        def get_queries(self) -> OneOrMany[ProcessQuery]:
            """Return a query for a child process whose parent also carries an assumed user id.

            Both the parent and the child queries are wrapped by
            ``with_assumed_user_id`` before the child is linked to the parent.
            ``with_parent`` is invoked for its effect on the child query; its
            return value is not used, and the child query itself is returned.
            """
            assumed_parent = with_assumed_user_id(ProcessQuery())
            assumed_child = with_assumed_user_id(ProcessQuery())
            # Attach the parent to the child in place; the child is what callers get.
            assumed_child.with_parent(assumed_parent)
            return assumed_child
    def get_queries(self) -> OneOrMany[ProcessQuery]:
        """Return a query for ``cmd.exe`` spawned by an unexpected parent.

        The parent is filtered by process name alone: each name in
        ``excluded_parents`` is wrapped in ``Not(...)`` so those routine
        launchers are excluded from the match. Because only the name is
        compared, a binary that merely carries one of these names is
        excluded as well.
        """
        excluded_parents = [
            Not(name)
            for name in (
                "svchost.exe",
                "RuntimeBroker.exe",
                "chrome.exe",
                "explorer.exe",
                "SIHClient.exe",
                "conhost.exe",
                "MpCmdRun.exe",
                "GoogleUpdateComRegisterShell64.exe",
                "GoogleUpdate.exe",
                "notepad.exe",
                "OneDrive.exe",
                "VBoxTray.exe",
                "Firefox Installer.exe",
            )
        ]

        parent = ProcessQuery().with_process_name(eq=excluded_parents)
        cmd_child = ProcessQuery().with_process_name(eq="cmd.exe")
        return parent.with_children(cmd_child)
        def get_queries(self) -> OneOrMany[IpcQuery]:
            """Return two IPC queries pairing an ssh process with an arbitrary recipient.

            The creator is a process filtered by name against ``ssh-agent`` and
            ``sshd``; the recipient is an unfiltered process query. The first
            query scopes both sides with ``with_assumed_user_id`` (uid
            mismatch check), the second with ``with_assumed_auid`` (auid
            mismatch check).
            """
            def ssh_process() -> ProcessQuery:
                # Process-name filters for the ssh daemon and agent.
                return (
                    ProcessQuery()
                    .with_process_name(eq='ssh-agent')
                    .with_process_name(eq='sshd')
                )

            creator_by_uid = with_assumed_user_id(ssh_process())
            recipient_by_uid = with_assumed_user_id(ProcessQuery())

            creator_by_auid = with_assumed_auid(ssh_process())
            recipient_by_auid = with_assumed_auid(ProcessQuery())

            uid_mismatch = (
                IpcQuery()
                .with_ipc_creator(creator_by_uid)
                .with_ipc_recipient(recipient_by_uid)
            )
            auid_mismatch = (
                IpcQuery()
                .with_ipc_creator(creator_by_auid)
                .with_ipc_recipient(recipient_by_auid)
            )
            return (uid_mismatch, auid_mismatch)
 def get_queries(self) -> OneOrMany[IpcQuery]:
     """Return an IPC query for a non-ssh binary talking to ``ssh-agent``/``sshd``.

     The creator is filtered by its binary's file path, with the usual ssh
     client binaries wrapped in ``Not(...)``; the recipient is filtered by
     process name. The creator check is on the path, so a client that lives
     somewhere other than the three listed paths is not excluded.
     """
     ipc = IpcQuery()

     excluded_client_paths = [
         Not("/usr/bin/ssh-add"),
         Not("/bin/ssh"),
         Not("/usr/bin/ssh"),
     ]
     creator = ProcessQuery().with_bin_file(
         FileQuery().with_file_path(eq=excluded_client_paths)
     )
     ipc = ipc.with_ipc_creator(creator)

     recipient = (
         ProcessQuery()
         .with_process_name(eq='ssh-agent')
         .with_process_name(eq='sshd')
     )
     return ipc.with_ipc_recipient(recipient)
    def get_queries(self) -> OneOrMany[ProcessQuery]:
        """Return a query for a process whose binary was created by an archive tool.

        ``unpacker`` receives one ``with_process_name`` filter per tool name;
        the filter calls are made for their effect on ``unpacker`` and their
        return values are not used. The queried process's binary file must
        then have ``unpacker`` as its creator.
        """
        unpacker = ProcessQuery()
        for tool_name in ("7zip.exe", "winrar.exe", "zip.exe"):
            # Return value unused; the filter is expected to land on `unpacker`.
            unpacker.with_process_name(eq=tool_name)

        return (
            ProcessQuery()
            .with_bin_file(FileQuery().with_creator(unpacker))
        )
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Return a query for a process and its parent, both with process names.

     Neither ``with_process_name()`` call is given a filter, so the query
     constrains nothing beyond what an unfiltered call requires of the node
     (defined by ``ProcessQuery``, not visible here).
     """
     process = ProcessQuery().with_process_name()
     parent = ProcessQuery().with_process_name()
     return process.with_parent(parent)
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Return a query for ``dns.exe`` spawning one of several child binaries.

     The child query gets one ``with_process_name`` filter per entry in
     ``child_names`` (chained, so each call's return value feeds the next),
     and the asset's hostname is attached for reporting.
     """
     child_names = (
         'cmd.exe',
         'mshta.exe',
         'rundll32.exe',
         'conhost.exe',
         'dnscmd.exe',
         'werfault.exe',
     )

     dns_server = ProcessQuery().with_process_name(eq='dns.exe')

     child = ProcessQuery()
     for name in child_names:
         child = child.with_process_name(eq=name)

     return (
         dns_server
         .with_children(child)
         .with_asset(AssetQuery().with_hostname())
     )
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Return a query for a ``python`` process that spawns a shell.

     The child is identified by its binary's file path (``/bin/sh`` or
     ``/bin/bash``) rather than by process name. The parent filter is
     ``eq="python"``; if ``eq`` is an exact comparison, interpreters named
     e.g. ``python3`` would not match — confirm against the query library.
     """
     python_process = ProcessQuery().with_process_name(eq="python")

     shell = ProcessQuery()
     shell_binary = (
         FileQuery()
         .with_file_path(eq="/bin/sh")
         .with_file_path(eq="/bin/bash")
     )
     shell = shell.with_bin_file(shell_binary)

     return python_process.with_children(shell)
    def get_queries(self) -> OneOrMany[ProcessQuery]:
        """Return a query for ``svchost.exe`` launched by an unexpected parent.

        ``expected_parents`` holds the routine launchers, each wrapped in
        ``Not(...)``, and is applied to the parent's process name. Only the
        name is compared, so the check does not distinguish a genuine
        launcher from something else carrying the same name.
        """
        expected_parents = [
            Not(name)
            for name in (
                "services.exe",
                "smss.exe",
                "ngentask.exe",
                "userinit.exe",
                "GoogleUpdate.exe",
                "conhost.exe",
                "MpCmdRun.exe",
            )
        ]

        parent = ProcessQuery().with_process_name(eq=expected_parents)
        svchost = ProcessQuery().with_process_name(eq="svchost.exe")
        return parent.with_children(svchost)
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Return a query for a process outside the usual Windows directories that runs cmd.exe.

     The child is a process whose binary path ends with ``cmd.exe`` and
     whose arguments reference ``SetupComplete.cmd`` or
     ``PartnerSetupComplete.cmd``. The parent's own binary path must not
     fall under the System32 / SysWOW64 / WinSxS / Setup directories.
     """
     parent = ProcessQuery()

     # cmd.exe invoked with one of the setup script paths in its arguments.
     setup_cmd = (
         ProcessQuery()
         .with_bin_file(FileQuery().with_file_path(ends_with="cmd.exe"))
         .with_arguments(
             contains=r"C:\Windows\Setup\Scripts\SetupComplete.cmd"
         )
         .with_arguments(
             contains=r"C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd"
         )
     )
     parent = parent.with_children(setup_cmd)

     # These raw strings end in a literal backslash-backslash-star; whether
     # `contains` treats that as a glob or as literal text is decided by the
     # query library — confirm before relying on it.
     outside_windows_dirs = FileQuery().with_file_path(contains=[
         Not(r'C:\Windows\System32\\*'),
         Not(r'C:\Windows\SysWOW64\\*'),
         Not(r'C:\Windows\WinSxS\\*'),
         Not(r'C:\Windows\Setup\\*'),
     ])
     return parent.with_bin_file(outside_windows_dirs)
    def on_response(self, response: ProcessView, output: Any):
        """Emit a hit when an osascript process has read a rarely-read file.

        For each file the responding process read, ``self.counter`` is asked
        how many ``osascript`` processes have read that path. The first path
        whose count is below ``rare_threshold`` marks the process as
        suspicious; the scan stops there and a risk-score-5 ``ExecutionHit``
        keyed on the asset hostname is sent to ``output``.
        """
        asset_id = response.get_asset().get_hostname()
        rare_threshold = 4

        def osascript_read_count(read_file) -> int:
            # How many osascript processes have read this particular path.
            return self.counter.get_count_for(
                ProcessQuery()
                .with_process_name(eq="osascript")
                .with_read_files(
                    FileQuery().with_file_path(read_file.get_file_path())
                )
            )

        # any() short-circuits on the first rare file, so no further counts
        # are fetched once one is found.
        saw_rare_read = any(
            osascript_read_count(read_file) < rare_threshold
            for read_file in response.get_read_files()
        )
        if not saw_rare_read:
            return

        hit = ExecutionHit(
            analyzer_name="Osascript Process Execution - Rare File Read",
            node_view=response,
            risk_score=5,
            lenses=asset_id,
        )
        output.send(hit)
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Return a query for a process that deleted a file carrying a ``spawned_from`` edge.

     The deleted-file query is unfiltered apart from ``with_spawned_from()``,
     which is also given no filter; what that edge requires of the file is
     defined by ``FileQuery`` and not visible here.
     """
     process = ProcessQuery()
     deleted_file = FileQuery().with_spawned_from()
     return process.with_deleted_files(deleted_file)
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Return a query for a System32/SysWow64 binary whose parent has a binary file.

     The process and its parent both carry unfiltered process names; the
     parent also has an unfiltered binary file. The process's own binary
     path is filtered with ``contains`` against the two system directories.
     """
     process = ProcessQuery().with_process_name()

     parent = (
         ProcessQuery()
         .with_process_name()
         .with_bin_file(FileQuery())
     )
     process = process.with_parent(parent)

     # The literals hold doubled backslashes (and a trailing one); presumably
     # pre-escaped for the backend's `contains` matcher — verify against it.
     system_binary = (
         FileQuery()
         .with_file_path(contains='Windows\\\\System32\\')
         .with_file_path(contains='Windows\\\\SysWow64\\')
     )
     return process.with_bin_file(system_binary)
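    def get_count_for(
        self,
        grand_parent_process_name: str,
        grand_child_process_name: str,
        max_count: int = 4,
    ) -> int:
        """Count grandparent -> (any child) -> grandchild process chains.

        Returns how many processes named ``grand_parent_process_name`` have a
        child that in turn has a child named ``grand_child_process_name``,
        as reported by ``ProcessQuery.get_count`` against
        ``self.dgraph_client``.

        Results are memoised in ``self.cache`` (when it is set) under a key
        built from this class's name and both process names. A cached value
        of at least ``max_count`` is returned without querying (the caller
        is assumed to only care whether the count falls below that
        threshold); anything lower is re-queried, and the cached value is
        raised to the fresh count when it grew.

        Args:
            grand_parent_process_name: process name of the grandparent.
            grand_child_process_name: process name of the grandchild.
            max_count: cached counts at or above this are trusted as-is.

        Returns:
            The (possibly cached) count as an ``int``.
        """
        # Build the key from a tuple repr so the two names cannot run into
        # each other: plain concatenation made ("ab", "c") and ("a", "bc")
        # share one cache entry and therefore one count.
        key = repr(
            (type(self).__name__, grand_parent_process_name, grand_child_process_name)
        )

        cached_count = None
        if self.cache:
            raw = self.cache.get(key)
            # A cached 0 is a real count, not a miss: test for None rather
            # than truthiness.
            if raw is not None:
                cached_count = int(raw)
                if cached_count >= max_count:
                    return cached_count

        query = (
            ProcessQuery()
            .with_process_name(eq=grand_parent_process_name)
            .with_children(
                ProcessQuery().with_children(
                    ProcessQuery().with_process_name(eq=grand_child_process_name)
                )
            )
        )  # type: ProcessQuery

        count = int(query.get_count(self.dgraph_client))

        # Only ever raise the cached value; a lower fresh count is not
        # written back.
        if self.cache and (cached_count is None or count >= cached_count):
            self.cache.set(key, count)

        return count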
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Return a query for a browser creating a file outside AppData / tmp paths.

     The browser is matched by process name (``firefox.exe``, ``chrome.exe``);
     the created file's path is filtered with ``contains`` against
     ``Not("AppData")`` and ``Not("tmp")``. How a list of ``Not`` filters is
     combined is defined by the query library, not visible here.
     """
     browser = (
         ProcessQuery()
         .with_process_name(eq="firefox.exe")
         .with_process_name(eq="chrome.exe")
     )
     unusual_location = FileQuery().with_file_path(
         contains=[Not("AppData"), Not("tmp")]
     )
     return browser.with_created_files(unusual_location)
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Return a query for ``/usr/bin/osascript`` together with the files it read.

     The process is identified by its binary's file path rather than by
     process name; the read files are pulled in with an unfiltered
     ``with_file_path()`` so their paths are available to ``on_response``.
     """
     osascript = ProcessQuery().with_bin_file(
         FileQuery().with_file_path(eq="/usr/bin/osascript")
     )
     read_file = FileQuery().with_file_path()
     return osascript.with_read_files(read_file)
    def get_auid(process: ProcessView) -> Optional[int]:
        """Return the auid assumed by ``process``, or ``None`` if no assumption is recorded.

        Fetches the first ``AuidAssumptionQuery`` result whose assuming
        process has this process's ``node_key``, using ``process.dgraph_client``.
        """
        assumption = (
            AuidAssumptionQuery()
            .with_assuming_process(ProcessQuery().with_node_key(process.node_key))
            .with_auid()
            .query_first(process.dgraph_client)
        )  # type: Optional[UserIdAssumptionView]

        if not assumption:
            return None
        return assumption.get_auid()
    def get_queries(self) -> OneOrMany[ProcessQuery]:
        """Return a query for ``cmd.exe`` spawned by an unexpected parent, with its asset.

        The parent is filtered by process name alone: each name in
        ``excluded_parents`` is wrapped in ``Not(...)``. The asset's hostname
        is attached for reporting.
        """
        # TODO: We should be checking binary paths for these to ensure we handle impersonation
        excluded_parents = [
            Not(name)
            for name in (
                "svchost.exe",
                "RuntimeBroker.exe",
                "chrome.exe",
                "explorer.exe",
                "SIHClient.exe",
                "conhost.exe",
                "MpCmdRun.exe",
                "GoogleUpdateComRegisterShell64.exe",
                "GoogleUpdate.exe",
                "notepad.exe",
                "OneDrive.exe",
                "VBoxTray.exe",
                "Firefox Installer.exe",
            )
        ]

        parent = ProcessQuery().with_process_name(eq=excluded_parents)
        cmd_child = ProcessQuery().with_process_name(eq="cmd.exe")
        parent = parent.with_children(cmd_child)

        return parent.with_asset(AssetQuery().with_hostname())
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Return a query for any child of a ``powershell.exe`` process.

     The child itself is unfiltered; only the parent's process name is checked.
     """
     child = ProcessQuery()
     powershell = ProcessQuery().with_process_name(eq="powershell.exe")
     return child.with_parent(powershell)
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Return a query for an Office / Reader process that spawns any child.

     The parent gets one ``with_process_name`` filter per name in
     ``office_names`` (chained, each call's return feeding the next); the
     child is an unfiltered ``ProcessQuery``.
     """
     office_names = ("winword.exe", "excel.exe", "reader.exe")

     office_app = ProcessQuery()
     for name in office_names:
         office_app = office_app.with_process_name(eq=name)

     return office_app.with_children(ProcessQuery())
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Return a query for a named process spawned by ``cmd.exe`` that created connections.

     The process's own name is unfiltered; the parent is matched by name and
     ``with_created_connections()`` is called without a filter.
     """
     process = ProcessQuery().with_process_name()
     cmd_parent = ProcessQuery().with_process_name(eq="cmd.exe")
     return process.with_parent(cmd_parent).with_created_connections()