{ | |
"cells": [ | |
{ | |
"cell_type": "markdown", | |
"metadata": {}, | |
"source": [ | |
"# Author: Jonathan Johnson (@jsecurity101)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 1, | |
"metadata": {}, | |
"outputs": [ | |
{ | |
"name": "stdout", | |
"output_type": "stream", | |
"text": [ | |
"Requirement already satisfied: splunk-sdk in /opt/conda/lib/python3.7/site-packages (1.6.13)\n", | |
"Requirement already satisfied: pandas in /opt/conda/lib/python3.7/site-packages (1.0.5)\n", | |
"Requirement already satisfied: pytz>=2017.2 in /opt/conda/lib/python3.7/site-packages (from pandas) (2020.1)\n", | |
"Requirement already satisfied: numpy>=1.13.3 in /opt/conda/lib/python3.7/site-packages (from pandas) (1.19.0)\n", | |
"Requirement already satisfied: python-dateutil>=2.6.1 in /opt/conda/lib/python3.7/site-packages (from pandas) (2.8.1)\n", | |
"Requirement already satisfied: six>=1.5 in /opt/conda/lib/python3.7/site-packages (from python-dateutil>=2.6.1->pandas) (1.14.0)\n", | |
"Requirement already satisfied: pandasql in /opt/conda/lib/python3.7/site-packages (0.7.3)\n", | |
"Requirement already satisfied: pandas in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.0.5)\n", | |
"Requirement already satisfied: sqlalchemy in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.3.16)\n", | |
"Requirement already satisfied: numpy in /opt/conda/lib/python3.7/site-packages (from pandasql) (1.19.0)\n", | |
"Requirement already satisfied: pytz>=2017.2 in /opt/conda/lib/python3.7/site-packages (from pandas->pandasql) (2020.1)\n", | |
"Requirement already satisfied: python-dateutil>=2.6.1 in /opt/conda/lib/python3.7/site-packages (from pandas->pandasql) (2.8.1)\n", | |
"Requirement already satisfied: six>=1.5 in /opt/conda/lib/python3.7/site-packages (from python-dateutil>=2.6.1->pandas->pandasql) (1.14.0)\n" | |
] | |
} | |
], | |
"source": [ | |
"!pip install splunk-sdk\n", | |
"!pip install pandas\n", | |
"!pip install pandasql\n", | |
"import pandas as pd\n", | |
"import pandasql\n", | |
"pd.set_option('display.max_columns', None) \n", | |
"pd.set_option('display.expand_frame_repr', False)\n", | |
"pd.set_option('max_colwidth', 0)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 2, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"import splunklib.client as client\n", | |
"# Create a Service instance and log in \n", | |
"service = client.connect(\n", | |
" host='192.168.0.0', #Input your Splunk's IP here\n", | |
" port='8089',\n", | |
" username=\"admin\",\n", | |
" password=\"Changeme1!\",\n", | |
" scheme='https')" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 3, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"import splunklib.results as results\n", | |
"#Second Query: \n", | |
"query = \"search index=main sourcetype=wineventlog:microsoft-windows-sysmon/operational EventCode=12 TargetObject!=*UserService* TargetObject!=*UserSvc* TargetObject!=*LanmanServer* TargetObject!=*NetLogon* TargetObject!=*Svc* TargetObject!=*UnistoreSvc* TargetObject!=*UserData* TargetObject!=*NTDS* TargetObject=*Services* Image!=*WebServices.exe Image=*services.exe | head 1000\"\n", | |
"query_results = service.jobs.oneshot(query, count=0)\n", | |
"reader = results.ResultsReader(query_results)\n", | |
"\n", | |
"results = []\n", | |
"\n", | |
"for result in reader:\n", | |
" results.append(result)\n", | |
" \n", | |
"df_EID_12=pd.DataFrame(results)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 4, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"import splunklib.results as results\n", | |
"#First Query: \n", | |
"query = \"search index=main sourcetype=dce_rpc-too_small endpoint=svcctl | head 2000\"\n", | |
"query_results = service.jobs.oneshot(query, count=0)\n", | |
"reader = results.ResultsReader(query_results)\n", | |
"\n", | |
"results = []\n", | |
"\n", | |
"for result in reader:\n", | |
" results.append(result)\n", | |
" \n", | |
"df_rpc_svcctl=pd.DataFrame(results)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 7, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"df2=df_rpc_svcctl._raw" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 8, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"import json\n", | |
"dfj = [json.loads(j) for j in df2]\n", | |
"df2_rpc_svcctl = pd.DataFrame(dfj)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 9, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"import splunklib.results as results\n", | |
"#Second Query: \n", | |
"query = \"search index=main index=main sourcetype=wineventlog:security EventCode=5156 (Application_Name!=*microsoft.activedirectory.webservices.exe AND Application_Name!=System AND Application_Name!=*launcher.exe AND Application_Name!=*googleupdate.exe AND Application_Name!=*backgrounddownload.exe AND Application_Name!=*splunk*.exe AND Application_Name!=*localbridge.exe AND Application_Name!=*microsoft.photos.exe AND Application_Name!=*hxtsr.exe AND Application_Name!=*svchost.exe AND Application_Name!=*lsass.exe AND Application_Name!=*dfsrs.exe AND Application_Name!=*searchui.exe AND Application_Name!=*dns.exe) | head 1000\"\n", | |
"query_results = service.jobs.oneshot(query, count=0)\n", | |
"reader = results.ResultsReader(query_results)\n", | |
"\n", | |
"results = []\n", | |
"\n", | |
"for result in reader:\n", | |
" results.append(result)\n", | |
" \n", | |
"df_EID_5156_Client=pd.DataFrame(results)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 10, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"import splunklib.results as results\n", | |
"#Second Query: \n", | |
"query = \"search index=main index=main sourcetype=wineventlog:security EventCode=5156 (Application_Name!=*microsoft.activedirectory.webservices.exe AND Application_Name!=System AND Application_Name!=*launcher.exe AND Application_Name!=*googleupdate.exe AND Application_Name!=*backgrounddownload.exe AND Application_Name!=*splunk*.exe AND Application_Name!=*localbridge.exe AND Application_Name!=*microsoft.photos.exe AND Application_Name!=*hxtsr.exe AND Application_Name!=*svchost.exe AND Application_Name!=*lsass.exe AND Application_Name!=*dfsrs.exe AND Application_Name!=*searchui.exe AND Application_Name!=*dns.exe) | head 1000\"\n", | |
"query_results = service.jobs.oneshot(query, count=0)\n", | |
"reader = results.ResultsReader(query_results)\n", | |
"\n", | |
"results = []\n", | |
"\n", | |
"for result in reader:\n", | |
" results.append(result)\n", | |
" \n", | |
"df_EID_5156_Server=pd.DataFrame(results)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 11, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"df2_EID_5156_Client = df_EID_5156_Client.Message\n", | |
"df2_EID_5156_Server = df_EID_5156_Server.Message\n", | |
"df2_EID_12 = df_EID_12.Message" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 12, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"df3_EID_12 = df2_EID_12.str.split('\\n')\n", | |
"df3_EID_5156_Client = df2_EID_5156_Client.str.split('\\n')\n", | |
"df3_EID_5156_Server = df2_EID_5156_Server.str.split('\\n')" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 13, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"df4_EID_12 = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID_12]\n", | |
"df4_EID_5156_Client = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID_5156_Client]\n", | |
"df4_EID_5156_Server = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID_5156_Server]" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 14, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"df5_EID_12 = pd.DataFrame(df4_EID_12)\n", | |
"df5_EID_5156_Client = pd.DataFrame(df4_EID_5156_Client)\n", | |
"df5_EID_5156_Server = pd.DataFrame(df4_EID_5156_Server)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 17, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"#Server Side Data\n", | |
"from pandasql import sqldf\n", | |
"Server_Side_df = pandasql.sqldf(\n", | |
"\"\"\"\n", | |
"SELECT \n", | |
"b.\"Source Address\",\n", | |
"a.\"Application Name\", \n", | |
"a.\"Source Port\",\n", | |
"a.\"Destination Port\",\n", | |
"b.\"Destination Address\",\n", | |
"b.\"Application Name\", \n", | |
"c.TargetObject\n", | |
"FROM df5_EID_5156_Client a\n", | |
"JOIN df5_EID_5156_Server b\n", | |
"ON a.\"Application Name\" != b.\"Application Name\"\n", | |
"AND a.\"Destination Port\" = b.\"Destination Port\"\n", | |
"AND b.Direction = \"Inbound\"\n", | |
"AND a.Direction = \"Outbound\"\n", | |
"JOIN df5_EID_12 c\n", | |
"ON b.\"Process Id\" = c.ProcessId\n", | |
"\n", | |
"\"\"\"\n", | |
"\n", | |
")" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 18, | |
"metadata": {}, | |
"outputs": [ | |
{ | |
"data": { | |
"text/html": [ | |
"<div>\n", | |
"<style scoped>\n", | |
" .dataframe tbody tr th:only-of-type {\n", | |
" vertical-align: middle;\n", | |
" }\n", | |
"\n", | |
" .dataframe tbody tr th {\n", | |
" vertical-align: top;\n", | |
" }\n", | |
"\n", | |
" .dataframe thead th {\n", | |
" text-align: right;\n", | |
" }\n", | |
"</style>\n", | |
"<table border=\"1\" class=\"dataframe\">\n", | |
" <thead>\n", | |
" <tr style=\"text-align: right;\">\n", | |
" <th></th>\n", | |
" <th>Source Address</th>\n", | |
" <th>Application Name</th>\n", | |
" <th>Source Port</th>\n", | |
" <th>Destination Port</th>\n", | |
" <th>Destination Address</th>\n", | |
" <th>Application Name</th>\n", | |
" <th>TargetObject</th>\n", | |
" </tr>\n", | |
" </thead>\n", | |
" <tbody>\n", | |
" <tr>\n", | |
" <th>0</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>49824</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>1</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>49824</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>2</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>49824</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>3</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>49824</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>4</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>49824</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>...</th>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>963</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>50199</td>\n", | |
" <td>49679</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>964</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>50199</td>\n", | |
" <td>49679</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>965</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>50199</td>\n", | |
" <td>49679</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>966</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>50199</td>\n", | |
" <td>49679</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>967</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>50199</td>\n", | |
" <td>49679</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" </tbody>\n", | |
"</table>\n", | |
"<p>968 rows × 7 columns</p>\n", | |
"</div>" | |
], | |
"text/plain": [ | |
" Source Address Application Name Source Port Destination Port Destination Address Application Name TargetObject\n", | |
"0 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"1 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"2 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"3 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"4 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
".. ... ... ... ... ... ... ...\n", | |
"963 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50199 49679 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"964 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50199 49679 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"965 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50199 49679 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"966 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50199 49679 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"967 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50199 49679 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"\n", | |
"[968 rows x 7 columns]" | |
] | |
}, | |
"metadata": {}, | |
"output_type": "display_data" | |
} | |
], | |
"source": [ | |
"display(Server_Side_df)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 19, | |
"metadata": {}, | |
"outputs": [], | |
"source": [ | |
"#Client + Server Side Data\n", | |
"from pandasql import sqldf\n", | |
"Client_Server_Side_df = pandasql.sqldf(\n", | |
"\"\"\"\n", | |
"SELECT \n", | |
"b.\"Source Address\",\n", | |
"a.\"Application Name\", \n", | |
"a.\"Source Port\",\n", | |
"e.operation,\n", | |
"a.\"Destination Port\",\n", | |
"b.\"Destination Address\",\n", | |
"b.\"Application Name\", \n", | |
"c.TargetObject\n", | |
"FROM df5_EID_5156_Client a\n", | |
"JOIN df5_EID_5156_Server b\n", | |
"ON a.\"Application Name\" != b.\"Application Name\"\n", | |
"AND a.\"Destination Port\" = b.\"Destination Port\"\n", | |
"AND b.Direction = \"Inbound\"\n", | |
"AND a.Direction = \"Outbound\"\n", | |
"JOIN df5_EID_12 c\n", | |
"ON b.\"Process Id\" = c.ProcessId\n", | |
"JOIN df2_rpc_svcctl e\n", | |
"ON e.\"id.resp_p\" = a.\"Destination Port\"\n", | |
"AND e.operation LIKE \"%CreateService%\"\n", | |
"\n", | |
"\"\"\"\n", | |
"\n", | |
")" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": 20, | |
"metadata": {}, | |
"outputs": [ | |
{ | |
"data": { | |
"text/html": [ | |
"<div>\n", | |
"<style scoped>\n", | |
" .dataframe tbody tr th:only-of-type {\n", | |
" vertical-align: middle;\n", | |
" }\n", | |
"\n", | |
" .dataframe tbody tr th {\n", | |
" vertical-align: top;\n", | |
" }\n", | |
"\n", | |
" .dataframe thead th {\n", | |
" text-align: right;\n", | |
" }\n", | |
"</style>\n", | |
"<table border=\"1\" class=\"dataframe\">\n", | |
" <thead>\n", | |
" <tr style=\"text-align: right;\">\n", | |
" <th></th>\n", | |
" <th>Source Address</th>\n", | |
" <th>Application Name</th>\n", | |
" <th>Source Port</th>\n", | |
" <th>operation</th>\n", | |
" <th>Destination Port</th>\n", | |
" <th>Destination Address</th>\n", | |
" <th>Application Name</th>\n", | |
" <th>TargetObject</th>\n", | |
" </tr>\n", | |
" </thead>\n", | |
" <tbody>\n", | |
" <tr>\n", | |
" <th>0</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>49824</td>\n", | |
" <td>CreateServiceW</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>1</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>49824</td>\n", | |
" <td>CreateServiceW</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>2</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>49824</td>\n", | |
" <td>CreateServiceW</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>3</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>49824</td>\n", | |
" <td>CreateServiceW</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>4</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>49824</td>\n", | |
" <td>CreateServiceW</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>...</th>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" <td>...</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>5847</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>50246</td>\n", | |
" <td>CreateServiceW</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>5848</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>50246</td>\n", | |
" <td>CreateServiceW</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>5849</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>50246</td>\n", | |
" <td>CreateServiceW</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>5850</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>50246</td>\n", | |
" <td>CreateServiceW</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" <tr>\n", | |
" <th>5851</th>\n", | |
" <td>192.168.146.6</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\sc.exe</td>\n", | |
" <td>50246</td>\n", | |
" <td>CreateServiceW</td>\n", | |
" <td>49678</td>\n", | |
" <td>192.168.146.3</td>\n", | |
" <td>\\device\\harddiskvolume2\\windows\\system32\\services.exe</td>\n", | |
" <td>HKLM\\System\\CurrentControlSet\\Services\\test</td>\n", | |
" </tr>\n", | |
" </tbody>\n", | |
"</table>\n", | |
"<p>5852 rows × 8 columns</p>\n", | |
"</div>" | |
], | |
"text/plain": [ | |
" Source Address Application Name Source Port operation Destination Port Destination Address Application Name TargetObject\n", | |
"0 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"1 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"2 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"3 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"4 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 49824 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"... ... ... ... ... ... ... ... ...\n", | |
"5847 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50246 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"5848 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50246 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"5849 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50246 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"5850 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50246 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"5851 192.168.146.6 \\device\\harddiskvolume2\\windows\\system32\\sc.exe 50246 CreateServiceW 49678 192.168.146.3 \\device\\harddiskvolume2\\windows\\system32\\services.exe HKLM\\System\\CurrentControlSet\\Services\\test\n", | |
"\n", | |
"[5852 rows x 8 columns]" | |
] | |
}, | |
"metadata": {}, | |
"output_type": "display_data" | |
} | |
], | |
"source": [ | |
"display(Client_Server_Side_df)" | |
] | |
}, | |
{ | |
"cell_type": "code", | |
"execution_count": null, | |
"metadata": {}, | |
"outputs": [], | |
"source": [] | |
} | |
], | |
"metadata": { | |
"kernelspec": { | |
"display_name": "Python 3", | |
"language": "python", | |
"name": "python3" | |
}, | |
"language_info": { | |
"codemirror_mode": { | |
"name": "ipython", | |
"version": 3 | |
}, | |
"file_extension": ".py", | |
"mimetype": "text/x-python", | |
"name": "python", | |
"nbconvert_exporter": "python", | |
"pygments_lexer": "ipython3", | |
"version": "3.7.6" | |
} | |
}, | |
"nbformat": 4, | |
"nbformat_minor": 4 | |
} |