Analysis Modules
Analysis modules are used to filter collected data in a way that makes it easier to find known threats, suspicious behavior, and environmental anomalies. Additionally, the .csv files generated from the filtering can be consumed by another tool like Jupyter notebooks.
All analysis modules are automatically loaded from the windows\modules\analysis folder and run offline against the collected data sources whose names match the module names. For example, every analysis module whose name starts with "analyze-tasks" is run against the "collect-tasks" data source. It's not very elegant, but it's functional and makes adding new modules easy, as long as you name them correctly. :)
Analysis modules are broken into two types:
Analysis Type | Description | Path |
---|---|---|
Search | These are analysis modules that perform detection of artifacts associated with known bad behavior. | windows\modules\analysis\search |
Stack | These are analysis modules that perform anomaly detection via stacking or frequency analysis. | windows\modules\analysis\stack |
By default, all analysis modules are run. To run only a subset of the analysis modules, remove the modules you don't want to run from the analysis folder.
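As an added example (not the project's own loader code), the following Python resolves each module file found in the analysis folder to the data source it would run against, following the naming convention described above. The set of collected sources and the .ps1 file names are constructed for illustration.

```python
"""Resolve which collected data source each analysis module runs against.

Added example, not the project's own loader. It models the convention
described above: analyze-<source>-<check> runs against collect-<source>,
using longest match because a source name may itself contain hyphens.
"""
from pathlib import PureWindowsPath

# Constructed sample: data sources present in this hypothetical run
# (names taken from the module table on this page).
COLLECTED_SOURCES = {
    "collect-events-4732",
    "collect-services",
    "collect-startup-files-allusers",
    "collect-startup-registry-run",
    "collect-tasks",
}


def data_source_for(module_file, sources=COLLECTED_SOURCES):
    """Return the collect-* source for one module file, or None if no
    collected source matches its name (the module would not run)."""
    stem = PureWindowsPath(module_file).stem  # accepts \ or / separators
    prefix, sep, rest = stem.partition("-")
    if not sep or prefix != "analyze":
        return None  # not an analysis module (e.g. a stray collect-* file)
    best = None
    for source in sources:
        name = source[len("collect-"):]
        # "startup-files-allusers-dotnet" must not stop at "startup"
        if (rest == name or rest.startswith(name + "-")) and (
            best is None or len(source) > len(best)
        ):
            best = source
    return best


def plan_run(module_files, sources=COLLECTED_SOURCES):
    """Map every module file found in the analysis folder to its source;
    modules whose source was not collected are reported, not dropped."""
    plan, unmatched = {}, []
    for path in sorted(module_files):
        source = data_source_for(path, sources)
        if source is None:
            unmatched.append(path)
        else:
            plan[path] = source
    return plan, unmatched
```

A module whose matching collect-* data source was not gathered ends up in the unmatched list, which is worth checking before trusting a run that appears to have produced no findings.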
Below is a summary of the currently supported analysis modules.
Module Name | Data Source | Mitre ATT&CK ID |
---|---|---|
analyze-events-4732-add-user-by-remotecomputer | collect-events-4732 | T1053.002 |
analyze-events-4732-add-user-by-workgroup | collect-events-4732 | T1053.002 |
analyze-events-4732-add-user-computeraccount | collect-events-4732 | T1053.002 |
analyze-events-4732-add-user | collect-events-4732 | T1053.002 |
analyze-installed-software-mgmt | collect-installed-software | T1219 |
analyze-installed-software-offsec | collect-installed-software | T1505 |
analyze-named-pipes-known-bad | collect-named-pipes | T1570 |
analyze-services-badpath | collect-services | T1569.002 |
analyze-services-dotnet | collect-services | T1569.002 |
analyze-services-lolbas | collect-services | T1569.002 |
analyze-services-mgmt-software | collect-services | T1219 |
analyze-services-offsec-software | collect-services | T1569.002 |
analyze-services-outlier-file-owner | collect-services | T1569.002 |
analyze-services-unsigned | collect-services | T1569.002 |
analyze-startup-files-allusers-dotnet | collect-startup-files-allusers | T1547.001 |
analyze-startup-files-allusers-lolbas | collect-startup-files-allusers | T1547.001 |
analyze-startup-files-allusers-mgmt-software | collect-startup-files-allusers | T1219 |
analyze-startup-files-allusers-offsec-software | collect-startup-files-allusers | T1547.001 |
analyze-startup-files-allusers-outlier-file-owner | collect-startup-files-allusers | T1547.001 |
analyze-startup-files-allusers-unsigned | collect-startup-files-allusers | T1547.001 |
analyze-startup-registry-run-badpath | collect-startup-registry-run | T1547.001 |
analyze-startup-registry-run-dotnet | collect-startup-registry-run | T1547.001 |
analyze-startup-registry-run-lolbas | collect-startup-registry-run | T1547.001 |
analyze-startup-registry-run-mgmt-software | collect-startup-registry-run | T1219 |
analyze-startup-registry-run-offsec-software | collect-startup-registry-run | T1547.001 |
analyze-startup-registry-run-outlier-file-owner | collect-startup-registry-run | T1547.001 |
analyze-startup-registry-run-unsigned | collect-startup-registry-run | T1547.001 |
analyze-tasks-dotnet | collect-tasks | T1053.002 |
analyze-tasks-lolbas | collect-tasks | T1053.002 |
analyze-tasks-mgmt-software | collect-tasks | T1219 |
analyze-tasks-offsec-software | collect-tasks | T1053.002 |
analyze-tasks-outlier-file-owner | collect-tasks | T1053.002 |
analyze-tasks-unsigned | collect-tasks | T1053.002 |
analyze-wmi-bindings | collect-wmi-bindings | T1546.003 |
analyze-wmi-bindings-creatorsid | collect-wmi-bindings | T1546.003 |