
Elasticsearch query DSL: multiple "query"s


This works:

{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "match_phrase": {
                "EventID": "4732"
              }
            }
          ]
        }
      }
    }
  }
}
But how can I add multiple such "query"s together? For example, "EventID": "4732" or "EventID": "4728".

Actually, based on the Sigma rules, the queries are more complex; otherwise I know I could do:

{
  "query": {
    "bool": {
      "should": [
        {
          "match_phrase": {
            "data.win.system.eventID": "4732"
          }
        },
        {
          "match_phrase": {
            "data.win.system.eventID": "4728"
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}
The Sigma output format looks like this:

[
  {
    "query": {
      "constant_score": {
        "filter": {
          "bool": {
            "must": [
              {
                "match_phrase": {
                  "EventID": "4732"
                }
              }
            ]
          }
        }
      }
    }
  },
  {
    "query": {
      "constant_score": {
        "filter": {
          "bool": {
            "must": [
              {
                "match_phrase": {
                  "EventID": "4728"
                }
              }
            ]
          }
        }
      }
    }
  }
]
However, this gives me:

[parsing_exception] unknown query [query], with {line=1&col=1065}

It does not work at all in Dev Tools. In the Discover section it is automatically converted to:

{
  "0": {
    "query": {
      "constant_score": {
        "filter": {
          "bool": {
            "must": [
              {
                "match_phrase": {
                  "EventID": "4732"
                }
              }
            ]
          }
        }
      }
    }
  },
  "1": {
    "query": {
      "constant_score": {
        "filter": {
          "bool": {
            "must": [
              {
                "match_phrase": {
                  "EventID": "4728"
                }
              }
            ]
          }
        }
      }
    }
  }
}
Which in Dev Tools gives:

"reason": "Unknown key for a START_OBJECT in [0].",

Research suggests wrapping the "query" in a query bool-should, i.e.:

{
  "query": {
    "bool": {
      "should": [
        {
          "query": {
            "constant_score": {
              "filter": {
                "bool": {
                  "must": [
                    {
                      "match_phrase": {
                        "EventID": "4732"
                      }
                    }
                  ]
                }
              }
            }
          }
        },
        {
          "query": {
            "constant_score": {
              "filter": {
                "bool": {
                  "must": [
                    {
                      "match_phrase": {
                        "EventID": "4728"
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}
This also gives:

[parsing_exception] unknown query [query], with {line=1&col=1065}

Or, in Dev Tools:

"reason": "unknown query [query]"

Is it possible to have multiple "query"s?

Example of the Sigma script I want to convert:

[
  {
    "query": {
      "constant_score": {
        "filter": {
          "bool": {
            "should": [
              {
                "bool": {
                  "should": [
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* -NoP *"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* -W Hidden *"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* -decode *"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* /decode *"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* -e* JAB*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* -e* SUVYI*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* -e* SQBFAFgA*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* -e* aWV4I*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* -e* IAB*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* -e* PAA*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* -e* aQBlAHgA*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "*vssadmin delete shadows*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "*reg SAVE HKLM\\\\SAM*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* -ma *"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "*Microsoft\\\\Windows\\\\CurrentVersion\\\\Run*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "*.downloadstring(*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "*.downloadfile(*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* /ticket:*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* sekurlsa*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* p::d *"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "*;iex(*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "*schtasks* /create *AppData*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* comsvcs.dll,MiniDump*"
                      }
                    },
                    {
                      "wildcard": {
                        "CommandLine.keyword": "* comsvcs.dll,#24*"
                      }
                    }
                  ]
                }
              },
              {
                "bool": {
                  "must": [
                    {
                      "bool": {
                        "should": [
                          {
                            "wildcard": {
                              "ParentImage.keyword": "*\\\\WINWORD.EXE*"
                            }
                          },
                          {
                            "wildcard": {
                              "ParentImage.keyword": "*\\\\EXCEL.EXE*"
                            }
                          },
                          {
                            "wildcard": {
                              "ParentImage.keyword": "*\\\\POWERPNT.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "ParentImage.keyword": "*\\\\MSPUB.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "ParentImage.keyword": "*\\\\VISIO.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "ParentImage.keyword": "*\\\\OUTLOOK.EXE*"
                            }
                          }
                        ]
                      }
                    },
                    {
                      "bool": {
                        "should": [
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\cmd.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\powershell.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\wscript.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\cscript.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\schtasks.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\scrcons.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\regsvr32.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\hh.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\wmic.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\mshta.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\msiexec.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\forfiles.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\AppData\\\\*"
                            }
                          }
                        ]
                      }
                    }
                  ]
                }
              },
              {
                "bool": {
                  "must": [
                    {
                      "bool": {
                        "should": [
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\apache*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\tomcat*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\w3wp.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\php-cgi.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\nginx.exe*"
                            }
                          },
                          {
                            "wildcard": {
                              "Image.keyword": "*\\\\httpd.exe*"
                            }
                          }
                        ]
                      }
                    },
                    {
                      "bool": {
                        "should": [
                          {
                            "wildcard": {
                              "CommandLine.keyword": "*whoami*"
                            }
                          },
                          {
                            "wildcard": {
                              "CommandLine.keyword": "*net user *"
                            }
                          },
                          {
                            "wildcard": {
                              "CommandLine.keyword": "*ping -n *"
                            }
                          },
                          {
                            "wildcard": {
                              "CommandLine.keyword": "*systeminfo*"
                            }
                          },
                          {
                            "wildcard": {
                              "CommandLine.keyword": "*&cd&echo*"
                            }
                          },
                          {
                            "wildcard": {
                              "CommandLine.keyword": "*cd /d *"
                            }
                          }
                        ]
                      }
                    }
                  ]
                }
              },
              {
                "bool": {
                  "must": [
                    {
                      "wildcard": {
                        "Image.keyword": "*\\\\whoami.exe*"
                      }
                    },
                    {
                      "match_phrase": {
                        "User": "NT AUTHORITY\\SYSTEM"
                      }
                    }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  },
  {
    "query": {
      "constant_score": {
        "filter": {
          "bool": {
            "must": [
              {
                "match_phrase": {
                  "EventLog": "Microsoft-Windows-Sysmon"
                }
              },
              {
                "bool": {
                  "should": [
                    {
                      "bool": {
                        "must": [
                          {
                            "match_phrase": {
                              "EventID": "11"
                            }
                          },
                          {
                            "bool": {
                              "should": [
                                {
                                  "wildcard": {
                                    "TargetFilename.keyword": "*.dmp*"
                                  }
                                },
                                {
                                  "wildcard": {
                                    "TargetFilename.keyword": "*Desktop\\\\how*"
                                  }
                                },
                                {
                                  "wildcard": {
                                    "TargetFilename.keyword": "*Desktop\\\\decrypt*"
                                  }
                                }
                              ]
                            }
                          }
                        ]
                      }
                    },
                    {
                      "bool": {
                        "must": [
                          {
                            "bool": {
                              "should": [
                                {
                                  "match_phrase": {
                                    "EventID": "12"
                                  }
                                },
                                {
                                  "match_phrase": {
                                    "EventID": "13"
                                  }
                                }
                              ]
                            }
                          },
                          {
                            "bool": {
                              "should": [
                                {
                                  "wildcard": {
                                    "TargetObject.keyword": "*UserInitMprLogonScript*"
                                  }
                                },
                                {
                                  "wildcard": {
                                    "TargetObject.keyword": "*\\\\CurrentVersion\\\\Image File Execution Options\\\\*"
                                  }
                                }
                              ]
                            }
                          }
                        ]
                      }
                    },
                    {
                      "bool": {
                        "must": [
                          {
                            "bool": {
                              "should": [
                                {
                                  "match_phrase": {
                                    "EventID": "12"
                                  }
                                },
                                {
                                  "match_phrase": {
                                    "EventID": "13"
                                  }
                                }
                              ]
                            }
                          },
                          {
                            "bool": {
                              "should": [
                                {
                                  "wildcard": {
                                    "TargetObject.keyword": "*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*"
                                  }
                                },
                                {
                                  "wildcard": {
                                    "TargetObject.keyword": "*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*"
                                  }
                                }
                              ]
                            }
                          },
                          {
                            "bool": {
                              "should": [
                                {
                                  "wildcard": {
                                    "Details.keyword": "*AppData*"
                                  }
                                },
                                {
                                  "wildcard": {
                                    "Details.keyword": "*\\\\Users\\\\Public\\\\*"
                                  }
                                },
                                {
                                  "wildcard": {
                                    "Details.keyword": "*\\\\Temp\\\\*"
                                  }
                                },
                                {
                                  "wildcard": {
                                    "Details.keyword": "*powershell*"
                                  }
                                },
                                {
                                  "wildcard": {
                                    "Details.keyword": "*wscript*"
                                  }
                                },
                                {
                                  "wildcard": {
                                    "Details.keyword": "*cscript*"
                                  }
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  },
  {
    "query": {
      "constant_score": {
        "filter": {
          "bool": {
            "must": [
              {
                "match_phrase": {
                  "EventID": "7045"
                }
              },
              {
                "bool": {
                  "should": [
                    {
                      "wildcard": {
                        "ServiceName.keyword": "*WCESERVICE*"
                      }
                    },
                    {
                      "wildcard": {
                        "ServiceName.keyword": "*WCE SERVICE*"
                      }
                    },
                    {
                      "wildcard": {
                        "ServiceName.keyword": "*winexesvc*"
                      }
                    },
                    {
                      "wildcard": {
                        "ServiceName.keyword": "*DumpSvc*"
                      }
                    },
                    {
                      "wildcard": {
                        "ServiceName.keyword": "*pwdump*"
                      }
                    },
                    {
                      "wildcard": {
                        "ServiceName.keyword": "*gsecdump*"
                      }
                    },
                    {
                      "wildcard": {
                        "ServiceName.keyword": "*cachedump*"
                      }
                    }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  }
]

The simplest way is to use a terms query (which has OR semantics):

{
  "query": {
    "bool": {
      "filter": [
        {
          "terms": {
            "EventID": [
              "4732", "4728"
            ]
          }
        }
      ]
    }
  }
}

The problem is that it doesn't work for more complex scripts. I have added a godmode example to my first post.

Wow, that query is the perfect anti-pattern: lots of wildcard queries with leading wildcards, which is one of the biggest performance killers. You should really look into that.

I didn't write this myself, it's a demonstration Sigma rule. Yes, that particular one has lots of wildcards, but the others don't. It's just an example of multiple "query"s :)
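An added Python example (not from the question, the answer, or the Sigma project) that does what the thread converges on: it strips the top-level "query" wrapper that triggers the 'unknown query [query]' error, collapses single-field rules on the same field into the answer's terms clause, keeps the complex rules as-is under one bool/should, and flags the leading-wildcard patterns the commenter warns about. The sample inputs are constructed and the helper names are my own.

```python
from typing import Any, Dict, List, Optional, Tuple
# Constructed sample (not real Sigma output): three queries in the shape the
# question shows, each wrapped in its own top-level "query" key.
SIGMA_OUTPUTS = [
    {"query": {"constant_score": {"filter": {"bool": {"must": [
        {"match_phrase": {"EventID": "4732"}}]}}}}},
    {"query": {"constant_score": {"filter": {"bool": {"must": [
        {"match_phrase": {"EventID": "4728"}}]}}}}},
    {"query": {"constant_score": {"filter": {"bool": {"must": [
        {"match_phrase": {"EventID": "7045"}},
        {"bool": {"should": [{"wildcard": {"ServiceName.keyword": "*pwdump*"}}]}},
    ]}}}}},
]


def unwrap_query(obj: Dict[str, Any]) -> Dict[str, Any]:
    # Inside a bool clause Elasticsearch expects a query type (constant_score,
    # bool, terms, ...); keeping the "query" wrapper yields 'unknown query [query]'.
    return obj["query"] if set(obj) == {"query"} else obj


def simple_match_phrase(q: Dict[str, Any]) -> Optional[Tuple[str, str]]:
    # (field, value) when q is constant_score > filter > bool > must with one
    # match_phrase, the shape Sigma emits for a single-field rule; else None.
    try:
        must = q["constant_score"]["filter"]["bool"]["must"]
        if len(must) == 1 and list(must[0]) == ["match_phrase"]:
            ((field, value),) = must[0]["match_phrase"].items()
            return field, value
    except (KeyError, TypeError, ValueError):
        pass
    return None


def merge_queries(outputs: List[Dict[str, Any]]) -> Dict[str, Any]:
    # Single-field rules on the same field collapse into one terms clause (the
    # answer's suggestion); everything else is kept under one bool/should.
    terms_by_field: Dict[str, List[str]] = {}
    complex_clauses: List[Dict[str, Any]] = []
    for out in outputs:
        q = unwrap_query(out)
        simple = simple_match_phrase(q)
        if simple:
            field, value = simple
            values = terms_by_field.setdefault(field, [])
            if value not in values:
                values.append(value)
        else:
            complex_clauses.append(q)
    should = [{"terms": {f: v}} for f, v in terms_by_field.items()] + complex_clauses
    return {"query": {"bool": {"should": should, "minimum_should_match": 1}}}


def leading_wildcards(node: Any) -> List[str]:
    # Wildcard patterns beginning with '*' anywhere in the tree: the expensive
    # clauses the commenter warns about, worth flagging before deploying.
    found: List[str] = []
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "wildcard" and isinstance(val, dict):
                found += [p for p in val.values() if isinstance(p, str) and p.startswith("*")]
            else:
                found += leading_wildcards(val)
    elif isinstance(node, list):
        for item in node:
            found += leading_wildcards(item)
    return found


if __name__ == "__main__":
    import json
    print(json.dumps(merge_queries(SIGMA_OUTPUTS), indent=2))
```

The merged request can be pasted into Dev Tools as-is; the match_phrase clauses the third rule carries stay untouched because only single-field rules are folded into terms.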