HELK/docker/helk-jupyter/notebooks/sigma/win_svcctl_remote_service.ipynb

{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Remote Service Activity Detected via SVCCTL named pipe\n",
    "Detects remote remote service activity via remote access to the svcctl named pipe"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- title: Remote Service Activity Detected via SVCCTL named pipe\n",
    "  id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3\n",
    "  description: Detects remote remote service activity via remote access to the svcctl\n",
    "    named pipe\n",
    "  author: Samir Bousseaden\n",
    "  references:\n",
    "  - https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html\n",
    "  tags:\n",
    "  - attack.lateral_movement\n",
    "  - attack.persistence\n",
    "  logsource:\n",
    "    product: windows\n",
    "    service: security\n",
    "    description: The advanced audit policy setting \"Object Access > Audit Detailed\n",
    "      File Share\" must be configured for Success/Failure\n",
    "    category: null\n",
    "  detection:\n",
    "    selection:\n",
    "      EventID: 5145\n",
    "      ShareName: \\\\*\\IPC$\n",
    "      RelativeTargetName: svcctl\n",
    "      Accesses: '*WriteData*'\n",
    "    condition: selection\n",
    "  falsepositives:\n",
    "  - pentesting\n",
    "  level: medium\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='(event_id:\"5145\" AND share_name.keyword:\\\\*\\\\IPC$ AND share_relative_target_name:\"svcctl\" AND Accesses.keyword:*WriteData*)')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}