def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
rare_read_file = False
for read_file in response.get_read_files():
count = self.counter.get_count_for(
ProcessQuery().with_process_name(eq="osascript")
.with_read_files(
FileQuery().with_file_path(read_file.get_file_path())
)
)
if count < 4:
rare_read_file = True
break
if rare_read_file:
output.send(
ExecutionHit(
analyzer_name="Osascript Process Execution - Rare File Read",
node_view=response,
risk_score=5,
lenses=asset_id,
)
)
def on_response(self, response: ProcessView, output: Any):
count = self.counter.get_count_for(
parent_process_name=response.get_parent().get_process_name(),
child_process_name=response.get_process_name(),
)
print(f'Counted {count} for parent -> ssh')
if count <= 3:
output.send(
ExecutionHit(
analyzer_name="Rare Parent of SSH",
node_view=response,
risk_score=5,
))
def on_response(self, response: ProcessView, output: Any) -> None:
count = self.counter.get_count_for(
parent_process_name=response.get_process_name(),
child_process_name="cmd.exe",
)
asset_id = response.get_asset().get_hostname()
if count <= 3:
output.send(
ExecutionHit(
analyzer_name="Rare Parent of cmd.exe",
node_view=response,
risk_score=10,
lenses=[("hostname", asset_id)],
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(analyzer_name="Cmd Child Network",
node_view=response,
risk_score=5,
lenses=asset_id))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Suspicious svchost",
node_view=response,
risk_score=75,
lenses=[
("hostname", asset_id),
],
risky_node_keys=[
# the asset and the process
response.get_asset().node_key,
response.node_key,
],
))
def on_response(self, child: ProcessView, output: Any):
asset_id = child.get_asset().get_hostname()
parent = child.get_parent()
child_user_id = get_user_id(child)
parent_user_id = get_user_id(parent)
if child_user_id != parent_user_id:
output.send(
ExecutionHit(
analyzer_name="Parent Child User Mismatch",
node_view=child,
risk_score=25,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
hostname = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name='CmdChildOfDns',
node_view=response,
risk_score=100,
lenses=[('hostname', hostname)],
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Common Target Application With Child Process",
node_view=response,
risk_score=75,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Exploiting SetupComplete.cmd CVE-2019-1378",
node_view=response,
risk_score=50,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Process Deletes Binary File",
node_view=response,
risk_score=20,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Python Process With Many Shells",
node_view=response,
risk_score=5,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
count = self.counter.get_count_for(
grand_parent_process_name=response.get_parent().get_parent().
get_process_name(),
grand_child_process_name=response.get_process_name(),
)
print(f'Counted {count} for parent -> ssh')
if count <= 3:
output.send(
ExecutionHit(
analyzer_name="Rare GrandParent of SSH",
node_view=response,
risk_score=5,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Powershell With Child Process",
node_view=response,
risk_score=25,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
print(f'Unpacked process: {response.get_process_name()}')
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Process Executing From Unpacked File",
node_view=response,
risk_score=15,
lenses=asset_id,
))
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Suspicious svchost",
node_view=response,
risk_score=75,
lenses=asset_id
)
)
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
output.send(
ExecutionHit(
analyzer_name="Browser Created File",
node_view=response,
risk_score=5,
lenses=asset_id,
)
)
def on_response(self, response: ProcessView, output: Any):
count = self.counter.get_count_for(
parent_process_name=response.get_process_name(),
child_process_name="cmd.exe",
)
if count <= 3:
output.send(
ExecutionHit(
analyzer_name="Rare Parent of cmd.exe",
node_view=response,
risk_score=5,
)
)
def on_response(self, response: ProcessView, output: Any):
asset_id = response.get_asset().get_hostname()
count = self.counter.get_count_for(
parent_process_name=output.get_parent().get_process_name(),
child_process_name=output.get_process_name(),
)
if count <= 2:
output.send(
ExecutionHit(
analyzer_name="Unique Windows Builtin Execution",
node_view=response,
risk_score=15,
lenses=asset_id,
))
def from_proto(graph_client: GraphClient, node) -> "BaseView":
from grapl_analyzerlib.prelude import (
AssetView,
ProcessView,
FileView,
IpConnectionView,
NetworkConnectionView,
IpPortView,
IpAddressView,
ProcessOutboundConnectionView,
ProcessInboundConnectionView,
)
if node.HasField("process_node"):
uid = get_uid(graph_client, node.process_node.node_key)
assert uid
return ProcessView(
graph_client=graph_client,
uid=uid,
node_key=node.process_node.node_key,
node_types={"Process"},
)
elif node.HasField("file_node"):
uid = get_uid(graph_client, node.file_node.node_key)
return FileView(
graph_client=graph_client,
uid=uid,
node_key=node.file_node.node_key,
node_types={"File"},
)
elif node.HasField("asset_node"):
uid = get_uid(graph_client, node.asset_node.node_key)
return AssetView(
uid, node.asset_node.node_key, graph_client, node_types={"Asset"}
)
elif node.HasField("ip_address_node"):
uid = get_uid(graph_client, node.ip_address_node.node_key)
return IpAddressView(
uid,
node.ip_address_node.node_key,
graph_client,
node_types={"IpAddress"},
)
elif node.HasField("ip_port_node"):
uid = get_uid(graph_client, node.ip_port_node.node_key)
return IpPortView(
uid, node.ip_port_node.node_key, graph_client, node_types={"IpPort"}
)
elif node.HasField("process_outbound_connection_node"):
uid = get_uid(graph_client, node.process_outbound_connection_node.node_key)
return ProcessOutboundConnectionView(
uid,
node.process_outbound_connection_node.node_key,
graph_client,
node_types={"ProcessOutboundConnection"},
)
elif node.HasField("process_inbound_connection_node"):
uid = get_uid(graph_client, node.process_inbound_connection_node.node_key)
return ProcessInboundConnectionView(
uid,
node.process_inbound_connection_node.node_key,
graph_client,
node_types={"ProcessInboundConnection"},
)
elif node.HasField("ip_connection_node"):
uid = get_uid(graph_client, node.ip_connection_node.node_key)
return IpConnectionView(
uid,
node.ip_connection_node.node_key,
graph_client,
node_types={"IpConnection"},
)
elif node.HasField("network_connection_node"):
uid = get_uid(graph_client, node.network_connection_node.node_key)
return NetworkConnectionView(
uid,
node.network_connection_node.node_key,
graph_client,
node_types={"NetworkConnection"},
)
elif node.HasField("dynamic_node"):
uid = get_uid(graph_client, node.dynamic_node.node_key)
return BaseView(
uid,
node.dynamic_node.node_key,
graph_client,
node_types={node.dynamic_node.node_type},
)
else:
raise Exception(f"Invalid Node Type : {node}")
def get_descendents(process: ProcessView) -> None:
children = process.get_children()
for child in children:
get_descendents(child)
def on_response(self, response: ProcessView, output: Any):
parent = response.get_parent()