 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Match executions of /usr/bin/osascript together with the files they read.

     The process binary must sit at exactly ``/usr/bin/osascript``; the
     read-file side carries no predicate, so every file the process read is
     returned with the match (presumably for the rarity check done in
     ``on_response`` -- confirm against the analyzer's response handler).

     NOTE(review): the exact-path match means a copied or renamed
     interpreter would not be caught; decide whether that is acceptable.
     """
     # Exact path of the AppleScript interpreter.
     osascript_binary = FileQuery().with_file_path(eq="/usr/bin/osascript")
     # No predicate: the bare with_file_path() is taken to mean "return the
     # path of any read file" -- confirm against the query library.
     any_read_file = FileQuery().with_file_path()
     return ProcessQuery().with_bin_file(osascript_binary).with_read_files(any_read_file)
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Flag a non-system parent that spawns cmd.exe to run a SetupComplete script.

     The child is a ``cmd.exe`` whose arguments reference either
     ``SetupComplete.cmd`` or ``PartnerSetupComplete.cmd`` (the two
     ``with_arguments`` calls are written as alternatives, matching the
     original "or" intent).  The parent process' own binary must *not* live
     under the listed Windows system directories -- those scripts are meant
     to be run by Windows setup, not by an arbitrary process.
     """
     setup_cmd = (
         ProcessQuery()
         .with_bin_file(FileQuery().with_file_path(ends_with="cmd.exe"))
         .with_arguments(contains=r"C:\Windows\Setup\Scripts\SetupComplete.cmd")
         .with_arguments(contains=r"C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd")
     )
     # NOTE(review): these are raw strings, so each ends in a literal `\\*`.
     # Whether `contains` treats that as a glob, a regex or a plain substring
     # is not visible here -- confirm, because with a literal substring match
     # none of these exclusions could ever match a real path, and the
     # "not executing from a system directory" condition would be a no-op.
     # Also check case handling: NTFS paths are case-insensitive, so a
     # lower-cased path would slip past a case-sensitive `contains`.
     outside_system_dirs = FileQuery().with_file_path(contains=[
         Not(r'C:\Windows\System32\\*'),
         Not(r'C:\Windows\SysWOW64\\*'),
         Not(r'C:\Windows\WinSxS\\*'),
         Not(r'C:\Windows\Setup\\*'),
     ])
     return ProcessQuery().with_children(setup_cmd).with_bin_file(outside_system_dirs)
    def on_response(self, response: ProcessView, output: Any):
        """Emit a hit when the matched osascript process read a rarely-read file.

        For each file the process read, ``self.counter`` is asked how many
        ``osascript`` processes have read that same path.  The first path
        seen fewer than four times is enough to send one ``ExecutionHit``
        (risk score 5) lensed on the asset's hostname; a process whose every
        read file is common produces no output.
        """
        hostname = response.get_asset().get_hostname()

        def is_rare_read(read_file) -> bool:
            # NOTE(review): the path is passed positionally while sibling
            # analyzers use `eq=` for exact matches -- confirm the first
            # positional parameter of with_file_path() is the equality
            # predicate.  If get_file_path() can return None this count
            # query would be unconstrained; a guard may be warranted.
            same_path_reads = (
                ProcessQuery()
                .with_process_name(eq="osascript")
                .with_read_files(
                    FileQuery().with_file_path(read_file.get_file_path())
                )
            )
            # Fewer than four osascript readers of this path counts as rare.
            return self.counter.get_count_for(same_path_reads) < 4

        # any() stops at the first rare file, exactly like a loop with break,
        # so no further count queries are issued once a hit is decided.
        if any(is_rare_read(f) for f in response.get_read_files()):
            output.send(
                ExecutionHit(
                    analyzer_name="Osascript Process Execution - Rare File Read",
                    node_view=response,
                    risk_score=5,
                    lenses=hostname,
                )
            )
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Match processes that deleted a file which had itself been executed.

     ``with_deleted_files`` walks to files the process deleted, and the
     predicate-free ``with_spawned_from`` on that file is taken to require a
     spawned-process edge -- i.e. the deleted file was a binary that ran.
     Presumably aimed at droppers removing their own executable after
     launch; confirm the no-argument edge semantics against the query
     library.
     """
     executed_then_deleted = FileQuery().with_spawned_from()
     return ProcessQuery().with_deleted_files(executed_then_deleted)
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Match processes running from System32 or SysWow64, returning parent details.

     The process name, and the parent's name and binary, are requested
     without predicates so they come back on the view.  The two
     ``with_file_path`` calls are written as alternatives (System32 or
     SysWow64), like the repeated predicate calls in the sibling analyzers.

     NOTE(review): the path fragments are ordinary (non-raw) strings, so at
     runtime they contain two backslashes between "Windows" and the
     directory name and a single dangling backslash at the end.  That is not
     how the sibling SetupComplete analyzer spells the same directories and
     would only match real paths if ``contains`` unescapes regex-style --
     confirm, or rewrite as raw strings with single separators.
     """
     parent = ProcessQuery().with_process_name().with_bin_file(FileQuery())
     system_binary = (
         FileQuery()
         .with_file_path(contains='Windows\\\\System32\\')
         .with_file_path(contains='Windows\\\\SysWow64\\')
     )
     return ProcessQuery().with_process_name().with_parent(parent).with_bin_file(system_binary)
 def get_queries(self) -> OneOrMany[IpcQuery]:
     """Match IPC into ssh-agent or sshd from anything but the stock ssh clients.

     The creator's binary path must differ from all three listed paths (a
     list of ``Not`` terms, read as "none of these"); the recipient is a
     process named ``ssh-agent`` or ``sshd``.  This is an SSH-agent hijack
     style signal: a process that is not the ssh client talking to the agent.

     NOTE(review): the allow-list is by exact binary path only.  Legitimate
     agent users such as scp, sftp, rsync or git fall outside it, and a
     copied/renamed ssh would too -- expect tuning in both directions.
     """
     stock_ssh_clients = FileQuery().with_file_path(eq=[
         Not("/usr/bin/ssh-add"),
         Not("/bin/ssh"),
         Not("/usr/bin/ssh")
     ])
     creator = ProcessQuery().with_bin_file(stock_ssh_clients)
     recipient = ProcessQuery().with_process_name(eq='ssh-agent').with_process_name(eq='sshd')
     return IpcQuery().with_ipc_creator(creator).with_ipc_recipient(recipient)
    def get_queries(self) -> OneOrMany[ProcessQuery]:
        """Match processes whose binary was written to disk by an archive utility.

        The query is: a process whose ``bin_file`` has a ``creator`` process
        named like one of the unpackers -- something executed straight out
        of an archive extraction.  Repeated ``with_process_name`` calls on
        the same query object are used as alternatives and rely on the
        builder mutating in place (the return value is discarded).

        NOTE(review): 7-Zip normally runs as ``7z.exe``, ``7zG.exe`` or
        ``7zFM.exe`` rather than ``7zip.exe``, Info-ZIP's extractor is
        ``unzip.exe`` (``zip.exe`` creates archives), and WinRAR's binary is
        mixed-case on disk.  Confirm these names against what the sensor
        actually records before relying on this list.
        """
        archive_tools = ("7zip.exe", "winrar.exe", "zip.exe")

        extractor = ProcessQuery()
        for tool in archive_tools:
            extractor.with_process_name(eq=tool)

        written_by_extractor = FileQuery().with_creator(extractor)
        return ProcessQuery().with_bin_file(written_by_extractor)
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Match firefox.exe or chrome.exe creating a file outside AppData/tmp paths.

     A browser process (either name) that created a file whose path
     contains neither ``AppData`` nor ``tmp`` -- the browser writing
     somewhere other than its profile, cache or a temp directory.

     NOTE(review): these are substring exclusions over the whole path, so a
     file whose *name* happens to contain ``tmp`` or ``AppData`` (for
     instance a download an attacker names that way) is excluded as well,
     while the user's Downloads folder is not excluded at all -- expect
     both misses and noise.  Confirm how ``contains`` handles case too.
     """
     browser = ProcessQuery().with_process_name(eq="firefox.exe").with_process_name(eq="chrome.exe")
     file_outside_profile = FileQuery().with_file_path(contains=[Not("AppData"), Not("tmp")])
     return browser.with_created_files(file_outside_profile)
 def get_queries(self) -> OneOrMany[ProcessQuery]:
     """Match a process named ``python`` that spawned /bin/sh or /bin/bash.

     The child's binary path must equal one of the two shell paths (the
     repeated ``with_file_path`` calls are alternatives) -- a Python
     interpreter dropping to a shell, e.g. via ``os.system`` or
     ``subprocess`` with ``shell=True``.

     NOTE(review): the parent match is the exact name ``python``; on most
     systems the interpreter runs as ``python3``/``python3.x`` and would not
     match, and shells at ``/usr/bin/bash``, ``/bin/dash`` or ``/bin/zsh``
     are not covered either.  A prefix or regex predicate would close the
     gap if the library offers one (sibling analyzers use ``ends_with``).
     """
     shell_binary = (
         FileQuery()
         .with_file_path(eq="/bin/sh")
         .with_file_path(eq="/bin/bash")
     )
     shell_child = ProcessQuery().with_bin_file(shell_binary)
     return ProcessQuery().with_process_name(eq="python").with_children(shell_child)