-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathWin_Hunting.cfg
More file actions
274 lines (227 loc) · 11.7 KB
/
Win_Hunting.cfg
File metadata and controls
274 lines (227 loc) · 11.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
########################################################################
# This is the configuration file for the Carbon Black Reporter script
# designed to provide customizable output in the form of a customizable
# Excel Spreadsheet. The script allows you to customize the tab names
# and fields that you wish to display for binary, process and alerts.
########################################################################
# Format:
#
# [Tab Name]
# Type = binary|process|alert
# Fields = <query output fields to display per column>
# Query = <the Carbon Black query you want to run>
########################################################################
# Available Fields:
#
# Binary Search:
#
# digsig_result,observed_filename,product_version,legal_copyright,
# alliance_link_virustotal,private_build,is_executable_image,orig_mod_len,
# is_64bit,alliance_score_virustotal,group,file_version,comments,
# company_name,internal_name,product_name,alliance_data_virustotal,
# digsig_result_code,timestamp,alliance_updated_virustotal,copied_mod_len,
# server_added_timestamp,md5,endpoint,watchlists,signed,original_filename,
# cb_version,os_type,file_desc,last_seen
#
# Process Search:
#
# process_md5,sensor_id,modload_count,cmdline,last_update,id,parent_name,
# parent_md5,group,hostname,filemod_count,start,comms_ip,netconn_count,
# interface_ip,process_pid,username,process_name,path,regmod_count,parent_pid,
# crossproc_count,segment_id,host_type,os_type,childproc_count,unique_id
#
# Alert Search:
#
# modload_count,alert_type,sensor_criticality,report_score,watchlist_id,
# sensor_id,feed_name,created_time,report_ignored,ioc_type,crossproc_count,
# ioc_confidence,alert_severity,watchlist_name,group,hostname,filemod_count,
# comms_ip,netconn_count,interface_ip,username,process_path,description,
# process_name,process_id,link,ioc_value,regmod_count,md5,segment_id,
# total_hosts,feed_id,status,os_type,childproc_count,unique_id,feed_rating,
# status,username,hostname,feed_name,assigned_to,watchlist_name
########################################################################
# For a full description of the fields listed above please visit
# our developer website at https://developer.carbonblack.com/reference/enterprise-response/5.1/rest-api/#process-data:ec3e4958451e5256ed16afd222059e6d
# on the Carbon Black homepage. In the future fields may be added and
# available for use on this site.
########################################################################
[Unsigned Executions not C or D]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = -path:C* and -path:D* AND -digsig_result:'Signed'
[Registry Editor non-Explorer]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = -process_name:explorer.exe AND (childproc_name:regedit.exe OR childproc_name:regedt32.exe)
[Changes to Windows Firewall]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = (regmod:\registry\machine\SYSTEM\*\services\SharedAccess\*\FirewallPolicy\*\EnableFirewall AND -process_name:svchost.exe) OR (cmdline:netsh AND cmdline:advfirewall)
[VT gt 10 with Netconn]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = alliance_score_virustotal:[10 TO *] AND netconn_count:[1 TO *]
[Child Process PowerShell or CMD]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = childproc_name:powershell.exe OR childproc_name:cmd.exe
[Reg Adds]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = cmdline:"reg" AND cmdline:"add"
[SC Process Creation]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = cmdline:"sc create"
[Suspect CMD Creation]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = childproc_name:cmd.exe AND (parent_name:iexplore.exe OR parent_name:firefox.exe OR parent_name:chrome.exe OR parent_name:acrord32.exe OR parent_name:java.exe OR parent_name:javaw.exe OR parent_name:*flash*)
[Net Add command]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = cmdline:net AND (cmdline:user OR cmdline:localgroup) AND cmdline:/add
[Suspicious wininit Start ]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = -parent_name:smss.exe AND parent_name:* AND process_name:wininit.exe
[Use of Sysinternals Tools]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = digsig_prog_name:"Sysinternals Utilities"
[MS Programs not in Defualt]]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = digsig_publisher:"Microsoft Corporation" AND -path:windows* AND -path:program\ files*
[Log File Tampering]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = filemod:\(null\)_Post AND filemod:Logs/* AND filemod:cr-silent/* AND modload:open
[Sticky Key Tampering]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = filemod:windows/system32/sethc.exe OR filemod:windows/system32/utilman.exe
[RDP Connections]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = ipport:3389
[Non-Browser Connection to Web]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = ipport:80 AND ipport:443 AND ipport:8080 AND -process_name:chrome.exe AND -process_name:iexplore.exe
[Possible IE Exploit]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = modload:vgx.dll AND process_name:iexplore.exe AND modload:*.ocx AND childproc_name:*.dll
[Unsigned Binaries with Netconn]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = netconn_count:[1 to *] AND digsig_result:Unsigned
[Executables with Browser Parent]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = parent_name:chrome.exe OR parent_name:iexplore.exe OR parent_name:firefox.exe
[Scheduled Task Creation]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = parent_name:taskeng.exe OR process_name:at.exe OR process_name:schtasks.exe
[Office App with Child Proc]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = parent_name:winword.exe OR parent_name:excel.exe OR parent_name:powerpnt.exe OR parent_name:AcroRd32.exe
[Execution from Recycle Bin]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = path:RECYCLER/*.exe
[Modifcations to Sysvol]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = path:System\ Volume\ Information*
[Execution from IME]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = path:Windows/IME/*.exe
[Use of Quser]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = path:windows/system32/quser.exe
[Modification of Startup Folder]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = filemod:"Start Menu\Programs\Startup"
[File Extension Social Engineering]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:*.txt.exe OR process_name:*.pdf.exe OR process_name:*.rtf.exe OR process_name:*.jpg.exe OR process_name:*.xml.exe OR process_name:*.gif.exe OR process_name:*.htm.exe OR process_name:*.html.exe OR process_name:*.zip.exe
[Running Commandline Utilities]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:enum.exe OR process_name:sc.exe OR process_name:netsh.exe OR process_name:arp.exe OR process_name:nmap.exe OR process_name:tasklist.exe OR process_name:tracert.exe OR process_name:ping.exe OR process_name:netstat.exe
[shellex Modifications]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = regmod:"software\classes\*" AND regmod:"shellex\contextmenuhandlers"
[Unusual Process Names]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:isass.exe OR process_name:svch0st.exe OR process_name:svchost.dll OR process_name:lexplore.exe OR process_name:lexplorer.exe OR process_name:svchosts.exe OR process_name:csrsr.exe
[Notepad with a Child Process]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:notepad.exe AND childproc_name:*.exe
[Powershell Invoking dllhost]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:powershell.exe AND childproc_name:dllhost.exe
[Powershell with iex Option]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:powershell.exe AND cmdline:iex
[Powershell Invoking rundll32]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:powershell.exe AND parent_name:rundll32.exe
[User of the Runas Command]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:runas.exe OR cmdline:runas
[rundll32 Suspicious Activity]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:rundll32.exe AND cmdline:"mshtml,runhtmlapplication"
[Suspicious smss Launch]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:smss.exe AND parent_name:* AND -parent_name:smss.exe AND -parent_name:ntkrnlpa.exe AND -parent_name:ntoskrnl.exe
[Abnormal svchost Spawn]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:svchost.exe AND (-username:SYSTEM OR -username:"NETWORK SERVICE" OR -username:"LOCAL SERVICE")process_name:rar.exe
[Use of WMIC]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = process_name:wmic.exe
[Modification of Run Key]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = regmod:"software\microsoft\windows\currentversion\run"
[Modification of Runonce Key]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = regmod:"software\microsoft\windows\currentversion\runonce"
[Unsigned Binary Invoking svchost]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = digsig_result:"Unsigned" childproc_name:svchost.exe
[Attempting to run Hidden]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = regmod:\registry\user\*\software\microsoft\windows\CurrentVersion\Explorer\Advanced\Hidden And -process_name:explorer.exe
[Modifcation of Language Packages]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = regmod:control\MUI\UILanguages\*
[VirusTotal gt 4]
Type = process
Fields = process_md5,cmdline,last_update,hostname,start,username,process_name,path
Query = alliance_score_virustotal:[4 TO *]