-
Notifications
You must be signed in to change notification settings - Fork 160
/
Copy pathwindows_new_dir_relevant_infection_path.conf
69 lines (69 loc) · 5.55 KB
/
windows_new_dir_relevant_infection_path.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
{
"platform": "windows",
"description": "ATT&CK: T1034,T1074,T1044,T1060,T1023",
"queries": {
"windows_new_directory": {
"query": "select f.path,f.directory,u.username,f.hard_links,f.symlink,datetime(f.btime, 'unixepoch', 'UTC') as btime, datetime(f.atime, 'unixepoch', 'UTC') as atime, datetime(f.ctime, 'unixepoch', 'UTC') as ctime, datetime(f.mtime, 'unixepoch', 'UTC') as mtime from file f LEFT JOIN users u on f.uid=u.uid where f.path like 'C:\\Windows\\%' AND f.type='directory';",
"interval": 1800,
"description": "Check suspicious directory creation under c:\\windows - ATT&CK T1034,T1074,T1044",
"platform": "windows",
"removed": false
},
"windows_temp_new_directory": {
"query": "select f.path,f.directory,u.username,f.hard_links,f.symlink,datetime(f.btime, 'unixepoch', 'UTC') as btime, datetime(f.atime, 'unixepoch', 'UTC') as atime, datetime(f.ctime, 'unixepoch', 'UTC') as ctime, datetime(f.mtime, 'unixepoch', 'UTC') as mtime from file f LEFT JOIN users u on f.uid=u.uid where f.path like 'C:\\Windows\\temp\\%' AND f.type='directory';",
"interval": 1820,
"description": "Check suspicious directory creation under c:\\windows\\temp - ATT&CK T1034,T1074,T1044",
"platform": "windows",
"removed": false
},
"AppData_Roaming_new_directory": {
"query": "select f.path,f.directory,u.username,f.hard_links,f.symlink,datetime(f.btime, 'unixepoch', 'UTC') as btime, datetime(f.atime, 'unixepoch', 'UTC') as atime, datetime(f.ctime, 'unixepoch', 'UTC') as ctime, datetime(f.mtime, 'unixepoch', 'UTC') as mtime from file f LEFT JOIN users u on f.uid=u.uid where f.path like 'C:\\users\\%\\AppData\\Roaming\\%' AND f.type='directory';",
"interval": 1840,
"description": "Check suspicious directory creation under %APPDATA% or %\\AppData\\Roaming - ATT&CK T1034,T1074,T1044",
"platform": "windows",
"removed": false
},
"AppData_Local_new_directory": {
"query": "select f.path,f.directory,u.username,f.hard_links,f.symlink,datetime(f.btime, 'unixepoch', 'UTC') as btime, datetime(f.atime, 'unixepoch', 'UTC') as atime, datetime(f.ctime, 'unixepoch', 'UTC') as ctime, datetime(f.mtime, 'unixepoch', 'UTC') as mtime from file f LEFT JOIN users u on f.uid=u.uid where f.path like 'C:\\users\\%\\AppData\\Local\\%' AND f.type='directory';",
"interval": 1860,
"description": "Check suspicious directory creation under AppData\\Local - ATT&CK T1034,T1074,T1044",
"platform": "windows",
"removed": false
},
"AppData_Local_temp": {
"query": "select f.path,f.directory,u.username,f.hard_links,f.symlink,datetime(f.btime, 'unixepoch', 'UTC') as btime, datetime(f.atime, 'unixepoch', 'UTC') as atime, datetime(f.ctime, 'unixepoch', 'UTC') as ctime, datetime(f.mtime, 'unixepoch', 'UTC') as mtime from file f LEFT JOIN users u on f.uid=u.uid where f.path like 'C:\\users\\%\\AppData\\local\\temp\\%' AND f.type='directory';",
"interval": 1880,
"description": "Check suspicious directory creation under %TEMP% or AppData\\Local\\Temp - ATT&CK T1034,T1074,T1044",
"platform": "windows",
"removed": false
},
"User_StartMenu_startup": {
"query": "select f.path,f.directory,u.username,f.hard_links,f.symlink,datetime(f.btime, 'unixepoch', 'UTC') as btime, datetime(f.atime, 'unixepoch', 'UTC') as atime, datetime(f.ctime, 'unixepoch', 'UTC') as ctime, datetime(f.mtime, 'unixepoch', 'UTC') as mtime from file f LEFT JOIN users u on f.uid=u.uid where f.path like 'C:\\users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%' AND f.type='directory';",
"interval": 1860,
"description": "Check suspicious directory creation under Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup - ATT&CK T1060,T1023",
"platform": "windows",
"removed": false
},
"User_StartMenu_program": {
"query": "select f.path,f.directory,u.username,f.hard_links,f.symlink,datetime(f.btime, 'unixepoch', 'UTC') as btime, datetime(f.atime, 'unixepoch', 'UTC') as atime, datetime(f.ctime, 'unixepoch', 'UTC') as ctime, datetime(f.mtime, 'unixepoch', 'UTC') as mtime from file f LEFT JOIN users u on f.uid=u.uid where f.path like 'C:\\users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\%' AND f.type='directory';",
"interval": 1860,
"description": "Check suspicious directory creation under Roaming\\Microsoft\\Windows\\Start Menu\\Programs - ATT&CK T1060,T1023",
"platform": "windows",
"removed": false
},
"programmata_StartMenu": {
"query": "select f.path,f.directory,u.username,f.hard_links,f.symlink,datetime(f.btime, 'unixepoch', 'UTC') as btime, datetime(f.atime, 'unixepoch', 'UTC') as atime, datetime(f.ctime, 'unixepoch', 'UTC') as ctime, datetime(f.mtime, 'unixepoch', 'UTC') as mtime from file f LEFT JOIN users u on f.uid=u.uid where f.path like 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\%' AND f.type='directory';",
"interval": 1860,
"description": "Check suspicious directory creation under ProgramData\\Microsoft\\Windows\\Start Menu - ATT&CK T1060,T1023",
"platform": "windows",
"removed": false
},
"programmata_StartMenu_program": {
"query": "select f.path,f.directory,u.username,f.hard_links,f.symlink,datetime(f.btime, 'unixepoch', 'UTC') as btime, datetime(f.atime, 'unixepoch', 'UTC') as atime, datetime(f.ctime, 'unixepoch', 'UTC') as ctime, datetime(f.mtime, 'unixepoch', 'UTC') as mtime from file f LEFT JOIN users u on f.uid=u.uid where f.path like 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\%' AND f.type='directory';",
"interval": 1860,
"description": "Check suspicious directory creation under ProgramData\\Microsoft\\Windows\\Start Menu\\Programs - ATT&CK T1060,T1023",
"platform": "windows",
"removed": false
}
}
}