Skip to content

Commit

Permalink
Merge pull request #9 from Ekitji/patch-1
Browse files Browse the repository at this point in the history
Update th_keywords_processnames_elk.txt
  • Loading branch information
mthcht authored Oct 5, 2023
2 parents 5f862d5 + 2c41cfb commit 17e05d2
Show file tree
Hide file tree
Showing 2 changed files with 46 additions and 7 deletions.
40 changes: 38 additions & 2 deletions elk/README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,41 @@
Different lists to work with the Elastic Stack without using sigma rules by https://github.com/ekitji

## Guide
## Guide for detection in Windows logs
1. Download the th_keywords_elk.txt to your client where you have kibana access.

2. Go to Alerts (documentation) https://www.elastic.co/guide/en/security/7.17/detections-ui-exceptions.html
![image](https://github.com/Ekitji/ThreatHunting-Keywords/assets/41170494/8edf4151-5a14-4281-9ea3-58eb82020145)

3. Click on Upload Value lists
![image](https://github.com/Ekitji/ThreatHunting-Keywords/assets/41170494/d34a8cb0-77d9-4dde-b818-3c33d18e368b)

5. Upload your th_keywords_elk.txt (as a keyword list, which should be default selection by kibana)
6. Go to Create Rules (Rules → Detection rules (SIEM) → Create new rule. The Create new rule )

7. Select "Indicator Match"
![image](https://github.com/Ekitji/ThreatHunting-Keywords/assets/41170494/7f13d07c-bf3a-4f07-b415-44ff1bd62ba1)

8. NOTICE! Provided screenshot is only a example (documentation) https://www.elastic.co/guide/en/security/7.17/rules-ui-create.html#indicator-value-lists **change values as shown below (number 9-14)
![image](https://github.com/Ekitji/ThreatHunting-Keywords/assets/41170494/a8daaa41-44ee-434b-803a-8263ad1370cd)

9. **Source:** Choose your index for where you have your windows logs

10. **Custom query:** event.code (1 OR 4688)

11. **Indicator index patterns**: .items-{YOUR SPACE name}

12. **Indicator index query: list_id:** "th_keywords_elk.txt"

13. **Indicator mapping field:** process.command_line.text

14. **Indicator index field:** keyword

15. Go on and finish your rule creating according to your routines.


You can do the same with th_keywords_processnames_elk.txt.
Upload it and follow the same steps, at number 12 change the list_id to th_keywords_processnames_elk.txt
Then change the indicator mapping field to process.name instead.



`todo`
13 changes: 8 additions & 5 deletions elk/th_keywords_processnames_elk.txt
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,8 @@ hcxdumptool.exe
beelogger.exe
proxyshell.exe
arpspoofing.exe
phoenix miner.exe
phoenix.exe
miner.exe
afrog.exe
pyexec.exe
darkarmour.exe
Expand Down Expand Up @@ -257,7 +258,8 @@ credphisher.exe
tokenvator.exe
pplkiller.exe
fakecmdline.exe
eqgrp tools.exe
eqgrp.exe
tools.exe
attifyos.exe
sudosnatch.exe
githubc2.exe
Expand Down Expand Up @@ -296,7 +298,8 @@ srdi.exe
tetanus.exe
sqlninja.exe
donpapi.exe
mars stealer.exe
mars.exe
stealer.exe
sshlooterc.exe
deathstar.exe
prt.exe
Expand Down Expand Up @@ -627,7 +630,7 @@ modproble.exe
unhookingpatch.exe
cobaltstrike.exe
nc.exe
pipeviewer .exe
pipeviewer.exe
spring4shell.exe
vscode.exe
sharpcollection.exe
Expand Down Expand Up @@ -822,7 +825,7 @@ bulletpassview.exe
inspectassembly.exe
linuxprivchecker.exe
bypassclm.exe
modlishka .exe
modlishka.exe
ruby.exe
wdextract.exe
brutesploit.exe
Expand Down

0 comments on commit 17e05d2

Please sign in to comment.