@jsecurity101
Last active December 5, 2021 23:51
{
"cells": [
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Requirement already satisfied: splunk-sdk in /opt/conda/lib/python3.7/site-packages (1.6.12)\n",
"Requirement already satisfied: pandas in /opt/conda/lib/python3.7/site-packages (1.0.3)\n",
"Requirement already satisfied: python-dateutil>=2.6.1 in /opt/conda/lib/python3.7/site-packages (from pandas) (2.8.1)\n",
"Requirement already satisfied: pytz>=2017.2 in /opt/conda/lib/python3.7/site-packages (from pandas) (2019.3)\n",
"Requirement already satisfied: numpy>=1.13.3 in /opt/conda/lib/python3.7/site-packages (from pandas) (1.18.3)\n",
"Requirement already satisfied: six>=1.5 in /opt/conda/lib/python3.7/site-packages (from python-dateutil>=2.6.1->pandas) (1.14.0)\n",
"Requirement already satisfied: pandasql in /opt/conda/lib/python3.7/site-packages (0.7.3)\n",
"Requirement already satisfied: numpy in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.18.3)\n",
"Requirement already satisfied: pandas in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.0.3)\n",
"Requirement already satisfied: sqlalchemy in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.3.16)\n",
"Requirement already satisfied: python-dateutil>=2.6.1 in /opt/conda/lib/python3.7/site-packages (from pandas->pandasql) (2.8.1)\n",
"Requirement already satisfied: pytz>=2017.2 in /opt/conda/lib/python3.7/site-packages (from pandas->pandasql) (2019.3)\n",
"Requirement already satisfied: six>=1.5 in /opt/conda/lib/python3.7/site-packages (from python-dateutil>=2.6.1->pandas->pandasql) (1.14.0)\n"
]
}
],
"source": [
"!pip install splunk-sdk\n",
"!pip install pandas\n",
"!pip install pandasql\n",
"import pandas as pd\n",
"import pandasql"
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [],
"source": [
"import splunklib.client as client\n",
"# Create a Service instance and log in. The host, username and password below are placeholder values; for real use read them from environment variables or getpass instead of hard-coding credentials in a notebook that will be saved or shared.\n",
"service = client.connect(\n",
" host='192.168.0.0', #Input your Splunk's IP here\n",
" port='8089',\n",
" username=\"admin\",\n",
" password=\"Changeme1!\",\n",
" scheme='https')"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [],
"source": [
"import splunklib.results as results\n",
"# First query: Sysmon EID 11 (FileCreate) events. The search has no earliest/latest bounds and head 2000 caps the result set, so matches beyond the first 2000 events are silently dropped on a busy index.\n",
"query = \"search index=main sourcetype=wineventlog:microsoft-windows-sysmon/operational EventCode=11 | head 2000\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID11=pd.DataFrame(results)"
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {},
"outputs": [],
"source": [
"import splunklib.results as results1\n",
"\n",
"# Second query: Sysmon EID 10 (ProcessAccess) events whose TargetImage is lsass.exe, with the same 2000-event cap as the first query.\n",
"query1 = \"search index=main sourcetype=wineventlog:microsoft-windows-sysmon/operational EventCode=10 TargetImage = *lsass.exe | head 2000\"\n",
"query_results1 = service.jobs.oneshot(query1, count=0)\n",
"reader1 = results1.ResultsReader(query_results1)\n",
"\n",
"\n",
"results1 = []\n",
" \n",
"for result in reader1:\n",
" results1.append(result)\n",
" \n",
"df_EID10=pd.DataFrame(results1)"
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {},
"outputs": [],
"source": [
"df2_EID11 = df_EID11.Message\n",
"df2_EID10 = df_EID10.Message"
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {},
"outputs": [],
"source": [
"df3_EID11 = df2_EID11.str.split('\\n')\n",
"df3_EID10 = df2_EID10.str.split('\\n')"
]
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {},
"outputs": [],
"source": [
"df4_EID11 = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID11]\n",
"df4_EID10 = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID10]"
]
},
{
"cell_type": "code",
"execution_count": 8,
"metadata": {},
"outputs": [],
"source": [
"df5_EID11 = pd.DataFrame(df4_EID11)\n",
"df5_EID10 = pd.DataFrame(df4_EID10)"
]
},
{
"cell_type": "code",
"execution_count": 9,
"metadata": {},
"outputs": [],
"source": [
"df5_EID10['GrantedAccess'] = df5_EID10['GrantedAccess'].apply(int, base=16) #Converting GrantedAccess from hex to int"
]
},
{
"cell_type": "code",
"execution_count": 10,
"metadata": {},
"outputs": [],
"source": [
"from pandasql import sqldf\n",
"# Join EID 11 (FileCreate) to EID 10 (ProcessAccess) on the source ProcessGuid to find the image that both opened a handle to lsass.exe and wrote a .DMP file.\n",
"# 5136 == 0x1410 == PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, the access mask commonly associated with MiniDumpWriteDump; the bitwise test keeps any handle granted at least those rights (e.g. 0x1FFFFF, PROCESS_ALL_ACCESS).\n",
"# Note: no time window is applied and the join is not DISTINCT, so one .DMP write paired with several lsass handle opens by the same process yields repeated rows (as in the output below).\n",
"Dumping_Lsass_EID10_EID11 = pandasql.sqldf(\n",
"'''\n",
"SELECT \n",
"b.GrantedAccess,\n",
"a.Image,\n",
"b.TargetImage,\n",
"a.TargetFilename\n",
"FROM df5_EID11 a\n",
"JOIN df5_EID10 b\n",
"ON a.ProcessGuid = b.SourceProcessGuid\n",
"AND (b.GrantedAccess & 5136) == 5136\n",
"WHERE a.TargetFilename LIKE \"%.DMP\"\n",
"\n",
"\n",
"'''\n",
")"
]
},
{
"cell_type": "code",
"execution_count": 11,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>GrantedAccess</th>\n",
" <th>Image</th>\n",
" <th>TargetImage</th>\n",
" <th>TargetFilename</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>2097151</td>\n",
" <td>C:\\Windows\\system32\\taskmgr.exe</td>\n",
" <td>C:\\Windows\\system32\\lsass.exe</td>\n",
" <td>C:\\Users\\loki\\AppData\\Local\\Temp\\lsass (3).DMP</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>2097151</td>\n",
" <td>C:\\Windows\\system32\\taskmgr.exe</td>\n",
" <td>C:\\Windows\\system32\\lsass.exe</td>\n",
" <td>C:\\Users\\loki\\AppData\\Local\\Temp\\lsass (3).DMP</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" GrantedAccess Image \\\n",
"0 2097151 C:\\Windows\\system32\\taskmgr.exe \n",
"1 2097151 C:\\Windows\\system32\\taskmgr.exe \n",
"\n",
" TargetImage \\\n",
"0 C:\\Windows\\system32\\lsass.exe \n",
"1 C:\\Windows\\system32\\lsass.exe \n",
"\n",
" TargetFilename \n",
"0 C:\\Users\\loki\\AppData\\Local\\Temp\\lsass (3).DMP \n",
"1 C:\\Users\\loki\\AppData\\Local\\Temp\\lsass (3).DMP "
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"display(Dumping_Lsass_EID10_EID11)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.7.6"
}
},
"nbformat": 4,
"nbformat_minor": 4
}