Example #1
 def on_response(self, response: ProcessView, output: Any):
     count = self.counter.get_count_for(
         parent_process_name=response.get_parent().get_process_name(),
         child_process_name=response.get_process_name(),
     )
     print(f'Counted {count} for parent -> ssh')
     if count <= 3:
         output.send(
             ExecutionHit(
                 analyzer_name="Rare Parent of SSH",
                 node_view=response,
                 risk_score=5,
             ))
Example #2
    def on_response(self, response: ProcessView, output: Any):
        count = self.counter.get_count_for(
            parent_process_name=response.get_process_name(),
            child_process_name="cmd.exe",
        )

        if count <= 3:
            output.send(
                ExecutionHit(
                    analyzer_name="Rare Parent of cmd.exe",
                    node_view=response,
                    risk_score=5,
                )
            )
Example #3
    def on_response(self, response: ProcessView, output: Any) -> None:
        count = self.counter.get_count_for(
            parent_process_name=response.get_process_name(),
            child_process_name="cmd.exe",
        )

        asset_id = response.get_asset().get_hostname()

        if count <= 3:
            output.send(
                ExecutionHit(
                    analyzer_name="Rare Parent of cmd.exe",
                    node_view=response,
                    risk_score=10,
                    lenses=[("hostname", asset_id)],
                ))
Example #4
    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        count = self.counter.get_count_for(
            grand_parent_process_name=response.get_parent().get_parent().
            get_process_name(),
            grand_child_process_name=response.get_process_name(),
        )

        print(f'Counted {count} for parent -> ssh')

        if count <= 3:
            output.send(
                ExecutionHit(
                    analyzer_name="Rare GrandParent of SSH",
                    node_view=response,
                    risk_score=5,
                    lenses=asset_id,
                ))