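def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return the query for dns.exe spawning an unexpected child process.

    Matches a parent process named ``dns.exe`` whose child is one of the
    shells / LOLBins in ``suspicious_children``, and joins the hostname of
    the asset the parent ran on.

    The alternative child names are passed as one list to a single
    ``with_process_name`` call, the same form the sibling svchost.exe and
    cmd.exe analyzers use. The previous form chained one call per name,
    which relies on the query builder OR-ing repeated filters on the same
    property; a single process has only one name, so if repeated calls are
    AND-ed that form could never match (TODO confirm against the builder).

    NOTE(review): the match is on process name only, so a renamed binary or
    a parent/child masquerading under another name is not handled — same
    caveat as the binary-path TODO on the cmd.exe analyzer.
    """
    suspicious_children = [
        'cmd.exe',
        'mshta.exe',
        'rundll32.exe',
        'conhost.exe',
        'dnscmd.exe',
        'werfault.exe',
    ]
    child = ProcessQuery().with_process_name(eq=suspicious_children)
    return (
        ProcessQuery()
        .with_process_name(eq='dns.exe')
        .with_children(child)
        .with_asset(AssetQuery().with_hostname())
    )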
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return the query for svchost.exe launched by an unexpected parent.

    The parent process must carry a name that is none of the entries in
    ``expected_parents`` (each wrapped in ``Not``), must have a child named
    ``svchost.exe``, and is joined to the hostname of its asset.

    NOTE(review): matching is by process name only; a binary renamed to one
    of the expected parent names, or an svchost.exe copy under another
    name, is not covered (cf. the binary-path TODO on the cmd.exe analyzer).
    NOTE(review): the ``Not`` terms are handed over as one list — confirm
    the query builder AND-s them; if a list under ``eq`` is OR-ed, "not a OR
    not b" would match every parent.
    """
    expected_parents = [
        Not("services.exe"),
        Not("smss.exe"),
        Not("ngentask.exe"),
        Not("userinit.exe"),
        Not("GoogleUpdate.exe"),
        Not("conhost.exe"),
        Not("MpCmdRun.exe"),
    ]
    parent = ProcessQuery().with_process_name(eq=expected_parents)
    child = ProcessQuery().with_process_name(eq="svchost.exe")
    asset = AssetQuery().with_hostname()
    return parent.with_children(child).with_asset(asset)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return the query for cmd.exe launched by a parent outside the allowlist.

    The parent process must carry a name that is none of the entries in
    ``benign_parents`` (each wrapped in ``Not``), must have a child named
    ``cmd.exe``, and is joined to the hostname of its asset.

    TODO: match on binary paths as well, so a binary renamed to one of the
    allowlisted parent names (impersonation) is not silently excluded.
    NOTE(review): the ``Not`` terms are handed over as one list — confirm
    the query builder AND-s them; if a list under ``eq`` is OR-ed, "not a OR
    not b" would match every parent.
    """
    benign_parents = [
        Not("svchost.exe"),
        Not("RuntimeBroker.exe"),
        Not("chrome.exe"),
        Not("explorer.exe"),
        Not("SIHClient.exe"),
        Not("conhost.exe"),
        Not("MpCmdRun.exe"),
        Not("GoogleUpdateComRegisterShell64.exe"),
        Not("GoogleUpdate.exe"),
        Not("notepad.exe"),
        Not("OneDrive.exe"),
        Not("VBoxTray.exe"),
        Not("Firefox Installer.exe"),
    ]
    parent = ProcessQuery().with_process_name(eq=benign_parents)
    child = ProcessQuery().with_process_name(eq="cmd.exe")
    asset = AssetQuery().with_hostname()
    return parent.with_children(child).with_asset(asset)