windows-incorrect_path_process.conf
{
"platform": "windows",
"description": "ATT&CK: T1034",
"queries": {
"conhost.exe_incorrect_path": {
"query": "SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!='';",
"interval": 3600,
"description": "Detect processes masquerading as legitimate Windows processes - ATT&CK T1034",
"removed": false
},
"csrss.exe_incorrect_path": {
"query": "SELECT * FROM processes WHERE LOWER(name)='csrss.exe' AND LOWER(path)!='c:\\windows\\system32\\csrss.exe' AND path!='';",
"interval": 3600,
"description": "Detect processes masquerading as legitimate Windows processes - ATT&CK T1034",
"removed": false
},
"explorer.exe_incorrect_path": {
"query": "SELECT * FROM processes WHERE LOWER(name)='explorer.exe' AND LOWER(path)!='c:\\windows\\explorer.exe' AND LOWER(path)!='c:\\windows\\syswow64\\explorer.exe' AND path!='';",
"interval": 3600,
"description": "Detect processes masquerading as legitimate Windows processes - ATT&CK T1034",
"removed": false
},
"dllhost.exe_incorrect_path": {
"query": "SELECT * FROM processes WHERE LOWER(name)='dllhost.exe' AND LOWER(path)!='c:\\windows\\system32\\dllhost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\dllhost.exe' AND path!='';",
"interval": 3600,
"description": "Detect processes masquerading as legitimate Windows processes - ATT&CK T1034",
"removed": false
},
"lsass.exe_incorrect_path": {
"query": "SELECT * FROM processes WHERE LOWER(name)='lsass.exe' AND LOWER(path)!='c:\\windows\\system32\\lsass.exe' AND path!='';",
"interval": 3600,
"description": "Detect processes masquerading as legitimate Windows processes - ATT&CK T1034",
"removed": false
},
"services.exe_incorrect_path": {
"query": "SELECT * FROM processes WHERE LOWER(name)='services.exe' AND LOWER(path)!='c:\\windows\\system32\\services.exe' AND path!='';",
"interval": 3600,
"description": "Detect processes masquerading as legitimate Windows processes - ATT&CK T1034",
"removed": false
},
"smss.exe_incorrect_path": {
"query": "SELECT * FROM processes WHERE LOWER(name)='smss.exe' AND LOWER(path)!='c:\\windows\\system32\\smss.exe' AND path!='';",
"interval": 3600,
"description": "Detect processes masquerading as legitimate Windows processes - ATT&CK T1034",
"removed": false
},
"svchost.exe_incorrect_path": {
"query": "SELECT * FROM processes WHERE LOWER(name)='svchost.exe' AND LOWER(path)!='c:\\windows\\system32\\svchost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\svchost.exe' AND path!='';",
"interval": 3600,
"description": "Detect processes masquerading as legitimate Windows processes - ATT&CK T1034",
"removed": false
},
"wininit.exe_incorrect_path": {
"query": "SELECT * FROM processes WHERE LOWER(name)='wininit.exe' AND LOWER(path)!='c:\\windows\\system32\\wininit.exe' AND path!='';",
"interval": 3600,
"description": "Detect processes masquerading as legitimate Windows processes - ATT&CK T1034",
"removed": false
},
"winlogon.exe_incorrect_path": {
"query": "SELECT * FROM processes WHERE LOWER(name)='winlogon.exe' AND LOWER(path)!='c:\\windows\\system32\\winlogon.exe' AND path!='';",
"interval": 3600,
"description": "Detect processes masquerading as legitimate Windows processes - ATT&CK T1034",
"removed": false
},
"wmiprvse.exe_incorrect_path": {
"query": "SELECT * FROM processes WHERE LOWER(name)='wmiprvse.exe' AND LOWER(path)!='c:\\windows\\system32\\wbem\\wmiprvse.exe' AND LOWER(path)!='c:\\windows\\syswow64\\wbem\\wmiprvse.exe' AND path!='';",
"interval": 3600,
"description": "Detect processes masquerading as legitimate Windows processes - ATT&CK T1034",
"removed": false
}
}
}