Update process.py
This commit is contained in:
huoji
@@ -1,9 +1,9 @@
|
|||||||
rule = [
|
rule = [
|
||||||
{
|
{
|
||||||
'rules': [
|
'rules': [
|
||||||
'originalfilename =~ ".*taskill.exe.*"',
|
'originalfilename == "taskill.exe"',
|
||||||
'originalfilename =~ ".*net.exe.*" and commandline =~ ".*stop.*"',
|
'originalfilename == "net.exe" and commandline =~ ".*stop.*"',
|
||||||
'originalfilename =~ ".*sc.exe.*" and commandline =~ ".*config.*" and commandline =~ ".*disabled.*"',
|
'originalfilename == "sc.exe" and commandline =~ ".*config.*" and commandline =~ ".*disabled.*"',
|
||||||
],
|
],
|
||||||
'attck_hit':['T1489'],
|
'attck_hit':['T1489'],
|
||||||
'score': 30,
|
'score': 30,
|
||||||
@@ -44,7 +44,7 @@ rule = [
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
'rules': [
|
'rules': [
|
||||||
'originalfilename =~ ".*vssadmin.exe.*" and commandline =~ ".*create.*"',
|
'originalfilename =~ ".*vssadmin.exe" and commandline =~ ".*create.*"',
|
||||||
],
|
],
|
||||||
'attck_hit':['T1003.003'],
|
'attck_hit':['T1003.003'],
|
||||||
'score': 30,
|
'score': 30,
|
||||||
@@ -52,7 +52,7 @@ rule = [
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
'rules': [
|
'rules': [
|
||||||
'originalfilename =~ ".*wbadmin.exe.*" and commandline =~ ".*delete.*"',
|
'originalfilename =~ ".*wbadmin.exe" and commandline =~ ".*delete.*"',
|
||||||
'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*recoveryenabled.*no.*"',
|
'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*recoveryenabled.*no.*"',
|
||||||
'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*bootstatuspolicy.*ignoreallfailures.*"',
|
'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*bootstatuspolicy.*ignoreallfailures.*"',
|
||||||
'originalfilename =~ ".*wmic.exe" and commandline =~ ".*shadowcopy.*" and commandline =~ ".*delete.*"',
|
'originalfilename =~ ".*wmic.exe" and commandline =~ ".*shadowcopy.*" and commandline =~ ".*delete.*"',
|
||||||
@@ -64,9 +64,9 @@ rule = [
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
'rules': [
|
'rules': [
|
||||||
'originalfilename =~ ".*net.exe.*" and commandline =~ ".*view.*"',
|
'originalfilename == "net.exe" and commandline =~ ".*view.*"',
|
||||||
'originalfilename =~ ".*net.exe.*" and commandline =~ ".*group.*"',
|
'originalfilename == "net.exe" and commandline =~ ".*group.*"',
|
||||||
'originalfilename =~ ".*ping.exe"',
|
'originalfilename == "ping.exe"',
|
||||||
|
|
||||||
],
|
],
|
||||||
'attck_hit':['T1018'],
|
'attck_hit':['T1018'],
|
||||||
@@ -75,7 +75,7 @@ rule = [
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
'rules': [
|
'rules': [
|
||||||
'originalfilename =~ ".*fsutil.exe.*" and commandline =~ ".*deletejournal.*"',
|
'originalfilename =~ ".*fsutil.exe" and commandline =~ ".*deletejournal.*"',
|
||||||
],
|
],
|
||||||
'attck_hit':['T1070.004'],
|
'attck_hit':['T1070.004'],
|
||||||
'score': 10,
|
'score': 10,
|
||||||
@@ -83,11 +83,11 @@ rule = [
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
'rules': [
|
'rules': [
|
||||||
'originalfilename =~ ".*net.exe.*" and commandline =~ ".*user.*"',
|
'originalfilename == ".*net.exe" and commandline =~ ".*user.*"',
|
||||||
'originalfilename =~ ".*whoami.*"',
|
'originalfilename =~ ".*whoami.exe"',
|
||||||
'originalfilename =~ ".*query.exe"',
|
'originalfilename =~ ".*query.exe"',
|
||||||
'originalfilename =~ ".*setspn.exe"',
|
'originalfilename =~ ".*setspn.exe"',
|
||||||
'originalfilename =~ ".*cmdkey.exe.*"'
|
'originalfilename =~ ".*cmdkey.exe"'
|
||||||
],
|
],
|
||||||
'attck_hit':['T1087.001'],
|
'attck_hit':['T1087.001'],
|
||||||
'score': 30,
|
'score': 30,
|
||||||
|
|||||||
Reference in New Issue
Block a user