Suspicious File Characteristics due to Missing Fields

Detects executables whose FileVersion, Description, Product or Company version-info fields are missing (Sysmon reports them as "?"), a trait of binaries packaged with py2exe

Rule Content

- title: Suspicious File Characteristics due to Missing Fields
  id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
  description: Detects Executables without FileVersion,Description,Product,Company
    likely created with py2exe
  status: experimental
  references:
  - https://securelist.com/muddywater/88059/
  - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
  author: Markus Neis
  date: 2018/11/22
  modified: 2019/11/09
  tags:
  - attack.defense_evasion
  - attack.execution
  - attack.t1064
  logsource:
    product: windows
    service: sysmon
    category: null
  detection:
    selection1:
      Description: \?
      FileVersion: \?
    selection2:
      Description: \?
      Product: \?
    selection3:
      Description: \?
      Company: \?
    condition: 1 of them
  fields:
  - CommandLine
  - ParentCommandLine
  falsepositives:
  - Unknown
  level: medium
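
The rule fires when any one of the three selections holds ("1 of them"), and each selection is an AND of field tests; `\?` is Sigma's escaped form of the literal `?` that Sysmon writes into a version-info field when the PE carries no such resource. The following is an added example, not code from the notebook or the Sigma project, that evaluates the rule's logic over a few constructed Sysmon process-creation events; field names follow the HELK mapping used in the notebook's query (`file_description`, `file_version`, `file_product`, `file_company`), and the sample events are invented.

```python
# Added example: evaluates the Sigma rule's three selections and its
# "1 of them" condition over constructed Sysmon process-creation events.
# Not code from the HELK notebook or the Sigma project.
from typing import Dict, List

# Sysmon reports a literal "?" for a version-info field that the PE lacks;
# the rule's "\?" is the Sigma-escaped form of that literal.
MISSING = "?"

# Each selection is an AND of field == "?" tests, mirroring the YAML.
SELECTIONS: Dict[str, List[str]] = {
    "selection1": ["file_description", "file_version"],
    "selection2": ["file_description", "file_product"],
    "selection3": ["file_description", "file_company"],
}


def selection_matches(event: dict, fields: List[str]) -> bool:
    """True when every listed field is present and equals the literal '?'."""
    return all(event.get(f) == MISSING for f in fields)


def rule_matches(event: dict) -> List[str]:
    """Names of the selections that fire for this event.

    The condition is '1 of them', so any non-empty result means the rule fires.
    """
    return [name for name, fields in SELECTIONS.items()
            if selection_matches(event, fields)]


# Constructed sample events (not real telemetry); HELK-style field names.
SAMPLE_EVENTS = [
    {   # vendor binary with a full version resource: no selection fires
        "process_name": "notepad.exe",
        "file_description": "Notepad",
        "file_version": "10.0.19041.1",
        "file_product": "Microsoft Windows Operating System",
        "file_company": "Microsoft Corporation",
    },
    {   # PE with no version resource at all: every field is "?"
        "process_name": "update.exe",
        "file_description": "?",
        "file_version": "?",
        "file_product": "?",
        "file_company": "?",
    },
    {   # only Description missing: no selection is fully satisfied
        "process_name": "tool.exe",
        "file_description": "?",
        "file_version": "1.0.0.0",
        "file_product": "Tool",
        "file_company": "Example Corp",
    },
    {   # Description and Company missing: selection3 alone fires
        "process_name": "helper.exe",
        "file_description": "?",
        "file_version": "2.1.0.0",
        "file_product": "Helper",
        "file_company": "?",
    },
]


def run_rule(events) -> Dict[str, List[str]]:
    """Map process_name -> selections fired, for events the rule matches."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        fired = rule_matches(ev)
        if fired:
            hits[ev["process_name"]] = fired
    return hits


if __name__ == "__main__":
    for name, fired in run_rule(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(fired)}")
```

Note that an event with only Description set to "?" (the third sample) does not match: every selection requires Description plus one more missing field, which is what keeps the rule from firing on every unsigned in-house tool that merely omits a description string.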

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-endpoint-winevent-sysmon-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
# Sigma's "\?" is the literal "?"; a raw string keeps the backslash so Python
# does not treat "\?" as an (invalid) escape sequence before it reaches Elasticsearch.
s = searchContext.query('query_string', query=r'(file_description:"\?" AND (file_version:"\?" OR file_product:"\?" OR file_company:"\?"))')
response = s.execute()
if response.success():
    # scan() pages through every matching document rather than the first batch only
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    raise RuntimeError('Elasticsearch query did not succeed')

Show Results


In [ ]:
df.head()