Skip to content

Instantly share code, notes, and snippets.

@et0x
Last active November 6, 2019 00:03
Show Gist options
  • Save et0x/81ca297d55b61d659193ad04e96f69f6 to your computer and use it in GitHub Desktop.
Save et0x/81ca297d55b61d659193ad04e96f69f6 to your computer and use it in GitHub Desktop.
Quickly search through elasticsearch documents for oddly named fields (ex: isass.exe files impersonating lsass.exe)
import elasticsearch
# this will search for closely named permutations of strings ... IE a common attacker technique is to
# name binaries close to a legitimate binary (isass.exe vs lsass.exe) ... this will search through
# millions of ES documents very quickly, and only return the closely related permutations!
es = elasticsearch.Elasticsearch([{host="localhost", port=9200}])
es.search( index="files_index", body={ "query": { "bool": { "should": [ {"fuzzy": { "file_name":"svchost.exe" }} ], "must_not": [ {"match": { "file_name":"svchost.exe" }} ] } } })["hits"]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment