Last active
October 30, 2020 02:18
-
-
Save jsecurity101/0f6f0af9f788fe1c4be8b8373ce43a3c to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "cells": [ | |
| { | |
| "cell_type": "markdown", | |
| "metadata": {}, | |
| "source": [ | |
| "# Author: Jonathan Johnson\n", | |
| "## Detection: Netsync\n", | |
| "### References: Andrew Schwartz (TrustedSec)" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": 3, | |
| "metadata": {}, | |
| "outputs": [], | |
| "source": [ | |
| "%%capture\n", | |
| "!pip install splunk-sdk\n", | |
| "!pip install pandas\n", | |
| "!pip install pandasql\n", | |
| "import matplotlib.pyplot as plt\n", | |
| "import pandas as pd\n", | |
| "import pandasql\n", | |
| "pd.set_option('display.max_columns', None) \n", | |
| "pd.set_option('display.expand_frame_repr', False)\n", | |
| "pd.set_option('max_colwidth', 0)" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": 4, | |
| "metadata": {}, | |
| "outputs": [], | |
| "source": [ | |
| "import splunklib.client as client\n", | |
| "# Create a Service instance and log in \n", | |
| "service = client.connect(\n", | |
| " host='192.0.0.0', #Input your Splunk's IP here\n", | |
| " port='8089',\n", | |
| " username=\"admin\",\n", | |
| " password=\"Password\",\n", | |
| " scheme='https')" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": 12, | |
| "metadata": {}, | |
| "outputs": [ | |
| { | |
| "data": { | |
| "application/vnd.jupyter.widget-view+json": { | |
| "model_id": "f4eb813e2f7542a3b01270ce81e40950", | |
| "version_major": 2, | |
| "version_minor": 0 | |
| }, | |
| "text/plain": [ | |
| "HBox(children=(HTML(value=''), FloatProgress(value=0.0, max=124.0), HTML(value='')))" | |
| ] | |
| }, | |
| "metadata": {}, | |
| "output_type": "display_data" | |
| }, | |
| { | |
| "name": "stdout", | |
| "output_type": "stream", | |
| "text": [ | |
| "\n" | |
| ] | |
| } | |
| ], | |
| "source": [ | |
| "import splunklib.results as results\n", | |
| "from tqdm.notebook import tqdm\n", | |
| "from time import sleep\n", | |
| "#Query: \n", | |
| "query = \"search index=Windows sourcetype=Security EventCode=5145 earliest=-60m\"\n", | |
| "\n", | |
| "query_results = service.jobs.oneshot(query, count=0)\n", | |
| "reader = results.ResultsReader(query_results)\n", | |
| "\n", | |
| "results = []\n", | |
| "\n", | |
| "for result in reader:\n", | |
| " results.append(result)\n", | |
| "\n", | |
| "for i in tqdm(results):\n", | |
| " sleep(0.01)\n", | |
| " df_EID_5145=pd.DataFrame(results)\n", | |
| " \n", | |
| "\n", | |
| "df2_EID_5145 = df_EID_5145.Message\n", | |
| "df3_EID_5145 = df2_EID_5145.str.split('\\n')\n", | |
| "df4_EID_5145 = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID_5145]\n", | |
| "Network_Share = pd.DataFrame(df4_EID_5145)" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": 10, | |
| "metadata": {}, | |
| "outputs": [ | |
| { | |
| "data": { | |
| "application/vnd.jupyter.widget-view+json": { | |
| "model_id": "c7e359d07c844ab5821963a14646232c", | |
| "version_major": 2, | |
| "version_minor": 0 | |
| }, | |
| "text/plain": [ | |
| "HBox(children=(HTML(value=''), FloatProgress(value=0.0, max=257.0), HTML(value='')))" | |
| ] | |
| }, | |
| "metadata": {}, | |
| "output_type": "display_data" | |
| }, | |
| { | |
| "name": "stdout", | |
| "output_type": "stream", | |
| "text": [ | |
| "\n" | |
| ] | |
| } | |
| ], | |
| "source": [ | |
| "import splunklib.results as results\n", | |
| "#Query: \n", | |
| "query = \"search index=Windows sourcetype=Security EventCode=4624 earliest=-60m\"\n", | |
| "\n", | |
| "query_results = service.jobs.oneshot(query, count=0)\n", | |
| "reader = results.ResultsReader(query_results)\n", | |
| "\n", | |
| "results = []\n", | |
| "\n", | |
| "for result in reader:\n", | |
| " results.append(result)\n", | |
| "\n", | |
| "for i in tqdm(results):\n", | |
| " sleep(0.01)\n", | |
| " df_EID_4624=pd.DataFrame(results) \n", | |
| " \n", | |
| "\n", | |
| "df2_EID_4624 = df_EID_4624.Message\n", | |
| "df3_EID_4624 = df2_EID_4624.str.split('\\n')\n", | |
| "df4_EID_4624 = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID_4624]\n", | |
| "Logon_Events = pd.DataFrame(df4_EID_4624)" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": 39, | |
| "metadata": {}, | |
| "outputs": [], | |
| "source": [ | |
| "from pandasql import sqldf\n", | |
| "NetSync_df = pandasql.sqldf(\n", | |
| "\"\"\"\n", | |
| "SELECT \n", | |
| "a.\"Account Name\", \n", | |
| "a.\"Relative Target Name\", \n", | |
| "a.\"Logon ID\",\n", | |
| "a.\"Share Name\",\n", | |
| "a.\"Share Path\", \n", | |
| "a.\"Access Mask\", \n", | |
| "b.\"Logon Type\"\n", | |
| "FROM Network_Share a\n", | |
| "JOIN Logon_Events b\n", | |
| "ON a.\"Logon ID\" = b.\"Logon ID\"\n", | |
| "AND a.\"Access Mask\" = \"0x12019F\"\n", | |
| "AND a.\"Relative Target Name\" = \"NETLOGON\"\n", | |
| "AND b.\"Logon Type\" = \"3\"\n", | |
| "AND a.\"Share Name\" = \"\\\\\\*\\\\IPC$\"\n", | |
| "\"\"\"\n", | |
| "\n", | |
| ").drop_duplicates().reset_index().drop(\"index\", axis=1)" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": 40, | |
| "metadata": {}, | |
| "outputs": [ | |
| { | |
| "data": { | |
| "text/html": [ | |
| "<div>\n", | |
| "<style scoped>\n", | |
| " .dataframe tbody tr th:only-of-type {\n", | |
| " vertical-align: middle;\n", | |
| " }\n", | |
| "\n", | |
| " .dataframe tbody tr th {\n", | |
| " vertical-align: top;\n", | |
| " }\n", | |
| "\n", | |
| " .dataframe thead th {\n", | |
| " text-align: right;\n", | |
| " }\n", | |
| "</style>\n", | |
| "<table border=\"1\" class=\"dataframe\">\n", | |
| " <thead>\n", | |
| " <tr style=\"text-align: right;\">\n", | |
| " <th></th>\n", | |
| " <th>Account Name</th>\n", | |
| " <th>Relative Target Name</th>\n", | |
| " <th>Logon ID</th>\n", | |
| " <th>Share Name</th>\n", | |
| " <th>Share Path</th>\n", | |
| " <th>Access Mask</th>\n", | |
| " <th>Logon Type</th>\n", | |
| " </tr>\n", | |
| " </thead>\n", | |
| " <tbody>\n", | |
| " <tr>\n", | |
| " <th>0</th>\n", | |
| " <td>thor</td>\n", | |
| " <td>NETLOGON</td>\n", | |
| " <td>0x24D9A6</td>\n", | |
| " <td>\\\\*\\IPC$</td>\n", | |
| " <td>None</td>\n", | |
| " <td>0x12019F</td>\n", | |
| " <td>3</td>\n", | |
| " </tr>\n", | |
| " </tbody>\n", | |
| "</table>\n", | |
| "</div>" | |
| ], | |
| "text/plain": [ | |
| " Account Name Relative Target Name Logon ID Share Name Share Path Access Mask Logon Type\n", | |
| "0 thor NETLOGON 0x24D9A6 \\\\*\\IPC$ None 0x12019F 3 " | |
| ] | |
| }, | |
| "execution_count": 40, | |
| "metadata": {}, | |
| "output_type": "execute_result" | |
| } | |
| ], | |
| "source": [ | |
| "NetSync_df" | |
| ] | |
| } | |
| ], | |
| "metadata": { | |
| "kernelspec": { | |
| "display_name": "Python 3", | |
| "language": "python", | |
| "name": "python3" | |
| }, | |
| "language_info": { | |
| "codemirror_mode": { | |
| "name": "ipython", | |
| "version": 3 | |
| }, | |
| "file_extension": ".py", | |
| "mimetype": "text/x-python", | |
| "name": "python", | |
| "nbconvert_exporter": "python", | |
| "pygments_lexer": "ipython3", | |
| "version": "3.8.6" | |
| } | |
| }, | |
| "nbformat": 4, | |
| "nbformat_minor": 4 | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment