-
Notifications
You must be signed in to change notification settings - Fork 11
Analysis Modules
Scott Sutherland edited this page Mar 21, 2022
·
15 revisions
Analysis modules are used to filter collected data in a way that makes it easier to find known threats, suspicious behavior, and environmental anomalies. Additionally, the .csv files generated from the filtering can be consumed by another tool like Jupyter notebooks.
All analysis modules are automatically loaded from the windows\modules\analysis folder and ran offline against collected data sources based on matching module names. For example, all analysis modules that start with "analysis-tasks" will be ran against the "collect-tasks" data source. It's not very elegant, but it'ss functional and seems to make adding new modules easy as long as you name them correctly. :)
| Module Name |
Module Description |
Data Source |
|---|---|---|
| analyze-services-lolbas | tbd | collect-services |
| analyze-services-mgmt-software | tbd | collect-services |
| analyze-services-offsec-software | tbd | collect-services |
| analyze-services-unsigned | tbd | collect-services |
| analyze-services-dotnet | tbd | collect-services |
| analyze-services-badpath | tbd | collect-services |
| analyze-services-outlier-filepath | tbd | collect-services |
| analyze-services-outlier-owner | tbd | collect-services |
| analyze-tasks-lolbas | tbd | collect-tasks |
| analyze-tasks-mgmt-software | tbd | collect-tasks |
| analyze-tasks-offsec-software | tbd | collect-tasks |
| analyze-tasks-unsigned | tbd | collect-tasks |
| analyze-tasks-dotnet | tbd | collect-tasks |
| analyze-tasks-badpath | tbd | collect-tasks |
| analyze-tasks-outlier-filepath | tbd | collect-tasks |
| analyze-tasks-outlier-owner | tbd | collect-tasks |
| analyze-startup-registry-run-lolbas | tbd | collect-startup-registry-run |
| analyze-startup-registry-run-mgmt-software | tbd | collect-startup-registry-run |
| analyze-startup-registry-run-offsec-software | tbd | collect-startup-registry-run |
| analyze-startup-registry-run-unsigned | tbd | collect-startup-registry-run |
| analyze-startup-registry-run-dotnet | tbd | collect-startup-registry-run |
| analyze-startup-registry-run-badpath | tbd | collect-startup-registry-run |
| analyze-startup-registry-run-outlier-owner | tbd | collect-startup-registry-run |
| analyze-startup-files-allusers-lolbas | tbd | collect-startup-files-allusers |
| analyze-startup-files-allusers-mgmt-software | tbd | collect-startup-files-allusers |
| analyze-startup-files-allusers-offsec-software | tbd | collect-startup-files-allusers |
| analyze-startup-files-allusers-unsigned | tbd | collect-startup-files-allusers |
| analyze-startup-files-allusers-dotnet | tbd | collect-startup-files-allusers |
| analyze-startup-files-allusers-badpath | tbd | collect-startup-files-allusers |
| analyze-startup-files-allusers-outlier-owner | tbd | collect-startup-files-allusers |
| analyze-installed-software-mgmt-software | tbd | collect-installed-software |
| analyze-installed-software-offsec-software | tbd | collect-installed-software |
| analyze-named-pipes-known-bad | tbd | collect-named-pipes |
| analyze-events-4732-add-user | tbd | collect-events-4732 |