Suspicious Commandline Escape

Detects suspicious process that use escape characters

Rule Content

- title: Suspicious Commandline Escape
  id: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
  description: Detects suspicious process that use escape characters
  status: experimental
  references:
  - https://twitter.com/vysecurity/status/885545634958385153
  - https://twitter.com/Hexacorn/status/885553465417756673
  - https://twitter.com/Hexacorn/status/885570278637678592
  - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
  - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
  author: juju4
  modified: 2018/12/11
  tags:
  - attack.defense_evasion
  - attack.t1140
  logsource:
    category: process_creation
    product: windows
    service: null
  detection:
    selection:
      CommandLine:
      - ^h^t^t^p
      - h"t"t"p
    condition: selection
  falsepositives:
  - False positives depend on scripts and administrative tools used in the monitored
    environment
  level: low

Querying Elasticsearch

Import Libraries



In [ ]:

    
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client



In [ ]:

    
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query



In [ ]:

    
s = searchContext.query('query_string', query='process_command_line:("\^h\^t\^t\^p" OR "h\"t\"t\"p")')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results



In [ ]:

    
df.head()