Last active
November 6, 2019 00:03
-
-
Save et0x/81ca297d55b61d659193ad04e96f69f6 to your computer and use it in GitHub Desktop.
Quickly search through elasticsearch documents for oddly named fields (ex: isass.exe files impersonating lsass.exe)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import elasticsearch | |
| # this will search for closely named permutations of strings ... IE a common attacker technique is to | |
| # name binaries close to a legitimate binary (isass.exe vs lsass.exe) ... this will search through | |
| # millions of ES documents very quickly, and only return the closely related permutations! | |
| es = elasticsearch.Elasticsearch([{host="localhost", port=9200}]) | |
| es.search( index="files_index", body={ "query": { "bool": { "should": [ {"fuzzy": { "file_name":"svchost.exe" }} ], "must_not": [ {"match": { "file_name":"svchost.exe" }} ] } } })["hits"] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment