def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Match processes whose binary is ``/usr/bin/osascript`` and that have
    a read-file edge.

    The read-file filter is left without any path predicate
    (``with_file_path()``), which appears to return every file the matched
    process read so the handler can inspect them individually.
    """
    osascript_binary = FileQuery().with_file_path(eq="/usr/bin/osascript")
    any_read_file = FileQuery().with_file_path()
    return (
        ProcessQuery()
        .with_bin_file(osascript_binary)
        .with_read_files(any_read_file)
    )
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Match a parent process, executing from outside the listed Windows
    system directories, that spawns a ``cmd.exe`` child whose arguments
    reference the ``SetupComplete.cmd`` / ``PartnerSetupComplete.cmd``
    setup scripts.
    """
    # Child process: cmd.exe with the setup-script paths in its arguments.
    # NOTE(review): whether two chained with_arguments() filters are OR'd or
    # AND'd is decided by the query DSL, not by this code -- confirm.
    setup_script_cmd = (
        ProcessQuery()
        .with_bin_file(FileQuery().with_file_path(ends_with="cmd.exe"))
        .with_arguments(contains=r"C:\Windows\Setup\Scripts\SetupComplete.cmd")
        .with_arguments(contains=r"C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd")
    )
    # Parent binary: excluded when its path falls under the Windows system
    # directories, so that only unusual launch locations remain.
    non_system_binary = FileQuery().with_file_path(
        contains=[
            Not(r'C:\Windows\System32\\*'),
            Not(r'C:\Windows\SysWOW64\\*'),
            Not(r'C:\Windows\WinSxS\\*'),
            Not(r'C:\Windows\Setup\\*'),
        ]
    )
    return (
        ProcessQuery()
        .with_children(setup_script_cmd)
        .with_bin_file(non_system_binary)
    )
def on_response(self, response: ProcessView, output: Any):
    """Emit an ``ExecutionHit`` when the matched osascript process read at
    least one file that osascript has rarely read before.

    "Rare" is a count below 4 from ``self.counter`` for the same file path.
    The hit is lensed on the hostname of the asset the process ran on.
    """
    hostname = response.get_asset().get_hostname()

    def read_is_rare(read_file) -> bool:
        # How often has an osascript process read this exact path?
        path_count = self.counter.get_count_for(
            ProcessQuery()
            .with_process_name(eq="osascript")
            .with_read_files(
                FileQuery().with_file_path(read_file.get_file_path())
            )
        )
        return path_count < 4

    # any() short-circuits on the first rare file, so no further counts are
    # requested once one is found.
    if any(read_is_rare(read_file) for read_file in response.get_read_files()):
        output.send(
            ExecutionHit(
                analyzer_name="Osascript Process Execution - Rare File Read",
                node_view=response,
                risk_score=5,
                lenses=hostname,
            )
        )
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Match processes that deleted a file which has a ``spawned_from`` edge.

    NOTE(review): presumably this targets a binary that was executed and then
    removed; confirm the meaning of ``with_spawned_from`` against the schema.
    """
    deleted_spawner = FileQuery().with_spawned_from()
    return ProcessQuery().with_deleted_files(deleted_spawner)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Match a named process with a named parent (and the parent's binary)
    whose own binary path contains the System32 / SysWow64 directory
    fragments.

    The parent's ``with_process_name()`` and ``FileQuery()`` carry no
    predicates, so they only require those edges to exist and be returned.
    """
    named_parent = (
        ProcessQuery()
        .with_process_name()
        .with_bin_file(FileQuery())
    )
    # NOTE(review): two chained contains= filters -- OR vs AND is up to the
    # query DSL; confirm.
    system_dir_binary = (
        FileQuery()
        .with_file_path(contains='Windows\\\\System32\\')
        .with_file_path(contains='Windows\\\\SysWow64\\')
    )
    return (
        ProcessQuery()
        .with_process_name()
        .with_parent(named_parent)
        .with_bin_file(system_dir_binary)
    )
def get_queries(self) -> OneOrMany[IpcQuery]:
    """Match IPC whose creating process does not run one of the listed ssh
    client binaries and whose receiving process is named ``ssh-agent`` /
    ``sshd``.

    Intent, as far as the filters show: an unexpected process talking to the
    SSH agent or daemon over IPC.
    """
    non_ssh_creator = ProcessQuery().with_bin_file(
        FileQuery().with_file_path(
            eq=[
                Not("/usr/bin/ssh-add"),
                Not("/bin/ssh"),
                Not("/usr/bin/ssh"),
            ]
        )
    )
    ssh_side_recipient = (
        ProcessQuery()
        .with_process_name(eq='ssh-agent')
        .with_process_name(eq='sshd')
    )
    return (
        IpcQuery()
        .with_ipc_creator(non_ssh_creator)
        .with_ipc_recipient(ssh_side_recipient)
    )
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Match processes whose binary was created by one of the listed archive
    unpacker processes (7zip, winrar, zip).
    """
    archive_tools = ("7zip.exe", "winrar.exe", "zip.exe")
    unpacker_query = ProcessQuery()
    for tool_name in archive_tools:
        # Relies on the builder mutating in place; the return value is
        # intentionally not used.
        unpacker_query.with_process_name(eq=tool_name)
    extracted_binary = FileQuery().with_creator(unpacker_query)
    return ProcessQuery().with_bin_file(extracted_binary)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Match ``firefox.exe`` / ``chrome.exe`` processes that created a file
    whose path contains neither ``AppData`` nor ``tmp``.
    """
    outside_profile_or_tmp = FileQuery().with_file_path(
        contains=[Not("AppData"), Not("tmp")]
    )
    return (
        ProcessQuery()
        .with_process_name(eq="firefox.exe")
        .with_process_name(eq="chrome.exe")
        .with_created_files(outside_profile_or_tmp)
    )
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Match a process named ``python`` that spawned a child whose binary is
    ``/bin/sh`` / ``/bin/bash``.
    """
    shell_binary = (
        FileQuery()
        .with_file_path(eq="/bin/sh")
        .with_file_path(eq="/bin/bash")
    )
    shell_child = ProcessQuery().with_bin_file(shell_binary)
    return (
        ProcessQuery()
        .with_process_name(eq="python")
        .with_children(shell_child)
    )