def on_response(self, response: ProcessView, output: Any): asset_id = response.get_asset().get_hostname() rare_read_file = False for read_file in response.get_read_files(): count = self.counter.get_count_for( ProcessQuery().with_process_name(eq="osascript") .with_read_files( FileQuery().with_file_path(read_file.get_file_path()) ) ) if count < 4: rare_read_file = True break if rare_read_file: output.send( ExecutionHit( analyzer_name="Osascript Process Execution - Rare File Read", node_view=response, risk_score=5, lenses=asset_id, ) )
def on_response(self, response: ProcessView, output: Any):
    """Report every matched process as a "Suspicious svchost" hit.

    No additional filtering happens here: the hit is sent unconditionally
    with risk 75, a ``("hostname", host)`` lens, and both the asset node
    and the process node listed as risky.
    """
    hostname = response.get_asset().get_hostname()
    # Flag the host the process ran on as well as the process itself.
    risky_keys = [response.get_asset().node_key, response.node_key]
    hit = ExecutionHit(
        analyzer_name="Suspicious svchost",
        node_view=response,
        risk_score=75,
        lenses=[("hostname", hostname)],
        risky_node_keys=risky_keys,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any):
    """Send a low-severity "Cmd Child Network" hit for every match.

    Risk score 5; the lens is the bare asset hostname (other analyzers in
    this listing use ``[("hostname", host)]`` — confirm the expected form).
    """
    hostname = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Cmd Child Network",
        node_view=response,
        risk_score=5,
        lenses=hostname,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any):
    """Send a maximum-severity 'CmdChildOfDns' hit for every match.

    Risk score 100 with a ``('hostname', host)`` lens; no extra filtering.
    """
    host = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name='CmdChildOfDns',
        node_view=response,
        risk_score=100,
        lenses=[('hostname', host)],
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any):
    """Send a "Python Process With Many Shells" hit (risk 5) for every match.

    The lens is the bare asset hostname; confirm against ExecutionHit
    whether the ``[("hostname", host)]`` form used elsewhere is required.
    """
    host = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Python Process With Many Shells",
        node_view=response,
        risk_score=5,
        lenses=host,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any):
    """Send a "Process Deletes Binary File" hit (risk 20) for every match.

    The lens is the bare asset hostname; no additional filtering is done.
    """
    host = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Process Deletes Binary File",
        node_view=response,
        risk_score=20,
        lenses=host,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any):
    """Send a "Powershell With Child Process" hit (risk 25) for every match.

    The lens is the bare asset hostname; no additional filtering is done.
    """
    host = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Powershell With Child Process",
        node_view=response,
        risk_score=25,
        lenses=host,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any):
    """Send the "Exploiting SetupComplete.cmd CVE-2019-1378" hit (risk 50).

    Every match is reported; the CVE reference lives only in the analyzer
    name, the matching itself is defined by the query outside this method.
    The lens is the bare asset hostname.
    """
    host = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Exploiting SetupComplete.cmd CVE-2019-1378",
        node_view=response,
        risk_score=50,
        lenses=host,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any):
    """Send a "Common Target Application With Child Process" hit (risk 75).

    Every match is reported with the bare asset hostname as lens.
    """
    host = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Common Target Application With Child Process",
        node_view=response,
        risk_score=75,
        lenses=host,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any):
    """Send a "Suspicious svchost" hit (risk 75) for every match.

    NOTE(review): another analyzer in this listing uses the same
    analyzer_name but passes ``lenses=[("hostname", host)]`` and
    ``risky_node_keys``; this variant sends the bare hostname only.
    Confirm the two are meant to coexist under one name.
    """
    host = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Suspicious svchost",
        node_view=response,
        risk_score=75,
        lenses=host,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any):
    """Send a "Process Executing From Unpacked File" hit (risk 15).

    The matched process name is printed to stdout before the hit is sent
    (debug output — NOTE(review): consider the project's logger instead).
    The lens is the bare asset hostname.
    """
    print(f'Unpacked process: {response.get_process_name()}')
    host = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Process Executing From Unpacked File",
        node_view=response,
        risk_score=15,
        lenses=host,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any):
    """Send a low-severity "Browser Created File" hit (risk 5) for every match.

    The lens is the bare asset hostname; no additional filtering is done.
    """
    host = response.get_asset().get_hostname()
    hit = ExecutionHit(
        analyzer_name="Browser Created File",
        node_view=response,
        risk_score=5,
        lenses=host,
    )
    output.send(hit)
def on_response(self, response: ProcessView, output: Any) -> None: count = self.counter.get_count_for( parent_process_name=response.get_process_name(), child_process_name="cmd.exe", ) asset_id = response.get_asset().get_hostname() if count <= 3: output.send( ExecutionHit( analyzer_name="Rare Parent of cmd.exe", node_view=response, risk_score=10, lenses=[("hostname", asset_id)], ))
def on_response(self, response: ProcessView, output: Any): asset_id = response.get_asset().get_hostname() count = self.counter.get_count_for( parent_process_name=output.get_parent().get_process_name(), child_process_name=output.get_process_name(), ) if count <= 2: output.send( ExecutionHit( analyzer_name="Unique Windows Builtin Execution", node_view=response, risk_score=15, lenses=asset_id, ))
def on_response(self, child: ProcessView, output: Any):
    """Report a process whose user differs from its parent's user.

    ``get_user_id`` (defined elsewhere in this file) is evaluated for the
    matched process and then for its parent; when the two ids differ a
    "Parent Child User Mismatch" hit (risk 25) is sent with the bare
    asset hostname as lens. Equal ids produce nothing.
    """
    host = child.get_asset().get_hostname()
    parent = child.get_parent()
    # Child is resolved before parent, as in the original ordering.
    if get_user_id(child) == get_user_id(parent):
        return
    output.send(
        ExecutionHit(
            analyzer_name="Parent Child User Mismatch",
            node_view=child,
            risk_score=25,
            lenses=host,
        )
    )
def on_response(self, response: ProcessView, output: Any): asset_id = response.get_asset().get_hostname() count = self.counter.get_count_for( grand_parent_process_name=response.get_parent().get_parent(). get_process_name(), grand_child_process_name=response.get_process_name(), ) print(f'Counted {count} for parent -> ssh') if count <= 3: output.send( ExecutionHit( analyzer_name="Rare GrandParent of SSH", node_view=response, risk_score=5, lenses=asset_id, ))