windows_generic_detection.conf

{
    "platform": "windows",
    "description": "ATT&CK: T1136,T1078,T1116,T1075,T1097",
    "queries": {
    "system_info": {
        "query": "SELECT * FROM system_info;",
        "interval": 3600,
        "description": "System information for identification."
        },
    "system_info_snapshot": {
        "query": "SELECT * FROM system_info;",
        "interval": 28800,
        "description": "System info snapshot query",
        "snapshot": true
        },
    "uptime": {
        "query": "SELECT * FROM uptime;",
        "interval": 28800,
        "description": "System uptime",
        "snapshot": true
        },
    "programs": {
        "query": "SELECT * FROM users;",
        "interval": 3600,
        "description": "Local system users."
        },
    "programs_snapshot": {
        "query": "select * from programs;",
        "interval": 28800,
        "description": "Local system users.",
        "snapshot": true
        },
    "logged_in_users": {
        "query": "select * from logged_in_users;",
        "interval": 3600,
        "description": "Users with an active shell on the system. - ATT&CK T1075,T1097"
        },
    "users": {
        "query": "SELECT * FROM users;",
        "interval": 3600,
        "description": "Local system users. - ATT&CK T1136,T1078"
        },
    "users_snapshot": {
        "query": "SELECT * FROM users;",
        "interval": 28800,
        "description": "Users snapshot query - ATT&CK T1136,T1078",
        "snapshot": true
        },
    "certificates": {
        "query": "select * from certificates;",
        "interval": 3600,
        "description": "Local system users. - ATT&CK T1116,T1130"
        },
    "certificates_snapshot": {
        "query": "select * from certificates;",
        "interval": 28800,
        "description": "Users snapshot query - ATT&CK T1116,T1130",
        "snapshot": true
        },
    "windows_crashes": {
        "query": "SELECT * FROM windows_crashes;",
        "interval": 3600,
        "description": "Extracted information from Windows crash logs (Minidumps).",
        "removed": false
        }
    }
}