windows-incorrect_parent_process.conf
{
"platform": "windows",
"description": "ATT&CK: T1173,T1086,T1204,T1183",
"queries": {
"services.exe_incorrect_parent_process": {
"query": "SELECT name as bad_parent_child_name, pid bad_parent_child_pid FROM processes WHERE pid=(SELECT parent FROM processes WHERE parent!=(SELECT pid from processes where name='wininit.exe') AND LOWER(name)='services.exe') OR pid=(SELECT pid FROM processes WHERE parent!=(SELECT pid from processes where name='wininit.exe') AND LOWER(name)='services.exe');",
"interval": 60,
"description": "Detect services.exe running under a parent other than wininit.exe, and report both that child and its parent, as a sign of a process masquerading as a legitimate Windows process - ATT&CK T1204",
"removed": false
},
"lsass.exe_incorrect_parent_process": {
"query": "SELECT name as bad_parent_child_name, pid bad_parent_child_pid FROM processes WHERE pid=(SELECT parent FROM processes WHERE parent!=(SELECT pid from processes where name='wininit.exe') AND LOWER(name)='lsass.exe') OR pid=(SELECT pid FROM processes WHERE parent!=(SELECT pid from processes where name='wininit.exe') AND LOWER(name)='lsass.exe');",
"interval": 60,
"description": "Detect lsass.exe running under a parent other than wininit.exe, and report both that child and its parent, as a sign of a process masquerading as a legitimate Windows process - ATT&CK T1204",
"removed": false
},
"svchost.exe_incorrect_parent_process": {
"query": "SELECT name as bad_parent_child_name, pid bad_parent_child_pid FROM processes WHERE pid=(SELECT parent FROM processes WHERE parent!=(SELECT pid from processes where name='services.exe') AND LOWER(name)='svchost.exe') OR pid=(SELECT pid FROM processes WHERE parent!=(SELECT pid from processes where name='services.exe') AND LOWER(name)='svchost.exe');",
"interval": 60,
"description": "Detect svchost.exe running under a parent other than services.exe, and report both that child and its parent, as a sign of a process masquerading as a legitimate Windows process - ATT&CK T1204",
"removed": false
},
"cmd.exe_incorrect_parent_process": {
"query": "SELECT name as bad_parent_child_name, pid bad_parent_child_pid FROM processes WHERE pid=(SELECT parent FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='cmd.exe') OR pid=(SELECT pid FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='cmd.exe');",
"interval": 60,
"description": "Detect cmd.exe running under a parent other than explorer.exe, and report both that child and its parent, as a sign of a process masquerading as a legitimate Windows process - ATT&CK T1173,T1204",
"removed": false
},
"powershell.exe_incorrect_parent_process": {
"query": "SELECT name as bad_parent_child_name, pid bad_parent_child_pid FROM processes WHERE pid=(SELECT parent FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='powershell.exe') OR pid=(SELECT pid FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='powershell.exe');",
"interval": 60,
"description": "Detect powershell.exe running under a parent other than explorer.exe, and report both that child and its parent, as a sign of a process masquerading as a legitimate Windows process - ATT&CK T1173,T1086,T1204",
"removed": false
},
"notepad++.exe_incorrect_parent_process": {
"query": "SELECT name as bad_parent_child_name, pid bad_parent_child_pid FROM processes WHERE pid=(SELECT parent FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='notepad++.exe') OR pid=(SELECT pid FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='notepad++.exe');",
"interval": 60,
"description": "Detect notepad++.exe running under a parent other than explorer.exe, and report both that child and its parent, as a sign of a process masquerading as a legitimate Windows process - ATT&CK T1204",
"removed": false
},
"notepad.exe_incorrect_parent_process": {
"query": "SELECT name as bad_parent_child_name, pid bad_parent_child_pid FROM processes WHERE pid=(SELECT parent FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='notepad.exe') OR pid=(SELECT pid FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='notepad.exe');",
"interval": 60,
"description": "Detect notepad.exe running under a parent other than explorer.exe, and report both that child and its parent, as a sign of a process masquerading as a legitimate Windows process - ATT&CK T1204",
"removed": false
},
"iexplore.exe_incorrect_parent_process": {
"query": "SELECT name as bad_parent_child_name, pid bad_parent_child_pid FROM processes WHERE pid=(SELECT parent FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='iexplore.exe') OR pid=(SELECT pid FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='iexplore.exe');",
"interval": 60,
"description": "Detect iexplore.exe running under a parent other than explorer.exe, and report both that child and its parent, as a sign of a process masquerading as a legitimate Windows process - ATT&CK T1204",
"removed": false
},
"firefox.exe_incorrect_parent_process": {
"query": "SELECT name as bad_parent_child_name, pid bad_parent_child_pid FROM processes WHERE pid=(SELECT parent FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='firefox.exe') OR pid=(SELECT pid FROM processes WHERE parent!=(SELECT pid from processes where name='explorer.exe') AND LOWER(name)='firefox.exe');",
"interval": 60,
"description": "Detect firefox.exe running under a parent other than explorer.exe, and report both that child and its parent, as a sign of a process masquerading as a legitimate Windows process - ATT&CK T1204",
"removed": false
},
"chrome.exe_incorrect_parent_process": {
"query": "SELECT name as bad_parent_child_name, pid bad_parent_child_pid FROM processes WHERE pid=(SELECT parent FROM processes WHERE parent != (SELECT pid from processes where name='explorer.exe') AND LOWER(name)='chrome.exe') OR pid=(SELECT pid FROM processes WHERE parent != (SELECT pid from processes where name='explorer.exe') AND LOWER(name)='chrome.exe');",
"interval": 60,
"description": "Detect chrome.exe running under a parent other than explorer.exe, and report both that child and its parent, as a sign of a process masquerading as a legitimate Windows process - ATT&CK T1204",
"removed": false
},
"conhost.exe_incorrect_parent_process": {
"query": "SELECT name as bad_parent_child_name, pid bad_parent_child_pid FROM processes WHERE pid=(SELECT parent FROM processes WHERE parent != (SELECT pid from processes where name='csrss.exe') AND LOWER(name)='conhost.exe') OR pid=(SELECT pid FROM processes WHERE parent != (SELECT pid from processes where name='csrss.exe') AND LOWER(name)='conhost.exe');",
"interval": 60,
"description": "Detect conhost.exe running under a parent other than csrss.exe, and report both that child and its parent, as a sign of a process masquerading as a legitimate Windows process - ATT&CK T1204",
"removed": false
}
}
}