def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
rare_read_file = False
for read_file in response.get_read_files():
count = self.counter.get_count_for(
ProcessQuery().with_process_name(eq="osascript")
.with_read_files(
FileQuery().with_file_path(read_file.get_file_path())
)
)
if count < 4:
rare_read_file = True
break
if rare_read_file:
output.send(
ExecutionHit(
analyzer_name="Osascript Process Execution - Rare File Read",
node_view=response,
risk_score=5,
lenses=asset_id,
)
)
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Suspicious svchost",
node_view=response,
risk_score=75,
lenses=[
("hostname", asset_id),
],
risky_node_keys=[
# the asset and the process
response.get_asset().node_key,
response.node_key,
],
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(analyzer_name="Cmd Child Network",
node_view=response,
risk_score=5,
lenses=asset_id))
def on_response(self, response: ProcessView, output: Any):
hostname = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name='CmdChildOfDns',
node_view=response,
risk_score=100,
lenses=[('hostname', hostname)],
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Python Process With Many Shells",
node_view=response,
risk_score=5,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Process Deletes Binary File",
node_view=response,
risk_score=20,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Powershell With Child Process",
node_view=response,
risk_score=25,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Exploiting SetupComplete.cmd CVE-2019-1378",
node_view=response,
risk_score=50,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Common Target Application With Child Process",
node_view=response,
risk_score=75,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Suspicious svchost",
node_view=response,
risk_score=75,
lenses=asset_id
)
)
def on_response(self, response: ProcessView, output: Any):
print(f'Unpacked process: {response.get_process_name()}')
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Process Executing From Unpacked File",
node_view=response,
risk_score=15,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Browser Created File",
node_view=response,
risk_score=5,
lenses=asset_id,
)
)
def on_response(self, response: ProcessView, output: Any) -> None:
count = self.counter.get_count_for(
parent_process_name=response.get_process_name(),
child_process_name="cmd.exe",
)
asset_id = response.get_asset().get_hostname()
if count <= 3:
output.send(
ExecutionHit(
analyzer_name="Rare Parent of cmd.exe",
node_view=response,
risk_score=10,
lenses=[("hostname", asset_id)],
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
count = self.counter.get_count_for(
parent_process_name=output.get_parent().get_process_name(),
child_process_name=output.get_process_name(),
)
if count <= 2:
output.send(
ExecutionHit(
analyzer_name="Unique Windows Builtin Execution",
node_view=response,
risk_score=15,
lenses=asset_id,
))
def on_response(self, child: ProcessView, output: Any):
asset_id = child.get_asset().get_hostname()
parent = child.get_parent()
child_user_id = get_user_id(child)
parent_user_id = get_user_id(parent)
if child_user_id != parent_user_id:
output.send(
ExecutionHit(
analyzer_name="Parent Child User Mismatch",
node_view=child,
risk_score=25,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
count = self.counter.get_count_for(
grand_parent_process_name=response.get_parent().get_parent().
get_process_name(),
grand_child_process_name=response.get_process_name(),
)
print(f'Counted {count} for parent -> ssh')
if count <= 3:
output.send(
ExecutionHit(
analyzer_name="Rare GrandParent of SSH",
node_view=response,
risk_score=5,
lenses=asset_id,
))