss *\\ntds.dit*\n",
" condition: selection\n",
" fields:\n",
" - CommandLine\n",
" - ParentCommandLine\n",
" falsepositives:\n",
" - Administrative activity\n",
" level: high\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='process_command_line.keyword:(vssadmin.exe\\ Delete\\ Shadows OR vssadmin\\ create\\ shadow\\ \\/for\\=C\\: OR copy\\ \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\windows\\\\ntds\\\\ntds.dit OR copy\\ \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\config\\\\SAM OR vssadmin\\ delete\\ shadows\\ \\/for\\=C\\: OR reg\\ SAVE\\ HKLM\\\\SYSTEM\\ OR esentutl.exe\\ \\/y\\ \\/vss\\ *\\\\ntds.dit*)')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink