diff --git a/HuntingQuery.md b/HuntingQuery.md new file mode 100644 index 00000000..24f8dee1 --- /dev/null +++ b/HuntingQuery.md 
@@ -0,0 +1,106 @@ +# Reference + +@HeirhabarovT +https://speakerdeck.com/heirhabarov/phdays-2018-threat-hunting-hands-on-lab + +## MSHTA Remote Download and Execute +` process_name: "mshta.exe" and (process_command_line: "http" or "https") ` + +## MSHTA Execute local or remote +` process_name: "mshta.exe" ` + +## Using MSI exec to execute msi by url +` process_command_line:"msiexec" AND process_command_line:"http" ` + +## Suspicious Processes Spawned From ms office +` event_id:("1" OR "4688") AND process_parent_path:(" \\\\excel.exe" or " \\\\winword.exe" or " \\\\powepnt.exe" or " \\\\msaccess.exe" or " \\\\mspub.exe" or " \\\\outook.exe") AND process_path:(" \\\\cmd.exe" or " \\\\powershell.exe" or " \\\\wscript.exe" or " \\\\cscript.exe" or " \\\\bitsadmin.exe" or " \\\\certutil.exe" or " \\\\schtasks.exe" or " \\\\rundll32.exe" or " \\\\regsvr32.exe" or " \\\\wmic.exe" or " \\\\mshta.exe" or " \\\\msiexec.exe" or " \\\\schtasks.exe" or " \\\\msbuild.exe" or "\\\\control.exe") ` + +## WMI Squid By Two Attack +` process_command_line:"wmic" AND process_command_line:"format" and process_command_line: ("http" or "https" or "ftp" or "xsl") ` + +## CMSTP Execution +` process_command_line: cmstp AND process_command_line: inf ` + +## Control Panel Items +` process_command_line: "cpl" and not process_path: "\\\\system32\\\\" ` + +## Regsvr32 squiblydoo attack +` process_command_line: regsvr32 AND process_command_line: scrobj ` + +## Suspicious Code Injection +` event_id:8 AND log_name:"Microsoft-Windows-Sysmon/Operational" AND not process_path:" \\\\VBoxTray.exe" AND process_target_path:" \\\\csrss.exe" AND not thread_start_function:EtwpNotificationThread AND process_path:" \\\\rundll32.exe" ` + +## Suspicious Powershell cmdline downloading +` process_command_line:(" powershell " or " pwsh " or " SyncAppvPublishingServer ") AND process_command_line:(" BitsTransfer " or " webclient " or " DownloadFile " or " downloadstring " or " wget " or " curl " or " WebRequest " or " 
WinHttpRequest " or " iwr " or " irm " or " internetExplorer.Application " or " Msxml2.XMLHTTP " or " MsXml2.ServerXmlHttp ") ` + +## Possible privilege escalation via weak service permissions +` process_path:" \\\\sc.exe" AND process_command_line:" config " AND process_command_line:" binPath " AND process_integrity_level: "Medium" ` + +## Using Certutil For Downloading +` process_command_line:" certutil " AND process_command_line:(" urlcach " or " url " or " ping ") AND process_command_line:(" http " or " ftp ") ` + +## Using certutil for file decoding +` process_command_line:" certutil " AND process_command_line:" decode " ` + +## Files named like system processes but in the wrong place +` (process_path:(" \\\\rundll32.exe" or " \\\\svchost.exe" or " \\\\wmiprvse.exe" or " \\\\wmiadap.exe" or " \\\\smss.exe" or " \\\\wininit.exe" or " \\\\taskhost.exe" or " \\\\lsass.exe" or " \\\\winlogon.exe" or " \\\\csrss.exe" or " \\\\services.exe" or " \\\\svchost.exe" or " \\\\lsm.exe" or " \\\\conhost.exe" or " \\\\dllhost.exe" or " \\\\dwm.exe" or " \\\\spoolsv.exe" or " \\\\wuauclt.exe" or " \\\\taskhost.exe" or " \\\\taskhostw.exe" or " \\\\fontdrvhost.exe" or " \\\\searchindexer.exe" or " \\\\searchprotocolhost.exe" or " \\\\searchfilterhost.exe" or " \\\\sihost.exe") AND not process_path:(" \\\\system32\\\\ " or " \\\\syswow64\\\\ " or " \\\\winsxs\\\\ ")) OR (file_name:(" \\\\rundll32.exe" or " \\\\svchost.exe" or " \\\\wmiprvse.exe" or " \\\\wmiadap.exe" or " \\\\smss.exe" or " \\\\wininit.exe" or " \\\\taskhost.exe" or " \\\\lsass.exe" or " \\\\winlogon.exe" or " \\\\csrss.exe" or " \\\\services.exe" or " \\\\svchost.exe" or " \\\\lsm.exe" or " \\\\conhost.exe" or " \\\\dllhost.exe" or " \\\\dwm.exe" or " \\\\spoolsv.exe" or " \\\\wuauclt.exe" or " \\\\taskhost.exe" or " \\\\taskhostw.exe" or " \\\\fontdrvhost.exe" or " \\\\searchindexer.exe" or " \\\\searchprotocolhost.exe" or " \\\\searchfilterhost.exe" or " \\\\sihost.exe")) ` + +## Mimikatz Commands Patterns 
+` process_command_line:(" mimikatz " or " mimidrv " or " mimilib " or " DumpCerts " or " DumpCreds ") OR (process_command_line:(" kerberos " or " sekurlsa " or " lsadump " or " dpapi " or " logonpasswords " or " privilege " or " rpc\\:\\:server " or " service\\:\\:me " or " token " or " vault ") AND process_command_line:" \\:\\: ") ` + +## Mimikatz Commands Metadata +` file_description:(" mimidrv " or " mimikatz " or " mimilib ") OR file_product:(" mimidrv " or " mimikatz " or " mimilib ") OR file_company:(" gentilkiwi " or " Benjamin DELPY ") OR signature:"Benjamin Delpy" ` + +## Using bits for downloading or uploading +` (process_command_line:" bitsadmin " AND process_command_line:(" transfer " or " addfile " or " Add-BitsFile " or " Start-BitsTransfer ")) OR (process_command_line:" powershell " AND process_command_line:(" Add-BitsFile " or " Start-BitsTransfer ")) ` + +## Run whoami as system +` process_path:" \\whoami.exe" AND (reporter_logon_id: 0x3e7 OR SubjectLogonId: 0x3e7 OR user_account:"NT AUTHORITY\\SYSTEM") ` + +## Remotely created scheduled task +` event_id:("4698" or "4702") AND logon_type:3 ` + +## Process Creation in network logon session +` event_id:1 AND log_name: Sysmon AND logon_type:3 ` + +## Using Net tool for connection to admin share +` process_command_line:" net " AND process_command_line:" use " AND process_command_line.keyword:" $ " ` + +## Using Net tool for connection to share +` process_command_line:" net " AND process_command_line:" use " ` + +## Privileged network logon +` event_id:4672 AND logon_type:3 AND (src_ip_addr: OR user_domain: ) ` + +## Suspicious dll load by lsass +` event_id:7 AND process_path:" \\\\lsass.exe" AND not signature:" Microsoft " ` + +## Replaced accessability features binary execution +` event_id:1 AND process_name:(" sethc " or " utilman " or " osk " or " narrator " or " magnify " or " displayswitch ") AND not file_description:("Display Switch" or "Accessibility shortcut keys" or "Screen Reader" or " 
Magnifier " or " Keyboard " or "Utility Manager") ` + +## Accessibility features binary replacement +` log_name:" Sysmon" AND event_id:"11" AND file_name:(" \\\\displayswitch.exe" or " \\\\sethc.exe" or " \\\\magnify.exe" or " \\\\narrator.exe" or " \\\\osk.exe" or " utilman.exe") ` + +## Suspicious lsass password filter was loaded +` event_id:4614 AND not NotificationPackageName:("scecli" or "rassfm" or "WDIGEST" or "KDCPw") ` + +## Suspicious_lsass ssp was loaded +` event_id:4622 AND not SecurityPackageName:(" pku2u" or " TSSSP" or " NTLM" or " Negotiate" or " NegoExtender" or " Schannel" or " Kerberos" or " Wdigest" or " Microsoft Unified Security Protocol Provider" or "cloudap") ` + +## Suspicious service that start interesting system binary +` event_id:("4697" or "7045") AND process_command_line:(" rundll32 " or " regsvr32 " or " msbuild " or " installutil " or " odbcconf " or " wmic " or " msiexec " or " cscript " or " wscript " or " cmd " or " powershell " or " comspec ") ` + +## Suspicious services credential dumping tools +` event_id:("4697" or "7045") AND (process_command_line:(" rpc::server " or " service::me " or " fgexec " or " servpw " or " cachedump " or " dumpsvc " or " mimidrv " or " mimikatz " or " wceservice " or " wce service " or " pwdump " or " gsecdump " or " cachedump ") OR service_name:(" fgexec " or " servpw " or " cachedump " or " dumpsvc " or " mimidrv " or " mimikatz " or " wceservice " or " wce" or "service " or " pwdump " or " gsecdump " or " cachedump ")) ` + +## Suspicious services remote execution_tools +` (event_id:("4697" or "7045") OR (log_name:Autoruns AND Category:Services)) AND (process_command_line:(" psexe " or " winexe " or " paexe " or " remcom ") OR service_name:(" BTOBTO " or " psexe " or " winexe " or " paexe " or " remcom ")) ` + + +## Suspicious powershell execution of encoded script +` process_command_line: powershell AND (process_command_line:(" -e " or " -en " or " -ec " or " -enc " or " -enco" or " -encod" or " 
-encode" or " -encoded" or " -encodedc" or " -encodedco" or " -encodedcom" or " -encodedcomm" or " -encodedcomma" or " -encodedcomman" or " -encodedcommand") OR process_command_line:(" StreamReader " or " GzipStream " or " Decompress " or " MemoryStream " or " FromBase64String ")) ` + +## UAC bypass via event viewer +` (event_id:("1" or "4688") AND process_parent_path:" \\\\eventvwr.exe" AND not process_name:" \\\\mmc.exe" ) OR (event_id:"13" AND registry_key_path:" mscfile" AND registry_key_path:" shell " AND registry_key_path:" open " AND registry_key_path:" command ") ` + + diff --git a/mitre/ATT&CK_windows_execution_matrix.xlsx b/mitre/ATT&CK_windows_execution_matrix.xlsx new file mode 100644 index 00000000..817fcfad Binary files /dev/null and b/mitre/ATT&CK_windows_execution_matrix.xlsx differ diff --git a/mitre/images/output.png b/mitre/images/output.png new file mode 100644 index 00000000..3673c575 Binary files /dev/null and b/mitre/images/output.png differ diff --git a/mitre/images/test b/mitre/images/test new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/mitre/images/test @@ -0,0 +1 @@ + diff --git a/mitre/mitre-ref.conf b/mitre/mitre-ref.conf new file mode 100644 index 00000000..9443314e --- /dev/null +++ b/mitre/mitre-ref.conf 
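Review bot: The Office child-process query under "Suspicious Processes Spawned From ms office" misspells two parent images — `" \\\\powepnt.exe"` and `" \\\\outook.exe"` — so processes spawned by PowerPoint or Outlook never match; they should read `" \\\\powerpnt.exe"` and `" \\\\outlook.exe"` (the same rule in mitre-ref.conf spells them correctly). Two further queries look unfinished: "Privileged network logon" has empty values after `src_ip_addr:` and `user_domain:`, and "Run whoami as system" uses a single escaped backslash (`" \\whoami.exe"`) where every other path term in the file uses `\\\\`. A one-line note at the top saying which query language and field schema these target (they appear to assume the HELK/Sysmon field names used in the conf files) would save readers from pasting them into the wrong backend.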
@@ -0,0 +1,298 @@ +#Execution + + +filter { + +#CMSTP + if "cmstp" in [process_command_line] and ".inf" in [process_command_line] { + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1191" + "mitreAttackDescription" => "CMSTP" + "mitreID" => "T1191" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } +} + +#Compiled HTML File + if ".chm" in [process_command_line] { + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1223" + "mitreAttackDescription" => "Compiled HTML File" + "mitreID" => "T1223" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } +} + +# Control Panel Item + if ".cpl" in [process_command_line] and "system32" not in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1196" + "mitreAttackDescription" => "Control Panel Item" + "mitreID" => "T1196" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } +} + +# Spearphishing Attachment, Dynamic Data Exchange +if [event_id] == 1 or [event_id] == 4688 { + if "excel.exe" in [process_parent_path] or "winword.exe" in [process_parent_path] or "powerpnt.exe" in [process_parent_path] or "msaccess.exe" in [process_parent_path] or "mspub.exe" in [process_parent_path] or "outlook.exe" in [process_parent_path]{ + if "cmd.exe" in [process_path] or "powershell.exe" in [process_path] or "wscript.exe" in [process_path] or "cscript.exe" in [process_path] or "bitsadmin.exe" in [process_path] or "certutil.exe" in [process_path] or "schtasks.exe" in [process_path] or "msbuild.exe" in [process_path]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1193,https://attack.mitre.org/techniques/T1193" + "mitreAttackDescription" => "Spearphishing Attachment, Dynamic Data Exchange" + "mitreID" => "T1193, T1173" + "mitreTatic" => "Initial Access, Execution" + 
"mitrePlatform" => "Windows" + } + } + } + } +} + +#MSHTA + if [process_name] == "mshta.exe" { + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1170" + "mitreAttackDescription" => "MSHTA" + "mitreID" => "T1170" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } +} + +#powershell +if "powershell" in [process_command_line] or "pwsh" in [process_command_line] or "SyncAppvPublishingServer" in [process_command_line]{ + if "BitsTransfer" in [process_command_line] or "webclient" in [process_command_line] or "DownloadFile" in [process_command_line] or "wget" in [process_command_line] or "curl" in [process_command_line] or "WebRequest" in [process_command_line] or "WinHttpRequest" in [process_command_line] or "iwr" in [process_command_line] or "irm" in [process_command_line] or "internetExplorer.Application" in [process_command_line] or "Msxml2.XMLHTTP" in [process_command_line] or "MsXml2.ServerXmlHttp" in [process_command_line] { + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1086" + "mitreAttackDescription" => "powershell" + "mitreID" => "T1086" + "mitreTatic" => "Execution" + "mitrePlatform" => "Windows" + } + } +} + +} + +#Regsvcs/Regasm + if [process_name] == "csc.exe" or [process_name] == "regasm.exe"{ + if "System.EnterpriseServices.dll" in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1121" + "mitreAttackDescription" => "Regsvcs/Regasm" + "mitreID" => "T1121" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } + } + else { + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1121" + "mitreAttackDescription" => "Regsvcs/Regasm" + "mitreID" => "T1121" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } + + } +} + +#Regsvr32 + if "regsvr32" in [process_command_line] and "scrobj" in 
[process_command_line] { + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1117" + "mitreAttackDescription" => "Regsvr32" + "mitreID" => "T1117" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } +} + +#rundll32 + if [process_name] == "rundll32.exe" { + #Rundll32 execute JavaScript Remote Payload With GetObject + if "runhtmlapplication" in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1085" + "mitreAttackDescription" => "Rundll32 execute JavaScript Remote Payload With GetObject" + "mitreID" => "T1085" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } + } + + #Execute a DLL/EXE COM server payload or ScriptletURL code + if "-sta" in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1085" + "mitreAttackDescription" => "Rundll32 execute a DLL/EXE COM server payload or ScriptletURL code" + "mitreID" => "T1085" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } + } + + # Invoke an HTML Application via mshta.exe + if "mshtml.dll" in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1085" + "mitreAttackDescription" => "Rundll32 execute via Microsoft HTML Viewer" + "mitreID" => "T1085" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } + } + + # Launch executable by calling the LaunchApplication function + if "pcwutl.dll" in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1085" + "mitreAttackDescription" => "Rundll32 execute by calling the LaunchApplication function" + "mitreID" => "T1085" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } + } + + # Execute the specified (local or remote) .wsh/.sct script with 
scrobj.dll in the .inf file by calling an information file directive (section name specified). + if "setupapi.dll" in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1085" + "mitreAttackDescription" => "Rundll32 execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file" + "mitreID" => "T1085" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } + } + # Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. + if "openurl" in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1085" + "mitreAttackDescription" => "Rundll32 execute payload via proxy through a(n) URL (information) file by calling OpenURL." + "mitreID" => "T1085" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } + } + # Launch command line by calling the ShellExec_RunDLL function. + if "shellexec_rundll" in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1085" + "mitreAttackDescription" => "Rundll32 execute payload by calling the ShellExec_RunDLL function" + "mitreID" => "T1085" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } + } + # rundll 32 run inf file, may or may not be false positive + if ".inf" in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1085" + "mitreAttackDescription" => "rundll 32 run inf file" + "mitreID" => "T1085" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } + } + + # Launch an executable payload by calling RouteTheCall. 
+ if "routethecall" in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1085" + "mitreAttackDescription" => "rundll 32 execute payload by calling RouteTheCall" + "mitreID" => "T1085" + "mitreTatic" => "Defense Evasion, Execution" + "mitrePlatform" => "Windows" + } + } + } + +} + + # ScheduelTask + if [process_name] == "at.exe"{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1053" + "mitreAttackDescription" => "Scheduled Task" + "mitreID" => "T1053" + "mitreTatic" => "Execution, Persistence, Privilege Escalation" + "mitrePlatform" => "Windows" + } + } + } + # ScheduelTask + else if [process_name] == "schtasks.exe" and "c:\windows\system32\wsqmcons.exe" not in [process_parent_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1053" + "mitreAttackDescription" => "Scheduled Task" + "mitreID" => "T1053" + "mitreTatic" => "Execution, Persistence, Privilege Escalation" + "mitrePlatform" => "Windows" + } + } + } + # ScheduelTask + else if [process_name] == "schtasks.exe" and "/s" in [process_parent_command_line] and "/ru" in [process_parent_command_line] { + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1053" + "mitreAttackDescription" => "Scheduled Task remote payload" + "mitreID" => "T1053" + "mitreTatic" => "Execution, Persistence, Privilege Escalation" + "mitrePlatform" => "Windows" + } + } + } + # Service Execution + if [process_name] == "sc.exe" and "create" in [process_command_line] and "binpath" in [process_command_line]{ + mutate { + add_field => { + "mitreReference" => "https://attack.mitre.org/techniques/T1035" + "mitreAttackDescription" => "Service Execution" + "mitreID" => "T1035" + "mitreTatic" => "Execution" + "mitrePlatform" => "Windows" + } + } + } + +} diff --git a/mitre/readme.md b/mitre/readme.md new file mode 100644 index 00000000..2521e0a2 --- /dev/null 
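Review bot: The third scheduled-task branch (`else if [process_name] == "schtasks.exe" and "/s" in [process_parent_command_line] and "/ru" in [process_parent_command_line]`) is unreachable: the branch before it already claims every schtasks.exe event whose parent is not wsqmcons.exe, and this one tests `/s` and `/ru` on the parent's command line rather than the schtasks command line itself, so the "Scheduled Task remote payload" tag can never be applied. Put the remote check ahead of the generic one and test the process's own command line: `if [process_name] == "schtasks.exe" and "/s" in [process_command_line] and "/ru" in [process_command_line] {`. Also, Logstash's string `in` is a case-sensitive substring test, so `"binpath"`, `"cmstp"` and `"openurl"` miss the common `binPath=`, `CMSTP` and `OpenURL` spellings; compare with a case-insensitive regex (`[process_command_line] =~ /(?i)binpath/`) or lowercase a copy of the field first. Finally, the DDE block's `mitreReference` lists T1193 twice where the second URL should be `https://attack.mitre.org/techniques/T1173` to agree with `mitreID => "T1193, T1173"`.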
+++ b/mitre/readme.md @@ -0,0 +1,8 @@ +# This folder contains mitre logstash config but need alots of work done. + +` mitre-rule.conf ` contains logstash rule. + +![Image of mitre output](images/output.png) + +` ATT&CK_windows_execution_matrix.xlsx ` file contains current defined rule. + diff --git a/ti/1531-winevent-sysmon-filter.conf b/ti/1531-winevent-sysmon-filter.conf new file mode 100644 index 00000000..94da8af4 --- /dev/null +++ b/ti/1531-winevent-sysmon-filter.conf 
@@ -0,0 +1,311 @@ +# HELK sysmon filter conf file +# HELK build Stage: Alpha +# Author: Roberto Rodriguez (@Cyb3rWard0g) +# License: GPL-3.0 +# In line 254,262,269 change your destination file location +filter { + if [log_name] == "Microsoft-Windows-Sysmon/Operational"{ + mutate { add_field => { "z_logstash_pipeline" => "1531" } } + mutate { + rename => { + "[user][domain]" => "user_reporter_domain" + "[user][identifier]" => "user_reporter_sid" + "[user][name]" => "user_reporter_name" + "[user][type]" => "user_reporter_type" + "computer_name" => "host_name" + } + } + if [RuleName] { + kv { + source => "RuleName" + field_split => "," + value_split => "=" + prefix => "rule_" + transform_key => "lowercase" + } + } + if [Hashes] { + kv { + source => "Hashes" + field_split => "," + value_split => "=" + prefix => "hash_" + transform_key => "lowercase" + } + } + if [User] { + grok { + match => { "User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" } + tag_on_failure => [ "_User__grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + } + if [event_id] == 1 { + mutate { + add_field => { "action" => "processcreate" } + rename => { + "CommandLine" => "process_command_line" + "CurrentDirectory" => "process_current_directory" + "ParentCommandLine" => "process_parent_command_line" + "IntegrityLevel" => "process_integrity_level" + "LogonGuid" => "user_logon_guid" + "LogonId" => "user_logon_id" + "TerminalSessionId" => "user_session_id" + "FileVersion" => "file_version" + "Description" => "file_description" + "Product" => "file_product" + "Company" => "file_company" + "OriginalFileName " => "file_name_original" + } + } + } + if [event_id] == 2 { + mutate { + add_field => { "action" => "filecreatetime" } + rename => { "TargetFilename" => "file_name" } + } + } + if [event_id] == 3 { + mutate { + add_field => { "action" => "networkconnect" } + rename => { + "DestinationHostname" => "dst_host_name" + "DestinationPort" => "dst_port" + "DestinationPortName" => 
"dst_port_name" + "DestinationIsIpv6" => "dst_is_ipv6" + "Initiated" => "network_initiated" + "Protocol" => "network_protocol" + "SourceHostname" => "src_host_name" + "SourcePort" => "src_port" + "SourcePortName" => "src_port_name" + "SourceIsIpv6" => "src_is_ipv6" + } + } + translate { + field => "[dst_ip_addr]" + destination => "[ti][DestinationIP][otx]" + dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/HELK_IOC/otx_ipv4_.csv' + } + } + if [event_id] == 4 { + mutate { + add_field => { "action" => "sysmonservicestatechanged" } + rename => { + "State" => "service_state" + "Version" => "sysmon_version" + "SchemaVersion" => "sysmon_schema_version" + } + } + } + if [event_id] == 6 { + mutate { + add_field => { "action" => "driverload" } + rename => { + "ImageLoaded" => "driver_loaded" + "Signature" => "signature" + "SignatureStatus" => "signature_status" + "Signed" => "signed" + } + } + } + if [event_id] == 7 { + mutate { + add_field => { "action" => "moduleload" } + rename => { + "ImageLoaded" => "module_loaded" + "Signature" => "signature" + "SignatureStatus" => "signature_status" + "Signed" => "signed" + "FileVersion" => "file_version" + "Description" => "file_description" + "Product" => "file_product" + "Company" => "file_company" + "OriginalFileName " => "file_name_original" + } + } + } + if [event_id] == 8 { + mutate { + add_field => { "action" => "createremotethread" } + rename => { + "NewThreadId" => "thread_new_id" + "StartAddress" => "thread_start_address" + "StartFunction" => "thread_start_function" + "StartModule" => "thread_start_module" + } + } + } + if [event_id] == 9 { + mutate { + add_field => { "action" => "rawaccessread" } + rename => { "Device" => "device_name" } + } + } + if [event_id] == 10 { + mutate { + add_field => { "action" => "processaccess" } + rename => { + "CallTrace" => "process_call_trace" + "GrantedAccess" => "process_granted_access" + "SourceThreadId" => "thread_id" + } + } + } + if [event_id] == 11 { + mutate 
{ + add_field => { "action" => "filecreate" } + rename => { "TargetFilename" => "file_name" } + } + } + if [event_id] == 12 or [event_id] == 13 or [event_id] == 14 { + mutate { + add_field => { "action" => "registryevent" } + rename => { + "EventType" => "event_type" + "TargetObject" => "registry_key_path" + "Details" => "registry_key_value" + "NewName" => "registry_key_new_name" + } + } + } + if [event_id] == 15 { + mutate { + add_field => { "action" => "filecreatestreamhash" } + rename => { + "TargetFilename" => "file_name" + "Hash" => "hash" + } + } + } + if [event_id] == 16 { + kv { + source => "ConfigurationFileHash" + value_split => "=" + prefix => "sysmon_config_hash_" + transform_key => "lowercase" + } + mutate { + add_field => { "action" => "sysmonconfigstatechanged" } + rename => { + "State" => "sysmon_configuration_state" + "Configuration" => "sysmon_configuration" + } + } + } + if [event_id] == 18 or [event_id] == 17 { + mutate { + add_field => { "action" => "pipeevent" } + rename => { + "EventType" => "event_type" + "PipeName" => "pipe_name" + } + } + } + if [event_id] == 19 { + mutate { + add_field => { "action" => "wmievent" } + rename => { + "EventType" => "event_type" + "Operation" => "wmi_operation" + "EventNamespace" => "wmi_namespace" + "Name" => "wmi_filter_name" + "Query" => "wmi_query" + } + } + } + if [event_id] == 20 { + mutate { + add_field => { "action" => "wmievent" } + rename => { + "EventType" => "event_type" + "Operation" => "wmi_operation" + "Name" => "wmi_consumer_name" + "Type" => "wmi_consumer_type" + "Destination" => "wmi_consumer_destination" + } + } + } + if [event_id] == 21 { + mutate { + add_field => { "action" => "wmievent" } + rename => { + "EventType" => "event_type" + "Operation" => "wmi_operation" + "Consumer" => "wmi_consumer_path" + "Filter" => "wmi_filter_path" + } + } + } + + if [event_id] == 22 { + mutate { + add_field => { "action" => "dnsquery" } + rename => { + "QueryName" => "dns_query_name" + "QueryStatus" => 
"dns_query_status" + "QueryResults" => "dns_query_results" + } + } + rest { + request => { + url => "http://yourip:8002/domain/creation_date/%{[dns_query_name]}" + method => "get" + } + #sprintf => true + json => false + target => "[enrich][whois][DNS]" + } + } + + if [dns_query_name] { + translate { + field => "[dns_query_name]" + destination => "[ti][Domain][otx]" + dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/test/otx_domain_.csv' + } + } + + if [hash_sha256] { + translate { + field => "[hash_sha256]" + destination => "[ti][SHA256][otx]" + dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/HELK_IOC/otx_sha256_.csv' + } + } + if [hash_md5] { +translate { + field => "[hash_md5]" + destination => "[ti][MD5][otx]" + dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/HELK_IOC/otx_md5_.csv' + } + +} + date { + timezone => "UTC" + match => [ "UtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ] + target=> "@event_date_creation" + tag_on_failure => [ "_sysmon_UtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ] + } + date { + timezone => "UTC" + match => [ "CreationUtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ] + target => "@file_date_creation" + tag_on_failure => [ "_sysmon_CreationUtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ] + } + date { + timezone => "UTC" + match => [ "PreviousCreationUtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ] + target => "@file_previous_date_creation" + tag_on_failure => [ "_sysmon_PreviousCreationUtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ] + } + mutate { + rename => { "User" => "user_account" } + remove_field => [ + "Hashes", + "ConfigurationFileHash", + "UtcTime", + "CreationUtcTime", + "PreviousCreationUtcTime" + ] + } + } +} diff --git a/ti/helkOTX.py b/ti/helkOTX.py new file mode 100644 index 00000000..96b703ca --- /dev/null +++ b/ti/helkOTX.py 
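Review bot: The domain lookup reads its dictionary from `.../OTX-Python-SDK/test/otx_domain_.csv` while the IP and hash lookups read from `.../OTX-Python-SDK/HELK_IOC/`, and the readme states all five CSVs land in the same folder, so the domain translate points at a stray test path and should be `dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/HELK_IOC/otx_domain_.csv'`. In the event 22 block the `rest` filter splices `%{[dns_query_name]}` — a value the monitored endpoint, and so an attacker on it, controls — straight into the URL path with no encoding, and issues a blocking plaintext HTTP call per DNS event, so a slow or unreachable domain_stats server stalls the pipeline; at minimum gate it behind `if [dns_query_name] =~ /^[A-Za-z0-9.-]+$/` and add a comment documenting the blocking behaviour and the expectation that the server is on a trusted network. Separately, the rename keys `"OriginalFileName "` in the event 1 and event 7 blocks carry a trailing space, so Sysmon's `OriginalFileName` is never renamed to `file_name_original`.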
@@ -0,0 +1,101 @@ +#!/usr/bin/env python + +# HELK script: helk_otx.py +# HELK script description: Pulling intelligence from OTX (AlienVault) +# HELK build version: 0.9 (Alpha) +# Author: Roberto Rodriguez (@Cyb3rWard0g) +# License: BSD 3-Clause +# Since original python file didn't contain OTX Domain Data, so I made a little changes to this. + +from OTXv2 import OTXv2 +from pandas.io.json import json_normalize +from datetime import datetime +from datetime import timedelta + + +otx = OTXv2("a5389a7d96e237ca7af48901f7054d2af4c51af7c0302a4dd0b31f96c20dd003") +time_range = 30 +timedelta_days = timedelta(days=int(time_range)) +pull_time = (datetime.now() - timedelta_days).isoformat() + +def OTXEnrichment(): + pulses = otx.getsince(pull_time) + data = [] + object = {} + for p in pulses: + for i in p['indicators']: + object = { + 'industries': p['industries'], + 'tlp': p['tlp'], + 'description' : p['description'], + 'created' : p['created'], + 'pulse_name' : p['name'], + 'tags' : p['tags'], + 'author_name' : p['author_name'], + 'created': p['created'], + 'modified' : p['modified'], + 'targeted_countries' : p['targeted_countries'], + 'id' : p['id'], + 'extract_source' : p['extract_source'], + 'references' : p['references'], + 'adversary' : p['adversary'], + 'indicator_name': i['indicator'], + 'indicator_description': i['description'], + 'indicator_title': i['title'], + 'indicator_created': i['created'], + 'indicator_content': i['content'], + 'indicator_type': i['type'], + 'indicator_id': i['id'] + } + data.append(object) + + IPV4 = [] + IMPHASH = [] + MD5 = [] + SHA256 = [] + SHA1 = [] + DOMAIN = [] + #HOSTNAME = [] + def pull_indicators(lst, name): + object = { + 'indicator_name' : (i['indicator_name']).upper(), + 'pulse_name' : i['pulse_name'], + 'ioc_name': name + } + return object + + def pull_indicators_domain(lst, name): + object = { + 'indicator_name' : (i['indicator_name']).lower(), + 'pulse_name' : i['pulse_name'], + 'ioc_name': name + } + return object + + for i 
in data: + if i['indicator_type'] == "IPv4": + IPV4.append(pull_indicators(IPV4, 'ipv4')) + elif i['indicator_type'] == "FileHash-MD5": + MD5.append(pull_indicators(MD5, 'md5')) + elif i['indicator_type'] == "FileHash-SHA1": + SHA1.append(pull_indicators(SHA1, 'sha1')) + elif i['indicator_type'] == "FileHash-SHA256": + SHA256.append(pull_indicators(SHA256, 'sha256')) + elif i['indicator_type'] == "FileHash-IMPHASH": + IMPHASH.append(pull_indicators(IMPHASH, 'imphash')) + elif i['indicator_type'] == "domain": + DOMAIN.append(pull_indicators_domain(DOMAIN, 'domain')) + elif i['indicator_type'] == "hostname": + DOMAIN.append(pull_indicators_domain(DOMAIN, 'domain')) + + + iocs = [IPV4, IMPHASH, MD5, SHA1, SHA256, DOMAIN] + for i in iocs: + try: + df = json_normalize(i) + df.to_csv(('otx_'+i[0]['ioc_name']+'_.csv'), index=False, header=False, encoding='utf-8', columns=("indicator_name", "pulse_name")) + except: + print "Not available Intelligence for one indicator in the past 30 days" + +if __name__=="__main__": + OTXEnrichment() diff --git a/ti/image/dns.png b/ti/image/dns.png new file mode 100644 index 00000000..c325a88a Binary files /dev/null and b/ti/image/dns.png differ diff --git a/ti/image/images.md b/ti/image/images.md new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/ti/image/images.md @@ -0,0 +1 @@ + diff --git a/ti/image/otx.png b/ti/image/otx.png new file mode 100644 index 00000000..6524b7fd Binary files /dev/null and b/ti/image/otx.png differ diff --git a/ti/readme.md b/ti/readme.md new file mode 100644 index 00000000..1de56749 --- /dev/null +++ b/ti/readme.md 
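Review bot: The OTX API key is hard-coded at `otx = OTXv2("a5389a7d…")`, so committing this file publishes a live credential; read it from the environment instead (`import os` and `otx = OTXv2(os.environ["OTX_API_KEY"])`) and rotate the exposed key, since it stays in git history even after the line is changed. The CSV loop's bare `except:` swallows every error from `json_normalize` and `to_csv` — including the `IndexError` from `i[0]` on an empty indicator list, which is the only case the printed message describes — so narrow it to `except IndexError:` and let real failures (network, pandas) surface. Note also that `print "..."` is Python 2 syntax while the shebang is an unversioned `python`, and the `lst` parameter of both `pull_indicators` helpers is unused (they read the loop variable `i` from the enclosing scope), which deserves either a comment or a real parameter.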
@@ -0,0 +1,120 @@ +# Integrate OTX TI feeds and Domain registration date with HELK + +## Configuration file for integrating OTX Data with HELK + +### Install OTX python module and Download TI feeds +Install OTX python module with ` pip install OTXv2 ` (in your local server, not in docker). For more information please go, https://github.com/AlienVault-OTX/OTX-Python-SDK. + +Place helkOTX.py to /HELK/docker/helk-logstash/enrichments/cti/ folder.(in your local server, not in docker). Since HELK already mounted with your local system on helk-logstash/enrichments/cti folder. + +Run helkOTX.py with ` python helkOTX.py `. + +After running the python script, you will find these CSV files. +* otx_domain_.csv +* otx_ipv4_.csv +* otx_md5_.csv +* otx_sha1_.csv +* otx_sha256_.csv + +### Install pandas + +` pip install pandas ` + +### Configuring SYSMON logstash file + +Replace ` 1531-winevent-sysmon-filter.conf ` in ` /HELK/docker/helk-logstash/pipeline/ ` folder. + +After replacing ` 1531-winevent-sysmon-filter.conf ` file restart the helk-logstash with ` docker restart helk-logstash `. +Then refresh the index fields in Kibana ` (Management -> Index pattern -> refresh)` . + +Then browse some ips or domains which is included in ` otx_domain_.csv and otx_ipv4_.csv ` file. After that you can search using ` ti.DestinationIP.otx:* or ti.Domain.otx:* ` . + +### Configuration Details + +To fetch destination IP that is event id 3 with Alienvault OTX, TI feeds. +``` + translate { + field => "[dst_ip_addr]" + destination => "[ti][DestinationIP][otx]" + dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/HELK_IOC/otx_ipv4_.csv' + } +``` +To fetch destination domain that is event id 22 with Alienvault OTX, TI feeds. 
+ +``` + if [dns_query_name] { + translate { + field => "[dns_query_name]" + destination => "[ti][Domain][otx]" + dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/test/otx_domain_.csv' + } + } + +``` + +To fetch file checksum(SHA256) with Alienvault OTX, TI feeds. + +``` + + if [hash_sha256] { + translate { + field => "[hash_sha256]" + destination => "[ti][SHA256][otx]" + dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/HELK_IOC/otx_sha256_.csv' + } +``` + +To fetch file checksum(MD5) with Alienvault OTX, TI feeds. + +``` + + if [hash_md5] { +translate { + field => "[hash_md5]" + destination => "[ti][MD5][otx]" + dictionary_path => '/usr/share/logstash/cti/AlientVault/OTX-Python-SDK/HELK_IOC/otx_md5_.csv' + } + +} + +``` + +![GitHub Logo](image/otx.png) + +## Get domain registration (Event id 22) for more detection + +The idea behind is if incoming or destination domain registered date is lower than six months, the client is most likely be phished or compromised. +Python script credit to @markbaggett. + +Clone domain status script from ` https://github.com/MarkBaggett/domain_stats `. Then run the server with ` python domain_stats.py -ip localip port `. Note: You need to keep it running. + +Then install rest plugin in logstash.` https://github.com/lucashenning/logstash-filter-rest` +Then change your logstash config file that is ` 1531-winevent-sysmon-filter.conf `. + +``` + if [event_id] == 22 { + mutate { + add_field => { "action" => "dnsquery" } + rename => { + "QueryName" => "dns_query_name" + "QueryStatus" => "dns_query_status" + "QueryResults" => "dns_query_results" + } + } + rest { + request => { + url => "http://serverhost:port/domain/creation_date/%{[dns_query_name]}" + method => "get" + } + #sprintf => true + json => false + target => "[enrich][whois][DNS]" + } + } + +``` + + +After that restart your logstash. You will see ` enrich.whois.DNS ` field in Kibana. Don't forget to refresh your index. 
+ +![GitHub Logo](image/dns.png)