
Process Search

process_name:explorer.exe AND netconn_count:[500 TO *]

process_name:explorer.exe (modload:"c:\windows\syswow64\taskschd.dll")

Behavior

-digsig_result_filemod:Signed process_name:rundll32.exe

process_name:cacls.exe cmdline:\startup\

-digsig_result_parent:Signed process_name:svchost.exe

DLL Hijack

c:\windows\system32\wbem\

filemod:"wbem\loadperf.dll" OR filemod:"wbem\bcrypt.dll"

process_name:svchost.exe cmdline:RemoteRegistry

process_name:explorer.exe filemod:temp1_*.zip filemod:request*.doc

process_name:winword.exe cmdline:request*.doc\"

process_name:explorer.exe filemod:temp1_*.zip filemod:request*.doc

process_name:mode.com

digsig_result_parent:Unsigned process_name:raserver.exe

scrobj load and behavior

process_name:regsvr32.exe (modload:scrobj.dll) AND childproc_name:powershell.exe

parent_name:powershell.exe AND process_name:nslookup.exe AND netconn_count:[1 TO *]

Java Embedded MSI files

process_name:java.exe cmdline:-classpath parent_name:javaw.exe (childproc_name:java.exe OR childproc_name:conhost.exe)

process_name:java.exe cmdline:-classpath parent_name:javaw.exe (childproc_name:java.exe OR childproc_name:conhost.exe) filemod:appdata\local\temp\*.class

API

uacbypass

Reference

regmod:"mscfile\shell\open\command"

parent_name:powershell.exe process_name:eventvwr.exe

PPID Spoofing - Explorer CLSID

process_name:rundll32.exe cmdline:Shell32.dll* cmdline:SHCreateLocalServerRunDll cmdline:"{c08afd90-f2a1-11d1-8455-00a0c91f3880}"

Browser Broker

process_name:browser_broker.exe digsig_result_child:Unsigned

Emotet stuff

parent_name:userinit.exe digsig_result_process:Unsigned

PowerShell spawning csc.exe (Add-Type compiles inline C# through csc.exe; review the parent command line)

parent_name:powershell.exe process_name:csc.exe

PowerShell spawning nslookup.exe (possible DNS-based C2 or exfiltration; pair with the netconn variant above)

reference

parent_name:powershell.exe process_name:nslookup.exe

csc spawns

(process_name:excel.exe OR process_name:winword.exe OR process_name:outlook.exe) childproc_name:csc.exe

(process_name:excel.exe OR process_name:winword.exe OR process_name:outlook.exe) filemod:.cs

Domain Enumeration

https://github.com/clr2of8/DPAT

process_name:ntdsutil.exe

process_name:dcdiag.exe

process_name:repadmin.exe

process_name:netdom.exe

company_name:"http://www.joeware.net"

EternalBlue - Miner

Reference

parent_name:wininit.exe process_name:spoolsv.exe

process_name:sc.exe cmdline:Snmpstorsrv

process_name:svchost.exe digsig_result_modload:unsigned

SQLi Dumper + spam

filemod:"url exploitables.xml"

filemod:"url list.txt"

process_name:"sqli dumper.exe"

process_name:"advanced mass sender.exe"

process_name:"turbomailer.exe"

modload:"appvirtdll64_advanced mass sender.dll"

process_name:storm.exe

CobaltStrike - Argue

(modload:"c:\windows\syswow64\ntmarta.dll") process_name:svchost.exe

(modload:"c:\windows\system32\wshtcpip.dll") digsig_result:Unsigned (modload:"c:\windows\system32\wship6.dll")

(modload:"c:\windows\syswow64\iertutil.dll" modload:"c:\windows\syswow64\ntmarta.dll") process_name:rundll32.exe

(modload:"c:\windows\syswow64\iertutil.dll" modload:"c:\windows\syswow64\ntmarta.dll") process_name:rundll32.exe AND netconn_count:[1 TO * ]

digsig_result_parent:Unsigned (process_name:svchost.exe -username:SYSTEM -username:"NETWORK SERVICE" -username:"LOCAL SERVICE" -cmdline:"UnistackSvcGroup")

digsig_result_parent:Unsigned process_name:svchost.exe

parent_name:rundll32.exe process_name:svchost.exe

Process

(regmod:"\registry\user\.default\software\microsoft\windows\currentversion\internet settings\proxyenable") digsig_result:Unsigned AND path:c:\windows\syswow64\*

process_name:procdump.exe cmdline:-accepteula

process_name:procdump.exe cmdline:lsass.exe

digsig_result_parent:Unsigned process_name:explorer.exe

process_name:schtasks.exe cmdline:/c

process_name:schtasks.exe cmdline:"cscript.exe"

process_name:schtasks.exe cmdline:"wscript.exe"

process_name:schtasks.exe cmdline:"powershell.exe"

crossproc_type:"remotethread" AND -process_name:wmiprvse.exe -process_name:svchost.exe -process_name:csrss.exe

klist

Reference

process_name:klist.exe

dfsvc/browser broker queries

parent_name:browser_broker.exe process_name:mshta.exe

parent_name:browser_broker.exe process_name:rundll32.exe

process_name:dfsvc.exe (digsig_result_child:"Unsigned" OR digsig_result_child:"Untrusted Root")

process_name:rundll32.exe childproc_name:dfsvc.exe

is_executable_image_filewrite:True -path:google\chrome\* AND -path:google\update\* -digsig_result_filewrite:Signed filemod:local\settings\* filemod:appdata\local\temp\*


process_name:lsass.exe digsig_result_filewrite:"Unsigned"

process_name:lsass.exe AND digsig_result_modload:"Unsigned"

filemod:Content.Outlook\* AND is_executable_image_filewrite:True

filemod:Content.Outlook\* AND -digsig_result_filewrite:Signed

process_name:winlogon.exe AND netconn_count:[1 TO *]

filemod:"Start Menu\Programs\Startup"

regmod:CurrentVersion\Run*

filemod:windows\system32\* digsig_result:unsigned digsig_result_filewrite:"Unsigned"

regmod:services\national* digsig_result:unsigned

regmod:services\svchostc* digsig_result:unsigned

path:windows\system32\* digsig_result:unsigned parent_name:services.exe childproc_count:1

Note: the SID in the following query is specific to one environment; substitute the target user's SID (or search on the `excel\security\accessvbom` suffix alone) before reusing it.

(regmod:"\registry\user\s-1-5-21-348440682-330175067-1304115618-242891\software\microsoft\office\14.0\excel\security\accessvbom")

(process_name:cmd.exe OR process_name:powershell.exe OR process_name:wmic.exe OR process_name:msbuild.exe OR process_name:mshta.exe OR process_name:wscript.exe OR process_name:cscript.exe OR process_name:installutil.exe OR process_name:rundll32.exe OR process_name:regsvr32.exe OR process_name:msxsl.exe OR process_name:regasm.exe OR process_name:regsvcs.exe) (domain:pastebin.com OR domain:dl.dropboxusercontent.com OR domain:githubusercontent.com)

digsig_result_child:"Unsigned" ((parent_name:chrome.exe OR parent_name:firefox.exe OR parent_name:iexplore.exe OR parent_name:microsoftedge.exe OR parent_name:outlook.exe) is_executable_image_filewrite:"true")

digsig_result_process:"Unsigned" ((parent_name:chrome.exe OR parent_name:firefox.exe OR parent_name:iexplore.exe OR parent_name:microsoftedge.exe OR parent_name:outlook.exe) is_executable_image_filewrite:"true")

regmod:"keyboard layout\2"

(regmod:"\registry\machine\software\microsoft\windows nt\currentversion\image file execution options\cmd.exe\verifierdlls")

process_name:mshta.exe modload:mscoree.dll

(modload:mscoree.dll AND modload:system.management.automation.dll) -process_name:powershell_ise.exe -process_name:sdiagnhost.exe -process_name:mscorsvw.exe -process_name:powershell.exe -process_name:searchfilterhost.exe

process_name:netsh.exe cmdline:appdata/

(modload:mscoree.dll AND modload:system.management.automation.dll AND modload:mscorlib*) -process_name:powershell_ise.exe -process_name:sdiagnhost.exe -process_name:mscorsvw.exe -process_name:powershell.exe -process_name:searchfilterhost.exe

(cmdline:/user: OR cmdline:/pwd: OR cmdline:/username: OR cmdline:/password:)

process_name:notepad.exe (modload:vaultcli.dll AND modload:samlib.dll)

parent_name:explorer.exe process_name:lsass.exe

process_name:netsh.exe cmdline:ProgramData/

process_name:csc.exe netconn_count:[1 TO *]

path:programdata\* -path:programdata\*\* -process_name:chgservice.exe -process_name:userprofilemigrationservice.exe -process_name:mm.exe -process_name:mmimage.exe

process_name:rundll32.exe domain:.ru AND netconn_count:[1 TO *]

(process_name:powershell.exe OR internal_name:powershell) (modload:samlib.dll OR modload:vaultcli.dll)

parent_name:spoolsv.exe (process_name:cmd.exe OR process_name:powershell.exe)

digsig_result:Unsigned ipport:443 modload:winsta.dll path:appdata/local/temp/*

BloodHound detection - network

ipport:445 AND netconn_count:[150 TO *] AND -process_name:ntoskrnl.exe AND process_name:*

BloodHound detection - command line

cmdline:"--ExcludeDC" OR cmdline:LoggedOn OR cmdline:ObjectProps OR cmdline:GPOLocalGroup OR product_name:"SharpHound"

BloodHound detection - file modifications

filemod:sessions.csv OR filemod:acls.csv OR filemod:group_membership.csv OR filemod:local_admins.csv OR filemod:computer_props.csv OR filemod:user_props.csv

BloodHound detection - network pipe

filemod:\pipe\samr AND filemod:\pipe\lsarpc AND filemod:\pipe\srvsvc

netconn_count:[100 TO *] AND ipport:445 AND (filemod:lsarpc OR filemod:samr OR filemod:srvsvc)

Squiblytwo

(process_name:wmic.exe OR internal_name:wmic.exe) (cmdline:"/format:" AND cmdline:os)

(process_name:wmic.exe OR internal_name:wmic.exe) (cmdline:"/format:" AND cmdline:os) AND netconn_count:[1 TO *]

(process_name:wmic.exe OR internal_name:wmic.exe) netconn_count:[1 TO *]

process_name:wmic.exe (modload:jscript.dll OR modload:vbscript.dll)

More

process_name:powershell.exe (filemod:c:\windows\temp\*)

process_name:powershell.exe ipport:445

process_name:powershell.exe AND netconn_count:[2 TO *] ipport:445

process_name:powershell.exe AND netconn_count:[2 TO *] (ipport:445 OR ipport:80 OR ipport:443 OR ipport:137 OR ipport:138 OR ipport:135 OR ipport:22)

(process_name:powershell.exe OR process_name:powershell_ise.exe) AND netconn_count:[2 TO *] (ipport:445 OR ipport:80 OR ipport:443 OR ipport:137 OR ipport:138 OR ipport:135 OR ipport:22)

parent_name:explorer.exe process_name:mshta.exe (modload:jscript.dll OR modload:vbscript.dll) netconn_count:[1 TO *]

process_name:mshta.exe (modload:jscript.dll OR modload:vbscript.dll) netconn_count:[1 TO *]

process_name:php.exe childproc_name:cmd.exe

parent_name:php.exe process_name:cmd.exe

parent_name:php.exe process_name:cmd.exe digsig_result_child:"Unsigned"

(filemod:wwwroot\* OR filemod:htdocs\*) AND (filemod:.aspx OR filemod:.jsp OR filemod:.cfm OR filemod:.asp OR filemod:.php) AND host_type:"server"

parent_name:outlook.exe (process_name:iexplore.exe OR process_name:chrome.exe OR process_name:microsoftedge.exe OR process_name:firefox.exe)

domain:.ru digsig_result:Unsigned -process_name:iexplore.exe -process_name:chrome.exe -process_name:microsoftedge.exe -process_name:microsoftedgecp.exe -process_name:firefox.exe -process_name:opera.exe

Rogue DC

Note: the excluded ipaddr values below are the known domain controllers of one environment; replace them with your own DC addresses, or use the host_type-based variant that follows.

process_name:svchost.exe AND cmdline:"-k netsvcs -p -s gpsvc" AND domain:* AND -(ipaddr:172.20.1.200 OR ipaddr:10.100.12.4 OR ipaddr:172.20.0.117 OR ipaddr:10.100.86.75 OR ipaddr:10.254.1.120 OR ipaddr:10.254.1.69 OR ipaddr:10.254.1.121)

process_name:svchost.exe AND cmdline:"-k netsvcs -p -s gpsvc" AND domain:* AND -host_type:"domain_controller"

Coin Miner

digsig_result:"Unsigned" company_name:"Zhuhai Kingsoft Office Software Co.,Ltd"

parent_name:lsass.exe process_name:cmd.exe childproc_name:reg.exe

parent_name:lsass.exe process_name:cmd.exe childproc_name:schtasks.exe

process_name:net1.exe cmdline:"net1 user IISUSER_ACCOUNTXX /del"

process_name:lsass.exe digsig_result_filewrite:"Unsigned"

company_name:"TODO: <公司名>" (unfilled CompanyName placeholder from a Chinese-locale Visual Studio resource template; flags binaries built without version info)

parent_name:conhost.exe digsig_result_parent:"Unsigned"

https://github.com/fireice-uk/xmr-stak


filemod:xmrstak_opencl_backend.dll

filemod:xmrstak_cuda_backend.dll

observed_filename:c:\windows\debug\

observed_filename:c:\windows\inf\

observed_filename:c:\windows\web\