Python script to detect anomalies in Elasticsearch depending on the given Red Team operational details.
.gitignore
README.md
query.py
requirements.txt

README.md

Python Query Script

Installation

Install required packages:

apt-get install python-pip python2.7 virtualenv

Create virtual environment:

virtualenv -p /usr/bin/python2.7 ./venv

Activate the virtual environment:

source ./venv/bin/activate

Install required Python packages:

pip install -r requirements.txt

Set package path:

export PYTHONPATH=venv/lib/python2.7/site-packages/

Running

Usage: query.py [options]

Options:
  -h, --help            show this help message and exit
  --host=HOST           ES host [10.0.0.1]
  --port=PORT           ES port [9200]
  --index=INDEX         ES index [packetbeat-*]
  --refresh=REFRESH     Refresh every x seconds [60]
  --paths=PATH          C2 paths [/legit/communication/uri/to/filter/width/get
                        .php,/legit/communication/uri/to/filter/width/news.php
                        ,/legit/communication/uri/to/filter/width/login/proces
                        s.php]
  --path-prefix=PATH_PREFIX
                        C2 path prefix [/legit/*]
  --user_agent=USER_AGENT
                        C2 user agent [Mozilla/5.0 (Windows NT 6.1; WOW64;
                        Trident/7.0; rv:11.0) like Gecko]
  --geo-country=GEO     C2 country [Netherlands]
  --dns=DNS             C2 dns host name
                        [rt-1.very.legit.domain.tours.prac.os3.nl]
  --dns-prefix=DNS_PREFIX
                        C2 dns host name prefix root
                        [*.domain.tours.prac.os3.nl]
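As an added example, not the project's query.py, here is one way the operational details listed above can be turned into an Elasticsearch bool query and checked offline against constructed Packetbeat-style documents. It assumes a detection logic of: select traffic that touches the Red Team infrastructure (the --path-prefix and --dns-prefix wildcards) and flag everything that does not match the exact expected C2 pattern (known paths, user agent, source country, DNS host name), so that a beacon with an unexpected path, a scan of the C2 server with a different user agent, or a lookup of another host under the team's DNS zone surfaces. The ECS field names url.path, user_agent.original, client.geo.country_name and dns.question.name are an assumption about the Packetbeat version in use, and the sample documents are constructed. The code runs under the Python 2.7 environment the README sets up as well as Python 3, without the elasticsearch client; build_query() returns the body you would POST to http://HOST:PORT/INDEX/_search every REFRESH seconds.

```python
# Added example, not the project's query.py: express Red Team operational
# details as an Elasticsearch bool query and apply the same logic to
# constructed Packetbeat-style documents offline.
import fnmatch
import json

# Constructed defaults, copied from the --help output above.
C2_PATHS = [
    "/legit/communication/uri/to/filter/width/get.php",
    "/legit/communication/uri/to/filter/width/news.php",
    "/legit/communication/uri/to/filter/width/login/process.php",
]
C2_PATH_PREFIX = "/legit/*"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
C2_COUNTRY = "Netherlands"
C2_DNS = "rt-1.very.legit.domain.tours.prac.os3.nl"
C2_DNS_PREFIX = "*.domain.tours.prac.os3.nl"

# Assumed ECS field names (Packetbeat 7+); older Packetbeat releases used others.
FIELDS = {"path": "url.path", "ua": "user_agent.original",
          "country": "client.geo.country_name", "dns": "dns.question.name"}


def build_query(refresh=60):
    """Request body: traffic to the Red Team infrastructure (wildcard prefixes)
    in the last `refresh` seconds that is NOT the expected C2 pattern."""
    expected_http = {"bool": {"filter": [
        {"terms": {FIELDS["path"]: C2_PATHS}},
        {"term": {FIELDS["ua"]: C2_USER_AGENT}},
        {"term": {FIELDS["country"]: C2_COUNTRY}},
    ]}}
    expected_dns = {"term": {FIELDS["dns"]: C2_DNS}}
    return {"query": {"bool": {
        "filter": [{"range": {"@timestamp": {"gte": "now-%ds" % refresh}}}],
        "should": [{"wildcard": {FIELDS["path"]: C2_PATH_PREFIX}},
                   {"wildcard": {FIELDS["dns"]: C2_DNS_PREFIX}}],
        "minimum_should_match": 1,   # at least one infrastructure match
        "must_not": [expected_http, expected_dns],
    }}}


def _get(doc, dotted):
    """Fetch a nested value by dotted ECS path; None when absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def hits_infrastructure(doc):
    """Local equivalent of the two wildcard `should` clauses."""
    path, dns = _get(doc, FIELDS["path"]), _get(doc, FIELDS["dns"])
    return ((path is not None and fnmatch.fnmatchcase(path, C2_PATH_PREFIX)) or
            (dns is not None and fnmatch.fnmatchcase(dns, C2_DNS_PREFIX)))


def is_expected_c2(doc):
    """Local equivalent of the `must_not` clauses (the known-good pattern)."""
    if _get(doc, FIELDS["dns"]) == C2_DNS:
        return True
    return (_get(doc, FIELDS["path"]) in C2_PATHS
            and _get(doc, FIELDS["ua"]) == C2_USER_AGENT
            and _get(doc, FIELDS["country"]) == C2_COUNTRY)


def find_anomalies(docs):
    """Documents that touch the infrastructure but deviate from the pattern."""
    return [d for d in docs if hits_infrastructure(d) and not is_expected_c2(d)]


def http_doc(doc_id, path, ua=C2_USER_AGENT, country=C2_COUNTRY):
    return {"_id": doc_id, "url": {"path": path}, "user_agent": {"original": ua},
            "client": {"geo": {"country_name": country}}}


def dns_doc(doc_id, name):
    return {"_id": doc_id, "dns": {"question": {"name": name}}}


SAMPLE_DOCS = [  # constructed, not real Packetbeat output
    http_doc("1", C2_PATHS[0]),                                          # expected beacon
    http_doc("2", "/legit/communication/uri/to/filter/width/admin.php"), # unknown path under prefix
    http_doc("3", C2_PATHS[1], ua="curl/7.68.0"),                        # known path, other user agent
    http_doc("4", C2_PATHS[2], country="Germany"),                       # known path, other country
    http_doc("5", "/index.html"),                                        # unrelated traffic, ignored
    dns_doc("6", C2_DNS),                                                # expected DNS lookup
    dns_doc("7", "rt-2.very.legit.domain.tours.prac.os3.nl"),           # other host under the zone
]

if __name__ == "__main__":
    print(json.dumps(build_query(refresh=60), indent=2))
    for doc in find_anomalies(SAMPLE_DOCS):
        print("anomaly: %s" % doc["_id"])
```

The local matcher mirrors the query so the filter logic can be unit-tested without a cluster; when wiring it to a real instance, the `term` clauses need keyword-mapped fields (exact match), otherwise the user agent and path comparisons will be tokenised and the must_not exclusion will not behave as intended.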