
Implementing detection for ProxyShell in Elastic SIEM

Hi, due to the recent worldwide exploitation of Exchange servers, we will implement monitoring for our Exchange server.

What we need:

1. The rule is based on process creation events. For that we need to collect Sysmon event ID 1, Windows Security event ID 4688, or EDR process creation events (Elastic Agent stores these under event.category:process and event.type:start).
2. The logs stored in an index or alias matching the wildcard pattern winlogbeat-* (this is the pattern the imported rule queries).
3. A running Elastic Stack instance (see: how to deploy Elasticsearch and Kibana).
There is a Sigma rule available that we can download and adapt to our needs:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_webshell_detection.yml
I will use the https://uncoder.io/ portal to convert the rule to an Elastic SIEM rule.
Steps:
1. Copy the raw content of the rule from GitHub.
2. Make sure "SIGMA" is selected in the left panel.
3. Paste the content into the left panel.
4. In the right panel, select "Elastic Rule" from the drop-down menu.
5. Click the red "Translate" button.
6. Click the "Copy" button to copy the result to the clipboard.
7. Save the content to a file named "Webshell Detection With Command Line Keywords.ndjson".
8. Open the file with any text editor and join all lines into one line (in Notepad++ just press CTRL+J). The Kibana rule importer reads NDJSON, that is one complete JSON object per line, so a pretty-printed rule spread over several lines will not import.
Important:

If you are not reshaping your data with custom ingest pipelines, replace every ".keyword" with an empty string (in Notepad++ just press CTRL+H). With the default Winlogbeat/Elastic Agent ECS mapping, fields such as process.executable and process.command_line are already of type keyword and have no ".keyword" subfield, so a query that references process.executable.keyword matches nothing and the rule never fires.

9. Open the Elastic SIEM web application (Kibana).
10. Navigate via the menu to Security -> Alerts.

11. On the right side, open the rule manager by clicking the "Manage detection rules" button:

12. Click the "Import rules" button:

13. Click in the middle of the window to choose the file with the rule.

14. Click the "Import rule" button.
After that the rule is imported and enabled; check that the toggle in the rules table shows it as enabled:
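Steps 7 and 8 plus the ".keyword" note can be done in a few lines instead of by hand. The script below is an added example, not code from this page, from uncoder.io or from Elastic: it parses the pretty-printed rule JSON the translator produces, strips the ".keyword" suffixes only inside the query, checks that the rule targets winlogbeat-*, and writes it back as a single NDJSON line. SAMPLE_UNCODER_OUTPUT is constructed to resemble the translator's output (its query is shortened; a real export carries more fields such as rule_id, tags and references, which pass through untouched).

```python
"""Added example (not the page's, uncoder.io's or Elastic's code): convert a
pretty-printed rule JSON into the one-object-per-line NDJSON that the Kibana
rule importer expects, stripping ".keyword" field suffixes in the query."""
import json
import re

# ".keyword" only where it ends a field name (followed by ':' or whitespace)
KEYWORD_SUFFIX = re.compile(r"\.keyword(?=[\s:])")

# Constructed stand-in for the translator's output; indent=4 gives the
# multi-line layout that step 8 has to undo.
SAMPLE_UNCODER_OUTPUT = json.dumps({
    "name": "Webshell Detection With Command Line Keywords",
    "description": "Detects certain command line parameters often used during "
                   "reconnaissance activity via web shells",
    "type": "query",
    "language": "kuery",
    "index": ["winlogbeat-*"],
    "query": (r"process.parent.executable.keyword:(*\\w3wp.exe or *\\httpd.exe) and "
              r"process.executable.keyword:(*\\whoami.exe or *\\systeminfo.exe)"),
    "risk_score": 73,
    "severity": "high",
    "enabled": True,
}, indent=4)


def normalize_rule(raw_text, strip_keyword=True, expected_index="winlogbeat-*"):
    """Parse one rule object and return it as a single NDJSON line.

    Newlines between JSON tokens are insignificant, so json.loads() does the
    equivalent of Notepad++ CTRL+J and also rejects a truncated copy-paste.
    """
    rule = json.loads(raw_text)
    if expected_index not in rule.get("index", []):
        raise ValueError("rule does not query %s, where the logs live" % expected_index)
    if strip_keyword:
        # Limit the replacement to the query: an editor-wide CTRL+H would also
        # rewrite any ".keyword" that happens to appear in the description.
        rule["query"] = KEYWORD_SUFFIX.sub("", rule["query"])
    # json.dumps escapes any newline inside string values, so the result is one line
    return json.dumps(rule, separators=(",", ":"))


def parsed(ndjson_line):
    """Helper for inspection: the rule object back as a dict."""
    return json.loads(ndjson_line)


if __name__ == "__main__":
    line = normalize_rule(SAMPLE_UNCODER_OUTPUT)
    with open("Webshell Detection With Command Line Keywords.ndjson", "w",
              encoding="utf-8") as fh:
        fh.write(line + "\n")
    print(parsed(line)["query"])
```

If your events do go through a custom ingest pipeline that produces text fields with .keyword subfields, call normalize_rule with strip_keyword=False and the query is left as the translator wrote it.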


How this rule works:

The rule checks for a process start event where the parent process executable ends with one of (w3wp.exe, php-cgi.exe, nginx.exe, httpd.exe, apache, tomcat) and at least one of the following holds:

a) the process executable ends with net.exe or net1.exe and the command line contains at least one of user, use, group

b) the process executable ends with ping.exe and the command line contains -n

c) the command line contains one of (&cd&echo, "cd /d")

d) the process executable ends with wmic.exe and the command line contains "/node:"

e) the process executable ends with one of (whoami.exe, systeminfo.exe, quser.exe, ipconfig.exe, pathping.exe, tracert.exe, netstat.exe, schtasks.exe, vssadmin.exe, wevtutil.exe, tasklist.exe)

f) the command line contains one of (Test-NetConnection, dir)

Note that only direct children of the web server process are inspected: whoami.exe launched through cmd.exe /c has cmd.exe as its parent and is not matched by branch e, which is why the command line keywords in branches c and f matter for the cmd.exe stage.
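To see what the imported rule will and will not match, here is the same logic re-implemented in Python and run over a few constructed process start events. This is an added example, not code from this page or from the Sigma or Elastic projects; the ECS field names process.parent.executable, process.executable and process.command_line are the ones Winlogbeat and Elastic Agent populate for Sysmon ID 1 and Security 4688, and the events are made up. The .exe suffixes carry a leading path separator (my choice, the page lists bare names) so that telnet.exe is not mistaken for net.exe.

```python
"""Added example (not the page's, SigmaHQ's or Elastic's code): the rule's
branches a-f evaluated over constructed ECS-style process start events."""

# Parent must be a web server / application server process.
WEB_SERVER_PARENTS = ("\\w3wp.exe", "\\php-cgi.exe", "\\nginx.exe", "\\httpd.exe",
                      "apache", "tomcat")
NET_TOOLS = ("\\net.exe", "\\net1.exe")
NET_VERBS = ("user", "use", "group")
RECON_TOOLS = tuple("\\" + n for n in (
    "whoami.exe", "systeminfo.exe", "quser.exe", "ipconfig.exe", "pathping.exe",
    "tracert.exe", "netstat.exe", "schtasks.exe", "vssadmin.exe", "wevtutil.exe",
    "tasklist.exe"))
PS_KEYWORDS = ("test-netconnection", "dir")


def _ends_with_any(value, suffixes):
    return any(value.endswith(s) for s in suffixes)


def classify(event):
    """Return the letter of the first matching branch (a-f) or None.

    Comparisons are lower-cased because Sigma's endswith/contains are
    case-insensitive by specification; check that the translated KQL keeps
    that, since wildcard matches on keyword fields are case-sensitive.
    """
    proc = event.get("process", {})
    parent = proc.get("parent", {}).get("executable", "").lower()
    image = proc.get("executable", "").lower()
    cmd = proc.get("command_line", "").lower()

    if not _ends_with_any(parent, WEB_SERVER_PARENTS):
        return None
    if _ends_with_any(image, NET_TOOLS) and any(v in cmd for v in NET_VERBS):
        return "a"
    if image.endswith("\\ping.exe") and "-n" in cmd:
        return "b"
    if "&cd&echo" in cmd or "cd /d" in cmd:
        return "c"
    if image.endswith("\\wmic.exe") and "/node:" in cmd:
        return "d"
    if _ends_with_any(image, RECON_TOOLS):
        return "e"
    if any(k in cmd for k in PS_KEYWORDS):  # bare "dir" also hits "directory": expect tuning
        return "f"
    return None


def _ev(eid, parent, image, cmdline):
    """Build a minimal ECS-shaped process start event (constructed, not real telemetry)."""
    return {"id": eid, "event": {"category": "process", "type": "start"},
            "process": {"parent": {"executable": parent}, "executable": image,
                        "command_line": cmdline}}


SAMPLE_EVENTS = [
    # China Chopper style one-liner pushed through a web shell
    _ev("e1", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
        r'cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\"&whoami&echo [S]&cd&echo [E]'),
    # recon binary started directly by the IIS worker process
    _ev("e2", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\whoami.exe",
        "whoami"),
    # same binary as a grandchild: parent is cmd.exe, so the rule is silent
    _ev("e3", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\whoami.exe", "whoami"),
    # account creation from the worker process
    _ev("e4", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\net.exe",
        "net user svc_backup P@ssw0rd /add"),
    # telnet.exe ends in "net.exe" but must not count as net.exe
    _ev("e5", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\telnet.exe",
        "telnet user"),
    # PowerShell port probe spawned by an Apache worker
    _ev("e6", r"C:\Apache24\bin\httpd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -c Test-NetConnection 10.0.0.5 -Port 445"),
    # benign: ASP.NET compiling a page under w3wp.exe
    _ev("e7", r"C:\Windows\System32\inetsrv\w3wp.exe",
        r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        r'csc.exe /noconfig /fullpaths @"C:\Windows\Temp\abc123.cmdline"'),
]


def scan(events):
    """Return (event id, branch) for every event the rule would alert on."""
    hits = []
    for e in events:
        branch = classify(e)
        if branch:
            hits.append((e["id"], branch))
    return hits


if __name__ == "__main__":
    for eid, branch in scan(SAMPLE_EVENTS):
        print("%s: matched branch %s" % (eid, branch))
```

Events e3 and e5 are the ones worth remembering when you tune: the grandchild whoami.exe is invisible to this rule, and a bare-name suffix match would have turned telnet.exe into a false positive.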
