mirror of https://github.com/infosecn1nja/HELK.git
138 lines
3.4 KiB
Plaintext
138 lines
3.4 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Suspicious WMI execution\n",
|
|
"Detects WMI executing suspicious commands"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Suspicious WMI execution\n",
|
|
" id: 526be59f-a573-4eea-b5f7-f0973207634d\n",
|
|
" status: experimental\n",
|
|
" description: Detects WMI executing suspicious commands\n",
|
|
" references:\n",
|
|
" - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\n",
|
|
" - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\n",
|
|
" - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/\n",
|
|
" author: Michael Haag, Florian Roth, juju4\n",
|
|
" logsource:\n",
|
|
" category: process_creation\n",
|
|
" product: windows\n",
|
|
" service: null\n",
|
|
" detection:\n",
|
|
" selection:\n",
|
|
" Image:\n",
|
|
" - '*\\wmic.exe'\n",
|
|
" CommandLine:\n",
|
|
" - '*/NODE:*process call create *'\n",
|
|
" - '* path AntiVirusProduct get *'\n",
|
|
" - '* path FirewallProduct get *'\n",
|
|
" - '* shadowcopy delete *'\n",
|
|
" condition: selection\n",
|
|
" fields:\n",
|
|
" - CommandLine\n",
|
|
" - ParentCommandLine\n",
|
|
" tags:\n",
|
|
" - attack.execution\n",
|
|
" - attack.t1047\n",
|
|
" - car.2016-03-002\n",
|
|
" falsepositives:\n",
|
|
" - Will need to be tuned\n",
|
|
" - If using Splunk, I recommend | stats count by Computer,CommandLine following for\n",
|
|
" easy hunting by Computer/CommandLine.\n",
|
|
" level: medium\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(process_path.keyword:(*\\\\wmic.exe) AND process_command_line.keyword:(*\\/NODE\\:*process\\ call\\ create\\ * OR *\\ path\\ AntiVirusProduct\\ get\\ * OR *\\ path\\ FirewallProduct\\ get\\ * OR *\\ shadowcopy\\ delete\\ *))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|