Thursday, 22 March 2018

NXQL cheatsheet (Nexthink tables)

When tasked with writing queries for Nexthink using NXQL and the Web API V2, the first resource you should hit is, of course, the manual. There is not a lot in there to be honest, but it gives you some fundamentals to work with. What would also be useful to have from Nexthink is the list of tables (which I list below) and the relationships between them (I have not mapped those out yet!). Hopefully this will serve you as a quick reference to the available fields when you are writing a rule.

I have made a FreeMind and PDF export, available here (FreeMind) and here (PDF), but I am also listing the raw tables below for reference. Each table name is followed by its fields.

user
    database_usage, department, distinguished_name, first_seen, full_name, id, job_title, last_seen, name, number_of_days_since_last_seen, seen_on_mac_os, seen_on_mobile, seen_on_windows, sid, total_active_days, type

executable
    application_company, application_name, database_usage, description, first_seen, id, known_packages, last_seen, name, platform, storage_policy, total_active_days

web_request
    cardinality, connections_duration, end_time, http_status, id, incoming_traffic, network_response_time, outgoing_traffic, protocol, protocol_version, service_related, start_time, web_request_duration

execution
    average_memory_usage, binary_path, cardinality, duration, end_time, id, incoming_tcp_traffic, incoming_udp_traffic, outgoing_tcp_traffic, outgoing_udp_traffic, privilege_level, start_time, status, total_cpu_time

application
    company, database_usage, description, first_seen, id, known_packages, last_seen, name, platform, storage_policy, total_active_days

domain
    database_usage, domain_category, first_seen, hosting_country, hostname, id, internal_domain, last_seen, name, protocol, response_size, storage, threat_level

connection
    cardinality, destination_ip_address, device_ip_address, duration, end_time, id, incoming_bitrate, incoming_traffic, network_interface_iana_code, network_interface_index, network_interface_type, network_response_time, outgoing_bitrate, outgoing_traffic, start_time, status, type

binary
    application_category, application_company, application_name, architecture, average_cpu_usage, average_memory_usage, average_number_of_graphical_handles, company, database_usage, description, executable_name, file_size, first_seen, hash, id, last_seen, paths, platform, sha1, storage_policy, threat_level, total_active_days, user_interface, version

device
    administrator_account_status, all_antispywares, all_antiviruses, all_firewalls, antispyware_name, antispyware_rtp, antispyware_up_to_date, antivirus_name, antivirus_rtp, antivirus_up_to_date, audit_account_logon_events, audit_account_management, audit_directory_service_access, audit_logon_events, audit_object_access, audit_policy_change, audit_privilege_use, audit_process_tracking, audit_system_events, average_boot_duration, average_logon_duration, bios_serial_number, chassis_serial_number, collector_installation_log, collector_package_target_version, collector_status, collector_tag, collector_update_status, collector_version, cpu_frequency, cpu_model, database_usage, device_manufacturer, device_model, device_product_id, device_product_version, device_serial_number, device_type, device_uuid, disks_manufacturers, disks_smart_index, distinguished_name, enforce_password_history, entity, extended_logon_duration_baseline, firewall_name, firewall_rtp, first_seen, graphical_card_ram, graphical_cards, group_name, guest_account_status, hard_disks, id, internet_security_settings, ip_addresses, last_boot_duration, last_extended_logon_duration, last_ip_address, last_known_connection_status, last_logged_on_user, last_logon_duration, last_logon_time, last_seen, last_seen_on_tcp, last_system_boot, last_update, last_update_status, last_updater_request, last_windows_update, logical_cpu_number, logical_drives, local_administrators, local_power_users, mac_addresses, maximum_password_age, membership_type, minimum_password_age, minimum_password_length, monitor_models, monitor_resolutions, monitors, monitors_serial_numbers, name, number_of_antispyware, number_of_antiviruses, number_of_cores, number_of_cpus, number_of_days_since_first_seen, number_of_days_since_last_boot, number_of_days_since_last_logon, number_of_days_since_last_seen, number_of_days_since_last_seen_on_tcp, number_of_days_since_last_windows_update, number_of_firewalls, number_of_graphical_cards, number_of_monitors, os_architecture, os_version_and_architecture, password_complexity_requirements, platform, privileges_of_last_logged_on_users, sid, storage_policy, system_drive_capacity, system_drive_free_space, system_drive_usage, total_active_days, total_drive_capacity, total_drive_free_space, total_drive_usage, total_nonsystem_drive_capacity, total_nonsystem_drive_free_space, total_nonsystem_drive_usage, total_ram, updater_error, updater_version, upgrade_group, user_account_control_status, windows_license_key, windows_updates_status, wmi_status

network_scan
    cardinality, device_ip_address, duration, end_time, id, network, start_time, status, type

printout
    color_print, document_type, duplex, id, number_of_printed_pages, page_size, print_quality, size, status, time

printer
    first_seen, host_name, id, last_seen, location, model, name, real_name, type

port
    first_seen, id, last_seen, port_number, port_type, port_value

destination
    database_usage, first_seen, id, ip_address, last_seen, name

device_error
    error_code, error_label, id, start_time, type

device_warning
    duration, end_time, id, info, start_time, type, value, warning_duration

execution_warning
    duration, end_time, id, info, start_time, type, value, warning_duration

device_performance
    average_cpu_usage, average_memory_usage, duration, end_time, id, read_bytes, read_operations, time, write_bytes, write_operations

installation
    id, time, type

url_path
    id, path

service
    id, name

execution_error
    id, info, time, type

device_activity
    duration, id, time, type

user_activity
    duration, id, real_duration, time, type

port_scan
    cardinality, destination_ip_address, device_ip_address, duration, end_time, first_scanned_port, id, last_scanned_port, start_time, status, type

package
    first_installation, first_seen, id, name, number_of_updates, platform, program, publisher, status, type, version, windows_7_32bit_compatibility, windows_7_64bit_compatibility


Hope this helps.

Monday, 5 March 2018

Hunting cryptominers with Nexthink

I know, it's been a minute since my last post. Nevertheless, cryptominers are where the money is right now, so following yesterday's post by Xavier Mertens (@xme) in the SANS Diary, I thought it would be cool to write something in Nexthink to use the IOCs. And yes, the next step will be getting the data into Splunk so we can alert on it properly.

Going to the Nexthink world (documentation here), you can use the NXQL Editor to confirm your logic for the API (if you are using Web API V2, which is kind of recommended). You can usually access it from the portal (newest version) or directly from the engine you want to query, like so:

https://nxtengine.mydomain.local:1671/2/editor/nxql_editor.html

I will post a breakdown of the tables and their fields in a later post, but for the time being here is the rule based on the above IOCs, with some added tuning on the side too. Note that NXQL ORs separate where clauses together and ANDs the conditions inside a single where clause, which is how the path exclusions for names such as winlogon and taskhost work below.

(select ((binary (first_seen last_seen executable_name paths hash threat_level)))
   (from binary
       (where binary (eq executable_name (pattern "*AMDDriver64*")))
       (where binary (eq executable_name (pattern "*Silence*")))
       (where binary (eq executable_name (pattern "*Carbon*")))
       (where binary (eq executable_name (pattern "*xmrig32*")))
       (where binary (eq executable_name (pattern "*nscpucnminer64*")))
       (where binary (eq executable_name (pattern "*mrservicehost*")))
       (where binary (eq executable_name (pattern "*servisce*")))
       (where binary (eq executable_name (pattern "*svchosts3*")))
       (where binary (eq executable_name (pattern "*svhosts*")))
       (where binary (eq executable_name (pattern "*system64*")))
       (where binary (eq executable_name (pattern "*systemiissec*")))
       (where binary (eq executable_name (pattern "*winlogo*"))
            (ne paths (path "%System%/winlogon.exe")))
       (where binary (eq executable_name (pattern "*taskhost*"))
            (ne paths (path "%System%/taskhost.exe"))
            (ne paths (path "%System%/backgroundtaskhost.exe"))
            (ne paths (path "%System%/taskhostw.exe")))
       (where binary (eq executable_name (pattern "*vrmserver*")))
       (where binary (eq executable_name (pattern "*vshell*")))
       (where binary (eq executable_name (pattern "*winlogan*")))
       (where binary (eq executable_name (pattern "*logon*"))
            (ne paths (path "%System%/logonui.exe"))
            (ne paths (path "%System%/winlogon.exe")))
       (where binary (eq executable_name (pattern "*win1nit*")))
       (where binary (eq executable_name (pattern "*wininits*")))
       (where binary (eq executable_name (pattern "*winlnlts*")))
       (where binary (eq executable_name (pattern "*taskngr*")))
       (where binary (eq executable_name (pattern "*tasksvr*")))
       (where binary (eq executable_name (pattern "*mscl*")))
       (where binary (eq executable_name (pattern "*cpuminer*")))
       (where binary (eq executable_name (pattern "*sql31*")))
       (where binary (eq executable_name (pattern "*taskhots*")))
       (where binary (eq executable_name (pattern "*svchostx*")))
       (where binary (eq executable_name (pattern "*xmr86*")))
       (where binary (eq executable_name (pattern "*xmrig*")))
       (where binary (eq executable_name (pattern "*xmr*")))
       (where binary (eq executable_name (pattern "*win1ogin*")))
       (where binary (eq executable_name (pattern "*win1ogins*")))
       (where binary (eq executable_name (pattern "*ccsvchst*")))
       (where binary (eq executable_name (pattern "*nscpucnminer64*")))
       (where binary (eq executable_name (pattern "*update_windows*")))
       )
       (limit 1000))
This produces very few false positives in my environment, so I would recommend giving it a try, but tune it to your own estate accordingly.

To turn that into your command-line URL, take the request, paste it into CyberChef, URL-encode it and then run it like so:

curl -u myusername -k "https://nxtengine.mydomain.local:1671/2/query?query=<add_your_output_here>&platform=windows&format=json"

JSON is easier for Splunk to digest, so that is why I have chosen it; it is up to you if you would rather choose CSV. The result should look something like this:
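The query-building and URL-encoding steps above, as an added example that is not part of the original post: it generates the same shape of NXQL rule from an IOC list (one ORed where clause per name pattern, with ANDed path exclusions), checks the parentheses balance before sending, and assembles the Web API V2 URL from the post. The engine hostname and port are the ones the post uses; the three IOC entries are a constructed subset of the post's list.

```python
from urllib.parse import quote

# Constructed sample IOC list: (executable-name pattern, legitimate paths to
# exclude). A subset of the post's list, which carries around 40 entries.
IOCS = [
    ("*xmrig*", []),
    ("*winlogo*", ["%System%/winlogon.exe"]),
    ("*taskhost*", ["%System%/taskhost.exe", "%System%/taskhostw.exe"]),
]
FIELDS = ("first_seen", "last_seen", "executable_name", "paths", "hash", "threat_level")

def where_clause(pattern, excluded_paths):
    # Conditions inside one where clause are ANDed: the name must match AND
    # the path must differ from every listed legitimate location.
    conds = [f'(eq executable_name (pattern "{pattern}"))']
    conds += [f'(ne paths (path "{p}"))' for p in excluded_paths]
    return f"(where binary {' '.join(conds)})"

def build_query(iocs, fields=FIELDS, limit=1000):
    # Separate where clauses are ORed by NXQL, so each IOC gets its own.
    lines = [f"(select ((binary ({' '.join(fields)})))", "   (from binary"]
    lines += [f"        {where_clause(p, ex)}" for p, ex in iocs]
    lines[-1] += ")"  # close the from clause
    lines.append(f"   (limit {limit}))")
    return "\n".join(lines)

def balanced(query):
    # Sanity check before sending: parentheses outside string literals balance.
    depth, in_str = 0, False
    for ch in query:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and not in_str

def api_url(query, engine="nxtengine.mydomain.local", port=1671,
            platform="windows", fmt="json"):
    # Web API V2 query endpoint from the post. The query is URL-encoded here
    # (the step the post does in CyberChef) so curl can take the URL verbatim.
    if not balanced(query):
        raise ValueError("unbalanced NXQL query")
    return (f"https://{engine}:{port}/2/query?query={quote(query, safe='')}"
            f"&platform={platform}&format={fmt}")
```

Feed `api_url(build_query(IOCS))` to the curl command above in place of the hand-encoded query; extending IOCS with the remaining names from the rule keeps the same structure.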

That's all for now. I hope you all get 0 results.