{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# MSTICpy - Mordor data provider and browser\n",
"\n",
"### Description\n",
"This notebook provides a guided example of using the Mordor data provider and browser included with MSTICpy.\n",
"\n",
"For more information on the Mordor data sets see the [Open Threat Research Forge Mordor GitHub repo](https://github.com/OTRF/mordor)\n",
"\n",
"You must have msticpy installed to run this notebook:\n",
"```\n",
"%pip install --upgrade msticpy\n",
"```\n",
"\n",
"Requires MSTICpy version 0.8.5 or later.\n",
"\n",
"### Contents:\n",
"- Using the Mordor data provider to retrieve data sets\n",
" - Listing queries\n",
" - Running a query to retrieve data\n",
" - Optional parameters\n",
" - Searching for queries by Mordor property\n",
"- Mordor Browser\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Using the Data Provider to download datasets\n",
"\n",
"Using the data provider you can download a Mordor data set and load its event data into a pandas DataFrame.\n",
"\n",
"> **Note** - Mordor includes both host event data and network capture data.\n",
"> Although capture files can be downloaded and unpacked,\n",
"> they currently cannot be populated into a pandas DataFrame.\n",
"> This is the case for most `network` datasets.\n",
"> `Host` event data is retrieved and populated into DataFrames.\n"
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Retrieving Mitre data...\n",
"Retrieving Mordor data...\n"
]
}
],
"source": [
"from msticpy.data import QueryProvider\n",
"\n",
"CACHE_FOLDER = \"~/.msticpy/mordor\"\n",
"mdr_data = QueryProvider(\"Mordor\", save_folder=CACHE_FOLDER)\n",
"mdr_data.connect()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### List Queries\n",
"\n",
"> Note: Many Mordor data entries have multiple data sets, so we see more queries than Mordor entries.\n",
"\n",
"(Only first 15 shown)"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"['atomic.aws.collection.ec2_proxy_s3_exfiltration',\n",
" 'atomic.linux.defense_evasion.host.sh_binary_padding_dd',\n",
" 'atomic.linux.discovery.host.sh_arp_cache',\n",
" 'atomic.linux.initial_access.network.log4jshell_reversheshell_netcat',\n",
" 'atomic.windows.collection.host.msf_record_mic',\n",
" 'atomic.windows.credential_access.host.cmd_lsass_memory_dumpert_syscalls',\n",
" 'atomic.windows.credential_access.host.cmd_psexec_lsa_secrets_dump',\n",
" 'atomic.windows.credential_access.host.cmd_sam_copy_esentutl',\n",
" 'atomic.windows.credential_access.host.covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges',\n",
" 'atomic.windows.credential_access.host.empire_dcsync_dcerpc_drsuapi_DsGetNCChanges',\n",
" 'atomic.windows.credential_access.host.empire_mimikatz_backupkeys_dcerpc_smb_lsarpc',\n",
" 'atomic.windows.credential_access.host.empire_mimikatz_extract_keys',\n",
" 'atomic.windows.credential_access.host.empire_mimikatz_logonpasswords',\n",
" 'atomic.windows.credential_access.host.empire_mimikatz_lsadump_patch',\n",
" 'atomic.windows.credential_access.host.empire_mimikatz_sam_access']"
]
},
"execution_count": 3,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"mdr_data.list_queries()[:15]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Retrieving/querying a data set"
]
},
{
"cell_type": "code",
"execution_count": 13,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip\n",
"Extracting covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges_2020-08-05020926.json\n"
]
},
{
"data": {
"text/html": [
"<p>DataFrame, 3 rows × 145 columns (abridged display; pandas elides the columns between SourceName and Properties):</p>\n",
"<table>\n",
"<tr><th></th><th>@version</th><th>Keywords</th><th>ThreadID</th><th>Version</th><th>DestAddress</th><th>host</th><th>LayerRTID</th><th>Message</th><th>SourceModuleName</th><th>SourceName</th><th>...</th><th>Properties</th><th>OperationType</th><th>QueryName</th><th>QueryResults</th><th>QueryStatus</th><th>PipeName</th><th>DisabledPrivilegeList</th><th>EnabledPrivilegeList</th><th>ShareLocalPath</th><th>RelativeTargetName</th></tr>\n",
"<tr><td>0</td><td>1</td><td>-9214364837600034816</td><td>4888</td><td>1</td><td>239.255.255.250</td><td>wec.internal.cloudapp.net</td><td>44.0</td><td>The Windows Filtering Platform has permitted a...</td><td>eventlog</td><td>Microsoft-Windows-Security-Auditing</td><td>...</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td></tr>\n",
"<tr><td>1</td><td>1</td><td>-9223372036854775808</td><td>4452</td><td>2</td><td>NaN</td><td>wec.internal.cloudapp.net</td><td>NaN</td><td>File created:\\r\\nRuleName: -\\r\\nUtcTime: 2020-...</td><td>eventlog</td><td>Microsoft-Windows-Sysmon</td><td>...</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td></tr>\n",
"<tr><td>2</td><td>1</td><td>-9223372036854775808</td><td>4452</td><td>2</td><td>NaN</td><td>wec.internal.cloudapp.net</td><td>NaN</td><td>RawAccessRead detected:\\r\\nRuleName: -\\r\\nUtcT...</td><td>eventlog</td><td>Microsoft-Windows-Sysmon</td><td>...</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td><td>NaN</td></tr>\n",
"</table>\n",
"<p>3 rows × 145 columns</p>\n",
"<p>A second rendering showing only rows 0 and 1 of the same columns (2 rows × 145 columns) followed.</p>\n",
""
],
"text/plain": [
" Parameters Query Example {QueryProvider}[.QueryPath].QueryName(params...)\n",
"> passed to the query - these are not needed and ignored."
]
},
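The provider steps above (connect with a save folder, pick a query, download and unpack the data-set zip, load the host events into a DataFrame) together with the note that capture files are unpacked but not tabulated, as an added stdlib-only example. This is not code from the notebook or from msticpy; it assumes Mordor host files are one JSON object per line, uses a placeholder URL (`https://example.invalid/...`) that is never fetched, and constructs its own events and zip so it runs offline. The helper names (`build_sample_archive`, `fetch_archive`, `load_dataset`, `to_table`, `run_demo`) are this example's own.

```python
"""Added example (not notebook or msticpy code): a stdlib re-creation of what the
Mordor provider does for one query: fetch the zip -> cache it -> unpack -> tabulate
the host events. Archive layout and events are constructed so it runs offline."""
import io
import json
import urllib.request
import zipfile
from pathlib import Path
from tempfile import TemporaryDirectory

HOST_SUFFIXES = (".json",)                       # JSON-lines host files (assumed layout)
CAPTURE_SUFFIXES = (".pcap", ".pcapng", ".cap")  # unpacked but never tabulated

# Constructed events: field names follow columns shown in the notebook output,
# values are invented and not taken from the real data set.
SAMPLE_EVENTS = [
    {"@version": "1", "host": "wec.internal.cloudapp.net", "SourceName": "Microsoft-Windows-Security-Auditing",
     "EventID": 5156, "DestAddress": "239.255.255.250",
     "Message": "The Windows Filtering Platform has permitted a connection."},
    {"@version": "1", "host": "wec.internal.cloudapp.net", "SourceName": "Microsoft-Windows-Sysmon",
     "EventID": 11, "Message": "File created:\r\nRuleName: -\r\nUtcTime: 2020-08-05 02:09:26"},
    {"@version": "1", "host": "wec.internal.cloudapp.net", "SourceName": "Microsoft-Windows-Sysmon",
     "EventID": 9, "Message": "RawAccessRead detected:\r\nRuleName: -"},
]


def build_sample_archive() -> bytes:
    """In-memory zip shaped like a Mordor data set: one JSON-lines host file
    plus a fake packet capture (a pcap magic number and padding)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample_host_events.json", "".join(json.dumps(e) + "\n" for e in SAMPLE_EVENTS))
        zf.writestr("sample_capture.pcap", b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)
    return buf.getvalue()


def fetch_archive(url: str, cache_dir, fetch=None):
    """Return (archive_bytes, from_cache). This is the save_folder behaviour of the
    notebook: a zip fetched once is reused. `fetch` defaults to an HTTP GET and is
    replaced by a fake in run_demo so nothing leaves the machine."""
    cache_dir = Path(cache_dir).expanduser()
    cache_dir.mkdir(parents=True, exist_ok=True)
    cached = cache_dir / Path(url).name
    if cached.exists():
        return cached.read_bytes(), True
    if fetch is None:
        def fetch(u):
            with urllib.request.urlopen(u, timeout=60) as resp:
                return resp.read()
    data = fetch(url)
    cached.write_bytes(data)
    return data, False


def load_dataset(archive: bytes, extract_dir):
    """Unpack the archive: host JSON-lines files become event dicts; capture
    files are written to disk but not parsed, as the notebook's note says."""
    extract_dir = Path(extract_dir)
    extract_dir.mkdir(parents=True, exist_ok=True)
    records, captures = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue                      # directory entry, nothing to write
            # basename only, so a crafted member such as ../../x cannot escape extract_dir
            target = extract_dir / Path(name).name
            target.write_bytes(zf.read(name))
            suffix = target.suffix.lower()
            if suffix in HOST_SUFFIXES:
                with target.open(encoding="utf-8") as fh:
                    records.extend(json.loads(ln) for ln in fh if ln.strip())
            elif suffix in CAPTURE_SUFFIXES:
                captures.append(target.name)
    return records, captures


def to_table(records):
    """Union of all event keys in first-seen order, as a DataFrame does; None marks
    a field an event lacks (the NaN cells in the output above)."""
    columns = []
    for rec in records:
        for key in rec:
            if key not in columns:
                columns.append(key)
    return columns, [[rec.get(c) for c in columns] for rec in records]


def run_demo() -> dict:
    """Run the pipeline end to end on the constructed archive, entirely offline."""
    url = "https://example.invalid/datasets/sample_dataset.zip"   # placeholder, never fetched
    with TemporaryDirectory() as tmp:
        cache = Path(tmp) / "cache"
        first, hit1 = fetch_archive(url, cache, fetch=lambda _u: build_sample_archive())
        second, hit2 = fetch_archive(url, cache, fetch=lambda _u: b"must not be called")
        records, captures = load_dataset(first, Path(tmp) / "extract")
    columns, rows = to_table(records)
    return {"cache_hits": (hit1, hit2), "same_bytes": first == second,
            "events": len(records), "captures": captures, "columns": columns,
            "sysmon_rows": sum(r["SourceName"] == "Microsoft-Windows-Sysmon" for r in records),
            "missing_cells": sum(v is None for row in rows for v in row)}
```

To point it at a real data set, call `fetch_archive` with the URL the notebook prints and no `fetch` argument. `to_table` also shows why the real frame has 145 mostly-NaN columns: Security-Auditing and Sysmon events carry different fields, and a DataFrame is the union of all of them.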
{
"cell_type": "code",
"execution_count": 22,
"metadata": {},
"outputs": [
{
"data": {
"application/vnd.jupyter.widget-view+json": {
"model_id": "cb323a2e318048f398fdad41a831eeb2",
"version_major": 2,
"version_minor": 0
},
"text/plain": [
"VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
""
],
"text/plain": [
"AWS Cloud Bank Breach S3\n",
"https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/aws/collection/ec2_proxy_s3_exfiltration.zip\n",
"\n",
"qry_prov.atomic.aws.collection.ec2_proxy_s3_exfiltration(start=start, end=end, hostname=host)\n",
""
],
"text/plain": [
"