In [12]:
# MRCI Threat Hunting - Perform Threat Hunting On 2 Machines

# import dependencies
import pandas as pd
import pyarrow as pa
import pyarrow.parquet as pq

pd.set_option('display.max_colwidth', None)

# convert Parquet file into a dataset
# change backslashes in copied file path to forward slashes to prevent Unicode escape sequence errors 
# cannot use hyphens '-' in variable names
domainusers_dataset = pq.ParquetDataset('C:/Users/bboyz/OneDrive/Desktop/MCSI Remote Cybersecurity Internship/Threat Hunting/mcsithreathunting2machines/domain_users.parquet')
loggedonusers_dataset = pq.ParquetDataset('C:/Users/bboyz/OneDrive/Desktop/MCSI Remote Cybersecurity Internship/Threat Hunting/mcsithreathunting2machines/loggedonusers/0001LXQEN.parquet')
useraccounts_dataset = pq.ParquetDataset('C:/Users/bboyz/OneDrive/Desktop/MCSI Remote Cybersecurity Internship/Threat Hunting/mcsithreathunting2machines/useraccounts/0001LXQEN.parquet')
w32drivers_dataset = pq.ParquetDataset('C:/Users/bboyz/OneDrive/Desktop/MCSI Remote Cybersecurity Internship/Threat Hunting/mcsithreathunting2machines/w32drivers/0001LXQEN.parquet')
w32persistence_fileitems_dataset = pq.ParquetDataset('C:/Users/bboyz/OneDrive/Desktop/MCSI Remote Cybersecurity Internship/Threat Hunting/mcsithreathunting2machines/w32persistencefileitems/0001LXQEN.parquet')
w32persistence_registryitems_dataset = pq.ParquetDataset('C:/Users/bboyz/OneDrive/Desktop/MCSI Remote Cybersecurity Internship/Threat Hunting/mcsithreathunting2machines/w32persistenceregistryitems/0001LXQEN.parquet')
w32persistence_servicesitems_dataset = pq.ParquetDataset('C:/Users/bboyz/OneDrive/Desktop/MCSI Remote Cybersecurity Internship/Threat Hunting/mcsithreathunting2machines/w32persistenceservicesitems/0001LXQEN.parquet')
w32processes_dataset = pq.ParquetDataset('C:/Users/bboyz/OneDrive/Desktop/MCSI Remote Cybersecurity Internship/Threat Hunting/mcsithreathunting2machines/w32processes/0001LXQEN.parquet')
w32processes_memorysections_dataset = pq.ParquetDataset('C:/Users/bboyz/OneDrive/Desktop/MCSI Remote Cybersecurity Internship/Threat Hunting/mcsithreathunting2machines/w32processesmemorysections/0001LXQEN.parquet')
w32services_dataset = pq.ParquetDataset('C:/Users/bboyz/OneDrive/Desktop/MCSI Remote Cybersecurity Internship/Threat Hunting/mcsithreathunting2machines/w32services/0001LXQEN.parquet')
w32tasks_dataset = pq.ParquetDataset('C:/Users/bboyz/OneDrive/Desktop/MCSI Remote Cybersecurity Internship/Threat Hunting/mcsithreathunting2machines/w32tasks/0001LXQEN.parquet')

# convert dataset into pandas
domainusers = domainusers_dataset.read().to_pandas()
loggedonusers = loggedonusers_dataset.read().to_pandas()
useraccounts = useraccounts_dataset.read().to_pandas()
w32drivers = w32drivers_dataset.read().to_pandas()
w32persistence_fileitems = w32persistence_fileitems_dataset.read().to_pandas()
w32persistence_registryitems = w32persistence_registryitems_dataset.read().to_pandas()
w32persistence_servicesitems = w32persistence_servicesitems_dataset.read().to_pandas()
w32processes = w32processes_dataset.read().to_pandas()
w32processes_memorysections = w32processes_memorysections_dataset.read().to_pandas()
w32services = w32services_dataset.read().to_pandas()
w32tasks = w32tasks_dataset.read().to_pandas()

In [3]:
domainusers

Unnamed: 0,group,username
0,seoul,timotlopez
1,seoul,timotlopez
2,seoul,timotlopez
3,domain admins,timotlopez
4,domain admins,Administrator
5,enterprise admins,svc_lw


In [4]:
loggedonusers

Unnamed: 0,domain-user,hostname,local-user,username
0,False,0001LXQEN,True,svchost.exe
1,False,0001LXQEN,True,winlogon.exe
2,False,0001LXQEN,True,RuntimeBroker.exe
3,False,0001LXQEN,True,lsass.exe
4,False,0001LXQEN,True,dwm.exe
5,False,0001LXQEN,True,conhost.exe
6,False,0001LXQEN,True,LogonUI.exe
7,False,0001LXQEN,True,spoolsv.exe
8,False,0001LXQEN,True,dllhost.exe
9,False,0001LXQEN,True,msdtc.exe


In [5]:
useraccounts

Unnamed: 0,domain-admin,domain-user,hostname,local-admin,local-user,username
0,True,True,0001LXQEN,False,False,Administrator
1,True,True,0001LXQEN,True,False,timotlopez


In [10]:
# Filter rows where modulepath does not contain 'drivers'
non_driver_paths = w32drivers[~w32drivers['modulepath'].str.contains(r'\\drivers\\', na=False, case=False)]

print("Modules not in drivers folder:")
print(non_driver_paths)

Modules not in drivers folder:
      hostname        modulename  \
10   0001LXQEN    win32kfull.sys   
20   0001LXQEN  CompositeBus.sys   
24   0001LXQEN           cdd.dll   
25   0001LXQEN         kdcom.dll   
42   0001LXQEN         PSHED.dll   
47   0001LXQEN      ntoskrnl.exe   
54   0001LXQEN      mcupdate.dll   
73   0001LXQEN        RDPUDD.dll   
74   0001LXQEN    win32kbase.sys   
94   0001LXQEN        win32k.sys   
104  0001LXQEN         TSDDD.dll   
108  0001LXQEN       BOOTVID.dll   
109  0001LXQEN            CI.dll   
119  0001LXQEN           hal.dll   

                                            modulepath  
10                                C:\Windows\System32\  
20   C:\Windows\System32\DriverStore\FileRepository...  
24                                C:\Windows\System32\  
25                                   C:\Windows\system  
42                                C:\Windows\system32\  
47                                C:\Windows\system32\  
54                   C:\Windo

In [11]:
# Filter for suspicious drivers
suspicious_drivers_modulename = w32drivers[
    (w32drivers['modulename'].str.contains(r'(?:debug|hook|dump|malware|rootkit)', na=False, case=False))
]

print("Suspicious Drivers Module Names:")
print(suspicious_drivers_modulename)

Suspicious Drivers Module Names:
     hostname         modulename                    modulepath
13  0001LXQEN   dump_vioscsi.sys  C:\Windows\System32\Drivers\
72  0001LXQEN  dump_storport.sys  C:\Windows\System32\Drivers\


In [2]:
# List of suspicious executables
suspicious_executables = r'(?:narrator\.exe|sethc\.exe|utilman\.exe|osk\.exe|searchui\.exe|magnify\.exe|calculator\.exe)'

# Filter rows where the 'filename' column contains any of the suspicious executables
suspicious_files = w32persistence_fileitems[w32persistence_fileitems['filename'].str.contains(suspicious_executables, na=False, case=False)]

print("Suspicious Files:")
print(suspicious_files)

Suspicious Files:
Empty DataFrame
Columns: [drive, fileextension, filename, filepath, fullpath, hostname, username]
Index: []


In [13]:
# List of suspicious terms for registry analysis
suspicious_terms = r'(?:password)'

# Apply filtering on the dataframe
suspicious_registry_items = w32persistence_registryitems[
    w32persistence_registryitems.apply(lambda row: row.astype(str).str.contains(suspicious_terms, na=False, case=False).any(), axis=1)
]

# Print suspicious registry items
print("Suspicious Registry Items:")
print(suspicious_registry_items)

Suspicious Registry Items:
       hostname  \
567   0001LXQEN   
3260  0001LXQEN   

                                                                  keypath  \
567   Classes\CLSID\{9fb45d27-dfe3-4383-b117-ab631787649a}\InProcServer32   
3260  Classes\CLSID\{0fafd998-c8e8-42a1-86d7-7c10c664a415}\InProcServer32   

                                                                                                  path  \
567   HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9fb45d27-dfe3-4383-b117-ab631787649a}\InProcServer32\   
3260  HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0fafd998-c8e8-42a1-86d7-7c10c664a415}\InProcServer32\   

                                                      text           type  \
567   %SystemRoot%\system32\windows.ui.picturepassword.dll  REG_EXPAND_SZ   
3260  %SystemRoot%\system32\windows.ui.picturepassword.dll  REG_EXPAND_SZ   

                 username valuename  
567   NT AUTHORITY\SYSTEM            
3260  NT AUTHORITY\SYSTEM            


In [11]:
# List of suspicious terms
suspicious_terms = r'(?:reg\.exe|ServiceName|Reg query|HKCU|HKLM|Lsass\.exe|HKEY|PuTTY|SAM|kerberos)'

# Apply filtering on the dataframe
suspicious_processes = w32processes[
    w32processes.apply(lambda row: row.astype(str).str.contains(suspicious_terms, na=False, case=False).any(), axis=1)
]

# Print suspicious processes
print("Suspicious Processes:")
print(suspicious_processes)

Suspicious Processes:
                        arguments   hostname       name                 path  \
43  C:\Windows\system32\lsass.exe  0001LXQEN  lsass.exe  C:\Windows\system32   

     pid             username  
43  4636  NT AUTHORITY\SYSTEM  


In [16]:
# List of suspicious executables
suspicious_executables = r'(?:narrator\.exe|sethc\.exe|utilman\.exe|osk\.exe|searchui\.exe|magnify\.exe|calculator\.exe)'

# Filter rows in w32processes dataset
suspicious_processes = w32processes[
    w32processes['name'].str.contains(suspicious_executables, na=False, case=False)
]

print("Suspicious Processes:")
print(suspicious_processes)


Suspicious Processes:
                                                                                                                                      arguments  \
27  "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca   

     hostname          name  \
27  0001LXQEN  SearchUI.exe   

                                                             path   pid  \
27  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy  5868   

               username  
27  NT AUTHORITY\SYSTEM  


In [17]:
# List of suspicious executables
suspicious_executables = r'(?:narrator\.exe|sethc\.exe|utilman\.exe|osk\.exe|searchui\.exe|magnify\.exe|calculator\.exe)'

# Filter rows in w32drivers dataset
suspicious_drivers = w32drivers[
    w32drivers['modulename'].str.contains(suspicious_executables, na=False, case=False)
]

print("Suspicious Drivers:")
print(suspicious_drivers)

Suspicious Drivers:
Empty DataFrame
Columns: [hostname, modulename, modulepath]
Index: []


In [18]:
# List of suspicious executables
suspicious_executables = r'(?:narrator\.exe|sethc\.exe|utilman\.exe|osk\.exe|searchui\.exe|magnify\.exe|calculator\.exe)'

# Filter rows in w32persistence_fileitems dataset
suspicious_files = w32persistence_fileitems[
    w32persistence_fileitems['filename'].str.contains(suspicious_executables, na=False, case=False)
]

print("Suspicious Files:")
print(suspicious_files)

Suspicious Files:
Empty DataFrame
Columns: [drive, fileextension, filename, filepath, fullpath, hostname, username]
Index: []


In [19]:
# List of suspicious terms
suspicious_terms_registry = r'(?:sc|binPath|HKLM|ImagePath|FailureCommand|HKEY|svchost\.exe|winlogon\.exe|regedit\.exe)'

# Filter rows in w32persistence_registryitems dataset
suspicious_registry_items = w32persistence_registryitems[
    w32persistence_registryitems.apply(
        lambda row: row.astype(str).str.contains(suspicious_terms_registry, na=False, case=False).any(),
        axis=1
    )
]

# Print suspicious rows from the registry items
print("Suspicious Registry Items:")
print(suspicious_registry_items)

Suspicious Registry Items:
       hostname  \
0     0001LXQEN   
1     0001LXQEN   
2     0001LXQEN   
3     0001LXQEN   
4     0001LXQEN   
...         ...   
6099  0001LXQEN   
6100  0001LXQEN   
6101  0001LXQEN   
6102  0001LXQEN   
6103  0001LXQEN   

                                                                              keypath  \
0                 Classes\CLSID\{4be5c3b3-53a2-4f2f-af9d-d26a5327eb92}\InProcServer32   
1                 Classes\CLSID\{ed9d80b9-d157-457b-9192-0e7280313bf0}\InProcServer32   
2     Wow6432Node\Classes\CLSID\{3F037241-414E-11D1-A7CE-00A0C913F73C}\InProcServer32   
3                 Classes\CLSID\{46080CA7-7CB8-3A55-A72E-8E50ECA4D4FC}\InProcServer32   
4                 Classes\CLSID\{0C1A0EF4-B44F-4179-BDDD-31C27DE7A6D1}\InProcServer32   
...                                                                               ...   
6099              Classes\CLSID\{B92E345D-F52D-41F3-B562-081BC772E3B9}\InProcServer32   
6100              Classes\CLSID\

In [20]:
# List of suspicious terms
suspicious_terms_services = r'(?:sc|binPath|HKLM|ImagePath|FailureCommand|HKEY|svchost\.exe|winlogon\.exe|regedit\.exe)'

# Filter rows in w32services dataset
suspicious_services = w32services[
    w32services.apply(
        lambda row: row.astype(str).str.contains(suspicious_terms_services, na=False, case=False).any(),
        axis=1
    )
]

# Print suspicious rows from the services
print("Suspicious Services:")
print(suspicious_services)

Suspicious Services:
                                                              arguments  \
0                       C:\Windows\system32\svchost.exe -k LocalService   
4    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted   
5                       C:\Windows\system32\svchost.exe -k LocalService   
7       C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted   
9                       C:\Windows\System32\svchost.exe -k LocalService   
..                                                                  ...   
480                    C:\Windows\system32\svchost.exe -k AxInstSVGroup   
481     C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted   
484       C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe   
492                          C:\Windows\system32\svchost.exe -k netsvcs   
494                              \SystemRoot\System32\drivers\bxois.sys   

                                                                              

In [21]:
# List of suspicious terms
suspicious_terms_registry = r'(?:sc|binPath|HKLM|ImagePath|FailureCommand|HKEY|svchost\.exe|winlogon\.exe|regedit\.exe)'

# Filter rows in w32persistence_registryitems dataset
suspicious_registry_items = w32persistence_registryitems[
    w32persistence_registryitems.apply(
        lambda row: row.astype(str).str.contains(suspicious_terms_registry, na=False, case=False).any(),
        axis=1
    ) & (w32persistence_registryitems['username'] != 'NT AUTHORITY\\SYSTEM')  # Exclude rows with 'NT AUTHORITY\SYSTEM'
]

# Print suspicious rows from the registry items
print("Suspicious Registry Items (excluding NT AUTHORITY\SYSTEM):")
print(suspicious_registry_items)

Suspicious Registry Items (excluding NT AUTHORITY\SYSTEM):
       hostname  \
379   0001LXQEN   
1945  0001LXQEN   
2465  0001LXQEN   
2476  0001LXQEN   
2960  0001LXQEN   
3546  0001LXQEN   
3612  0001LXQEN   
3672  0001LXQEN   
3737  0001LXQEN   
4016  0001LXQEN   
4710  0001LXQEN   
5189  0001LXQEN   
5539  0001LXQEN   

                                                                              keypath  \
379               Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32   
1945                                         CurrentControlSet\Services\aswbIDSAgent\   
2465                                     CurrentControlSet\Services\avast! Antivirus\   
2476  Wow6432Node\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32   
2960                                               CurrentControlSet\Services\rdpbus\   
3546              Classes\CLSID\{9209B7D1-6DA5-43E4-BCD1-F2BE497635E7}\InProcServer32   
3612              Classes\CLSID\{5828227c-20cf-4408

In [22]:
# List of suspicious terms
suspicious_terms_processes = r'(?:tasklist|ipconfig|systeminfo|net|query|wmic|sc|rundll32|Powershell|mshta|netstat)'

# Filter rows in w32processes dataset
suspicious_processes = w32processes[
    w32processes.apply(
        lambda row: row.astype(str).str.contains(suspicious_terms_processes, na=False, case=False).any(),
        axis=1
    )
]

# Print suspicious processes
print("Suspicious Processes:")
print(suspicious_processes)

Suspicious Processes:
                                                                                                                                           arguments  \
2                                                                                   C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted   
11                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork   
13  "C:\Program Files\Windows Defender\\MpCmdRun.exe" SpyNetServiceDss -RestrictPrivileges -AccessKey 5BDCBEBD-E077-6957-0484-82901932C7EC -Reinvoke   
20                                                                                                "C:\Program Files\internet explorer\iexplore.exe"    
23                                                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted   
31                                                                

In [23]:
# List of suspicious terms for filtering
suspicious_terms = r'(?:\.dll|Appinit_Dlls|AppCertDlls|Image File Executable Options|HKLM\\Software\\Microsoft\\Windows|HKLM\\Software\\Wow6432Node\\Microsoft\\Windows|AppInit_DLLs)'

# Filter rows in w32processes_memorysections dataset
suspicious_processes_memorysections = w32processes_memorysections[
    w32processes_memorysections.apply(
        lambda row: row.astype(str).str.contains(suspicious_terms, na=False, case=False).any(),
        axis=1
    )
]

# Print suspicious rows for w32processes_memorysections dataset
print("Suspicious Processes in w32processes_memorysections:")
print(suspicious_processes_memorysections.to_string(index=False))

Suspicious Processes in w32processes_memorysections:
                    certificateissuer certificatesubject                                        description  hostname                           md5sum                                                                                                                                     name  pid signatureexists signatureverified
   Microsoft Windows Verification PCA  Microsoft Windows The file is signed and the signature was verified. 0001LXQEN 53bd38835ef3aa35ae85dd8c630c4ecb                                                                                                         C:\Windows\System32\kernel32.dll 1252            true              true
   Microsoft Windows Verification PCA  Microsoft Windows The file is signed and the signature was verified. 0001LXQEN 5692c9048e4b24f0d6aa4fced2cae276                                                                                                           C:\Windows\System32\ws2_32.dll 3584 