# Hunting with rules

## Killchain

* Reconnaissance
* Weaponization
* **Delivery**
* Exploitation
* Installation
* **Command and Control**
* **Actions on Objectives**

## Quick look

* Let's investigate an [SSLoad infection example](https://www.malware-traffic-analysis.net/2024/04/17/index.html);
* Malpedia entry for the family: https://malpedia.caad.fkie.fraunhofer.de/details/win.ssload
* The eventual goal is to build a timeline of the attack;
* First, let's see what we actually have;

In [None]:
import pandas as pd
import json

In [None]:
# eve.json is newline-delimited JSON, one event per line; json_normalize
# flattens nested objects (alert, http, tls, ...) into dotted column names
# such as "alert.signature", which the later cells rely on
with open("./data/02/eve.json", "r") as handle:
    DF = pd.json_normalize([json.loads(line) for line in handle])

In [None]:
DF

## Quick overview of events

* Many event types;
* What protocols are even used?
* What started when?

In [None]:
(
    DF
    .groupby("event_type")
    .agg({"timestamp": ["min", "max", "count"]})
    .sort_values(by=[("timestamp", "min")])
)

## Quick look into alerts

* Which signatures fired?

In [None]:
DF["alert.signature"].unique()

## Alert timeline

* Remember aggregations;
* Group by signature;
* Sort by starting timestamp;
* List unique metadata fields;

In [None]:
(
    DF
    .groupby("alert.signature")
    .agg({
        "timestamp": ["min", "max", "count"],
        "flow_id": ["nunique"],
        "app_proto": ["unique"],
        "http.hostname": ["unique"],
        "http.url": ["unique"],
        "src_ip": ["unique"],
        "dest_ip": ["unique"],
        "tls.sni": ["unique"]
    })
    .sort_values(by=[("timestamp", "min")])
)
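The same per-signature timeline built without pandas, as an added example that is not part of the original notebook or the capture it uses: it flattens EVE records the way `json_normalize` does, parses the `+0000`-style timestamps instead of comparing them as strings, and aggregates the same metadata fields as the cell above. The `SAMPLE_EVE` lines, the `SAMPLE ...` signature names and the `example.invalid` hosts are constructed for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample eve.json lines (not from the page's capture); the layout
# mirrors Suricata EVE output, including the "+0000" offset style it emits.
SAMPLE_EVE = """\
{"timestamp":"2024-04-17T15:01:02.000100+0000","flow_id":1,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","app_proto":"http","http":{"hostname":"example.invalid","url":"/a.zip"}}
{"timestamp":"2024-04-17T15:01:03.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","app_proto":"http","http":{"hostname":"example.invalid","url":"/a.zip"},"alert":{"signature":"SAMPLE Zip download"}}
{"timestamp":"2024-04-17T15:02:10.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","app_proto":"tls","tls":{"sni":"c2.example.invalid"},"alert":{"signature":"SAMPLE C2 beacon"}}
{"timestamp":"2024-04-17T15:05:10.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","app_proto":"tls","tls":{"sni":"c2.example.invalid"},"alert":{"signature":"SAMPLE C2 beacon"}}
"""

META_FIELDS = ("app_proto", "http.hostname", "http.url", "src_ip", "dest_ip", "tls.sni")


def flatten(obj, prefix=""):
    """Dotted-key flattening, the same shape pd.json_normalize produces."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def parse_ts(value):
    """EVE timestamps carry a '+0000' offset: parse with %z rather than
    comparing strings, since string order breaks once offsets differ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def alert_timeline(lines, fields=META_FIELDS):
    """Group alert events by signature; return rows ordered by first occurrence."""
    groups = defaultdict(list)
    for line in filter(str.strip, lines):  # skip blank lines
        event = flatten(json.loads(line))
        if event.get("event_type") == "alert":
            groups[event["alert.signature"]].append(event)
    rows = []
    for signature, events in groups.items():
        stamps = [parse_ts(e["timestamp"]) for e in events]
        row = {"signature": signature, "first_seen": min(stamps),
               "last_seen": max(stamps), "count": len(events),
               "flows": len({e["flow_id"] for e in events})}
        for field in fields:  # unique metadata values, like the "unique" aggregation
            row[field] = sorted({e[field] for e in events if field in e})
        rows.append(row)
    return sorted(rows, key=lambda r: r["first_seen"])
```

Fields absent from every event of a signature (here `tls.sni` for the HTTP alert) come back as an empty list rather than raising, which is the case that needs handling when a capture mixes protocols.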