windows_anomaly_process-execution.conf
{
"platform": "windows",
"description": "ATT&CK: T1107,T1158,T1191,T1118,T1216,T1059,T1170,T1086,T1117,T1053,T1035,T1197,T1128,T1134,T1126,T1087,T1201,T1069,T1057,T1012,T1018,T1063,T1082,T1049,T1007,T1124,T1076,T1105,T1140,T1130",
"queries": {
"attrib.exe": {
"query":"select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%attrib%';",
"interval": 600,
"description": "Attrib Execute, usually used to modify file attributes - ATT&CK T1158",
"platform": "windows"
},
"schtasks.exe": {
"query":"select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%schtasks%';",
"interval": 600,
"description": "Schtasks Execute, usually used to create a scheduled task - ATT&CK T1053,S0111",
"platform": "windows"
},
"taskeng.exe": {
"query":"select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%taskeng%';",
"interval": 600,
"description": "taskeng Execute, usually used to create a scheduled task - ATT&CK T1053",
"platform": "windows"
},
"tscon.exe": {
"query":"select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%tscon%';",
"interval": 600,
"description": "tscon.exe Execute, usually used for the Terminal Services Console - ATT&CK T1076",
"platform": "windows"
},
"mstsc.exe": {
"query":"select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%mstsc%';",
"interval": 600,
"description": "mstsc.exe Execute, usually used to start an RDP session - ATT&CK T1076",
"platform": "windows"
},
"at.exe": {
"query":"select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%at.exe%';",
"interval": 600,
"description": "At Execute, usually used to create a scheduled task - ATT&CK T1053,S0110",
"platform": "windows"
},
"tasklist.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%tasklist%';",
"interval": 600,
"description": "Tasklist Execute, usually used to list running tasks - ATT&CK T1057,T1063,T1007,S0057",
"platform": "windows"
},
"taskkill.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%taskkill%';",
"interval": 600,
"description": "Taskkill Execute, usually used to kill tasks",
"platform": "windows"
},
"mshta.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%mshta%';",
"interval": 600,
"description": "Mshta Execute, a utility that executes Microsoft HTML Applications (HTA) - ATT&CK T1170",
"platform": "windows"
},
"whoami.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%whoami%';",
"interval": 600,
"description": "Whoami Execute, used to print the effective username of the current user",
"platform": "windows"
},
"xcopy.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%xcopy%';",
"interval": 600,
"description": "Xcopy Execute, is used for copying multiple files or entire directory trees from one directory to another and for copying files across a network.",
"platform": "windows"
},
"esentutl.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%esentutl%';",
"interval": 600,
"description": "Esentutl Execute, a legitimate built-in command-line program; it could be used to create an exe from a raw dump source.",
"platform": "windows"
},
"net.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%net.exe%';",
"interval": 600,
"description": "Net Execute, is used in command-line operations for control of users, groups, services, and network connections - ATT&CK T1126,T1087,T1201,T1069,S0039,T1018,T1007,T1124",
"platform": "windows"
},
"vssadmin.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%vssadmin%';",
"interval": 600,
"description": "Vssadmin Execute, usually used to perform activity on Volume Shadow Copies",
"platform": "windows"
},
"InstallUtil.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%InstallUtil%';",
"interval": 600,
"description": "InstallUtil Execute, InstallUtil is a command-line utility that allows installation and uninstallation of resources by executing specific installer components specified in .NET binaries - ATT&CK T1118",
"platform": "windows"
},
"cmstp.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%CMSTP%';",
"interval": 600,
"description": "CMSTP Execute, the Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles - ATT&CK T1191",
"platform": "windows"
},
"cmd.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%CMD%';",
"interval": 600,
"description": "Command-Line Interface Execute, CMD execution - ATT&CK T1059",
"platform": "windows"
},
"cscript.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%cscript%';",
"interval": 600,
"description": "Command-Line Interface Execute, Cscript execution starts a script so that it runs in a command-line environment. - ATT&CK T1216",
"platform": "windows"
},
"powershell.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%POWERSHELL%';",
"interval": 600,
"description": "POWERSHELL Execute, is a powerful interactive command-line interface and scripting environment included in the Windows operating system - ATT&CK T1086",
"platform": "windows"
},
"regsvr32.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%regsvr%';",
"interval": 600,
"description": "Regsvr32 Execute, Regsvr32 is a Windows command-line utility used to register and unregister DLLs and ActiveX controls - ATT&CK T1117",
"platform": "windows"
},
"PsExec.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%PsExec%';",
"interval": 600,
"description": "PsExec Execute, is a free Microsoft tool that can be used to execute a program on another computer. - ATT&CK T1035,S0029",
"platform": "windows"
},
"runas.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%runas%';",
"interval": 600,
"description": "Runas Execute, Allows a user to run specific tools and programs with different permissions than the user's current logon provides. - ATT&CK T1134",
"platform": "windows"
},
"bitsadmin.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%bitsadmin%';",
"interval": 600,
"description": "Bitsadmin Execute, Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM) - ATT&CK T1197,S0190",
"platform": "windows"
},
"certutil.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%certutil%';",
"interval": 600,
"description": "Certutil Execute, Certutil.exe is a legitimate built-in command-line program to manage certificates in Windows - ATT&CK T1105,T1140,T1130,S0160",
"platform": "windows"
},
"netsh.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%netsh%';",
"interval": 600,
"description": "Netsh Execute, Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system - ATT&CK T1128,T1063,S0108",
"platform": "windows"
},
"netstat.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%netstat%';",
"interval": 600,
"description": "Netstat Execute, is an operating system utility that displays active TCP connections, listening ports, and network statistics. - ATT&CK T1049,S0104",
"platform": "windows"
},
"reg.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%reg%';",
"interval": 600,
"description": "Reg Execute, Reg is a Windows utility used to interact with the Windows Registry; note the '%reg%' pattern also matches the regedit and regsvr32 Prefetch names queried elsewhere in this pack - ATT&CK T1214,T1012,T1063,S0075",
"platform": "windows"
},
"regedit.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%regedit%';",
"interval": 600,
"description": "Regedit Execute, is a Windows utility used to interact with the Windows Registry. - ATT&CK T1214",
"platform": "windows"
},
"systeminfo.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%systeminfo%';",
"interval": 600,
"description": "Systeminfo Execute, Systeminfo is a Windows utility that can be used to gather detailed information about a computer. - ATT&CK T1082,S0096",
"platform": "windows"
},
"sc.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%sc%';",
"interval": 600,
"description": "SC.exe Execute, Service Control - create, start, stop, query or delete any Windows service; note the '%sc%' pattern also matches the schtasks, cscript and mstsc Prefetch names queried elsewhere in this pack - ATT&CK T1007",
"platform": "windows"
},
"Snaphost_Prefetch_File": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\';",
"interval": 28800,
"description": "Snapshot Prefetch File Directory - ATT&CK T1107",
"platform": "windows",
"snapshot": true
},
"svchost.exe_no_K_option": {
"query": "select * from processes where name like 'svchost.exe' and cmdline not like '%-k%';",
"interval": 600,
"description": "SVCHOST Processes not using the -k [name] convention",
"platform": "windows"
}
}
}