@jsecurity101
Created July 1, 2020 14:50
{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Author: Jonathan Johnson (@jsecurity101)"
]
},
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Requirement already satisfied: splunk-sdk in /opt/conda/lib/python3.7/site-packages (1.6.13)\n",
"Requirement already satisfied: pandas in /opt/conda/lib/python3.7/site-packages (1.0.5)\n",
"Requirement already satisfied: pytz>=2017.2 in /opt/conda/lib/python3.7/site-packages (from pandas) (2020.1)\n",
"Requirement already satisfied: numpy>=1.13.3 in /opt/conda/lib/python3.7/site-packages (from pandas) (1.19.0)\n",
"Requirement already satisfied: python-dateutil>=2.6.1 in /opt/conda/lib/python3.7/site-packages (from pandas) (2.8.1)\n",
"Requirement already satisfied: six>=1.5 in /opt/conda/lib/python3.7/site-packages (from python-dateutil>=2.6.1->pandas) (1.14.0)\n",
"Requirement already satisfied: pandasql in /opt/conda/lib/python3.7/site-packages (0.7.3)\n",
"Requirement already satisfied: pandas in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.0.5)\n",
"Requirement already satisfied: sqlalchemy in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.3.16)\n",
"Requirement already satisfied: numpy in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.19.0)\n",
"Requirement already satisfied: pytz>=2017.2 in /opt/conda/lib/python3.7/site-packages (from pandas->pandasql) (2020.1)\n",
"Requirement already satisfied: python-dateutil>=2.6.1 in /opt/conda/lib/python3.7/site-packages (from pandas->pandasql) (2.8.1)\n",
"Requirement already satisfied: six>=1.5 in /opt/conda/lib/python3.7/site-packages (from python-dateutil>=2.6.1->pandas->pandasql) (1.14.0)\n"
]
}
],
"source": [
"!pip install splunk-sdk\n",
"!pip install pandas\n",
"!pip install pandasql\n",
"import pandas as pd\n",
"import pandasql\n",
"pd.set_option('display.max_columns', None) \n",
"pd.set_option('display.expand_frame_repr', False)\n",
"pd.set_option('max_colwidth', 0)"
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [],
"source": [
"import splunklib.client as client\n",
"# Create a Service instance and log in \n",
"service = client.connect(\n",
" host='192.168.0.0', #Input your Splunk's IP here; load the username/password from the environment or getpass instead of keeping real credentials in the notebook\n",
" port='8089',\n",
" username=\"admin\",\n",
" password=\"Changeme1!\",\n",
" scheme='https')"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [],
"source": [
"import splunklib.results as results\n",
"#Sysmon EventCode=12 query (registry events under the Services key) -> df_EID_12: \n",
"query = \"search index=main sourcetype=wineventlog:microsoft-windows-sysmon/operational EventCode=12 TargetObject!=*UserService* TargetObject!=*UserSvc* TargetObject!=*LanmanServer* TargetObject!=*NetLogon* TargetObject!=*Svc* TargetObject!=*UnistoreSvc* TargetObject!=*UserData* TargetObject!=*NTDS* TargetObject=*Services* Image!=*WebServices.exe Image=*services.exe | head 1000\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID_12=pd.DataFrame(results)"
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {},
"outputs": [],
"source": [
"import splunklib.results as results\n",
"#DCE/RPC svcctl endpoint query -> df_rpc_svcctl: \n",
"query = \"search index=main sourcetype=dce_rpc-too_small endpoint=svcctl | head 2000\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_rpc_svcctl=pd.DataFrame(results)"
]
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {},
"outputs": [],
"source": [
"df2=df_rpc_svcctl._raw"
]
},
{
"cell_type": "code",
"execution_count": 8,
"metadata": {},
"outputs": [],
"source": [
"import json\n",
"dfj = [json.loads(j) for j in df2]\n",
"df2_rpc_svcctl = pd.DataFrame(dfj)"
]
},
{
"cell_type": "code",
"execution_count": 9,
"metadata": {},
"outputs": [],
"source": [
"import splunklib.results as results\n",
"#Security EventCode=5156 query, client side -> df_EID_5156_Client (Direction=Outbound is applied later in the SQL join): \n",
"query = \"search index=main index=main sourcetype=wineventlog:security EventCode=5156 (Application_Name!=*microsoft.activedirectory.webservices.exe AND Application_Name!=System AND Application_Name!=*launcher.exe AND Application_Name!=*googleupdate.exe AND Application_Name!=*backgrounddownload.exe AND Application_Name!=*splunk*.exe AND Application_Name!=*localbridge.exe AND Application_Name!=*microsoft.photos.exe AND Application_Name!=*hxtsr.exe AND Application_Name!=*svchost.exe AND Application_Name!=*lsass.exe AND Application_Name!=*dfsrs.exe AND Application_Name!=*searchui.exe AND Application_Name!=*dns.exe) | head 1000\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID_5156_Client=pd.DataFrame(results)"
]
},
{
"cell_type": "code",
"execution_count": 10,
"metadata": {},
"outputs": [],
"source": [
"import splunklib.results as results\n",
"#Security EventCode=5156 query, server side -> df_EID_5156_Server (same search as the client cell; Direction=Inbound is applied later in the SQL join): \n",
"query = \"search index=main index=main sourcetype=wineventlog:security EventCode=5156 (Application_Name!=*microsoft.activedirectory.webservices.exe AND Application_Name!=System AND Application_Name!=*launcher.exe AND Application_Name!=*googleupdate.exe AND Application_Name!=*backgrounddownload.exe AND Application_Name!=*splunk*.exe AND Application_Name!=*localbridge.exe AND Application_Name!=*microsoft.photos.exe AND Application_Name!=*hxtsr.exe AND Application_Name!=*svchost.exe AND Application_Name!=*lsass.exe AND Application_Name!=*dfsrs.exe AND Application_Name!=*searchui.exe AND Application_Name!=*dns.exe) | head 1000\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID_5156_Server=pd.DataFrame(results)"
]
},
{
"cell_type": "code",
"execution_count": 11,
"metadata": {},
"outputs": [],
"source": [
"df2_EID_5156_Client = df_EID_5156_Client.Message\n",
"df2_EID_5156_Server = df_EID_5156_Server.Message\n",
"df2_EID_12 = df_EID_12.Message"
]
},
{
"cell_type": "code",
"execution_count": 12,
"metadata": {},
"outputs": [],
"source": [
"df3_EID_12 = df2_EID_12.str.split('\\n')\n",
"df3_EID_5156_Client = df2_EID_5156_Client.str.split('\\n')\n",
"df3_EID_5156_Server = df2_EID_5156_Server.str.split('\\n')"
]
},
{
"cell_type": "code",
"execution_count": 13,
"metadata": {},
"outputs": [],
"source": [
"df4_EID_12 = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID_12]\n",
"df4_EID_5156_Client = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID_5156_Client]\n",
"df4_EID_5156_Server = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID_5156_Server]"
]
},
{
"cell_type": "code",
"execution_count": 14,
"metadata": {},
"outputs": [],
"source": [
"df5_EID_12 = pd.DataFrame(df4_EID_12)\n",
"df5_EID_5156_Client = pd.DataFrame(df4_EID_5156_Client)\n",
"df5_EID_5156_Server = pd.DataFrame(df4_EID_5156_Server)"
]
},
{
"cell_type": "code",
"execution_count": 17,
"metadata": {},
"outputs": [],
"source": [
"#Server Side Data\n",
"from pandasql import sqldf\n",
"Server_Side_df = pandasql.sqldf(\n",
"\"\"\"\n",
"SELECT \n",
"b.\"Source Address\",\n",
"a.\"Application Name\", \n",
"a.\"Source Port\",\n",
"a.\"Destination Port\",\n",
"b.\"Destination Address\",\n",
"b.\"Application Name\", \n",
"c.TargetObject\n",
"FROM df5_EID_5156_Client a\n",
"JOIN df5_EID_5156_Server b\n",
"ON a.\"Application Name\" != b.\"Application Name\"\n",
"AND a.\"Destination Port\" = b.\"Destination Port\"\n",
"AND b.Direction = \"Inbound\"\n",
"AND a.Direction = \"Outbound\"\n",
"JOIN df5_EID_12 c\n",
"ON b.\"Process Id\" = c.ProcessId\n",
"\n",
"\"\"\"\n",
"\n",
")"
]
},
{
"cell_type": "code",
"execution_count": 18,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>Source Address</th>\n",
" <th>Application Name</th>\n",
" <th>Source Port</th>\n",
" <th>Destination Port</th>\n",
" <th>Destination Address</th>\n",
" <th>Application Name</th>\n",
" <th>TargetObject</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>49824</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>49824</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>49824</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>49824</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>49824</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>...</th>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" </tr>\n",
" <tr>\n",
" <th>963</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>50199</td>\n",
" <td>49679</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>964</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>50199</td>\n",
" <td>49679</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>965</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>50199</td>\n",
" <td>49679</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>966</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>50199</td>\n",
" <td>49679</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>967</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>50199</td>\n",
" <td>49679</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"<p>968 rows × 7 columns</p>\n",
"</div>"
],
"text/plain": [
" Source Address Application Name Source Port Destination Port Destination Address Application Name TargetObject\n",
"0 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"1 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"2 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"3 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"4 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
".. ... ... ... ... ... ... ...\n",
"963 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50199 49679 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"964 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50199 49679 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"965 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50199 49679 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"966 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50199 49679 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"967 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50199 49679 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"\n",
"[968 rows x 7 columns]"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"display(Server_Side_df)"
]
},
{
"cell_type": "code",
"execution_count": 19,
"metadata": {},
"outputs": [],
"source": [
"#Client + Server Side Data\n",
"from pandasql import sqldf\n",
"Client_Server_Side_df = pandasql.sqldf(\n",
"\"\"\"\n",
"SELECT \n",
"b.\"Source Address\",\n",
"a.\"Application Name\", \n",
"a.\"Source Port\",\n",
"e.operation,\n",
"a.\"Destination Port\",\n",
"b.\"Destination Address\",\n",
"b.\"Application Name\", \n",
"c.TargetObject\n",
"FROM df5_EID_5156_Client a\n",
"JOIN df5_EID_5156_Server b\n",
"ON a.\"Application Name\" != b.\"Application Name\"\n",
"AND a.\"Destination Port\" = b.\"Destination Port\"\n",
"AND b.Direction = \"Inbound\"\n",
"AND a.Direction = \"Outbound\"\n",
"JOIN df5_EID_12 c\n",
"ON b.\"Process Id\" = c.ProcessId\n",
"JOIN df2_rpc_svcctl e\n",
"ON e.\"id.resp_p\" = a.\"Destination Port\"\n",
"AND e.operation LIKE \"%CreateService%\"\n",
"\n",
"\"\"\"\n",
"\n",
")"
]
},
{
"cell_type": "code",
"execution_count": 20,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>Source Address</th>\n",
" <th>Application Name</th>\n",
" <th>Source Port</th>\n",
" <th>operation</th>\n",
" <th>Destination Port</th>\n",
" <th>Destination Address</th>\n",
" <th>Application Name</th>\n",
" <th>TargetObject</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>49824</td>\n",
" <td>CreateServiceW</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>49824</td>\n",
" <td>CreateServiceW</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>49824</td>\n",
" <td>CreateServiceW</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>49824</td>\n",
" <td>CreateServiceW</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>49824</td>\n",
" <td>CreateServiceW</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>...</th>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" <td>...</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5847</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>50246</td>\n",
" <td>CreateServiceW</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5848</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>50246</td>\n",
" <td>CreateServiceW</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5849</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>50246</td>\n",
" <td>CreateServiceW</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5850</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>50246</td>\n",
" <td>CreateServiceW</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5851</th>\n",
" <td>192.168.146.6</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n",
" <td>50246</td>\n",
" <td>CreateServiceW</td>\n",
" <td>49678</td>\n",
" <td>192.168.146.3</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n",
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"<p>5852 rows × 8 columns</p>\n",
"</div>"
],
"text/plain": [
" Source Address Application Name Source Port operation Destination Port Destination Address Application Name TargetObject\n",
"0 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"1 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"2 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"3 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"4 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"... ... ... ... ... ... ... ... ...\n",
"5847 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50246 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"5848 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50246 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"5849 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50246 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"5850 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50246 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"5851 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50246 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n",
"\n",
"[5852 rows x 8 columns]"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"display(Client_Server_Side_df)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.7.6"
}
},
"nbformat": 4,
"nbformat_minor": 4
}