windows_new_file_relevant_infection_path.conf
{
"platform": "windows",
"description": "ATT&CK: T1034,T1074,T1044,T1060,T1023",
"queries": {
"windows_new_file": {
"query": "SELECT hash.md5, path, file.filename, datetime(file.btime, 'unixepoch', 'UTC') as btime, datetime(file.atime, 'unixepoch', 'UTC') as atime, datetime(file.ctime, 'unixepoch', 'UTC') as ctime, datetime(file.mtime, 'unixepoch', 'UTC') as mtime FROM hash JOIN file USING (path) where path like 'C:\\Windows\\%' and type='regular';",
"interval": 1800,
"description": "Check suspicious file creation under c:\\windows - ATT&CK T1034,T1074,T1044",
"platform": "windows",
"removed": false
},
"windows_temp": {
"query": "SELECT hash.md5, path, file.filename, datetime(file.btime, 'unixepoch', 'UTC') as btime, datetime(file.atime, 'unixepoch', 'UTC') as atime, datetime(file.ctime, 'unixepoch', 'UTC') as ctime, datetime(file.mtime, 'unixepoch', 'UTC') as mtime FROM hash JOIN file USING (path) where path like 'C:\\Windows\\temp\\%' and type='regular';",
"interval": 1820,
"description": "Check suspicious file creation under c:\\windows\\temp - ATT&CK T1034,T1074,T1044",
"platform": "windows",
"removed": false
},
"AppData_Roaming": {
"query": "SELECT hash.md5, path, file.filename, datetime(file.btime, 'unixepoch', 'UTC') as btime, datetime(file.atime, 'unixepoch', 'UTC') as atime, datetime(file.ctime, 'unixepoch', 'UTC') as ctime, datetime(file.mtime, 'unixepoch', 'UTC') as mtime FROM hash JOIN file USING (path) where path like 'C:\\users\\%\\AppData\\Roaming\\%' and type='regular';",
"interval": 1840,
"description": "Check suspicious file creation under %APPDATA% (AppData\\Roaming) - ATT&CK T1034,T1074,T1044",
"platform": "windows",
"removed": false
},
"AppData_Local": {
"query": "SELECT hash.md5, path, file.filename, datetime(file.btime, 'unixepoch', 'UTC') as btime, datetime(file.atime, 'unixepoch', 'UTC') as atime, datetime(file.ctime, 'unixepoch', 'UTC') as ctime, datetime(file.mtime, 'unixepoch', 'UTC') as mtime FROM hash JOIN file USING (path) where path like 'C:\\users\\%\\AppData\\Local\\%' and type='regular';",
"interval": 1860,
"description": "Check suspicious file creation under AppData\\Local - ATT&CK T1034,T1074,T1044",
"platform": "windows",
"removed": false
},
"AppData_Local_temp": {
"query": "SELECT hash.md5, path, file.filename, datetime(file.btime, 'unixepoch', 'UTC') as btime, datetime(file.atime, 'unixepoch', 'UTC') as atime, datetime(file.ctime, 'unixepoch', 'UTC') as ctime, datetime(file.mtime, 'unixepoch', 'UTC') as mtime FROM hash JOIN file USING (path) where path like 'C:\\users\\%\\AppData\\Local\\temp\\%' and type='regular';",
"interval": 1900,
"description": "Check suspicious file creation under %TEMP% or AppData\\Local\\Temp - ATT&CK T1034,T1074,T1044",
"platform": "windows",
"removed": false
},
"User_StartMenu_startup": {
"query": "SELECT hash.md5, path, file.filename, datetime(file.btime, 'unixepoch', 'UTC') as btime, datetime(file.atime, 'unixepoch', 'UTC') as atime, datetime(file.ctime, 'unixepoch', 'UTC') as ctime, datetime(file.mtime, 'unixepoch', 'UTC') as mtime FROM hash JOIN file USING (path) where path like 'C:\\users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%' AND type='regular';",
"interval": 1860,
"description": "Check suspicious file creation under Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup - ATT&CK T1060,T1023",
"platform": "windows",
"removed": false
},
"User_StartMenu_program": {
"query": "SELECT hash.md5, path, file.filename, datetime(file.btime, 'unixepoch', 'UTC') as btime, datetime(file.atime, 'unixepoch', 'UTC') as atime, datetime(file.ctime, 'unixepoch', 'UTC') as ctime, datetime(file.mtime, 'unixepoch', 'UTC') as mtime FROM hash JOIN file USING (path) where path like 'C:\\users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\%' AND type='regular';",
"interval": 1860,
"description": "Check suspicious file creation under Roaming\\Microsoft\\Windows\\Start Menu\\Programs - ATT&CK T1060,T1023",
"platform": "windows",
"removed": false
},
"Programmata_StartMenu": {
"query": "SELECT hash.md5, path, file.filename, datetime(file.btime, 'unixepoch', 'UTC') as btime, datetime(file.atime, 'unixepoch', 'UTC') as atime, datetime(file.ctime, 'unixepoch', 'UTC') as ctime, datetime(file.mtime, 'unixepoch', 'UTC') as mtime FROM hash JOIN file USING (path) where path like 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\%' AND type='regular';",
"interval": 1860,
"description": "Check suspicious file creation under ProgramData\\Microsoft\\Windows\\Start Menu - ATT&CK T1060,T1023",
"platform": "windows",
"removed": false
},
"Programmata_StartMenu_program": {
"query": "SELECT hash.md5, path, file.filename, datetime(file.btime, 'unixepoch', 'UTC') as btime, datetime(file.atime, 'unixepoch', 'UTC') as atime, datetime(file.ctime, 'unixepoch', 'UTC') as ctime, datetime(file.mtime, 'unixepoch', 'UTC') as mtime FROM hash JOIN file USING (path) where path like 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\%' AND type='regular';",
"interval": 1860,
"description": "Check suspicious file creation under ProgramData\\Microsoft\\Windows\\Start Menu\\Programs - ATT&CK T1060,T1023",
"platform": "windows",
"removed": false
}
}
}