def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for a child process whose parent also carries a user-id assumption.

    Both the child and the parent ``ProcessQuery`` are passed through
    ``with_assumed_user_id`` before the parent relation is attached, so the
    returned query matches a process that has an assumed user id and whose
    parent has one as well. What ``with_assumed_user_id`` attaches (and how
    the two assumptions are compared, if at all) is defined outside this
    block.
    """
    ancestor = with_assumed_user_id(ProcessQuery())
    descendant = with_assumed_user_id(ProcessQuery())
    # with_parent attaches the relation in place; the mutated child query is
    # what gets returned.
    descendant.with_parent(ancestor)
    return descendant
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for ``cmd.exe`` spawned by a parent outside the expected set.

    Every entry of the exclusion list is wrapped in ``Not``, so the parent
    matches only when its process name is none of those values; the parent
    must additionally have a child named ``cmd.exe``. Matching is on process
    name alone, so a binary renamed to one of the excluded names would be
    treated as expected — pairing the name with its binary path would make
    the exclusion harder to evade.
    """
    # Parent process names that are expected to launch cmd.exe and are
    # therefore excluded from the match.
    expected_cmd_launchers = [
        Not("svchost.exe"),
        Not("RuntimeBroker.exe"),
        Not("chrome.exe"),
        Not("explorer.exe"),
        Not("SIHClient.exe"),
        Not("conhost.exe"),
        Not("MpCmdRun.exe"),
        Not("GoogleUpdateComRegisterShell64.exe"),
        Not("GoogleUpdate.exe"),
        Not("notepad.exe"),
        Not("OneDrive.exe"),
        Not("VBoxTray.exe"),
        Not("Firefox Installer.exe"),
    ]
    unexpected_parent = ProcessQuery().with_process_name(eq=expected_cmd_launchers)
    cmd_child = ProcessQuery().with_process_name(eq="cmd.exe")
    return unexpected_parent.with_children(cmd_child)
def get_queries(self) -> OneOrMany[IpcQuery]:
    """Return two IPC queries pairing an ssh daemon/agent creator with a recipient.

    Both queries link an IPC creator named ``ssh-agent`` or ``sshd`` to an
    arbitrary recipient process. The first wraps creator and recipient in
    ``with_assumed_user_id``, the second in ``with_assumed_auid``; the
    accompanying comments describe them as uid and auid mismatch checks
    respectively, though the mismatch itself is not expressed in this block.
    """

    def ssh_daemon_query() -> ProcessQuery:
        # Chained with_process_name calls accumulate the alternative names.
        return (
            ProcessQuery()
            .with_process_name(eq='ssh-agent')
            .with_process_name(eq='sshd')
        )

    creator_by_uid = with_assumed_user_id(ssh_daemon_query())
    recipient_by_uid = with_assumed_user_id(ProcessQuery())
    creator_by_auid = with_assumed_auid(ssh_daemon_query())
    recipient_by_auid = with_assumed_auid(ProcessQuery())

    # Query to check for mismatch of uid
    uid_query = (
        IpcQuery()
        .with_ipc_creator(creator_by_uid)
        .with_ipc_recipient(recipient_by_uid)
    )
    # Query to check for mismatch of auid
    auid_query = (
        IpcQuery()
        .with_ipc_creator(creator_by_auid)
        .with_ipc_recipient(recipient_by_auid)
    )
    return (uid_query, auid_query)
def get_queries(self) -> OneOrMany[IpcQuery]:
    """Return an IPC query for non-ssh binaries talking to ``ssh-agent``/``sshd``.

    The IPC creator's binary path must be none of the three ssh client
    paths listed (each wrapped in ``Not``); the recipient must be a process
    named ``ssh-agent`` or ``sshd``. The path list is exact-match (``eq``),
    so an ssh client installed under another prefix would not be excluded
    and would show up as a hit.
    """
    ipc = IpcQuery()
    creator = ProcessQuery()
    # Exact paths of the ssh client binaries that legitimately talk to the agent.
    non_ssh_binary = FileQuery().with_file_path(eq=[
        Not("/usr/bin/ssh-add"),
        Not("/bin/ssh"),
        Not("/usr/bin/ssh"),
    ])
    ipc = ipc.with_ipc_creator(creator.with_bin_file(non_ssh_binary))
    ssh_daemon = (
        ProcessQuery()
        .with_process_name(eq='ssh-agent')
        .with_process_name(eq='sshd')
    )
    return ipc.with_ipc_recipient(ssh_daemon)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for a process whose binary was created by an archive tool.

    The creator is a ``ProcessQuery`` carrying the three unpacker names
    below; the matched process is any whose ``bin_file`` was created by
    such a process.
    """
    unpacker = ProcessQuery()
    # with_process_name mutates the query in place, accumulating each name.
    for archiver in ("7zip.exe", "winrar.exe", "zip.exe"):
        unpacker.with_process_name(eq=archiver)
    spawned = ProcessQuery()
    unpacked_binary = FileQuery().with_creator(unpacker)
    return spawned.with_bin_file(unpacked_binary)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for any named process that has a named parent.

    No constraints are placed on the names; ``with_process_name()`` with no
    arguments only requests that the field be present/fetched.
    """
    process = ProcessQuery().with_process_name()
    parent = ProcessQuery().with_process_name()
    return process.with_parent(parent)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for ``dns.exe`` spawning one of several child binaries.

    The child carries the six process names below; the asset hostname is
    requested on the ``dns.exe`` process. Names are matched without a
    binary path, so a renamed binary would not match this query.
    """
    dns_server = ProcessQuery().with_process_name(eq='dns.exe')
    suspicious_child = ProcessQuery()
    # with_process_name mutates in place, accumulating each alternative name.
    for child_name in (
        'cmd.exe',
        'mshta.exe',
        'rundll32.exe',
        'conhost.exe',
        'dnscmd.exe',
        'werfault.exe',
    ):
        suspicious_child.with_process_name(eq=child_name)
    with_child = dns_server.with_children(suspicious_child)
    return with_child.with_asset(AssetQuery().with_hostname())
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for a ``python`` process that spawns a shell binary.

    The child's binary path is ``/bin/sh`` or ``/bin/bash``. The parent is
    matched on the exact name ``python``, so versioned interpreter names
    (e.g. ``python3``) are not covered by this query.
    """
    interpreter = ProcessQuery().with_process_name(eq="python")
    shell = ProcessQuery()
    shell_binary = (
        FileQuery()
        .with_file_path(eq="/bin/sh")
        .with_file_path(eq="/bin/bash")
    )
    return interpreter.with_children(shell.with_bin_file(shell_binary))
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for ``svchost.exe`` launched by an unexpected parent.

    The parent's process name must be none of the names below (each wrapped
    in ``Not``) and it must have a child named ``svchost.exe``. Name-only
    matching means a parent renamed to an excluded name evades the query.
    """
    # Parents that legitimately launch svchost.exe; all are excluded.
    expected_svchost_parents = [
        Not("services.exe"),
        Not("smss.exe"),
        Not("ngentask.exe"),
        Not("userinit.exe"),
        Not("GoogleUpdate.exe"),
        Not("conhost.exe"),
        Not("MpCmdRun.exe"),
    ]
    unexpected_parent = ProcessQuery().with_process_name(eq=expected_svchost_parents)
    svchost_child = ProcessQuery().with_process_name(eq="svchost.exe")
    return unexpected_parent.with_children(svchost_child)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for a process outside Windows system directories running SetupComplete via cmd.exe.

    The matched (parent) process has a child whose binary path ends with
    ``cmd.exe`` and whose arguments contain either the SetupComplete.cmd or
    PartnerSetupComplete.cmd script path; the parent's own binary path must
    not fall under any of the four Windows directories listed.
    """
    spawning_process = ProcessQuery()
    cmd_child = ProcessQuery()
    cmd_binary = FileQuery().with_file_path(ends_with="cmd.exe")
    # Either setup script referenced in the child's arguments.
    cmd_child = (
        cmd_child.with_bin_file(cmd_binary)
        .with_arguments(contains=r"C:\Windows\Setup\Scripts\SetupComplete.cmd")
        .with_arguments(contains=r"C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd")
    )
    spawning_process = spawning_process.with_children(cmd_child)
    # The parent must *not* execute from these Windows directories.
    outside_system_dirs = FileQuery().with_file_path(contains=[
        Not(r'C:\Windows\System32\\*'),
        Not(r'C:\Windows\SysWOW64\\*'),
        Not(r'C:\Windows\WinSxS\\*'),
        Not(r'C:\Windows\Setup\\*'),
    ])
    return spawning_process.with_bin_file(outside_system_dirs)
def on_response(self, response: ProcessView, output: Any):
    """Emit a hit when the osascript process read a file that is rarely read.

    For each file the process read, ``self.counter.get_count_for`` is asked
    how many ``osascript`` processes read that same path; the first count
    below 4 marks the read as rare and stops further lookups. A rare read
    produces an ``ExecutionHit`` with risk score 5, lensed on the asset's
    hostname. ``counter.get_count_for`` is assumed to accept a
    ``ProcessQuery`` here — confirm against the counter implementation.
    """
    asset_id = response.get_asset().get_hostname()
    rare_threshold = 4

    def readers_of(read_file) -> int:
        # Number of osascript processes that read this exact file path.
        return self.counter.get_count_for(
            ProcessQuery()
            .with_process_name(eq="osascript")
            .with_read_files(
                FileQuery().with_file_path(read_file.get_file_path())
            )
        )

    # any() short-circuits on the first rare read, like an explicit break.
    saw_rare_read = any(
        readers_of(read_file) < rare_threshold
        for read_file in response.get_read_files()
    )
    if not saw_rare_read:
        return

    output.send(
        ExecutionHit(
            analyzer_name="Osascript Process Execution - Rare File Read",
            node_view=response,
            risk_score=5,
            lenses=asset_id,
        )
    )
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for a process that deleted a file some process was spawned from.

    ``with_spawned_from()`` takes no arguments here, so any spawned-from
    relation on the deleted file satisfies the query.
    """
    deleter = ProcessQuery()
    deleted_executable = FileQuery().with_spawned_from()
    return deleter.with_deleted_files(deleted_executable)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for a process running from System32/SysWow64 with a named parent.

    The process's binary path must contain one of the two Windows directory
    fragments below; the parent is requested with its name and binary file
    but is otherwise unconstrained.
    """
    process = ProcessQuery().with_process_name()
    parent = ProcessQuery().with_process_name()
    parent_binary = FileQuery()
    process = process.with_parent(parent.with_bin_file(parent_binary))
    # Backslash-escaped fragments matched with `contains`.
    system_binary = (
        FileQuery()
        .with_file_path(contains='Windows\\\\System32\\')
        .with_file_path(contains='Windows\\\\SysWow64\\')
    )
    return process.with_bin_file(system_binary)
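def get_count_for(
    self,
    grand_parent_process_name: str,
    grand_child_process_name: str,
    max_count: int = 4,
) -> int:
    """Count processes named *grand_parent_process_name* with a grandchild named *grand_child_process_name*.

    The count is served from ``self.cache`` (when present) once the cached
    value has reached *max_count*; otherwise the graph is queried and the
    cache is updated, never lowering an existing cached value.

    Args:
        grand_parent_process_name: Exact process name of the grandparent.
        grand_child_process_name: Exact process name of the grandchild.
        max_count: Cached counts at or above this value short-circuit the
            graph query.

    Returns:
        The number of matching grandparent processes.
    """
    # A separator keeps distinct name pairs from sharing a key — plain
    # concatenation would map ("ab", "c") and ("a", "bc") to the same entry.
    # Process names are not expected to contain "|".
    key = "|".join(
        (type(self).__name__, grand_parent_process_name, grand_child_process_name)
    )

    cached_count = None
    if self.cache:
        raw_cached = self.cache.get(key)
        # A falsy cached value (missing, empty or zero) is treated as a miss
        # and re-queried rather than trusted.
        if raw_cached:
            cached_count = int(raw_cached)

    if cached_count and cached_count >= max_count:
        return cached_count

    query = (
        ProcessQuery()
        .with_process_name(eq=grand_parent_process_name)
        .with_children(
            ProcessQuery().with_children(
                ProcessQuery().with_process_name(eq=grand_child_process_name)
            )
        )
    )  # type: ProcessQuery
    count = query.get_count(self.dgraph_client)

    if self.cache:
        # Only store on a miss or when the fresh count is not below the
        # cached one, so the cached value is monotonically non-decreasing.
        if not cached_count or count >= cached_count:
            self.cache.set(key, count)

    return int(count)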
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for a browser creating a file outside ``AppData`` and ``tmp``.

    The process is named ``firefox.exe`` or ``chrome.exe``; the created
    file's path must contain neither ``AppData`` nor ``tmp`` (both wrapped
    in ``Not``). The check is a substring test, so any path containing
    those fragments anywhere is excluded.
    """
    browser = (
        ProcessQuery()
        .with_process_name(eq="firefox.exe")
        .with_process_name(eq="chrome.exe")
    )
    unusual_location = FileQuery().with_file_path(
        contains=[Not("AppData"), Not("tmp")]
    )
    return browser.with_created_files(unusual_location)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for ``/usr/bin/osascript`` processes together with the files they read.

    The binary is matched on its exact path; ``with_file_path()`` on the
    read files only requests that the path be present so a response handler
    can inspect it.
    """
    osascript = ProcessQuery()
    osascript_binary = FileQuery().with_file_path(eq="/usr/bin/osascript")
    osascript = osascript.with_bin_file(osascript_binary)
    any_read_file = FileQuery().with_file_path()
    return osascript.with_read_files(any_read_file)
def get_auid(process: ProcessView) -> Optional[int]:
    """Return the auid assumed by *process*, or ``None`` when no assumption node exists.

    Looks up the first ``AuidAssumptionQuery`` result whose assuming process
    has *process*'s node key, using the process's own dgraph client.
    The type comment below names ``UserIdAssumptionView`` although the query
    is an auid assumption query — confirm which view class is returned.
    """
    assumption = (
        AuidAssumptionQuery()
        .with_assuming_process(ProcessQuery().with_node_key(process.node_key))
        .with_auid()
        .query_first(process.dgraph_client)
    )  # type: Optional[UserIdAssumptionView]
    if not assumption:
        return None
    return assumption.get_auid()
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for ``cmd.exe`` spawned by an unexpected parent, with the asset hostname.

    The parent's process name must be none of the names below (each wrapped
    in ``Not``); it must have a child named ``cmd.exe``; and its asset's
    hostname is requested for use in the response handler.
    """
    # TODO: match on binary paths as well as names so that a renamed binary
    # impersonating an expected launcher is not silently excluded.
    expected_cmd_launchers = [
        Not("svchost.exe"),
        Not("RuntimeBroker.exe"),
        Not("chrome.exe"),
        Not("explorer.exe"),
        Not("SIHClient.exe"),
        Not("conhost.exe"),
        Not("MpCmdRun.exe"),
        Not("GoogleUpdateComRegisterShell64.exe"),
        Not("GoogleUpdate.exe"),
        Not("notepad.exe"),
        Not("OneDrive.exe"),
        Not("VBoxTray.exe"),
        Not("Firefox Installer.exe"),
    ]
    unexpected_parent = ProcessQuery().with_process_name(eq=expected_cmd_launchers)
    cmd_child = ProcessQuery().with_process_name(eq="cmd.exe")
    with_child = unexpected_parent.with_children(cmd_child)
    return with_child.with_asset(AssetQuery().with_hostname())
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for any process whose parent is named ``powershell.exe``.

    The child is unconstrained; only the parent's name is matched.
    """
    child = ProcessQuery()
    powershell_parent = ProcessQuery().with_process_name(eq="powershell.exe")
    return child.with_parent(powershell_parent)
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for an Office or Reader process that spawns any child.

    The process is named ``winword.exe``, ``excel.exe`` or ``reader.exe``;
    the child ``ProcessQuery`` carries no constraints, so every child
    process of such a parent matches.
    """
    document_handler = ProcessQuery()
    # with_process_name mutates in place, accumulating each alternative name.
    for app_name in ("winword.exe", "excel.exe", "reader.exe"):
        document_handler.with_process_name(eq=app_name)
    return document_handler.with_children(ProcessQuery())
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return a query for a named child of ``cmd.exe`` that created network connections.

    The child's own name is requested but not constrained;
    ``with_created_connections()`` takes no arguments, so any created
    connection satisfies the query.
    """
    child = ProcessQuery().with_process_name()
    cmd_parent = ProcessQuery().with_process_name(eq="cmd.exe")
    child = child.with_parent(cmd_parent)
    return child.with_created_connections()