def on_response(self, response: IpcView, output: Any) -> None:
    """Report every IPC node matched by this analyzer's query as an "SSH IPC" hit.

    No additional filtering happens here: the query that produced ``response``
    is the whole detection, so each match is forwarded at the same fixed score.

    Args:
        response: the matched ``IpcView``; attached to the hit unchanged.
        output: sink exposing ``send``, which receives the ``ExecutionHit``.
    """
    hit = ExecutionHit(
        analyzer_name="SSH IPC",
        node_view=response,
        risk_score=75,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any) -> None:
    """Forward a matched process as a low-score "Browser Created File" hit.

    The match itself is decided entirely by the analyzer's query; this hook
    only wraps the node in an ``ExecutionHit`` and hands it to ``output``.

    Args:
        response: the matched ``ProcessView``.
        output: sink exposing ``send``.
    """
    hit_fields = dict(
        analyzer_name="Browser Created File",
        node_view=response,
        risk_score=5,
    )
    output.send(ExecutionHit(**hit_fields))
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report an osascript process that read a file osascript rarely reads.

    For each file ``response`` read, ``self.counter`` is asked how many
    matches exist for a query of osascript processes reading that same path.
    Fewer than four is treated as rare; the first rare file ends the scan and
    the process is reported once, tagged with its asset hostname.

    Args:
        response: the matched ``ProcessView``; its read files drive the check.
        output: sink exposing ``send``.
    """
    hostname = response.get_asset().get_hostname()

    def _osascript_reads_of(path) -> int:
        # How often osascript has been seen reading exactly this path.
        return self.counter.get_count_for(
            ProcessQuery()
            .with_process_name(eq="osascript")
            .with_read_files(FileQuery().with_file_path(path))
        )

    # ``any`` stops at the first rare file, mirroring the original early break.
    read_files = response.get_read_files()
    if any(_osascript_reads_of(f.get_file_path()) < 4 for f in read_files):
        output.send(
            ExecutionHit(
                analyzer_name="Osascript Process Execution - Rare File Read",
                node_view=response,
                risk_score=5,
                lenses=hostname,
            )
        )
def on_response(self, response: ProcessView, output: Any) -> None:
    """Emit a "Cmd Child Network" hit for a process matched by the query.

    Args:
        response: the matched ``ProcessView``, attached as ``node_view``.
        output: sink exposing ``send``.
    """
    # Fixed low score: the query already encodes the whole detection.
    hit = ExecutionHit(
        analyzer_name="Cmd Child Network",
        node_view=response,
        risk_score=5,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a process matching the SetupComplete.cmd (CVE-2019-1378) pattern.

    The matching logic lives in the analyzer's query; this hook only assigns
    the fixed score and forwards the hit.

    Args:
        response: the matched ``ProcessView``.
        output: sink exposing ``send``.
    """
    hit_fields = dict(
        analyzer_name="Exploiting SetupComplete.cmd CVE-2019-1378",
        node_view=response,
        risk_score=50,
    )
    output.send(ExecutionHit(**hit_fields))
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a commonly targeted application that spawned a child process.

    Args:
        response: the matched ``ProcessView``.
        output: sink exposing ``send``.
    """
    hit = ExecutionHit(
        analyzer_name="Common Target Application With Child Process",
        node_view=response,
        risk_score=75,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a svchost process the analyzer's query considers suspicious.

    Args:
        response: the matched ``ProcessView``.
        output: sink exposing ``send``.
    """
    hit_fields = dict(
        analyzer_name="Suspicious svchost",
        node_view=response,
        risk_score=75,
    )
    output.send(ExecutionHit(**hit_fields))
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a PowerShell process that spawned a child process.

    Args:
        response: the matched ``ProcessView``.
        output: sink exposing ``send``.
    """
    hit = ExecutionHit(
        analyzer_name="Powershell With Child Process",
        node_view=response,
        risk_score=25,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a process that deleted a binary file.

    Args:
        response: the matched ``ProcessView``.
        output: sink exposing ``send``.
    """
    hit_fields = dict(
        analyzer_name="Process Deletes Binary File",
        node_view=response,
        risk_score=20,
    )
    output.send(ExecutionHit(**hit_fields))
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a process executing from an unpacked file, logging its name first.

    Args:
        response: the matched ``ProcessView``.
        output: sink exposing ``send``.
    """
    # Debug trace to stdout before the hit is emitted.
    name = response.get_process_name()
    print(f'Unpacked process: {name}')

    hit = ExecutionHit(
        analyzer_name="Process Executing From Unpacked File",
        node_view=response,
        risk_score=15,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any) -> None:
    """Emit a "Cmd Child Network" hit tagged with the process's asset hostname.

    Args:
        response: the matched ``ProcessView``; its asset supplies the hostname
            passed as ``lenses``.
        output: sink exposing ``send``.
    """
    hostname = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Cmd Child Network",
        node_view=response,
        risk_score=5,
        lenses=hostname,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a Python process that spawned many shells.

    Args:
        response: the matched ``ProcessView``.
        output: sink exposing ``send``.
    """
    hit_fields = dict(
        analyzer_name="Python Process With Many Shells",
        node_view=response,
        risk_score=5,
    )
    output.send(ExecutionHit(**hit_fields))
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report cmd spawned under a DNS process at maximum score.

    The hit is tagged with a single ``('hostname', <asset hostname>)`` lens
    (note the list-of-tuples form, unlike analyzers that pass a bare string).

    Args:
        response: the matched ``ProcessView``.
        output: sink exposing ``send``.
    """
    host = response.get_asset().get_hostname()
    lenses = [('hostname', host)]
    output.send(
        ExecutionHit(
            analyzer_name='CmdChildOfDns',
            node_view=response,
            risk_score=100,
            lenses=lenses,
        )
    )
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a Python process with many shells, tagged with its asset hostname.

    Args:
        response: the matched ``ProcessView``; its asset hostname is the lens.
        output: sink exposing ``send``.
    """
    hostname = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Python Process With Many Shells",
        node_view=response,
        risk_score=5,
        lenses=hostname,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a suspicious svchost, tagged with a ``("hostname", ...)`` lens.

    Args:
        response: the matched ``ProcessView``.
        output: sink exposing ``send``.
    """
    host = response.get_asset().get_hostname()
    hit_fields = dict(
        analyzer_name="Suspicious svchost",
        node_view=response,
        risk_score=75,
        lenses=[("hostname", host)],
    )
    output.send(ExecutionHit(**hit_fields))
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a process that deleted a binary file, tagged with its hostname.

    Args:
        response: the matched ``ProcessView``; its asset hostname is the lens.
        output: sink exposing ``send``.
    """
    hostname = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Process Deletes Binary File",
        node_view=response,
        risk_score=20,
        lenses=hostname,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a commonly targeted application with a child, tagged by hostname.

    Args:
        response: the matched ``ProcessView``; its asset hostname is the lens.
        output: sink exposing ``send``.
    """
    hostname = response.get_asset().get_hostname()
    hit_fields = dict(
        analyzer_name="Common Target Application With Child Process",
        node_view=response,
        risk_score=75,
        lenses=hostname,
    )
    output.send(ExecutionHit(**hit_fields))
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report PowerShell with a child process, tagged with its asset hostname.

    Args:
        response: the matched ``ProcessView``; its asset hostname is the lens.
        output: sink exposing ``send``.
    """
    hostname = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Powershell With Child Process",
        node_view=response,
        risk_score=25,
        lenses=hostname,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report the SetupComplete.cmd (CVE-2019-1378) pattern, tagged by hostname.

    Args:
        response: the matched ``ProcessView``; its asset hostname is the lens.
        output: sink exposing ``send``.
    """
    hostname = response.get_asset().get_hostname()
    hit_fields = dict(
        analyzer_name="Exploiting SetupComplete.cmd CVE-2019-1378",
        node_view=response,
        risk_score=50,
        lenses=hostname,
    )
    output.send(ExecutionHit(**hit_fields))
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a "Browser Created File" match, tagged with its asset hostname.

    Args:
        response: the matched ``ProcessView``; its asset hostname is the lens.
        output: sink exposing ``send``.
    """
    hostname = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Browser Created File",
        node_view=response,
        risk_score=5,
        lenses=hostname,
    )
    output.send(hit)
def on_response(self, response: IpcView, output: Any) -> None:
    """Report an "SSH IPC" match, tagged with the IPC creator's asset hostname.

    The hostname is resolved through the *creator* side of the IPC node, not
    the recipient.

    Args:
        response: the matched ``IpcView``.
        output: sink exposing ``send``.
    """
    creator = response.get_ipc_creator()
    hostname = creator.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="SSH IPC",
        node_view=response,
        risk_score=75,
        lenses=hostname,
    )
    output.send(hit)
def on_response(self, response: GuardDutyFindingView, output: Any) -> None:
    """Forward a GuardDuty finding as a hit, tagged with its AWS account id.

    Args:
        response: the matched ``GuardDutyFindingView``; ``get_account_id()``
            supplies the lens.
        output: sink exposing ``send``.
    """
    account = response.get_account_id()
    hit_fields = dict(
        analyzer_name="GuardDuty Finding",
        node_view=response,
        risk_score=75,
        lenses=account,
    )
    output.send(ExecutionHit(**hit_fields))
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report an ssh process whose parent rarely launches ssh.

    ``self.counter`` is queried for how often the parent's process name has
    spawned ``response``'s process name; three or fewer sightings is rare.
    The count is always printed, hit or not.

    Args:
        response: the matched ``ProcessView`` (the ssh process).
        output: sink exposing ``send``.
    """
    parent_name = response.get_parent().get_process_name()
    child_name = response.get_process_name()
    count = self.counter.get_count_for(
        parent_process_name=parent_name,
        child_process_name=child_name,
    )
    print(f'Counted {count} for parent -> ssh')

    if count > 3:
        return  # common pairing, nothing to report
    output.send(
        ExecutionHit(
            analyzer_name="Rare Parent of SSH",
            node_view=response,
            risk_score=5,
        )
    )
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a process that is a rarely seen parent of ``cmd.exe``.

    ``self.counter`` is asked how often ``response``'s process name has
    spawned ``cmd.exe``; three or fewer observations triggers a hit.

    Args:
        response: the matched ``ProcessView`` (the candidate parent).
        output: sink exposing ``send``.
    """
    parent_name = response.get_process_name()
    count = self.counter.get_count_for(
        parent_process_name=parent_name,
        child_process_name="cmd.exe",
    )
    if count > 3:
        return  # frequently seen parent; not interesting
    hit = ExecutionHit(
        analyzer_name="Rare Parent of cmd.exe",
        node_view=response,
        risk_score=5,
    )
    output.send(hit)
def on_response(self, child: ProcessView, output: Any) -> None:
    """Report a process whose user id differs from its parent's.

    Both ids come from the module-level ``get_user_id`` helper; any inequality
    (including one side being unresolved) is treated as a mismatch.

    Args:
        child: the matched ``ProcessView``; its parent is fetched here.
        output: sink exposing ``send``.
    """
    parent = child.get_parent()
    ids_differ = get_user_id(child) != get_user_id(parent)
    if not ids_differ:
        return
    hit = ExecutionHit(
        analyzer_name="Parent Child User Mismatch",
        node_view=child,
        risk_score=25,
    )
    output.send(hit)
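def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a Windows builtin whose parent/child pairing is rarely observed.

    ``self.counter`` is asked how often ``response``'s parent process name has
    spawned ``response``'s process name; two or fewer observations is treated
    as unique enough to report.

    Args:
        response: the matched ``ProcessView``; its own and its parent's process
            names feed the counter lookup.
        output: sink exposing ``send``, which receives the ``ExecutionHit``.
    """
    # Bug fix: the lookup previously read ``get_parent()``/``get_process_name()``
    # off ``output`` (the result sink) instead of ``response``, so this
    # analyzer raised on every match and could never emit a hit.
    parent_name = response.get_parent().get_process_name()
    child_name = response.get_process_name()
    count = self.counter.get_count_for(
        parent_process_name=parent_name,
        child_process_name=child_name,
    )
    if count <= 2:
        output.send(
            ExecutionHit(
                analyzer_name="Unique Windows Builtin Execution",
                node_view=response,
                risk_score=15,
            )
        )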
def on_response(self, response: ProcessView, output: Any) -> None:
    """Report a rarely seen parent of ``cmd.exe``, tagged with a hostname lens.

    ``self.counter`` is asked how often ``response``'s process name has
    spawned ``cmd.exe``; three or fewer observations triggers a hit carrying
    ``[("hostname", <asset hostname>)]`` as its lenses.

    Args:
        response: the matched ``ProcessView`` (the candidate parent).
        output: sink exposing ``send``.
    """
    count = self.counter.get_count_for(
        parent_process_name=response.get_process_name(),
        child_process_name="cmd.exe",
    )
    host = response.get_asset().get_hostname()

    if count > 3:
        return  # common parent of cmd.exe
    hit_fields = dict(
        analyzer_name="Rare Parent of cmd.exe",
        node_view=response,
        risk_score=10,
        lenses=[("hostname", host)],
    )
    output.send(ExecutionHit(**hit_fields))
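def on_response(self, response: IpcView, output: Any) -> None:
    """Report ssh-agent IPC whose two endpoints have unrelated uid/auid lineages.

    ``get_uid_auid_lineage`` returns, for each endpoint, the set of uids and
    the set of auids seen along its process lineage. Two lineages are taken to
    agree when one side's set contains the other's; a *mismatch* is the
    opposite - neither set contains the other - and is reported at maximum
    score. Caveat: an empty lineage set is a subset of everything, so an
    endpoint whose lineage could not be resolved never produces a mismatch.

    Args:
        response: the matched ``IpcView``; its creator and recipient are compared.
        output: sink exposing ``send``, which receives the ``ExecutionHit``.
    """
    print(f'Received suspicious IPC view: {response.node_key}')
    src_uids, src_auids = get_uid_auid_lineage(response.get_ipc_creator())
    tgt_uids, tgt_auids = get_uid_auid_lineage(response.get_ipc_recipient())

    def _related(a, b) -> bool:
        # Containment in either direction counts as the same lineage.
        return a.issuperset(b) or a.issubset(b)

    # Bug fix: the original assigned the containment test itself to the
    # ``*_mismatch`` variables, so the analyzer fired exactly when the lineages
    # agreed and stayed silent on the cross-user agent access it is named for
    # (compare the non-lineage variant, which uses ``!=``). Negate it.
    user_mismatch = not _related(src_uids, tgt_uids)
    auid_mismatch = not _related(src_auids, tgt_auids)
    if user_mismatch or auid_mismatch:
        output.send(
            ExecutionHit(
                analyzer_name="Ssh Agent Access: UID or AUID mismatch in lineage",
                node_view=response,
                risk_score=100,
            )
        )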
def on_response(self, response: IpcView, output: Any) -> None:
    """Report ssh-agent IPC where creator and agent differ in uid or auid.

    The IPC creator and recipient (the ssh-agent) are compared with the
    module-level ``get_user_id`` and ``get_auid`` helpers; any inequality in
    either value yields a maximum-score hit tagged with the creator's hostname.

    Args:
        response: the matched ``IpcView``.
        output: sink exposing ``send``.
    """
    print(f'Received suspicious IPC view: {response.node_key}')

    creator = response.get_ipc_creator()
    agent = response.get_ipc_recipient()
    hostname = creator.get_asset().get_hostname()

    same_uid = get_user_id(creator) == get_user_id(agent)
    same_auid = get_auid(creator) == get_auid(agent)
    if same_uid and same_auid:
        return  # identical principals on both ends; nothing to report

    hit = ExecutionHit(
        analyzer_name="Ssh Agent Access: UID or AUID mismatch",
        node_view=response,
        risk_score=100,
        lenses=hostname,
    )
    output.send(hit)
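def on_response(self, response: ProcessView, output: Any) -> None:
    """Report an ssh process whose grandparent rarely leads to ssh.

    ``self.counter`` is queried for how often the grandparent's process name
    has led to ``response``'s process name two generations down; three or
    fewer sightings is rare. The count is printed whether or not a hit is
    emitted. The hit is tagged with the asset hostname.

    Args:
        response: the matched ``ProcessView`` (the ssh process). Its parent and
            grandparent are fetched here; a process without either will raise.
        output: sink exposing ``send``, which receives the ``ExecutionHit``.
    """
    hostname = response.get_asset().get_hostname()
    grandparent_name = response.get_parent().get_parent().get_process_name()
    count = self.counter.get_count_for(
        grand_parent_process_name=grandparent_name,
        grand_child_process_name=response.get_process_name(),
    )
    # Fix: the debug line was copied from the parent-level analyzer and said
    # "parent", which misattributes the count when reading logs side by side.
    print(f'Counted {count} for grandparent -> ssh')
    if count <= 3:
        output.send(
            ExecutionHit(
                analyzer_name="Rare GrandParent of SSH",
                node_view=response,
                risk_score=5,
                lenses=hostname,
            )
        )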