mirror of https://github.com/infosecn1nja/HELK.git
143 lines
3.5 KiB
Plaintext
143 lines
3.5 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Webshell Detection With Command Line Keywords\n",
|
|
"Detects certain command line parameters often used during reconnaissance activity via web shells"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Webshell Detection With Command Line Keywords\n",
|
|
" id: bed2a484-9348-4143-8a8a-b801c979301c\n",
|
|
" description: Detects certain command line parameters often used during reconnaissance\n",
|
|
" activity via web shells\n",
|
|
" author: Florian Roth\n",
|
|
" reference:\n",
|
|
" - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html\n",
|
|
" date: 2017/01/01\n",
|
|
" modified: 2019/10/26\n",
|
|
" tags:\n",
|
|
" - attack.privilege_escalation\n",
|
|
" - attack.persistence\n",
|
|
" - attack.t1100\n",
|
|
" logsource:\n",
|
|
" category: process_creation\n",
|
|
" product: windows\n",
|
|
" service: null\n",
|
|
" detection:\n",
|
|
" selection:\n",
|
|
" ParentImage:\n",
|
|
" - '*\\apache*'\n",
|
|
" - '*\\tomcat*'\n",
|
|
" - '*\\w3wp.exe'\n",
|
|
" - '*\\php-cgi.exe'\n",
|
|
" - '*\\nginx.exe'\n",
|
|
" - '*\\httpd.exe'\n",
|
|
" CommandLine:\n",
|
|
" - '*whoami*'\n",
|
|
" - '*net user *'\n",
|
|
" - '*ping -n *'\n",
|
|
" - '*systeminfo'\n",
|
|
" - '*&cd&echo*'\n",
|
|
" - '*cd /d*'\n",
|
|
" condition: selection\n",
|
|
" fields:\n",
|
|
" - CommandLine\n",
|
|
" - ParentCommandLine\n",
|
|
" falsepositives:\n",
|
|
" - unknown\n",
|
|
" level: high\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(process_parent_path.keyword:(*\\\\apache* OR *\\\\tomcat* OR *\\\\w3wp.exe OR *\\\\php\\-cgi.exe OR *\\\\nginx.exe OR *\\\\httpd.exe) AND process_command_line.keyword:(*whoami* OR *net\\ user\\ * OR *ping\\ \\-n\\ * OR *systeminfo OR *&cd&echo* OR *cd\\ \\/d*))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|