Suspicious HWP Sub Processes

Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation

Rule Content

- title: Suspicious HWP Sub Processes
  id: 023394c4-29d5-46ab-92b8-6a534c6f447b
  description: Detects suspicious Hangul Word Processor (Hanword) sub processes that
    could indicate an exploitation
  status: experimental
  references:
  - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
  - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
  - https://twitter.com/cyberwar_15/status/1187287262054076416
  - https://blog.alyac.co.kr/1901
  - https://en.wikipedia.org/wiki/Hangul_(word_processor)
  tags:
  - attack.execution
  - attack.defense_evasion
  - attack.initial_access
  - attack.t1059
  - attack.t1202
  - attack.t1193
  - attack.g0032
  author: Florian Roth
  date: 2019/10/24
  logsource:
    category: process_creation
    product: windows
    service: null
  detection:
    selection:
      ParentImage: '*\Hwp.exe'
      Image: '*\gbb.exe'
    condition: selection
  falsepositives:
  - Unknown
  level: high

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
s = searchContext.query('query_string', query='(process_parent_path.keyword:*\\Hwp.exe AND process_path.keyword:*\\gbb.exe)')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results


In [ ]:
df.head()