{ | |
"cells": [ | |
{ | |
"cell_type": "code", | |
"execution_count": 1, | |
"metadata": {}, | |
"outputs": [ | |
{ | |
"name": "stdout", | |
"output_type": "stream", | |
"text": [ | |
"Requirement already satisfied: splunk-sdk in /opt/conda/lib/python3.7/site-packages (1.6.12)\n", | |
"Requirement already satisfied: pandas in /opt/conda/lib/python3.7/site-packages (1.0.3)\n", | |
"Requirement already satisfied: python-dateutil>=2.6.1 in /opt/conda/lib/python3.7/site-packages (from pandas) (2.8.1)\n", | |
"Requirement already satisfied: pytz>=2017.2 in /opt/conda/lib/python3.7/site-packages (from pandas) (2019.3)\n", | |
"Requirement already satisfied: numpy>=1.13.3 in /opt/conda/lib/python3.7/site-packages (from pandas) (1.18.3)\n", | |
"Requirement already satisfied: six>=1.5 in /opt/conda/lib/python3.7/site-packages (from python-dateutil>=2.6.1->pandas) (1.14.0)\n", | |
"Requirement already satisfied: pandasql in /opt/conda/lib/python3.7/site-packages (0.7.3)\n", | |
"Requirement already satisfied: numpy in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.18.3)\n", | |
"Requirement already satisfied: pandas in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.0.3)\n", | |
"Requirement already satisfied: sqlalchemy in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.3.16)\n", | |
"Requirement already satisfied: python-dateutil>=2.6.1 in /opt/conda/lib/python3.7/site-packages (from pandas->pandasql) (2.8.1)\n", | |
"Requirement already satisfied: pytz>=2017.2 in /opt/conda/lib/python3.7/site-packages (from pandas->pandasql) (2019.3)\n", | |
"Requirement already satisfied: six>=1.5 in /opt/conda/lib/python3.7/site-packages (from python-dateutil>=2.6.1->pandas->pandasql) (1.14.0)\n" | |
] | |
} | |
], | |
"source": [ | |
"!pip install splunk-sdk\n", | |
"!pip install pandas\n", | |
"!pip install pandasql\n", | |
"import pandas as pd\n", | |
"import pandasql" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 2, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"import splunklib.client as client\n", | |
"# Create a Service instance and log in (the host, username and password below are placeholders; load real credentials from the environment rather than hardcoding them in the notebook)\n", | |
"service = client.connect(\n", | |
" host='192.168.0.0', #Input your Splunk's IP here\n", | |
" port='8089',\n", | |
" username=\"admin\",\n", | |
" password=\"Changeme1!\",\n", | |
" scheme='https')" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 3, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"import splunklib.results as results\n", | |
"#First query: Sysmon EventCode=11 (file create) events \n", | |
"query = \"search index=main sourcetype=wineventlog:microsoft-windows-sysmon/operational EventCode=11 | head 2000\"\n", | |
"query_results = service.jobs.oneshot(query, count=0)\n", | |
"reader = results.ResultsReader(query_results)\n", | |
"\n", | |
"results = []\n", | |
"\n", | |
"for result in reader:\n", | |
" results.append(result)\n", | |
" \n", | |
"df_EID11=pd.DataFrame(results)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 4, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"import splunklib.results as results1\n", | |
"\n", | |
"#Second query: Sysmon EventCode=10 (process access) events whose TargetImage is lsass.exe \n", | |
"query1 = \"search index=main sourcetype=wineventlog:microsoft-windows-sysmon/operational EventCode=10 TargetImage = *lsass.exe | head 2000\"\n", | |
"query_results1 = service.jobs.oneshot(query1, count=0)\n", | |
"reader1 = results1.ResultsReader(query_results1)\n", | |
"\n", | |
"\n", | |
"results1 = []\n", | |
" \n", | |
"for result in reader1:\n", | |
" results1.append(result)\n", | |
" \n", | |
"df_EID10=pd.DataFrame(results1)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 5, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"df2_EID11 = df_EID11.Message\n", | |
"df2_EID10 = df_EID10.Message" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 6, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"df3_EID11 = df2_EID11.str.split('\\n')\n", | |
"df3_EID10 = df2_EID10.str.split('\\n')" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 7, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"df4_EID11 = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID11]\n", | |
"df4_EID10 = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID10]" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 8, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"df5_EID11 = pd.DataFrame(df4_EID11)\n", | |
"df5_EID10 = pd.DataFrame(df4_EID10)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 9, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"df5_EID10['GrantedAccess'] = df5_EID10['GrantedAccess'].apply(int, base=16) #Converting GrantedAccess from hex to int" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 10, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"from pandasql import sqldf\n", | |
"#Join EID11 a.ProcessGuid to EID10 b.SourceProcessGuid to find the image that opened lsass with the 0x1410 (5136) access bits and then wrote a .DMP file. \n", | |
"Dumping_Lsass_EID10_EID11 = pandasql.sqldf(\n", | |
"'''\n", | |
"SELECT \n", | |
"b.GrantedAccess,\n", | |
"a.Image,\n", | |
"b.TargetImage,\n", | |
"a.TargetFilename\n", | |
"FROM df5_EID11 a\n", | |
"JOIN df5_EID10 b\n", | |
"ON a.ProcessGuid = b.SourceProcessGuid\n", | |
"AND (b.GrantedAccess & 5136) == 5136\n", | |
"WHERE a.TargetFilename LIKE \"%.DMP\"\n", | |
"\n", | |
"\n", | |
"'''\n", | |
")" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 11, | |
"metadata": {}, | |
"outputs": [ | |
{ | |
"data": { | |
"text/html": [ | |
"<div>\n", | |
"<style scoped>\n", | |
" .dataframe tbody tr th:only-of-type {\n", | |
" vertical-align: middle;\n", | |
" }\n", | |
"\n", | |
" .dataframe tbody tr th {\n", | |
" vertical-align: top;\n", | |
" }\n", | |
"\n", | |
" .dataframe thead th {\n", | |
" text-align: right;\n", | |
" }\n", | |
"</style>\n", | |
"<table border=\"1\" class=\"dataframe\">\n", | |
" <thead>\n", | |
" <tr style=\"text-align: right;\">\n", | |
" <th></th>\n", | |
" <th>GrantedAccess</th>\n", | |
" <th>Image</th>\n", | |
" <th>TargetImage</th>\n", | |
" <th>TargetFilename</th>\n", | |
" </tr>\n", | |
" </thead>\n", | |
" <tbody>\n", | |
" <tr>\n", | |
" <th>0</th>\n", | |
" <td>2097151</td>\n", | |
" <td>C:\\Windows\\system32\\taskmgr.exe</td>\n", | |
" <td>C:\\Windows\\system32\\lsass.exe</td>\n", | |
" <td>C:\\Users\\loki\\AppData\\Local\\Temp\\lsass (3).DMP</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>1</th>\n", | |
" <td>2097151</td>\n", | |
" <td>C:\\Windows\\system32\\taskmgr.exe</td>\n", | |
" <td>C:\\Windows\\system32\\lsass.exe</td>\n", | |
" <td>C:\\Users\\loki\\AppData\\Local\\Temp\\lsass (3).DMP</td>\n", | |
" </tr>\n", | |
" </tbody>\n", | |
"</table>\n", | |
"</div>" | |
], | |
"text/plain": [ | |
" GrantedAccess Image \\\n", | |
"0 2097151 C:\\Windows\\system32\\taskmgr.exe \n", | |
"1 2097151 C:\\Windows\\system32\\taskmgr.exe \n", | |
"\n", | |
" TargetImage \\\n", | |
"0 C:\\Windows\\system32\\lsass.exe \n", | |
"1 C:\\Windows\\system32\\lsass.exe \n", | |
"\n", | |
" TargetFilename \n", | |
"0 C:\\Users\\loki\\AppData\\Local\\Temp\\lsass (3).DMP \n", | |
"1 C:\\Users\\loki\\AppData\\Local\\Temp\\lsass (3).DMP " | |
] | |
}, | |
"metadata": {}, | |
"output_type": "display_data" | |
} | |
], | |
"source": [ | |
"display(Dumping_Lsass_EID10_EID11)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": null, | |
"metadata": {}, | |
"outputs": [], | |
"source": [] | |
} | |
], | |
"metadata": { | |
"kernelspec": { | |
"display_name": "Python 3", | |
"language": "python", | |
"name": "python3" | |
}, | |
"language_info": { | |
"codemirror_mode": { | |
"name": "ipython", | |
"version": 3 | |
}, | |
"file_extension": ".py", | |
"mimetype": "text/x-python", | |
"name": "python", | |
"nbconvert_exporter": "python", | |
"pygments_lexer": "ipython3", | |
"version": "3.7.6" | |
} | |
}, | |
"nbformat": 4, | |
"nbformat_minor": 4 | |
} |