Generates a Lacework LQL query file (LOLDriver_Malicious_Hashes.yaml) from the LOLDrivers project's malicious-driver SHA-256 hash list, so the hashes can be hunted for in LW_HE_FILES.
import re
import textwrap

import requests
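def fetch_hashes(url):
    """Download a newline-separated hash list from *url*.

    Args:
        url: HTTPS URL of a plain-text file with one hash per line.

    Returns:
        list[str] | None: the non-empty, whitespace-stripped lines of the
        response body, or None when the request fails or the server answers
        with anything other than HTTP 200 (the original "None on error"
        contract is kept so callers can keep testing ``if hashes:``).
    """
    try:
        # A bounded timeout keeps a stalled upstream from hanging the run.
        # TLS verification is left at requests' default (on): this feed ends
        # up in a detection policy, so never pass verify=False here.
        response = requests.get(url, timeout=30)
    except requests.RequestException:
        # Network/TLS failures previously escaped as a traceback; report them
        # the same way as a bad status so the caller sees a single contract.
        print("Error fetching data.")
        return None
    if response.status_code != 200:
        print("Error fetching data.")
        return None
    # splitlines() also copes with CRLF line endings; blank lines are dropped
    # so they never reach the query builder as empty hash literals.
    return [line.strip() for line in response.text.splitlines() if line.strip()]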
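def generate_lql(hashes):
    """Write an LQL query matching any of *hashes* to LOLDriver_Malicious_Hashes.yaml.

    The hash list comes from a remote, third-party file, so every entry is
    validated as a 64-character hex SHA-256 digest before it is spliced into
    the query text. Without that check a tampered or malformed upstream line
    (for example one containing a quote) would be injected verbatim into the
    LQL filter and could change what the policy matches.

    Args:
        hashes: iterable of SHA-256 hex digests. Surrounding whitespace is
            tolerated; duplicates are collapsed while preserving order.

    Raises:
        ValueError: if *hashes* is empty or contains an entry that is not a
            SHA-256 hex digest.
        OSError: if the output file cannot be written.
    """
    sha256 = re.compile(r"[0-9a-fA-F]{64}")
    cleaned = []
    seen = set()
    for raw in hashes:
        candidate = raw.strip()
        if not sha256.fullmatch(candidate):
            raise ValueError(f"not a SHA-256 hex digest: {candidate!r}")
        if candidate not in seen:
            seen.add(candidate)
            cleaned.append(candidate)
    if not cleaned:
        # An empty filter block would produce a syntactically broken query.
        raise ValueError("no hashes supplied")

    columns = [
        "files.FILEDATA_HASH",
        "files.FILE_ACCESSED_TIME",
        "files.FILE_CREATED_TIME",
        "files.FILE_MODIFIED_TIME",
        "files.FILE_NAME",
        "files.FILE_PERMISSIONS",
        "files.FILE_TYPE",
        "files.HARD_LINK_COUNT",
        "files.LINK_ABS_DEST_PATH",
        "files.LINK_DEST_PATH",
        "files.MID",
        "files.OWNER_GID",
        "files.OWNER_UID",
        "files.OWNER_USERNAME",
        "files.PATH",
        "files.RECORD_CREATED_TIME",
        "files.SIZE",
    ]

    # The query is a YAML block scalar (|-), so every line of the LQL body must
    # stay indented under queryText; the OR continuation lines are indented to
    # the same column as the first predicate for that reason.
    lines = [
        "queryId: LOLDriver_Malicious_Hashes",
        "queryText: |-",
        "  {",
        "    source {",
        "      LW_HE_FILES files",
        "    }",
        "    filter {",
    ]
    predicates = [f"files.FILEDATA_HASH = '{h}'" for h in cleaned]
    lines.append("      " + predicates[0])
    lines.extend("      OR " + predicate for predicate in predicates[1:])
    lines.extend(["    }", "    return distinct {"])
    lines.extend(f"      {column}," for column in columns[:-1])
    lines.append(f"      {columns[-1]}")
    lines.extend(["    }", "  }"])
    query = "\n".join(lines) + "\n"

    with open('LOLDriver_Malicious_Hashes.yaml', 'w', encoding="utf-8") as file:
        file.write(query)
    print("Query saved to 'LOLDriver_Malicious_Hashes.yaml'.")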
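# Upstream feed: the LOLDrivers malicious-sample SHA-256 list. Note this tracks
# the repository's moving `main` branch, so the generated policy is only as
# trustworthy as that branch at fetch time; pin a commit SHA in the path if a
# reproducible or reviewed hash set is required.
url = 'https://raw.githubusercontent.com/magicsword-io/LOLDrivers/main/detections/hashes/samples_malicious.sha256'


def main():
    """Fetch the LOLDrivers hash list and write the LQL query file."""
    hashes = fetch_hashes(url)
    if hashes:
        generate_lql(hashes)


if __name__ == "__main__":
    main()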
Run the generated query with the Lacework CLI (here over the last 120 days):
lacework query run --start "-120d@d" --end "@h" -f LOLDriver_Malicious_Hashes.yaml
Generated LQL policy: