def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return the query for browser processes that created files outside the usual drop locations.

    The process is selected by name (``firefox.exe`` / ``chrome.exe``) and
    must have created a file whose path contains neither ``AppData`` nor
    ``tmp``.
    """
    # NOTE(review): two chained with_process_name() calls — confirm whether the
    # DSL ORs or ANDs repeated filters on the same property. If it ANDs them, a
    # single process_name can never equal both values and the query matches
    # nothing; a single call with eq=["firefox.exe", "chrome.exe"] may be the intent.
    browser = ProcessQuery()
    browser = browser.with_process_name(eq="firefox.exe")
    browser = browser.with_process_name(eq="chrome.exe")

    # Files written somewhere other than the profile/temp directories.
    # NOTE(review): whether the two Not() entries are ANDed (path matches
    # neither) or ORed is decided by the DSL, not by this code — verify.
    unusual_drop_path = FileQuery().with_file_path(
        contains=[Not("AppData"), Not("tmp")]
    )
    return browser.with_created_files(unusual_drop_path)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return the query for cmd.exe running the Windows setup-completion scripts.

    Matches a parent process that spawned a child whose binary path ends in
    ``cmd.exe`` and whose arguments reference ``SetupComplete.cmd`` or
    ``PartnerSetupComplete.cmd``, where the parent's own binary is not
    located under the listed Windows system directories.
    """
    # Evaluation order (parent first, then child) is kept as in the original chain.
    launcher = ProcessQuery()

    # Child: cmd.exe invoked with one of the setup-script paths.
    # NOTE(review): the two with_arguments() calls are chained; the intent is
    # OR ("SetupComplete or PartnerSetupComplete"). Confirm whether the DSL ORs
    # or ANDs repeated filters on the same property — if it ANDs, a single
    # call with contains=[path_a, path_b] may be required.
    setup_script = ProcessQuery()
    setup_script = setup_script.with_bin_file(
        FileQuery().with_file_path(ends_with="cmd.exe")
    )
    setup_script = setup_script.with_arguments(
        contains=r"C:\Windows\Setup\Scripts\SetupComplete.cmd"
    )
    setup_script = setup_script.with_arguments(
        contains=r"C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd"
    )
    launcher = launcher.with_children(setup_script)

    # Parent: must not be executing from the trusted system directories.
    # NOTE(review): the trailing `\\*` reads like a glob. If contains() is a
    # plain substring match, no real path contains that literal, every Not()
    # is trivially satisfied and the exclusion is ineffective — verify the
    # DSL's contains semantics.
    trusted_dirs = [
        Not(r'C:\Windows\System32\\*'),
        Not(r'C:\Windows\SysWOW64\\*'),
        Not(r'C:\Windows\WinSxS\\*'),
        Not(r'C:\Windows\Setup\\*'),
    ]
    launcher_binary = FileQuery().with_file_path(contains=trusted_dirs)
    return launcher.with_bin_file(launcher_binary)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return the query for svchost.exe spawned by an unexpected parent.

    The parent is any process whose name is *not* one of the known
    svchost launchers listed below; the asset's hostname is pulled in for
    reporting.
    """
    # Known-benign parents of svchost.exe; each is wrapped in Not() so the
    # query selects parents outside this set.
    # NOTE(review): matching is by process name only, so a binary renamed to
    # one of these names would be excluded — a bin-file path check would be
    # stronger. Also confirm the DSL ANDs the Not() entries (name is none of
    # them) rather than ORing them.
    excluded_parents = [
        Not("services.exe"),
        Not("smss.exe"),
        Not("ngentask.exe"),
        Not("userinit.exe"),
        Not("GoogleUpdate.exe"),
        Not("conhost.exe"),
        Not("MpCmdRun.exe"),
    ]

    parent = ProcessQuery()
    parent = parent.with_process_name(eq=excluded_parents)

    child = ProcessQuery()
    child = child.with_process_name(eq="svchost.exe")
    parent = parent.with_children(child)

    host = AssetQuery()
    host = host.with_hostname()
    return parent.with_asset(host)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return the query for cmd.exe spawned by a parent outside the known-benign set.

    The parent is any process whose name is *not* in the list below; the
    asset's hostname is pulled in for reporting.
    """
    # TODO: We should be checking binary paths for these to ensure we handle impersonation
    # Known-benign parents of cmd.exe; each is wrapped in Not() so the query
    # selects parents outside this set. Name-only matching means a renamed
    # binary would be excluded, which is what the TODO above is about.
    # NOTE(review): confirm the DSL ANDs the Not() entries (name is none of
    # them) rather than ORing them.
    benign_parents = [
        Not("svchost.exe"),
        Not("RuntimeBroker.exe"),
        Not("chrome.exe"),
        Not("explorer.exe"),
        Not("SIHClient.exe"),
        Not("conhost.exe"),
        Not("MpCmdRun.exe"),
        Not("GoogleUpdateComRegisterShell64.exe"),
        Not("GoogleUpdate.exe"),
        Not("notepad.exe"),
        Not("OneDrive.exe"),
        Not("VBoxTray.exe"),
        Not("Firefox Installer.exe"),
    ]

    parent = ProcessQuery()
    parent = parent.with_process_name(eq=benign_parents)

    shell = ProcessQuery()
    shell = shell.with_process_name(eq="cmd.exe")
    parent = parent.with_children(shell)

    host = AssetQuery()
    host = host.with_hostname()
    return parent.with_asset(host)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return the query for cmd.exe spawned by a parent outside the known-benign set.

    The parent is any process whose name is *not* in the list below. Unlike
    the asset-aware variant, no hostname is attached here.
    """
    # Known-benign parents of cmd.exe; each is wrapped in Not() so the query
    # selects parents outside this set.
    # NOTE(review): matching is by process name only, so a binary renamed to
    # one of these names would be excluded — a bin-file path check would be
    # stronger. Also confirm the DSL ANDs the Not() entries (name is none of
    # them) rather than ORing them.
    benign_parents = [
        Not("svchost.exe"),
        Not("RuntimeBroker.exe"),
        Not("chrome.exe"),
        Not("explorer.exe"),
        Not("SIHClient.exe"),
        Not("conhost.exe"),
        Not("MpCmdRun.exe"),
        Not("GoogleUpdateComRegisterShell64.exe"),
        Not("GoogleUpdate.exe"),
        Not("notepad.exe"),
        Not("OneDrive.exe"),
        Not("VBoxTray.exe"),
        Not("Firefox Installer.exe"),
    ]

    parent = ProcessQuery()
    parent = parent.with_process_name(eq=benign_parents)

    shell = ProcessQuery()
    shell = shell.with_process_name(eq="cmd.exe")
    return parent.with_children(shell)