├── README.md └── evm.cloud.src /README.md: -------------------------------------------------------------------------------- 1 | # OpenEDRRules 2 | -------------------------------------------------------------------------------- /evm.cloud.src: -------------------------------------------------------------------------------- 1 | { 2 | "Events":{ 3 | "RB1":[ 4 | { 5 | "BaseEventType":9, 6 | "EventType":null 7 | } 8 | ], 9 | "RB2":[ 10 | { 11 | "BaseEventType":9, 12 | "EventType":null 13 | } 14 | ], 15 | "RB3":[ 16 | { 17 | "BaseEventType":9, 18 | "EventType":null 19 | } 20 | ], 21 | "RB4":[ 22 | { 23 | "BaseEventType":9, 24 | "EventType":null 25 | } 26 | ], 27 | "RD11":[ 28 | { 29 | "BaseEventType":18, 30 | "EventType":null 31 | } 32 | ], 33 | "RD15":[ 34 | { 35 | "BaseEventType":19, 36 | "Condition":{ 37 | "BooleanOperator":"And", 38 | "Conditions":[ 39 | { 40 | "BooleanOperator":"And", 41 | "Conditions":[ 42 | { 43 | "Field":"parentVerdict", 44 | "Operator":"!Equal", 45 | "Value":1 46 | }, 47 | { 48 | "Field":"targetName", 49 | "Operator":"Match", 50 | "Value":"%windir%\\*" 51 | } 52 | ] 53 | }, 54 | { 55 | "BooleanOperator":"And", 56 | "Conditions":[ 57 | { 58 | "BooleanOperator":"Or", 59 | "Conditions":[ 60 | { 61 | "Field":"parentVerdict", 62 | "Operator":"!Equal", 63 | "Value":1 64 | }, 65 | { 66 | "Field":"parentProcessPath", 67 | "Operator":"Match", 68 | "Value":"*\\powershell.exe" 69 | } 70 | ] 71 | }, 72 | { 73 | "Field":"targetName", 74 | "Operator":"Match", 75 | "Value":"*\\lsass.exe" 76 | } 77 | ] 78 | } 79 | ] 80 | }, 81 | "EventType":"aed59f052d794a489a792e8aa257587d" 82 | }, 83 | { 84 | "BaseEventType":19, 85 | "Condition":{ 86 | "BooleanOperator":"And", 87 | "Conditions":[ 88 | { 89 | "Field":"parentVerdict", 90 | "Operator":"!Equal", 91 | "Value":1 92 | }, 93 | { 94 | "Field":"targetName", 95 | "Operator":"Match", 96 | "Value":"%windir%\\*" 97 | } 98 | ] 99 | }, 100 | "EventType":null 101 | } 102 | ], 103 | "RD16":[ 104 | { 105 | "BaseEventType":20, 106 | "Condition":{ 107 | "Field":"parentProcessPath", 108 | "Operator":"Match", 109 | "Value":"*" 110 | }, 111 | "EventType":"3901cf50d77845df94b3ae55831bbc84" 112 | }, 113 | { 114 | "BaseEventType":20, 115 | "EventType":null 116 | } 117 | ], 118 | "RD17":[ 119 | { 120 | "BaseEventType":21, 121 | "Condition":{ 122 | "Field":"parentProcessPath", 123 | "Operator":"Match", 124 | "Value":"*" 125 | }, 126 | "EventType":"18d0a4eae356423bb5be802d213e7318" 127 | }, 128 | { 129 | "BaseEventType":21, 130 | "EventType":null 131 | } 132 | ], 133 | "RD20":[ 134 | { 135 | "BaseEventType":22, 136 | "Condition":{ 137 | "BooleanOperator":"And", 138 | "Conditions":[ 139 | { 140 | "BooleanOperator":"And", 141 | "Conditions":[ 142 | { 143 | "Field":"parentVerdict", 144 | "Operator":"!Equal", 145 | "Value":1 146 | }, 147 | { 148 | "Field":"targetName", 149 | "Operator":"Match", 150 | "Value":"%windir%\\*" 151 | } 152 | ] 153 | }, 154 | { 155 | "Field":"targetName", 156 | "Operator":"Match", 157 | "Value":"*lsass.exe" 158 | } 159 | ] 160 | }, 161 | "EventType":"cc51cb01ab35467281b71fcb405d6a3e" 162 | }, 163 | { 164 | "BaseEventType":22, 165 | "Condition":{ 166 | "BooleanOperator":"And", 167 | "Conditions":[ 168 | { 169 | "Field":"parentVerdict", 170 | "Operator":"!Equal", 171 | "Value":1 172 | }, 173 | { 174 | "Field":"targetName", 175 | "Operator":"Match", 176 | "Value":"%windir%\\*" 177 | } 178 | ] 179 | }, 180 | "EventType":null 181 | } 182 | ], 183 | "RD6":[ 184 | { 185 | "BaseEventType":15, 186 | "EventType":null 187 | } 188 | ], 189 | "RD7":[ 190 | { 191 | "BaseEventType":16, 192 | "Condition":{ 193 | "Field":"parentProcessPath", 194 | "Operator":"Match", 195 | "Value":"*" 196 | }, 197 | "EventType":"dc1f8f7cdbb64cb99f61751d507fc83c" 198 | }, 199 | { 200 | "BaseEventType":16, 201 | "EventType":null 202 | } 203 | ], 204 | "RD8":[ 205 | { 206 | "BaseEventType":17, 207 | "EventType":null 208 | } 209 | ], 210 | "RF1":[ 211 | 212 | ], 213 | "RF10":[ 214 | { 215 | "BaseEventType":12, 216 | "Condition":{ 217 | "BooleanOperator":"And", 218 | "Conditions":[ 219 | { 220 | "Field":"parentProcessPath", 221 | "Operator":"MatchInList", 222 | "Value":"EmailPaths" 223 | }, 224 | { 225 | "Field":"path", 226 | "Operator":"!Match", 227 | "Value":"%appdata%\\*" 228 | }, 229 | { 230 | "Field":"path", 231 | "Operator":"!Match", 232 | "Value":"%localappdata%\\*" 233 | }, 234 | { 235 | "Field":"path", 236 | "Operator":"!Match", 237 | "Value":"%userprofile%\\AppData\\*" 238 | } 239 | ] 240 | }, 241 | "EventType":null 242 | }, 243 | { 244 | "BaseEventType":7, 245 | "Condition":{ 246 | "BooleanOperator":"And", 247 | "Conditions":[ 248 | { 249 | "BooleanOperator":"Or", 250 | "Conditions":[ 251 | { 252 | "Field":"parentProcessPath", 253 | "Operator":"MatchInList", 254 | "Value":"WriteFileWhiteList" 255 | }, 256 | { 257 | "Field":"parentVerdict", 258 | "Operator":"!Equal", 259 | "Value":1 260 | }, 261 | { 262 | "BooleanOperator":"And", 263 | "Conditions":[ 264 | { 265 | "Field":"parentProcessPath", 266 | "Operator":"!MatchInList", 267 | "Value":"WriteFileBlackList" 268 | }, 269 | { 270 | "Field":"parentProcessPath", 271 | "Operator":"!Match", 272 | "Value":"%systemroot%\\*" 273 | }, 274 | { 275 | "BooleanOperator":"Or", 276 | "Conditions":[ 277 | { 278 | "Field":"ftype", 279 | "Operator":"Equal", 280 | "Value":"PORTABLE_EXECUTABLE" 281 | }, 282 | { 283 | "Field":"path", 284 | "Operator":"MatchInList", 285 | "Value":"InfectibleFiles" 286 | } 287 | ] 288 | } 289 | ] 290 | } 291 | ] 292 | }, 293 | { 294 | "BooleanOperator":"And", 295 | "Conditions":[ 296 | { 297 | "Field":"path", 298 | "Operator":"Match", 299 | "Value":"*mimikatz*" 300 | }, 301 | { 302 | "Field":"path", 303 | "Operator":"Match", 304 | "Value":"*golden_ticket*" 305 | }, 306 | { 307 | "Field":"path", 308 | "Operator":"Match", 309 | "Value":"*lsadump*" 310 | }, 311 | { 312 | "Field":"path", 313 | "Operator":"Match", 314 | "Value":"*fgdump*" 315 | }, 316 | { 317 | "Field":"path", 318 | "Operator":"Match", 319 | "Value":"*lsasecrets*" 320 | }, 321 | { 322 | "Field":"path", 323 | "Operator":"Match", 324 | "Value":"*mimilib*" 325 | }, 326 | { 327 | "Field":"path", 328 | "Operator":"Match", 329 | "Value":"*mimilove*" 330 | }, 331 | { 332 | "Field":"path", 333 | "Operator":"Match", 334 | "Value":"*pwdump*" 335 | }, 336 | { 337 | "Field":"path", 338 | "Operator":"Match", 339 | "Value":"*pwhashes*" 340 | }, 341 | { 342 | "Field":"path", 343 | "Operator":"Match", 344 | "Value":"*lsass.dmp*" 345 | }, 346 | { 347 | "Field":"path", 348 | "Operator":"Match", 349 | "Value":"*cachedump*" 350 | } 351 | ] 352 | } 353 | ] 354 | }, 355 | "EventType":"2ae984ad4195477985db788a990be2ed" 356 | }, 357 | { 358 | "BaseEventType":7, 359 | "Condition":{ 360 | "BooleanOperator":"And", 361 | "Conditions":[ 362 | { 363 | "BooleanOperator":"Or", 364 | "Conditions":[ 365 | { 366 | "Field":"parentProcessPath", 367 | "Operator":"MatchInList", 368 | "Value":"WriteFileWhiteList" 369 | }, 370 | { 371 | "Field":"parentVerdict", 372 | "Operator":"!Equal", 373 | "Value":1 374 | }, 375 | { 376 | "BooleanOperator":"And", 377 | "Conditions":[ 378 | { 379 | "Field":"parentProcessPath", 380 | "Operator":"!MatchInList", 381 | "Value":"WriteFileBlackList" 382 | }, 383 | { 384 | "Field":"parentProcessPath", 385 | "Operator":"!Match", 386 | "Value":"%systemroot%\\*" 387 | }, 388 | { 389 | "BooleanOperator":"Or", 390 | "Conditions":[ 391 | { 392 | "Field":"ftype", 393 | "Operator":"Equal", 394 | "Value":"PORTABLE_EXECUTABLE" 395 | }, 396 | { 397 | "Field":"path", 398 | "Operator":"MatchInList", 399 | "Value":"InfectibleFiles" 400 | } 401 | ] 402 | } 403 | ] 404 | } 405 | ] 406 | }, 407 | { 408 | "BooleanOperator":"Or", 409 | "Conditions":[ 410 | { 411 | "Field":"path", 412 | "Operator":"Match", 413 | "Value":"*svch0st.exe" 414 | }, 415 | { 416 | "Field":"path", 417 | "Operator":"Match", 418 | "Value":"*scvhost.exe" 419 | }, 420 | { 421 | "Field":"path", 422 | "Operator":"Match", 423 | "Value":"*svchots.exe" 424 | }, 425 | { 426 | "Field":"path", 427 | "Operator":"Match", 428 | "Value":"*scvh0st.exe" 429 | }, 430 | { 431 | "Field":"path", 432 | "Operator":"Match", 433 | "Value":"*svhost.exe" 434 | }, 435 | { 436 | "Field":"path", 437 | "Operator":"Match", 438 | "Value":"*schost.exe" 439 | }, 440 | { 441 | "Field":"path", 442 | "Operator":"Match", 443 | "Value":"*svchosts.exe" 444 | }, 445 | { 446 | "Field":"path", 447 | "Operator":"Match", 448 | "Value":"*swchost.exe" 449 | }, 450 | { 451 | "Field":"path", 452 | "Operator":"Match", 453 | "Value":"*svshost.exe" 454 | }, 455 | { 456 | "Field":"path", 457 | "Operator":"Match", 458 | "Value":"*svcnost.exe" 459 | }, 460 | { 461 | "Field":"path", 462 | "Operator":"Match", 463 | "Value":"*syshost.exe" 464 | }, 465 | { 466 | "Field":"path", 467 | "Operator":"Match", 468 | "Value":"*svchsot.exe" 469 | } 470 | ] 471 | } 472 | ] 473 | }, 474 | "EventType":"0673857066a945d88f18bc5e4a4e4959" 475 | }, 476 | { 477 | "BaseEventType":7, 478 | "Condition":{ 479 | "BooleanOperator":"And", 480 | "Conditions":[ 481 | { 482 | "BooleanOperator":"Or", 483 | "Conditions":[ 484 | { 485 | "Field":"parentProcessPath", 486 | "Operator":"MatchInList", 487 | "Value":"WriteFileWhiteList" 488 | }, 489 | { 490 | "Field":"parentVerdict", 491 | "Operator":"!Equal", 492 | "Value":1 493 | }, 494 | { 495 | "BooleanOperator":"And", 496 | "Conditions":[ 497 | { 498 | "Field":"parentProcessPath", 499 | "Operator":"!MatchInList", 500 | "Value":"WriteFileBlackList" 501 | }, 502 | { 503 | "Field":"parentProcessPath", 504 | "Operator":"!Match", 505 | "Value":"%systemroot%\\*" 506 | }, 507 | { 508 | "BooleanOperator":"Or", 509 | "Conditions":[ 510 | { 511 | "Field":"ftype", 512 | "Operator":"Equal", 513 | "Value":"PORTABLE_EXECUTABLE" 514 | }, 515 | { 516 | "Field":"path", 517 | "Operator":"MatchInList", 518 | "Value":"InfectibleFiles" 519 | } 520 | ] 521 | } 522 | ] 523 | } 524 | ] 525 | }, 526 | { 527 | "BooleanOperator":"And", 528 | "Conditions":[ 529 | { 530 | "Field":"path", 531 | "Operator":"Match", 532 | "Value":"*\\\\windows\\\\temp*" 533 | }, 534 | { 535 | "Field":"path", 536 | "Operator":"Match", 537 | "Value":"*debug.bin" 538 | } 539 | ] 540 | } 541 | ] 542 | }, 543 | "EventType":"ee995091a1984308b1a50e8f30c2465e" 544 | }, 545 | { 546 | "BaseEventType":7, 547 | "Condition":{ 548 | "BooleanOperator":"And", 549 | "Conditions":[ 550 | { 551 | "BooleanOperator":"Or", 552 | "Conditions":[ 553 | { 554 | "Field":"parentProcessPath", 555 | "Operator":"MatchInList", 556 | "Value":"WriteFileWhiteList" 557 | }, 558 | { 559 | "Field":"parentVerdict", 560 | "Operator":"!Equal", 561 | "Value":1 562 | }, 563 | { 564 | "BooleanOperator":"And", 565 | "Conditions":[ 566 | { 567 | "Field":"parentProcessPath", 568 | "Operator":"!MatchInList", 569 | "Value":"WriteFileBlackList" 570 | }, 571 | { 572 | "Field":"parentProcessPath", 573 | "Operator":"!Match", 574 | "Value":"%systemroot%\\*" 575 | }, 576 | { 577 | "BooleanOperator":"Or", 578 | "Conditions":[ 579 | { 580 | "Field":"ftype", 581 | "Operator":"Equal", 582 | "Value":"PORTABLE_EXECUTABLE" 583 | }, 584 | { 585 | "Field":"path", 586 | "Operator":"MatchInList", 587 | "Value":"InfectibleFiles" 588 | } 589 | ] 590 | } 591 | ] 592 | } 593 | ] 594 | }, 595 | { 596 | "BooleanOperator":"And", 597 | "Conditions":[ 598 | { 599 | "Field":"parentProcessPath", 600 | "Operator":"Match", 601 | "Value":"*windows*" 602 | }, 603 | { 604 | "Field":"path", 605 | "Operator":"Match", 606 | "Value":"*memory.dmp" 607 | } 608 | ] 609 | } 610 | ] 611 | }, 612 | "EventType":"3b88a84d13254e96bc31733807a04b7f" 613 | }, 614 | { 615 | "BaseEventType":7, 616 | "Condition":{ 617 | "BooleanOperator":"And", 618 | "Conditions":[ 619 | { 620 | "BooleanOperator":"Or", 621 | "Conditions":[ 622 | { 623 | "Field":"parentProcessPath", 624 | "Operator":"MatchInList", 625 | "Value":"WriteFileWhiteList" 626 | }, 627 | { 628 | "Field":"parentVerdict", 629 | "Operator":"!Equal", 630 | "Value":1 631 | }, 632 | { 633 | "BooleanOperator":"And", 634 | "Conditions":[ 635 | { 636 | "Field":"parentProcessPath", 637 | "Operator":"!MatchInList", 638 | "Value":"WriteFileBlackList" 639 | }, 640 | { 641 | "Field":"parentProcessPath", 642 | "Operator":"!Match", 643 | "Value":"%systemroot%\\*" 644 | }, 645 | { 646 | "BooleanOperator":"Or", 647 | "Conditions":[ 648 | { 649 | "Field":"ftype", 650 | "Operator":"Equal", 651 | "Value":"PORTABLE_EXECUTABLE" 652 | }, 653 | { 654 | "Field":"path", 655 | "Operator":"MatchInList", 656 | "Value":"InfectibleFiles" 657 | } 658 | ] 659 | } 660 | ] 661 | } 662 | ] 663 | }, 664 | { 665 | "BooleanOperator":"And", 666 | "Conditions":[ 667 | { 668 | "Field":"parentProcessPath", 669 | "Operator":"Match", 670 | "Value":"*excavator.exe" 671 | }, 672 | { 673 | "Field":"path", 674 | "Operator":"Match", 675 | "Value":"*memory.dmp" 676 | } 677 | ] 678 | } 679 | ] 680 | }, 681 | "EventType":"6e218a32ad814d0290dfa206812e529b" 682 | }, 683 | { 684 | "BaseEventType":7, 685 | "Condition":{ 686 | "BooleanOperator":"And", 687 | "Conditions":[ 688 | { 689 | "BooleanOperator":"Or", 690 | "Conditions":[ 691 | { 692 | "Field":"parentProcessPath", 693 | "Operator":"MatchInList", 694 | "Value":"WriteFileWhiteList" 695 | }, 696 | { 697 | "Field":"parentVerdict", 698 | "Operator":"!Equal", 699 | "Value":1 700 | }, 701 | { 702 | "BooleanOperator":"And", 703 | "Conditions":[ 704 | { 705 | "Field":"parentProcessPath", 706 | "Operator":"!MatchInList", 707 | "Value":"WriteFileBlackList" 708 | }, 709 | { 710 | "Field":"parentProcessPath", 711 | "Operator":"!Match", 712 | "Value":"%systemroot%\\*" 713 | }, 714 | { 715 | "BooleanOperator":"Or", 716 | "Conditions":[ 717 | { 718 | "Field":"ftype", 719 | "Operator":"Equal", 720 | "Value":"PORTABLE_EXECUTABLE" 721 | }, 722 | { 723 | "Field":"path", 724 | "Operator":"MatchInList", 725 | "Value":"InfectibleFiles" 726 | } 727 | ] 728 | } 729 | ] 730 | } 731 | ] 732 | }, 733 | { 734 | "BooleanOperator":"And", 735 | "Conditions":[ 736 | { 737 | "BooleanOperator":"Or", 738 | "Conditions":[ 739 | { 740 | "Field":"parentProcessPath", 741 | "Operator":"Match", 742 | "Value":"*wscript.exe" 743 | }, 744 | { 745 | "Field":"parentProcessPath", 746 | "Operator":"Match", 747 | "Value":"*cscript.exe" 748 | } 749 | ] 750 | }, 751 | { 752 | "Field":"path", 753 | "Operator":"Match", 754 | "Value":"*\\start menu\\programs\\startup*" 755 | } 756 | ] 757 | } 758 | ] 759 | }, 760 | "EventType":"2eb42f82cc534183ad605bf62286f5a8" 761 | }, 762 | { 763 | "BaseEventType":7, 764 | "Condition":{ 765 | "BooleanOperator":"And", 766 | "Conditions":[ 767 | { 768 | "BooleanOperator":"Or", 769 | "Conditions":[ 770 | { 771 | "Field":"parentProcessPath", 772 | "Operator":"MatchInList", 773 | "Value":"WriteFileWhiteList" 774 | }, 775 | { 776 | "Field":"parentVerdict", 777 | "Operator":"!Equal", 778 | "Value":1 779 | }, 780 | { 781 | "BooleanOperator":"And", 782 | "Conditions":[ 783 | { 784 | "Field":"parentProcessPath", 785 | "Operator":"!MatchInList", 786 | "Value":"WriteFileBlackList" 787 | }, 788 | { 789 | "Field":"parentProcessPath", 790 | "Operator":"!Match", 791 | "Value":"%systemroot%\\*" 792 | }, 793 | { 794 | "BooleanOperator":"Or", 795 | "Conditions":[ 796 | { 797 | "Field":"ftype", 798 | "Operator":"Equal", 799 | "Value":"PORTABLE_EXECUTABLE" 800 | }, 801 | { 802 | "Field":"path", 803 | "Operator":"MatchInList", 804 | "Value":"InfectibleFiles" 805 | } 806 | ] 807 | } 808 | ] 809 | } 810 | ] 811 | }, 812 | { 813 | "Field":"path", 814 | "Operator":"Equal", 815 | "Value":"%systemroot%\\system32\\drivers\\etc\\hosts" 816 | } 817 | ] 818 | }, 819 | "EventType":"e5f2004c86be4397acd5be606de6b9f0" 820 | }, 821 | { 822 | "BaseEventType":7, 823 | "Condition":{ 824 | "BooleanOperator":"And", 825 | "Conditions":[ 826 | { 827 | "BooleanOperator":"Or", 828 | "Conditions":[ 829 | { 830 | "Field":"parentProcessPath", 831 | "Operator":"MatchInList", 832 | "Value":"WriteFileWhiteList" 833 | }, 834 | { 835 | "Field":"parentVerdict", 836 | "Operator":"!Equal", 837 | "Value":1 838 | }, 839 | { 840 | "BooleanOperator":"And", 841 | "Conditions":[ 842 | { 843 | "Field":"parentProcessPath", 844 | "Operator":"!MatchInList", 845 | "Value":"WriteFileBlackList" 846 | }, 847 | { 848 | "Field":"parentProcessPath", 849 | "Operator":"!Match", 850 | "Value":"%systemroot%\\*" 851 | }, 852 | { 853 | "BooleanOperator":"Or", 854 | "Conditions":[ 855 | { 856 | "Field":"ftype", 857 | "Operator":"Equal", 858 | "Value":"PORTABLE_EXECUTABLE" 859 | }, 860 | { 861 | "Field":"path", 862 | "Operator":"MatchInList", 863 | "Value":"InfectibleFiles" 864 | } 865 | ] 866 | } 867 | ] 868 | } 869 | ] 870 | }, 871 | { 872 | "BooleanOperator":"Or", 873 | "Conditions":[ 874 | { 875 | "Field":"path", 876 | "Operator":"Match", 877 | "Value":"%systemroot%\\System32\\Tasks*" 878 | }, 879 | { 880 | "Field":"path", 881 | "Operator":"Match", 882 | "Value":"%systemroot%\\Tasks*" 883 | } 884 | ] 885 | } 886 | ] 887 | }, 888 | "EventType":"830d52dec2ac455a8d453b2b708e8da7" 889 | }, 890 | { 891 | "BaseEventType":7, 892 | "Condition":{ 893 | "BooleanOperator":"And", 894 | "Conditions":[ 895 | { 896 | "BooleanOperator":"Or", 897 | "Conditions":[ 898 | { 899 | "Field":"parentProcessPath", 900 | "Operator":"MatchInList", 901 | "Value":"WriteFileWhiteList" 902 | }, 903 | { 904 | "Field":"parentVerdict", 905 | "Operator":"!Equal", 906 | "Value":1 907 | }, 908 | { 909 | "BooleanOperator":"And", 910 | "Conditions":[ 911 | { 912 | "Field":"parentProcessPath", 913 | "Operator":"!MatchInList", 914 | "Value":"WriteFileBlackList" 915 | }, 916 | { 917 | "Field":"parentProcessPath", 918 | "Operator":"!Match", 919 | "Value":"%systemroot%\\*" 920 | }, 921 | { 922 | "BooleanOperator":"Or", 923 | "Conditions":[ 924 | { 925 | "Field":"ftype", 926 | "Operator":"Equal", 927 | "Value":"PORTABLE_EXECUTABLE" 928 | }, 929 | { 930 | "Field":"path", 931 | "Operator":"MatchInList", 932 | "Value":"InfectibleFiles" 933 | } 934 | ] 935 | } 936 | ] 937 | } 938 | ] 939 | }, 940 | { 941 | "BooleanOperator":"And", 942 | "Conditions":[ 943 | { 944 | "Field":"parentVerdict", 945 | "Operator":"!Equal", 946 | "Value":1 947 | }, 948 | { 949 | "Field":"ftype", 950 | "Operator":"Equal", 951 | "Value":"PORTABLE_EXECUTABLE" 952 | } 953 | ] 954 | } 955 | ] 956 | }, 957 | "EventType":"8eec359729ae43ce943823debeaf2ded" 958 | }, 959 | { 960 | "BaseEventType":7, 961 | "Condition":{ 962 | "BooleanOperator":"And", 963 | "Conditions":[ 964 | { 965 | "BooleanOperator":"Or", 966 | "Conditions":[ 967 | { 968 | "Field":"parentProcessPath", 969 | "Operator":"MatchInList", 970 | "Value":"WriteFileWhiteList" 971 | }, 972 | { 973 | "Field":"parentVerdict", 974 | "Operator":"!Equal", 975 | "Value":1 976 | }, 977 | { 978 | "BooleanOperator":"And", 979 | "Conditions":[ 980 | { 981 | "Field":"parentProcessPath", 982 | "Operator":"!MatchInList", 983 | "Value":"WriteFileBlackList" 984 | }, 985 | { 986 | "Field":"parentProcessPath", 987 | "Operator":"!Match", 988 | "Value":"%systemroot%\\*" 989 | }, 990 | { 991 | "BooleanOperator":"Or", 992 | "Conditions":[ 993 | { 994 | "Field":"ftype", 995 | "Operator":"Equal", 996 | "Value":"PORTABLE_EXECUTABLE" 997 | }, 998 | { 999 | "Field":"path", 1000 | "Operator":"MatchInList", 1001 | "Value":"InfectibleFiles" 1002 | } 1003 | ] 1004 | } 1005 | ] 1006 | } 1007 | ] 1008 | }, 1009 | { 1010 | "BooleanOperator":"Or", 1011 | "Conditions":[ 1012 | { 1013 | "Field":"path", 1014 | "Operator":"Match", 1015 | "Value":"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" 1016 | }, 1017 | { 1018 | "Field":"path", 1019 | "Operator":"Match", 1020 | "Value":"%programdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" 1021 | }, 1022 | { 1023 | "Field":"path", 1024 | "Operator":"Match", 1025 | "Value":"%systemroot%\\system\\iosubsys\\*" 1026 | }, 1027 | { 1028 | "Field":"path", 1029 | "Operator":"Match", 1030 | "Value":"%systemroot%\\system\\vmm32\\*" 1031 | }, 1032 | { 1033 | "Field":"path", 1034 | "Operator":"Match", 1035 | "Value":"%systemroot%\\Tasks\\*" 1036 | }, 1037 | { 1038 | "Field":"path", 1039 | "Operator":"Equal", 1040 | "Value":"%systemdrive%\\autoexec.bat" 1041 | }, 1042 | { 1043 | "Field":"path", 1044 | "Operator":"Equal", 1045 | "Value":"%systemdrive%\\config.sys" 1046 | }, 1047 | { 1048 | "Field":"path", 1049 | "Operator":"Equal", 1050 | "Value":"%systemroot%\\wininit.ini" 1051 | }, 1052 | { 1053 | "Field":"path", 1054 | "Operator":"Equal", 1055 | "Value":"%systemroot%\\winstart.bat" 1056 | }, 1057 | { 1058 | "Field":"path", 1059 | "Operator":"Equal", 1060 | "Value":"%systemroot%\\win.ini" 1061 | }, 1062 | { 1063 | "Field":"path", 1064 | "Operator":"Equal", 1065 | "Value":"%systemroot%\\system.ini" 1066 | }, 1067 | { 1068 | "Field":"path", 1069 | "Operator":"Equal", 1070 | "Value":"%systemroot%\\dosstart.bat" 1071 | } 1072 | ] 1073 | } 1074 | ] 1075 | }, 1076 | "EventType":"891c444fba4d4ac8b579e5be334c61af" 1077 | }, 1078 | { 1079 | "BaseEventType":7, 1080 | "Condition":{ 1081 | "BooleanOperator":"And", 1082 | "Conditions":[ 1083 | { 1084 | "BooleanOperator":"Or", 1085 | "Conditions":[ 1086 | { 1087 | "Field":"parentProcessPath", 1088 | "Operator":"MatchInList", 1089 | "Value":"WriteFileWhiteList" 1090 | }, 1091 | { 1092 | "Field":"parentVerdict", 1093 | "Operator":"!Equal", 1094 | "Value":1 1095 | }, 1096 | { 1097 | "BooleanOperator":"And", 1098 | "Conditions":[ 1099 | { 1100 | "Field":"parentProcessPath", 1101 | "Operator":"!MatchInList", 1102 | "Value":"WriteFileBlackList" 1103 | }, 1104 | { 1105 | "Field":"parentProcessPath", 1106 | "Operator":"!Match", 1107 | "Value":"%systemroot%\\*" 1108 | }, 1109 | { 1110 | "BooleanOperator":"Or", 1111 | "Conditions":[ 1112 | { 1113 | "Field":"ftype", 1114 | "Operator":"Equal", 1115 | "Value":"PORTABLE_EXECUTABLE" 1116 | }, 1117 | { 1118 | "Field":"path", 1119 | "Operator":"MatchInList", 1120 | "Value":"InfectibleFiles" 1121 | } 1122 | ] 1123 | } 1124 | ] 1125 | } 1126 | ] 1127 | }, 1128 | { 1129 | "Field":"path", 1130 | "Operator":"Match", 1131 | "Value":"*.exe" 1132 | } 1133 | ] 1134 | }, 1135 | "EventType":"da049d853bbd44fc9d121de733800af1" 1136 | }, 1137 | { 1138 | "BaseEventType":7, 1139 | "Condition":{ 1140 | "BooleanOperator":"And", 1141 | "Conditions":[ 1142 | { 1143 | "BooleanOperator":"Or", 1144 | "Conditions":[ 1145 | { 1146 | "Field":"parentProcessPath", 1147 | "Operator":"MatchInList", 1148 | "Value":"WriteFileWhiteList" 1149 | }, 1150 | { 1151 | "Field":"parentVerdict", 1152 | "Operator":"!Equal", 1153 | "Value":1 1154 | }, 1155 | { 1156 | "BooleanOperator":"And", 1157 | "Conditions":[ 1158 | { 1159 | "Field":"parentProcessPath", 1160 | "Operator":"!MatchInList", 1161 | "Value":"WriteFileBlackList" 1162 | }, 1163 | { 1164 | "Field":"parentProcessPath", 1165 | "Operator":"!Match", 1166 | "Value":"%systemroot%\\*" 1167 | }, 1168 | { 1169 | "BooleanOperator":"Or", 1170 | "Conditions":[ 1171 | { 1172 | "Field":"ftype", 1173 | "Operator":"Equal", 1174 | "Value":"PORTABLE_EXECUTABLE" 1175 | }, 1176 | { 1177 | "Field":"path", 1178 | "Operator":"MatchInList", 1179 | "Value":"InfectibleFiles" 1180 | } 1181 | ] 1182 | } 1183 | ] 1184 | } 1185 | ] 1186 | }, 1187 | { 1188 | "Field":"path", 1189 | "Operator":"Match", 1190 | "Value":".cmd" 1191 | } 1192 | ] 1193 | }, 1194 | "EventType":"fb8abd2d071c4066892faf2389c5ed66" 1195 | }, 1196 | { 1197 | "BaseEventType":7, 1198 | "Condition":{ 1199 | "BooleanOperator":"And", 1200 | "Conditions":[ 1201 | { 1202 | "BooleanOperator":"Or", 1203 | "Conditions":[ 1204 | { 1205 | "Field":"parentProcessPath", 1206 | "Operator":"MatchInList", 1207 | "Value":"WriteFileWhiteList" 1208 | }, 1209 | { 1210 | "Field":"parentVerdict", 1211 | "Operator":"!Equal", 1212 | "Value":1 1213 | }, 1214 | { 1215 | "BooleanOperator":"And", 1216 | "Conditions":[ 1217 | { 1218 | "Field":"parentProcessPath", 1219 | "Operator":"!MatchInList", 1220 | "Value":"WriteFileBlackList" 1221 | }, 1222 | { 1223 | "Field":"parentProcessPath", 1224 | "Operator":"!Match", 1225 | "Value":"%systemroot%\\*" 1226 | }, 1227 | { 1228 | "BooleanOperator":"Or", 1229 | "Conditions":[ 1230 | { 1231 | "Field":"ftype", 1232 | "Operator":"Equal", 1233 | "Value":"PORTABLE_EXECUTABLE" 1234 | }, 1235 | { 1236 | "Field":"path", 1237 | "Operator":"MatchInList", 1238 | "Value":"InfectibleFiles" 1239 | } 1240 | ] 1241 | } 1242 | ] 1243 | } 1244 | ] 1245 | }, 1246 | { 1247 | "Field":"path", 1248 | "Operator":"Match", 1249 | "Value":"*.cert" 1250 | } 1251 | ] 1252 | }, 1253 | "EventType":"c5c70bd1fafc4bbea6d562d43a305b81" 1254 | }, 1255 | { 1256 | "BaseEventType":7, 1257 | "Condition":{ 1258 | "BooleanOperator":"And", 1259 | "Conditions":[ 1260 | { 1261 | "BooleanOperator":"Or", 1262 | "Conditions":[ 1263 | { 1264 | "Field":"parentProcessPath", 1265 | "Operator":"MatchInList", 1266 | "Value":"WriteFileWhiteList" 1267 | }, 1268 | { 1269 | "Field":"parentVerdict", 1270 | "Operator":"!Equal", 1271 | "Value":1 1272 | }, 1273 | { 1274 | "BooleanOperator":"And", 1275 | "Conditions":[ 1276 | { 1277 | "Field":"parentProcessPath", 1278 | "Operator":"!MatchInList", 1279 | "Value":"WriteFileBlackList" 1280 | }, 1281 | { 1282 | "Field":"parentProcessPath", 1283 | "Operator":"!Match", 1284 | "Value":"%systemroot%\\*" 1285 | }, 1286 | { 1287 | "BooleanOperator":"Or", 1288 | "Conditions":[ 1289 | { 1290 | "Field":"ftype", 1291 | "Operator":"Equal", 1292 | "Value":"PORTABLE_EXECUTABLE" 1293 | }, 1294 | { 1295 | "Field":"path", 1296 | "Operator":"MatchInList", 1297 | "Value":"InfectibleFiles" 1298 | } 1299 | ] 1300 | } 1301 | ] 1302 | } 1303 | ] 1304 | }, 1305 | { 1306 | "BooleanOperator":"Or", 1307 | "Conditions":[ 1308 | { 1309 | "Field":"path", 1310 | "Operator":"Match", 1311 | "Value":"%systemroot%\\system32\\grouppolicy\\*" 1312 | }, 1313 | { 1314 | "Field":"path", 1315 | "Operator":"Match", 1316 | "Value":"%systemroot%\\Sysvol\\sysvol\\*\\Policies\\*" 1317 | } 1318 | ] 1319 | } 1320 | ] 1321 | }, 1322 | "EventType":"c04f8af3bab54d029834e66b94e7b966" 1323 | }, 1324 | { 1325 | "BaseEventType":7, 1326 | "Condition":{ 1327 | "BooleanOperator":"And", 1328 | "Conditions":[ 1329 | { 1330 | "BooleanOperator":"Or", 1331 | "Conditions":[ 1332 | { 1333 | "Field":"parentProcessPath", 1334 | "Operator":"MatchInList", 1335 | "Value":"WriteFileWhiteList" 1336 | }, 1337 | { 1338 | "Field":"parentVerdict", 1339 | "Operator":"!Equal", 1340 | "Value":1 1341 | }, 1342 | { 1343 | "BooleanOperator":"And", 1344 | "Conditions":[ 1345 | { 1346 | "Field":"parentProcessPath", 1347 | "Operator":"!MatchInList", 1348 | "Value":"WriteFileBlackList" 1349 | }, 1350 | { 1351 | "Field":"parentProcessPath", 1352 | "Operator":"!Match", 1353 | "Value":"%systemroot%\\*" 1354 | }, 1355 | { 1356 | "BooleanOperator":"Or", 1357 | "Conditions":[ 1358 | { 1359 | "Field":"ftype", 1360 | "Operator":"Equal", 1361 | "Value":"PORTABLE_EXECUTABLE" 1362 | }, 1363 | { 1364 | "Field":"path", 1365 | "Operator":"MatchInList", 1366 | "Value":"InfectibleFiles" 1367 | } 1368 | ] 1369 | } 1370 | ] 1371 | } 1372 | ] 1373 | }, 1374 | { 1375 | "Field":"path", 1376 | "Operator":"Match", 1377 | "Value":"*.bat" 1378 | } 1379 | ] 1380 | }, 1381 | "EventType":"b7951c3ece94475db9d55d4a39443939" 1382 | }, 1383 | { 1384 | "BaseEventType":7, 1385 | "Condition":{ 1386 | "BooleanOperator":"And", 1387 | "Conditions":[ 1388 | { 1389 | "BooleanOperator":"Or", 1390 | "Conditions":[ 1391 | { 1392 | "Field":"parentProcessPath", 1393 | "Operator":"MatchInList", 1394 | "Value":"WriteFileWhiteList" 1395 | }, 1396 | { 1397 | "Field":"parentVerdict", 1398 | "Operator":"!Equal", 1399 | "Value":1 1400 | }, 1401 | { 1402 | "BooleanOperator":"And", 1403 | "Conditions":[ 1404 | { 1405 | "Field":"parentProcessPath", 1406 | "Operator":"!MatchInList", 1407 | "Value":"WriteFileBlackList" 1408 | }, 1409 | { 1410 | "Field":"parentProcessPath", 1411 | "Operator":"!Match", 1412 | "Value":"%systemroot%\\*" 1413 | }, 1414 | { 1415 | "BooleanOperator":"Or", 1416 | "Conditions":[ 1417 | { 1418 | "Field":"ftype", 1419 | "Operator":"Equal", 1420 | "Value":"PORTABLE_EXECUTABLE" 1421 | }, 1422 | { 1423 | "Field":"path", 1424 | "Operator":"MatchInList", 1425 | "Value":"InfectibleFiles" 1426 | } 1427 | ] 1428 | } 1429 | ] 1430 | } 1431 | ] 1432 | }, 1433 | { 1434 | "Field":"path", 1435 | "Operator":"Match", 1436 | "Value":"*.dll" 1437 | } 1438 | ] 1439 | }, 1440 | "EventType":"a02fd5fc871946268191721320e433a8" 1441 | }, 1442 | { 1443 | "BaseEventType":7, 1444 | "Condition":{ 1445 | "BooleanOperator":"And", 1446 | "Conditions":[ 1447 | { 1448 | "BooleanOperator":"Or", 1449 | "Conditions":[ 1450 | { 1451 | "Field":"parentProcessPath", 1452 | "Operator":"MatchInList", 1453 | "Value":"WriteFileWhiteList" 1454 | }, 1455 | { 1456 | "Field":"parentVerdict", 1457 | "Operator":"!Equal", 1458 | "Value":1 1459 | }, 1460 | { 1461 | "BooleanOperator":"And", 1462 | "Conditions":[ 1463 | { 1464 | "Field":"parentProcessPath", 1465 | "Operator":"!MatchInList", 1466 | "Value":"WriteFileBlackList" 1467 | }, 1468 | { 1469 | "Field":"parentProcessPath", 1470 | "Operator":"!Match", 1471 | "Value":"%systemroot%\\*" 1472 | }, 1473 | { 1474 | "BooleanOperator":"Or", 1475 | "Conditions":[ 1476 | { 1477 | "Field":"ftype", 1478 | "Operator":"Equal", 1479 | "Value":"PORTABLE_EXECUTABLE" 1480 | }, 1481 | { 1482 | "Field":"path", 1483 | "Operator":"MatchInList", 1484 | "Value":"InfectibleFiles" 1485 | } 1486 | ] 1487 | } 1488 | ] 1489 | } 1490 | ] 1491 | }, 1492 | { 1493 | "Field":"path", 1494 | "Operator":"Match", 1495 | "Value":".sys" 1496 | } 1497 | ] 1498 | }, 1499 | "EventType":"9589d76e7cf84e3887afed92030265c1" 1500 | }, 1501 | { 1502 | "BaseEventType":7, 1503 | "Condition":{ 1504 | "BooleanOperator":"And", 1505 | "Conditions":[ 1506 | { 1507 | "BooleanOperator":"Or", 1508 | "Conditions":[ 1509 | { 1510 | "Field":"parentProcessPath", 1511 | "Operator":"MatchInList", 1512 | "Value":"WriteFileWhiteList" 1513 | }, 1514 | { 1515 | "Field":"parentVerdict", 1516 | "Operator":"!Equal", 1517 | "Value":1 1518 | }, 1519 | { 1520 | "BooleanOperator":"And", 1521 | "Conditions":[ 1522 | { 1523 | "Field":"parentProcessPath", 1524 | "Operator":"!MatchInList", 1525 | "Value":"WriteFileBlackList" 1526 | }, 1527 | { 1528 | "Field":"parentProcessPath", 1529 | "Operator":"!Match", 1530 | "Value":"%systemroot%\\*" 1531 | }, 1532 | { 1533 | "BooleanOperator":"Or", 1534 | "Conditions":[ 1535 | { 1536 | "Field":"ftype", 1537 | "Operator":"Equal", 1538 | "Value":"PORTABLE_EXECUTABLE" 1539 | }, 1540 | { 1541 | "Field":"path", 1542 | "Operator":"MatchInList", 1543 | "Value":"InfectibleFiles" 1544 | } 1545 | ] 1546 | } 1547 | ] 1548 | } 1549 | ] 1550 | }, 1551 | { 1552 | "BooleanOperator":"And", 1553 | "Conditions":[ 1554 | { 1555 | "Field":"parentProcessPath", 1556 | "Operator":"!Match", 1557 | "Value":"*PSScriptPolicyTest*" 1558 | }, 1559 | { 1560 | "BooleanOperator":"Or", 1561 | "Conditions":[ 1562 | { 1563 | "Field":"path", 1564 | "Operator":"Match", 1565 | "Value":"*.ps1" 1566 | }, 1567 | { 1568 | "Field":"path", 1569 | "Operator":"Match", 1570 | "Value":"*.psm1" 1571 | } 1572 | ] 1573 | } 1574 | ] 1575 | } 1576 | ] 1577 | }, 1578 | "EventType":"3e754a26ae4a48da96519fb891bee53c" 1579 | }, 1580 | { 1581 | "BaseEventType":7, 1582 | "Condition":{ 1583 | "BooleanOperator":"And", 1584 | "Conditions":[ 1585 | { 1586 | "BooleanOperator":"Or", 1587 | "Conditions":[ 1588 | { 1589 | "Field":"parentProcessPath", 1590 | "Operator":"MatchInList", 1591 | "Value":"WriteFileWhiteList" 1592 | }, 1593 | { 1594 | "Field":"parentVerdict", 1595 | "Operator":"!Equal", 1596 | "Value":1 1597 | }, 1598 | { 1599 | "BooleanOperator":"And", 1600 | "Conditions":[ 1601 | { 1602 | "Field":"parentProcessPath", 1603 | "Operator":"!MatchInList", 1604 | "Value":"WriteFileBlackList" 1605 | }, 1606 | { 1607 | "Field":"parentProcessPath", 1608 | "Operator":"!Match", 1609 | "Value":"%systemroot%\\*" 1610 | }, 1611 | { 1612 | "BooleanOperator":"Or", 1613 | "Conditions":[ 1614 | { 1615 | "Field":"ftype", 1616 | "Operator":"Equal", 1617 | "Value":"PORTABLE_EXECUTABLE" 1618 | }, 1619 | { 1620 | "Field":"path", 1621 | "Operator":"MatchInList", 1622 | "Value":"InfectibleFiles" 1623 | } 1624 | ] 1625 | } 1626 | ] 1627 | } 1628 | ] 1629 | }, 1630 | { 1631 | "Field":"path", 1632 | "Operator":"Match", 1633 | "Value":"*.jar" 1634 | } 1635 | ] 1636 | }, 1637 | "EventType":"0fcf32c71112477b92377f65a8f23566" 1638 | }, 1639 | { 1640 | "BaseEventType":7, 1641 | "Condition":{ 1642 | "BooleanOperator":"And", 1643 | "Conditions":[ 1644 | { 1645 | "BooleanOperator":"Or", 1646 | "Conditions":[ 1647 | { 1648 | "Field":"parentProcessPath", 1649 | "Operator":"MatchInList", 1650 | "Value":"WriteFileWhiteList" 1651 | }, 1652 | { 1653 | "Field":"parentVerdict", 1654 | "Operator":"!Equal", 1655 | "Value":1 1656 | }, 1657 | { 1658 | "BooleanOperator":"And", 1659 | "Conditions":[ 1660 | { 1661 | "Field":"parentProcessPath", 1662 | "Operator":"!MatchInList", 1663 | "Value":"WriteFileBlackList" 1664 | }, 1665 | { 1666 | "Field":"parentProcessPath", 1667 | "Operator":"!Match", 1668 | "Value":"%systemroot%\\*" 1669 | }, 1670 | { 1671 | "BooleanOperator":"Or", 1672 | "Conditions":[ 1673 | { 1674 | "Field":"ftype", 1675 | "Operator":"Equal", 1676 | "Value":"PORTABLE_EXECUTABLE" 1677 | }, 1678 | { 1679 | "Field":"path", 1680 | "Operator":"MatchInList", 1681 | "Value":"InfectibleFiles" 1682 | } 1683 | ] 1684 | } 1685 | ] 1686 | } 1687 | ] 1688 | }, 1689 | { 1690 | "Field":"path", 1691 | "Operator":"Match", 1692 | "Value":"*.sfx" 1693 | } 1694 | ] 1695 | }, 1696 | "EventType":"075d820a2d6641d296461d94ba41c8ab" 1697 | }, 1698 | { 1699 | "BaseEventType":7, 1700 | "Condition":{ 1701 | "BooleanOperator":"Or", 1702 | "Conditions":[ 1703 | { 1704 | "Field":"parentProcessPath", 1705 | "Operator":"MatchInList", 1706 | "Value":"WriteFileWhiteList" 1707 | }, 1708 | { 1709 | "Field":"parentVerdict", 1710 | "Operator":"!Equal", 1711 | "Value":1 1712 | }, 1713 | { 1714 | "BooleanOperator":"And", 1715 | "Conditions":[ 1716 | { 1717 | "Field":"parentProcessPath", 1718 | "Operator":"!MatchInList", 1719 | "Value":"WriteFileBlackList" 1720 | }, 1721 | { 1722 | "Field":"parentProcessPath", 1723 | "Operator":"!Match", 1724 | "Value":"%systemroot%\\*" 1725 | }, 1726 | { 1727 | "BooleanOperator":"Or", 1728 | "Conditions":[ 1729 | { 1730 | "Field":"ftype", 1731 | "Operator":"Equal", 1732 | "Value":"PORTABLE_EXECUTABLE" 1733 | }, 1734 | { 1735 | "Field":"path", 1736 | "Operator":"MatchInList", 1737 | "Value":"InfectibleFiles" 1738 | } 1739 | ] 1740 | } 1741 | ] 1742 | } 1743 | ] 1744 | }, 1745 | "EventType":null 1746 | } 1747 | ], 1748 | "RF11":[ 1749 | { 1750 | "BaseEventType":10, 1751 | "EventType":null 1752 | } 1753 | ], 1754 | "RF12":[ 1755 | { 1756 | "BaseEventType":11, 1757 | "EventType":null 1758 | } 1759 | ], 1760 | "RF13":[ 1761 | { 1762 | "BaseEventType":13, 1763 | "Condition":{ 1764 | "BooleanOperator":"Or", 1765 | "Conditions":[ 1766 | { 1767 | "Field":"path", 1768 | "Operator":"Match", 1769 | "Value":"*.lnk" 1770 | }, 1771 | { 1772 | "Field":"path", 1773 | "Operator":"Match", 1774 | "Value":"*.wsf" 1775 | }, 1776 | { 1777 | "Field":"path", 1778 | "Operator":"Match", 1779 | "Value":"*.hta" 1780 | }, 1781 | { 1782 | "Field":"path", 1783 | "Operator":"Match", 1784 | "Value":"*.mhtml" 1785 | }, 1786 | { 1787 | "Field":"path", 1788 | "Operator":"Match", 1789 | "Value":"*.html" 1790 | }, 1791 | { 1792 | "Field":"path", 1793 | "Operator":"Match", 1794 | "Value":"*.doc" 1795 | }, 1796 | { 1797 | "Field":"path", 1798 | "Operator":"Match", 1799 | "Value":"*.docm" 1800 | }, 1801 | { 1802 | "Field":"path", 1803 | "Operator":"Match", 1804 | "Value":"*.xls" 1805 | }, 1806 | { 1807 | "Field":"path", 1808 | "Operator":"Match", 1809 | "Value":"*.xlsm" 1810 | }, 1811 | { 1812 | "Field":"path", 1813 | "Operator":"Match", 1814 | "Value":"*.ppt" 1815 | }, 1816 | { 1817 | "Field":"path", 1818 | "Operator":"Match", 1819 | "Value":"*.pptm" 1820 | }, 1821 | { 1822 | "Field":"path", 1823 | "Operator":"Match", 1824 | "Value":"*.chm" 1825 | }, 1826 | { 1827 | "Field":"path", 1828 | "Operator":"Match", 1829 | "Value":"*.vbs" 1830 | }, 1831 | { 1832 | "Field":"path", 1833 | "Operator":"Match", 1834 | "Value":"*.js" 1835 | }, 1836 | { 1837 | "Field":"path", 1838 | "Operator":"Match", 1839 | "Value":"*.bat" 1840 | }, 1841 | { 1842 | "Field":"path", 1843 | "Operator":"Match", 1844 | "Value":"*.pif" 1845 | }, 1846 | { 1847 | "Field":"path", 1848 | "Operator":"Match", 1849 | "Value":"*.pdf" 1850 | }, 1851 | { 1852 | "Field":"path", 1853 | "Operator":"Match", 1854 | "Value":"*.jar" 1855 | }, 1856 | { 1857 | "Field":"path", 1858 | "Operator":"Match", 1859 | "Value":"*.sys" 1860 | } 1861 | ] 1862 | }, 1863 | "EventType":"c31b7646ef5244c893998266532cb53a" 1864 | }, 1865 | { 1866 | "BaseEventType":13, 1867 | "Condition":{ 1868 | "Field":"ftype", 1869 | "Operator":"Equal", 1870 | "Value":"PORTABLE_EXECUTABLE" 1871 | }, 1872 | "EventType":"7231096a33aa4720ae4a3ea6445aef7a" 1873 | }, 1874 | { 1875 | "BaseEventType":13, 1876 | "EventType":null 1877 | } 1878 | ], 1879 | "RF14":[ 1880 | { 1881 | "BaseEventType":14, 1882 | "EventType":null 1883 | } 1884 | ], 1885 | "RF2":[ 1886 | 1887 | ], 1888 | "RF3":[ 1889 | 1890 | ], 1891 | "RF4":[ 1892 | { 1893 | "BaseEventType":8, 1894 | "Condition":{ 1895 | "BooleanOperator":"And", 1896 | "Conditions":[ 1897 | { 1898 | "Field":"path", 1899 | "Operator":"!Match", 1900 | "Value":"\\Device\\HarddiskVolumeShadowCopy*" 1901 | }, 1902 | { 1903 | "BooleanOperator":"Or", 1904 | "Conditions":[ 1905 | { 1906 | "Field":"parentProcessPath", 1907 | "Operator":"MatchInList", 1908 | "Value":"DeleteFileWhiteList" 1909 | }, 1910 | { 1911 | "Field":"path", 1912 | "Operator":"MatchInList", 1913 | "Value":"DeleteFileExtensions" 1914 | } 1915 | ] 1916 | } 1917 | ] 1918 | }, 1919 | "EventType":null 1920 | } 1921 | ], 1922 | "RF5":[ 1923 | 1924 | ], 1925 | "RF6":[ 1926 | 1927 | ], 1928 | "RF7":[ 1929 | 1930 | ], 1931 | "RF8":[ 1932 | 1933 | ], 1934 | "RF9":[ 1935 | 1936 | ], 1937 | "RN1":[ 1938 | { 1939 | "BaseEventType":2, 1940 | "Condition":{ 1941 | "BooleanOperator":"Or", 1942 | "Conditions":[ 1943 | { 1944 | "Field":"parentVerdict", 1945 | "Operator":"!Equal", 1946 | "Value":1 1947 | }, 1948 | { 1949 | "Field":"parentProcessPath", 1950 | "Operator":"Match", 1951 | "Value":"*\\powershell.exe" 1952 | } 1953 | ] 1954 | }, 1955 | "EventType":null 1956 | } 1957 | ], 1958 | "RN2":[ 1959 | { 1960 | "BaseEventType":3, 1961 | "Condition":{ 1962 | "BooleanOperator":"And", 1963 | "Conditions":[ 1964 | { 1965 | "BooleanOperator":"Or", 1966 | "Conditions":[ 1967 | { 1968 | "Field":"parentVerdict", 1969 | "Operator":"!Equal", 1970 | "Value":1 1971 | }, 1972 | { 1973 | "Field":"parentProcessPath", 1974 | "Operator":"Match", 1975 | "Value":"*\\powershell.exe" 1976 | } 1977 | ] 1978 | }, 1979 | { 1980 | "Field":"parentProcessPath", 1981 | "Operator":"Match", 1982 | "Value":"*verclsid.exe" 1983 | } 1984 | ] 1985 | }, 1986 | "EventType":"a2ca46c629a24841aa0bb704fd5fe605" 1987 | }, 1988 | { 1989 | "BaseEventType":3, 1990 | "Condition":{ 1991 | "BooleanOperator":"And", 1992 | "Conditions":[ 1993 | { 1994 | "BooleanOperator":"Or", 1995 | "Conditions":[ 1996 | { 1997 | "Field":"parentVerdict", 1998 | "Operator":"!Equal", 1999 | "Value":1 2000 | }, 2001 | { 2002 | "Field":"parentProcessPath", 2003 | "Operator":"Match", 2004 | "Value":"*\\powershell.exe" 2005 | } 2006 | ] 2007 | }, 2008 | { 2009 | "BooleanOperator":"Or", 2010 | "Conditions":[ 2011 | { 2012 | "Field":"transProto", 2013 | "Operator":"Equal", 2014 | "Value":0 2015 | }, 2016 | { 2017 | "Field":"transProto", 2018 | "Operator":"Equal", 2019 | "Value":1 2020 | }, 2021 | { 2022 | "Field":"transProto", 2023 | "Operator":"Equal", 2024 | "Value":2 2025 | } 2026 | ] 2027 | } 2028 | ] 2029 | }, 2030 | "EventType":"25c0e7ab30244b61a00dc3835e28a0da" 2031 | }, 2032 | { 2033 | "BaseEventType":3, 2034 | "Condition":{ 2035 | "BooleanOperator":"And", 2036 | "Conditions":[ 2037 | { 2038 | "BooleanOperator":"Or", 2039 | "Conditions":[ 2040 | { 2041 | "Field":"parentVerdict", 2042 | "Operator":"!Equal", 2043 | "Value":1 2044 | }, 2045 | { 2046 | "Field":"parentProcessPath", 2047 | "Operator":"Match", 2048 | "Value":"*\\powershell.exe" 2049 | } 2050 | ] 2051 | }, 2052 | { 2053 | "BooleanOperator":"And", 2054 | "Conditions":[ 2055 | { 2056 | "Field":"parentProcessPath", 2057 | "Operator":"Match", 2058 | "Value":"putty*" 2059 | }, 2060 | { 2061 | "BooleanOperator":"Or", 2062 | "Conditions":[ 2063 | { 2064 | "Field":"SrcPort", 2065 | "Operator":"Equal", 2066 | "Value":22 2067 | }, 2068 | { 2069 | "Field":"SrcPort", 2070 | "Operator":"Equal", 2071 | "Value":23 2072 | }, 2073 | { 2074 | "Field":"SrcPort", 2075 | "Operator":"Equal", 2076 | "Value":443 2077 | } 2078 | ] 2079 | } 2080 | ] 2081 | } 2082 | ] 2083 | }, 2084 | "EventType":"cf071d44a43f4653ac4e3d28dcd30577" 2085 | }, 2086 | { 2087 | "BaseEventType":3, 2088 | "Condition":{ 2089 | "BooleanOperator":"Or", 2090 | "Conditions":[ 2091 | { 2092 | "Field":"parentVerdict", 2093 | "Operator":"!Equal", 2094 | "Value":1 2095 | }, 2096 | { 2097 | "Field":"parentProcessPath", 2098 | "Operator":"Match", 2099 | "Value":"*\\powershell.exe" 2100 | } 2101 | ] 2102 | }, 2103 | "EventType":null 2104 | } 2105 | ], 2106 | "RP1":[ 2107 | { 2108 | "BaseEventType":1, 2109 | "Condition":{ 2110 | "BooleanOperator":"And", 2111 | "Conditions":[ 2112 | { 2113 | "BooleanOperator":"Or", 2114 | "Conditions":[ 2115 | { 2116 | "Field":"parentProcessPath", 2117 | "Operator":"Match", 2118 | "Value":"*reg.exe" 2119 | }, 2120 | { 2121 | "Field":"path", 2122 | "Operator":"Match", 2123 | "Value":"*reg.exe" 2124 | } 2125 | ] 2126 | }, 2127 | { 2128 | "BooleanOperator":"Or", 2129 | "Conditions":[ 2130 | { 2131 | "Field":"prcs_cmd_line", 2132 | "Operator":"Match", 2133 | "Value":"*save hklm\\security*" 2134 | }, 2135 | { 2136 | "Field":"prcs_cmd_line", 2137 | "Operator":"Match", 2138 | "Value":"*save hklm\\sam*" 2139 | }, 2140 | { 2141 | "Field":"prcs_cmd_line", 2142 | "Operator":"Match", 2143 | "Value":"*save hklm\\system*" 2144 | }, 2145 | { 2146 | "Field":"prcs_cmd_line", 2147 | "Operator":"Match", 2148 | "Value":"*save hklm\\software*" 2149 | } 2150 | ] 2151 | } 2152 | ] 2153 | }, 2154 | "EventType":"ee372297b0254f56a1307bb07930b22f" 2155 | }, 2156 | { 2157 | "BaseEventType":1, 2158 | "Condition":{ 2159 | "BooleanOperator":"And", 2160 | "Conditions":[ 2161 | { 2162 | "BooleanOperator":"Or", 2163 | "Conditions":[ 2164 | { 2165 | "Field":"path", 2166 | "Operator":"Match", 2167 | "Value":"*cmd.exe" 2168 | }, 2169 | { 2170 | "Field":"path", 2171 | "Operator":"Match", 2172 | "Value":"*w3wp.exe" 2173 | } 2174 | ] 2175 | }, 2176 | { 2177 | "Field":"prcs_cmd_line", 2178 | "Operator":"Match", 2179 | "Value":"*&cd&echo*" 2180 | } 2181 | ] 2182 | }, 2183 | "EventType":"bcdc9face6984eb09b556dbda04788ef" 2184 | }, 2185 | { 2186 | "BaseEventType":1, 2187 | "Condition":{ 2188 | "BooleanOperator":"And", 2189 | "Conditions":[ 2190 | { 2191 | "Field":"path", 2192 | "Operator":"Match", 2193 | "Value":"*cmd.exe" 2194 | }, 2195 | { 2196 | "Field":"parentProcessPath", 2197 | "Operator":"Match", 2198 | "Value":"*w3wp.exe" 2199 | } 2200 | ] 2201 | }, 2202 | "EventType":"9b6f4229f62f442aaf20c9e39b8bb047" 2203 | }, 2204 | { 2205 | "BaseEventType":1, 2206 | "Condition":{ 2207 | "Field":"path", 2208 | "Operator":"Match", 2209 | "Value":"*dginfect*" 2210 | }, 2211 | "EventType":"8f67e773e28c42cba051d4e69900f1c5" 2212 | }, 2213 | { 2214 | "BaseEventType":1, 2215 | "Condition":{ 2216 | "BooleanOperator":"And", 2217 | "Conditions":[ 2218 | { 2219 | "BooleanOperator":"Or", 2220 | "Conditions":[ 2221 | { 2222 | "Field":"parentProcessPath", 2223 | "Operator":"Match", 2224 | "Value":"*findstr.exe" 2225 | }, 2226 | { 2227 | "Field":"path", 2228 | "Operator":"Match", 2229 | "Value":"*findstr.exe" 2230 | } 2231 | ] 2232 | }, 2233 | { 2234 | "BooleanOperator":"And", 2235 | "Conditions":[ 2236 | { 2237 | "Field":"prcs_cmd_line", 2238 | "Operator":"Match", 2239 | "Value":"*cpassword*" 2240 | }, 2241 | { 2242 | "Field":"prcs_cmd_line", 2243 | "Operator":"Match", 2244 | "Value":"*sysvol*" 2245 | } 2246 | ] 2247 | } 2248 | ] 2249 | }, 2250 | "EventType":"4b33b1eff6b34a1aacc43a6c8c77397b" 2251 | }, 2252 | { 2253 | "BaseEventType":1, 2254 | "Condition":{ 2255 | "BooleanOperator":"And", 2256 | "Conditions":[ 2257 | { 2258 | "Field":"path", 2259 | "Operator":"Match", 2260 | "Value":"*regsvr32.exe" 2261 | }, 2262 | { 2263 | "Field":"prcs_cmd_line", 2264 | "Operator":"Match", 2265 | "Value":"*.jpg*" 2266 | } 2267 | ] 2268 | }, 2269 | "EventType":"47067e1c3c4f4cc6bdd7e625fd7f8e22" 2270 | }, 2271 | { 2272 | "BaseEventType":1, 2273 | "Condition":{ 2274 | "BooleanOperator":"And", 2275 | "Conditions":[ 2276 | { 2277 | "Field":"path", 2278 | "Operator":"Match", 2279 | "Value":"*wevtutil.exe" 2280 | }, 2281 | { 2282 | "Field":"prcs_cmd_line", 2283 | "Operator":"Match", 2284 | "Value":"* cl *" 2285 | } 2286 | ] 2287 | }, 2288 | "EventType":"2b5a51f982a44c21aa8aa1a9bde87a0c" 2289 | }, 2290 | { 2291 | "BaseEventType":1, 2292 | "Condition":{ 2293 | "BooleanOperator":"Or", 2294 | "Conditions":[ 2295 | { 2296 | "Field":"prcs_cmd_line", 2297 | "Operator":"Match", 2298 | "Value":"*\\-ma lsass*" 2299 | }, 2300 | { 2301 | "Field":"prcs_cmd_line", 2302 | "Operator":"Match", 2303 | "Value":"*\\-mp lsass*" 2304 | } 2305 | ] 2306 | }, 2307 | "EventType":"2489b9cb998f4880a94908d10effc191" 2308 | }, 2309 | { 2310 | "BaseEventType":1, 2311 | "Condition":{ 2312 | "BooleanOperator":"And", 2313 | "Conditions":[ 2314 | { 2315 | "Field":"path", 2316 | "Operator":"Match", 2317 | "Value":"*regsvr32.exe" 2318 | }, 2319 | { 2320 | "Field":"prcs_cmd_line", 2321 | "Operator":"Match", 2322 | "Value":"*.pdf*" 2323 | } 2324 | ] 2325 | }, 2326 | "EventType":"2165ddff5cce4d5ca138274666a00242" 2327 | }, 2328 | { 2329 | "BaseEventType":1, 2330 | "Condition":{ 2331 | "BooleanOperator":"Or", 2332 | "Conditions":[ 2333 | { 2334 | "Field":"path", 2335 | "Operator":"Match", 2336 | "Value":"*g64*.exe" 2337 | }, 2338 | { 2339 | "Field":"path", 2340 | "Operator":"Match", 2341 | "Value":"*g32*.exe" 2342 | }, 2343 | { 2344 | "Field":"path", 2345 | "Operator":"Match", 2346 | "Value":"*pwdump*.exe" 2347 | }, 2348 | { 2349 | "Field":"path", 2350 | "Operator":"Match", 2351 | "Value":"*dumpsvc.exe" 2352 | }, 2353 | { 2354 | "Field":"path", 2355 | "Operator":"Match", 2356 | "Value":"*gsecdump.exe" 2357 | }, 2358 | { 2359 | "Field":"path", 2360 | "Operator":"Match", 2361 | "Value":"*Lz77.exe" 2362 | }, 2363 | { 2364 | "Field":"path", 2365 | "Operator":"Match", 2366 | "Value":"*wcex*.exe" 2367 | }, 2368 | { 2369 | "Field":"path", 2370 | "Operator":"Match", 2371 | "Value":"*cachedump.exe" 2372 | }, 2373 | { 2374 | "Field":"path", 2375 | "Operator":"Match", 2376 | "Value":"*lslsass.exe" 2377 | }, 2378 | { 2379 | "Field":"path", 2380 | "Operator":"Match", 2381 | "Value":"*wce.dll" 2382 | }, 2383 | { 2384 | "Field":"path", 2385 | "Operator":"Match", 2386 | "Value":"*fgdump.exe" 2387 | }, 2388 | { 2389 | "Field":"path", 2390 | "Operator":"Match", 2391 | "Value":"*fgdump*.exe" 2392 | }, 2393 | { 2394 | "Field":"path", 2395 | "Operator":"Match", 2396 | "Value":"*wca.dll" 2397 | }, 2398 | { 2399 | "Field":"path", 2400 | "Operator":"Match", 2401 | "Value":"*mimikatz*" 2402 | }, 2403 | { 2404 | "Field":"path", 2405 | "Operator":"Match", 2406 | "Value":"*mimilove*" 2407 | }, 2408 | { 2409 | "Field":"path", 2410 | "Operator":"Match", 2411 | "Value":"*samdump*" 2412 | }, 2413 | { 2414 | "Field":"path", 2415 | "Operator":"Match", 2416 | "Value":"*creddump*" 2417 | }, 2418 | { 2419 | "Field":"path", 2420 | "Operator":"Match", 2421 | "Value":"*cachedump*.exe" 2422 | }, 2423 | { 2424 | "Field":"path", 2425 | "Operator":"Match", 2426 | "Value":"*servpw64.exe" 2427 | }, 2428 | { 2429 | "Field":"path", 2430 | "Operator":"Match", 2431 | "Value":"*servpw*.exe" 2432 | }, 2433 | { 2434 | "Field":"path", 2435 | "Operator":"Match", 2436 | "Value":"*adpasshunt.exe" 2437 | }, 2438 | { 2439 | "Field":"path", 2440 | "Operator":"Match", 2441 | "Value":"*dumpert.exe" 2442 | }, 2443 | { 2444 | "Field":"path", 2445 | "Operator":"Match", 2446 | "Value":"*nanodump*.exe" 2447 | }, 2448 | { 2449 | "Field":"path", 2450 | "Operator":"Match", 2451 | "Value":"*xordump.exe" 2452 | } 2453 | ] 2454 | }, 2455 | "EventType":"10c912ba281147f1828acf70a315bc34" 2456 | }, 2457 | { 2458 | "BaseEventType":1, 2459 | "Condition":{ 2460 | "BooleanOperator":"And", 2461 | "Conditions":[ 2462 | { 2463 | "Field":"path", 2464 | "Operator":"Match", 2465 | "Value":"*java.exe" 2466 | }, 2467 | { 2468 | "Field":"prcs_cmd_line", 2469 | "Operator":"Match", 2470 | "Value":"*metasploit*" 2471 | } 2472 | ] 2473 | }, 2474 | "EventType":"ef61169a95ce404588890662fe03d311" 2475 | }, 2476 | { 2477 | "BaseEventType":1, 2478 | "Condition":{ 2479 | "BooleanOperator":"And", 2480 | "Conditions":[ 2481 | { 2482 | "Field":"path", 2483 | "Operator":"Match", 2484 | "Value":"taskeng.exe" 2485 | }, 2486 | { 2487 | "BooleanOperator":"And", 2488 | "Conditions":[ 2489 | { 2490 | "Field":"prcs_cmd_line", 2491 | "Operator":"Match", 2492 | "Value":"*.vbs*" 2493 | }, 2494 | { 2495 | "Field":"prcs_cmd_line", 2496 | "Operator":"Match", 2497 | "Value":"*.js*" 2498 | } 2499 | ] 2500 | } 2501 | ] 2502 | }, 2503 | "EventType":"fe16732594394b5e844e46c7157ee90b" 2504 | }, 2505 | { 2506 | "BaseEventType":1, 2507 | "Condition":{ 2508 | "BooleanOperator":"And", 2509 | "Conditions":[ 2510 | { 2511 | "Field":"path", 2512 | "Operator":"Match", 2513 | "Value":"*rundll32.exe" 2514 | }, 2515 | { 2516 | "BooleanOperator":"Or", 2517 | "Conditions":[ 2518 | { 2519 | "Field":"prcs_cmd_line", 2520 | "Operator":"Match", 2521 | "Value":"*-export dll_u*" 2522 | }, 2523 | { 2524 | "Field":"prcs_cmd_line", 2525 | "Operator":"Match", 2526 | "Value":"*,dll_u*" 2527 | } 2528 | ] 2529 | } 2530 | ] 2531 | }, 2532 | "EventType":"fdcc941d585249af90c48a231a0ba929" 2533 | }, 2534 | { 2535 | "BaseEventType":1, 2536 | "Condition":{ 2537 | "BooleanOperator":"And", 2538 | "Conditions":[ 2539 | { 2540 | "Field":"path", 2541 | "Operator":"Match", 2542 | "Value":"*xcopy.exe" 2543 | }, 2544 | { 2545 | "Field":"prcs_cmd_line", 2546 | "Operator":"Match", 2547 | "Value":"*/S /E /C /Q /H*" 2548 | } 2549 | ] 2550 | }, 2551 | "EventType":"e6c9c1b6f0e2485195c7be87aaa961ff" 2552 | }, 2553 | { 2554 | "BaseEventType":1, 2555 | "Condition":{ 2556 | "BooleanOperator":"And", 2557 | "Conditions":[ 2558 | { 2559 | "Field":"path", 2560 | "Operator":"Match", 2561 | "Value":"*reg.exe" 2562 | }, 2563 | { 2564 | "Field":"parentProcessPath", 2565 | "Operator":"!Match", 2566 | "Value":"*ir_agent.exe" 2567 | }, 2568 | { 2569 | "Field":"prcs_cmd_line", 2570 | "Operator":"!Match", 2571 | "Value":"*Rapid7*" 2572 | }, 2573 | { 2574 | "BooleanOperator":"Or", 2575 | "Conditions":[ 2576 | { 2577 | "BooleanOperator":"And", 2578 | "Conditions":[ 2579 | { 2580 | "Field":"prcs_cmd_line", 2581 | "Operator":"Match", 2582 | "Value":"*reg query*" 2583 | }, 2584 | { 2585 | "Field":"prcs_cmd_line", 2586 | "Operator":"Match", 2587 | "Value":"*/f password*" 2588 | } 2589 | ] 2590 | }, 2591 | { 2592 | "BooleanOperator":"Or", 2593 | "Conditions":[ 2594 | { 2595 | "Field":"prcs_cmd_line", 2596 | "Operator":"Match", 2597 | "Value":"*reg.exe save*" 2598 | }, 2599 | { 2600 | "Field":"prcs_cmd_line", 2601 | "Operator":"Match", 2602 | "Value":"*reg save*" 2603 | } 2604 | ] 2605 | } 2606 | ] 2607 | } 2608 | ] 2609 | }, 2610 | "EventType":"df28b50c87434b87ae5c3ed49ae17b98" 2611 | }, 2612 | { 2613 | "BaseEventType":1, 2614 | "Condition":{ 2615 | "BooleanOperator":"Or", 2616 | "Conditions":[ 2617 | { 2618 | "Field":"prcs_cmd_line", 2619 | "Operator":"Match", 2620 | "Value":"*impacket*" 2621 | }, 2622 | { 2623 | "Field":"prcs_cmd_line", 2624 | "Operator":"Match", 2625 | "Value":"*psexec.py*" 2626 | } 2627 | ] 2628 | }, 2629 | "EventType":"da328e5953024e8da0fdad6309e91383" 2630 | }, 2631 | { 2632 | "BaseEventType":1, 2633 | "Condition":{ 2634 | "BooleanOperator":"And", 2635 | "Conditions":[ 2636 | { 2637 | "Field":"path", 2638 | "Operator":"Match", 2639 | "Value":"*wmic.exe" 2640 | }, 2641 | { 2642 | "Field":"prcs_cmd_line", 2643 | "Operator":"Match", 2644 | "Value":"*process where*" 2645 | }, 2646 | { 2647 | "Field":"prcs_cmd_line", 2648 | "Operator":"Match", 2649 | "Value":"*delete" 2650 | } 2651 | ] 2652 | }, 2653 | "EventType":"c6ba63f3266745c9b88c8883f624d616" 2654 | }, 2655 | { 2656 | "BaseEventType":1, 2657 | "Condition":{ 2658 | "BooleanOperator":"And", 2659 | "Conditions":[ 2660 | { 2661 | "Field":"prcs_cmd_line", 2662 | "Operator":"Match", 2663 | "Value":"*powershell $*" 2664 | }, 2665 | { 2666 | "Field":"prcs_cmd_line", 2667 | "Operator":"Match", 2668 | "Value":"*http*" 2669 | } 2670 | ] 2671 | }, 2672 | "EventType":"c4e3153705044f30bcb827d750c355b2" 2673 | }, 2674 | { 2675 | "BaseEventType":1, 2676 | "Condition":{ 2677 | "BooleanOperator":"Or", 2678 | "Conditions":[ 2679 | { 2680 | "Field":"path", 2681 | "Operator":"Match", 2682 | "Value":"*shamwow.exe" 2683 | }, 2684 | { 2685 | "Field":"path", 2686 | "Operator":"Match", 2687 | "Value":"*seatbelt.exe" 2688 | }, 2689 | { 2690 | "Field":"path", 2691 | "Operator":"Match", 2692 | "Value":"*beltalowda.exe" 2693 | } 2694 | ] 2695 | }, 2696 | "EventType":"c20ae8e455d648d6993a6f2a5a09273e" 2697 | }, 2698 | { 2699 | "BaseEventType":1, 2700 | "Condition":{ 2701 | "BooleanOperator":"And", 2702 | "Conditions":[ 2703 | { 2704 | "Field":"path", 2705 | "Operator":"Match", 2706 | "Value":"*wscript.exe" 2707 | }, 2708 | { 2709 | "Field":"prcs_cmd_line", 2710 | "Operator":"Match", 2711 | "Value":"*jscript*" 2712 | } 2713 | ] 2714 | }, 2715 | "EventType":"bc495e7b5326460a8bbbab8c88a4178b" 2716 | }, 2717 | { 2718 | "BaseEventType":1, 2719 | "Condition":{ 2720 | "BooleanOperator":"And", 2721 | "Conditions":[ 2722 | { 2723 | "BooleanOperator":"Or", 2724 | "Conditions":[ 2725 | { 2726 | "Field":"parentProcessPath", 2727 | "Operator":"Match", 2728 | "Value":"*\\cmd.exe" 2729 | }, 2730 | { 2731 | "Field":"parentProcessPath", 2732 | "Operator":"Match", 2733 | "Value":"*\\winword.exe" 2734 | } 2735 | ] 2736 | }, 2737 | { 2738 | "BooleanOperator":"Or", 2739 | "Conditions":[ 2740 | { 2741 | "Field":"prcs_cmd_line", 2742 | "Operator":"Match", 2743 | "Value":"*powershell*-nop*" 2744 | }, 2745 | { 2746 | "Field":"prcs_cmd_line", 2747 | "Operator":"Match", 2748 | "Value":"*powershell*-w*" 2749 | }, 2750 | { 2751 | "Field":"prcs_cmd_line", 2752 | "Operator":"Match", 2753 | "Value":"*powershell*-command*" 2754 | }, 2755 | { 2756 | "Field":"prcs_cmd_line", 2757 | "Operator":"Match", 2758 | "Value":"*powershell*-nol*" 2759 | }, 2760 | { 2761 | "Field":"prcs_cmd_line", 2762 | "Operator":"Match", 2763 | "Value":"*powershell*-inputformat*" 2764 | }, 2765 | { 2766 | "Field":"prcs_cmd_line", 2767 | "Operator":"Match", 2768 | "Value":"*powershell*-enc*" 2769 | }, 2770 | { 2771 | "Field":"prcs_cmd_line", 2772 | "Operator":"Match", 2773 | "Value":"*powershell*-noni*" 2774 | }, 2775 | { 2776 | "Field":"prcs_cmd_line", 2777 | "Operator":"Match", 2778 | "Value":"*powershell*-file*" 2779 | } 2780 | ] 2781 | } 2782 | ] 2783 | }, 2784 | "EventType":"a67817303f07435da6f901161ff3f990" 2785 | }, 2786 | { 2787 | "BaseEventType":1, 2788 | "Condition":{ 2789 | "BooleanOperator":"And", 2790 | "Conditions":[ 2791 | { 2792 | "BooleanOperator":"Or", 2793 | "Conditions":[ 2794 | { 2795 | "Field":"path", 2796 | "Operator":"Match", 2797 | "Value":"*net.exe" 2798 | }, 2799 | { 2800 | "Field":"path", 2801 | "Operator":"Match", 2802 | "Value":"net1.exe" 2803 | }, 2804 | { 2805 | "Field":"path", 2806 | "Operator":"Match", 2807 | "Value":"runas.exe" 2808 | } 2809 | ] 2810 | }, 2811 | { 2812 | "Field":"prcs_cmd_line", 2813 | "Operator":"Match", 2814 | "Value":"*/savecred*" 2815 | } 2816 | ] 2817 | }, 2818 | "EventType":"a523f5f07d8a4720b206e08a8cf80e41" 2819 | }, 2820 | { 2821 | "BaseEventType":1, 2822 | "Condition":{ 2823 | "BooleanOperator":"And", 2824 | "Conditions":[ 2825 | { 2826 | "Field":"path", 2827 | "Operator":"Match", 2828 | "Value":"*rundll32.exe" 2829 | }, 2830 | { 2831 | "Field":"prcs_cmd_line", 2832 | "Operator":"Match", 2833 | "Value":"*MyStart*" 2834 | } 2835 | ] 2836 | }, 2837 | "EventType":"99d497d8a4024c43a454fa465033f10a" 2838 | }, 2839 | { 2840 | "BaseEventType":1, 2841 | "Condition":{ 2842 | "BooleanOperator":"And", 2843 | "Conditions":[ 2844 | { 2845 | "BooleanOperator":"Or", 2846 | "Conditions":[ 2847 | { 2848 | "Field":"path", 2849 | "Operator":"Match", 2850 | "Value":"*sc.exe" 2851 | }, 2852 | { 2853 | "Field":"path", 2854 | "Operator":"Match", 2855 | "Value":"*schtasks.exe" 2856 | } 2857 | ] 2858 | }, 2859 | { 2860 | "BooleanOperator":"Or", 2861 | "Conditions":[ 2862 | { 2863 | "Field":"prcs_cmd_line", 2864 | "Operator":"Match", 2865 | "Value":"*/create*" 2866 | }, 2867 | { 2868 | "Field":"prcs_cmd_line", 2869 | "Operator":"Match", 2870 | "Value":"*mshta*" 2871 | }, 2872 | { 2873 | "Field":"prcs_cmd_line", 2874 | "Operator":"Match", 2875 | "Value":"*http*" 2876 | } 2877 | ] 2878 | } 2879 | ] 2880 | }, 2881 | "EventType":"98a5e97e63ce47929bf4c7aae8c4e04c" 2882 | }, 2883 | { 2884 | "BaseEventType":1, 2885 | "Condition":{ 2886 | "BooleanOperator":"And", 2887 | "Conditions":[ 2888 | { 2889 | "Field":"path", 2890 | "Operator":"Match", 2891 | "Value":"*wmic.exe" 2892 | }, 2893 | { 2894 | "BooleanOperator":"Or", 2895 | "Conditions":[ 2896 | { 2897 | "Field":"prcs_cmd_line", 2898 | "Operator":"Match", 2899 | "Value":"*process call create*" 2900 | }, 2901 | { 2902 | "Field":"prcs_cmd_line", 2903 | "Operator":"Match", 2904 | "Value":"*/format:\\\"https*" 2905 | } 2906 | ] 2907 | }, 2908 | { 2909 | "Field":"prcs_cmd_line", 2910 | "Operator":"!Match", 2911 | "Value":"*hexainstaller.vbs*" 2912 | } 2913 | ] 2914 | }, 2915 | "EventType":"983308da47f649c8ad30dec646ca3c8e" 2916 | }, 2917 | { 2918 | "BaseEventType":1, 2919 | "Condition":{ 2920 | "BooleanOperator":"And", 2921 | "Conditions":[ 2922 | { 2923 | "Field":"path", 2924 | "Operator":"Match", 2925 | "Value":"*powershell.exe" 2926 | }, 2927 | { 2928 | "BooleanOperator":"Or", 2929 | "Conditions":[ 2930 | { 2931 | "Field":"prcs_cmd_line", 2932 | "Operator":"Match", 2933 | "Value":"*powershell -noP -sta -w 1*" 2934 | }, 2935 | { 2936 | "Field":"prcs_cmd_line", 2937 | "Operator":"Match", 2938 | "Value":"*-NoP -NonI -W Hidden -Enc*" 2939 | }, 2940 | { 2941 | "Field":"prcs_cmd_line", 2942 | "Operator":"Match", 2943 | "Value":"*-nop -noni -w hidden -enc*" 2944 | }, 2945 | { 2946 | "Field":"prcs_cmd_line", 2947 | "Operator":"Match", 2948 | "Value":"*powershell -nop -sta -w 1*" 2949 | } 2950 | ] 2951 | } 2952 | ] 2953 | }, 2954 | "EventType":"9628c3967a4d4affbcc55ab959df68f9" 2955 | }, 2956 | { 2957 | "BaseEventType":1, 2958 | "Condition":{ 2959 | "BooleanOperator":"And", 2960 | "Conditions":[ 2961 | { 2962 | "Field":"path", 2963 | "Operator":"Match", 2964 | "Value":"*msra.exe" 2965 | }, 2966 | { 2967 | "Field":"prcs_cmd_line", 2968 | "Operator":"Match", 2969 | "Value":"*.exe\\\"" 2970 | } 2971 | ] 2972 | }, 2973 | "EventType":"663876baa41741e28e38dd6e6b092927" 2974 | }, 2975 | { 2976 | "BaseEventType":1, 2977 | "Condition":{ 2978 | "BooleanOperator":"And", 2979 | "Conditions":[ 2980 | { 2981 | "Field":"path", 2982 | "Operator":"Match", 2983 | "Value":"*regsrv32.exe" 2984 | }, 2985 | { 2986 | "BooleanOperator":"And", 2987 | "Conditions":[ 2988 | { 2989 | "Field":"prcs_cmd_line", 2990 | "Operator":"Match", 2991 | "Value":"*http:*" 2992 | }, 2993 | { 2994 | "Field":"prcs_cmd_line", 2995 | "Operator":"Match", 2996 | "Value":"*https:*" 2997 | } 2998 | ] 2999 | }, 3000 | { 3001 | "BooleanOperator":"And", 3002 | "Conditions":[ 3003 | { 3004 | "Field":"prcs_cmd_line", 3005 | "Operator":"!Match", 3006 | "Value":"*Winhttp.dll*" 3007 | }, 3008 | { 3009 | "Field":"prcs_cmd_line", 3010 | "Operator":"!Match", 3011 | "Value":"*Wizard2.ocx*" 3012 | }, 3013 | { 3014 | "Field":"prcs_cmd_line", 3015 | "Operator":"!Match", 3016 | "Value":"*ChilkatHttp.dll*" 3017 | } 3018 | ] 3019 | } 3020 | ] 3021 | }, 3022 | "EventType":"60ab8637e1eb4957b1b6e67a6a197d6f" 3023 | }, 3024 | { 3025 | "BaseEventType":1, 3026 | "Condition":{ 3027 | "BooleanOperator":"And", 3028 | "Conditions":[ 3029 | { 3030 | "Field":"parentProcessPath", 3031 | "Operator":"Match", 3032 | "Value":"*tstheme.exe" 3033 | }, 3034 | { 3035 | "BooleanOperator":"Or", 3036 | "Conditions":[ 3037 | { 3038 | "Field":"path", 3039 | "Operator":"Match", 3040 | "Value":"*cmd.exe" 3041 | }, 3042 | { 3043 | "Field":"path", 3044 | "Operator":"Match", 3045 | "Value":"*powershell.exe" 3046 | }, 3047 | { 3048 | "Field":"path", 3049 | "Operator":"Match", 3050 | "Value":"*nslookup.exe" 3051 | } 3052 | ] 3053 | } 3054 | ] 3055 | }, 3056 | "EventType":"52f441a361b9478daba8adcd5561419e" 3057 | }, 3058 | { 3059 | "BaseEventType":1, 3060 | "Condition":{ 3061 | "BooleanOperator":"And", 3062 | "Conditions":[ 3063 | { 3064 | "BooleanOperator":"Or", 3065 | "Conditions":[ 3066 | { 3067 | "Field":"parentProcessPath", 3068 | "Operator":"Match", 3069 | "Value":"*cmd.exe" 3070 | }, 3071 | { 3072 | "Field":"parentProcessPath", 3073 | "Operator":"Match", 3074 | "Value":"*powershell.exe" 3075 | } 3076 | ] 3077 | }, 3078 | { 3079 | "BooleanOperator":"Or", 3080 | "Conditions":[ 3081 | { 3082 | "Field":"path", 3083 | "Operator":"Match", 3084 | "Value":"*dll_injector*" 3085 | }, 3086 | { 3087 | "Field":"path", 3088 | "Operator":"Match", 3089 | "Value":"*dllrefresher*" 3090 | }, 3091 | { 3092 | "Field":"path", 3093 | "Operator":"Match", 3094 | "Value":"*injector*" 3095 | }, 3096 | { 3097 | "Field":"path", 3098 | "Operator":"Match", 3099 | "Value":"*pd64*" 3100 | }, 3101 | { 3102 | "Field":"path", 3103 | "Operator":"Match", 3104 | "Value":"*NVTDLLUnInjector*" 3105 | }, 3106 | { 3107 | "Field":"path", 3108 | "Operator":"Match", 3109 | "Value":"*nvtdlluninjector*" 3110 | }, 3111 | { 3112 | "Field":"path", 3113 | "Operator":"Match", 3114 | "Value":"*inject*" 3115 | }, 3116 | { 3117 | "Field":"path", 3118 | "Operator":"Match", 3119 | "Value":"*dllrefresher*" 3120 | } 3121 | ] 3122 | } 3123 | ] 3124 | }, 3125 | "EventType":"501ba034fa3d4909a18cb8e32c5dd024" 3126 | }, 3127 | { 3128 | "BaseEventType":1, 3129 | "Condition":{ 3130 | "BooleanOperator":"And", 3131 | "Conditions":[ 3132 | { 3133 | "Field":"path", 3134 | "Operator":"Match", 3135 | "Value":"*schtasks.exe" 3136 | }, 3137 | { 3138 | "Field":"prcs_cmd_line", 3139 | "Operator":"Match", 3140 | "Value":"*ScheduledDefrag*" 3141 | } 3142 | ] 3143 | }, 3144 | "EventType":"4f65d1e3be0e463fa9fc2f9e11738d96" 3145 | }, 3146 | { 3147 | "BaseEventType":1, 3148 | "Condition":{ 3149 | "BooleanOperator":"And", 3150 | "Conditions":[ 3151 | { 3152 | "Field":"path", 3153 | "Operator":"Match", 3154 | "Value":"*certutil.exe" 3155 | }, 3156 | { 3157 | "BooleanOperator":"Or", 3158 | "Conditions":[ 3159 | { 3160 | "Field":"prcs_cmd_line", 3161 | "Operator":"Match", 3162 | "Value":"*-encode*" 3163 | }, 3164 | { 3165 | "Field":"prcs_cmd_line", 3166 | "Operator":"Match", 3167 | "Value":"*-encrypt*" 3168 | }, 3169 | { 3170 | "Field":"prcs_cmd_line", 3171 | "Operator":"Match", 3172 | "Value":"*-decrypt*" 3173 | }, 3174 | { 3175 | "Field":"prcs_cmd_line", 3176 | "Operator":"Match", 3177 | "Value":"*-urlcache*" 3178 | }, 3179 | { 3180 | "Field":"prcs_cmd_line", 3181 | "Operator":"Match", 3182 | "Value":"*-decode*" 3183 | } 3184 | ] 3185 | } 3186 | ] 3187 | }, 3188 | "EventType":"4a096b050c154acfaa07900170c3496a" 3189 | }, 3190 | { 3191 | "BaseEventType":1, 3192 | "Condition":{ 3193 | "BooleanOperator":"And", 3194 | "Conditions":[ 3195 | { 3196 | "Field":"prcs_cmd_line", 3197 | "Operator":"Match", 3198 | "Value":"*2>&1*" 3199 | }, 3200 | { 3201 | "Field":"path", 3202 | "Operator":"Match", 3203 | "Value":"*wmiapsrv.exe" 3204 | } 3205 | ] 3206 | }, 3207 | "EventType":"4882c3390df0479083fb0d94b721931b" 3208 | }, 3209 | { 3210 | "BaseEventType":1, 3211 | "Condition":{ 3212 | "BooleanOperator":"And", 3213 | "Conditions":[ 3214 | { 3215 | "Field":"path", 3216 | "Operator":"Match", 3217 | "Value":"*cscript.exe" 3218 | }, 3219 | { 3220 | "Field":"prcs_cmd_line", 3221 | "Operator":"Match", 3222 | "Value":"*.vbs /shell*" 3223 | } 3224 | ] 3225 | }, 3226 | "EventType":"2f2f5f5b53844b6088609d8acf0d8835" 3227 | }, 3228 | { 3229 | "BaseEventType":1, 3230 | "Condition":{ 3231 | "BooleanOperator":"And", 3232 | "Conditions":[ 3233 | { 3234 | "BooleanOperator":"Or", 3235 | "Conditions":[ 3236 | { 3237 | "Field":"path", 3238 | "Operator":"Match", 3239 | "Value":"*vssadmin.exe" 3240 | }, 3241 | { 3242 | "Field":"path", 3243 | "Operator":"Match", 3244 | "Value":"*wmic.exe" 3245 | }, 3246 | { 3247 | "Field":"path", 3248 | "Operator":"Match", 3249 | "Value":"*powershell.exe" 3250 | } 3251 | ] 3252 | }, 3253 | { 3254 | "BooleanOperator":"Or", 3255 | "Conditions":[ 3256 | { 3257 | "Field":"prcs_cmd_line", 3258 | "Operator":"Match", 3259 | "Value":"*delete shadow*" 3260 | }, 3261 | { 3262 | "Field":"prcs_cmd_line", 3263 | "Operator":"Match", 3264 | "Value":"*Delete Shadow*" 3265 | }, 3266 | { 3267 | "Field":"prcs_cmd_line", 3268 | "Operator":"Match", 3269 | "Value":"*resize shadowstorage*" 3270 | }, 3271 | { 3272 | "Field":"prcs_cmd_line", 3273 | "Operator":"Match", 3274 | "Value":"*shadowcopy delete*" 3275 | }, 3276 | { 3277 | "Field":"prcs_cmd_line", 3278 | "Operator":"Match", 3279 | "Value":"*Get-WMIObject Win32_ShadowCopy*" 3280 | } 3281 | ] 3282 | } 3283 | ] 3284 | }, 3285 | "EventType":"283f97e94417475c8e9313739cbc686b" 3286 | }, 3287 | { 3288 | "BaseEventType":1, 3289 | "Condition":{ 3290 | "BooleanOperator":"And", 3291 | "Conditions":[ 3292 | { 3293 | "Field":"path", 3294 | "Operator":"Match", 3295 | "Value":"*bitsadmin.exe" 3296 | }, 3297 | { 3298 | "BooleanOperator":"Or", 3299 | "Conditions":[ 3300 | { 3301 | "Field":"prcs_cmd_line", 3302 | "Operator":"Match", 3303 | "Value":"*/transfer*" 3304 | }, 3305 | { 3306 | "Field":"prcs_cmd_line", 3307 | "Operator":"Match", 3308 | "Value":"*/download*" 3309 | }, 3310 | { 3311 | "Field":"prcs_cmd_line", 3312 | "Operator":"Match", 3313 | "Value":"*/Download*" 3314 | }, 3315 | { 3316 | "Field":"prcs_cmd_line", 3317 | "Operator":"Match", 3318 | "Value":"*/Transfer*" 3319 | }, 3320 | { 3321 | "Field":"prcs_cmd_line", 3322 | "Operator":"Match", 3323 | "Value":"*/addfile*" 3324 | }, 3325 | { 3326 | "Field":"prcs_cmd_line", 3327 | "Operator":"Match", 3328 | "Value":"*/resume*" 3329 | }, 3330 | { 3331 | "Field":"prcs_cmd_line", 3332 | "Operator":"Match", 3333 | "Value":"*/Resume*" 3334 | }, 3335 | { 3336 | "Field":"prcs_cmd_line", 3337 | "Operator":"Match", 3338 | "Value":"*/upload*" 3339 | }, 3340 | { 3341 | "Field":"prcs_cmd_line", 3342 | "Operator":"Match", 3343 | "Value":"*/Upload*" 3344 | } 3345 | ] 3346 | } 3347 | ] 3348 | }, 3349 | "EventType":"26d34c0bcc0e4d9caa50664f0cd5c58b" 3350 | }, 3351 | { 3352 | "BaseEventType":1, 3353 | "Condition":{ 3354 | "BooleanOperator":"And", 3355 | "Conditions":[ 3356 | { 3357 | "Field":"path", 3358 | "Operator":"Match", 3359 | "Value":"*reg.exe" 3360 | }, 3361 | { 3362 | "Field":"prcs_cmd_line", 3363 | "Operator":"Match", 3364 | "Value":"*CredentialManager*" 3365 | }, 3366 | { 3367 | "BooleanOperator":"Or", 3368 | "Conditions":[ 3369 | { 3370 | "Field":"prcs_cmd_line", 3371 | "Operator":"Match", 3372 | "Value":"*add*" 3373 | }, 3374 | { 3375 | "Field":"prcs_cmd_line", 3376 | "Operator":"Match", 3377 | "Value":"*ADD*" 3378 | } 3379 | ] 3380 | } 3381 | ] 3382 | }, 3383 | "EventType":"2295b030613f4d31ad2c4f9243ed666e" 3384 | }, 3385 | { 3386 | "BaseEventType":1, 3387 | "Condition":{ 3388 | "BooleanOperator":"And", 3389 | "Conditions":[ 3390 | { 3391 | "BooleanOperator":"Or", 3392 | "Conditions":[ 3393 | { 3394 | "Field":"parentProcessPath", 3395 | "Operator":"Match", 3396 | "Value":"*excel.exe" 3397 | }, 3398 | { 3399 | "Field":"parentProcessPath", 3400 | "Operator":"Match", 3401 | "Value":"*winword.exe" 3402 | } 3403 | ] 3404 | }, 3405 | { 3406 | "BooleanOperator":"Or", 3407 | "Conditions":[ 3408 | { 3409 | "Field":"path", 3410 | "Operator":"Match", 3411 | "Value":"*cscript.exe" 3412 | }, 3413 | { 3414 | "Field":"path", 3415 | "Operator":"Match", 3416 | "Value":"*wscript.exe" 3417 | } 3418 | ] 3419 | } 3420 | ] 3421 | }, 3422 | "EventType":"1874b8918aa64decb1695263ec2c6ae1" 3423 | }, 3424 | { 3425 | "BaseEventType":1, 3426 | "Condition":{ 3427 | "BooleanOperator":"And", 3428 | "Conditions":[ 3429 | { 3430 | "BooleanOperator":"Or", 3431 | "Conditions":[ 3432 | { 3433 | "Field":"path", 3434 | "Operator":"Match", 3435 | "Value":"*cmd.exe" 3436 | }, 3437 | { 3438 | "Field":"path", 3439 | "Operator":"Match", 3440 | "Value":"*cscript.exe" 3441 | } 3442 | ] 3443 | }, 3444 | { 3445 | "BooleanOperator":"Or", 3446 | "Conditions":[ 3447 | { 3448 | "Field":"prcs_cmd_line", 3449 | "Operator":"Match", 3450 | "Value":"*winrm.vbs*" 3451 | }, 3452 | { 3453 | "Field":"prcs_cmd_line", 3454 | "Operator":"Match", 3455 | "Value":"*winrm.cmd*" 3456 | } 3457 | ] 3458 | }, 3459 | { 3460 | "BooleanOperator":"And", 3461 | "Conditions":[ 3462 | { 3463 | "Field":"prcs_cmd_line", 3464 | "Operator":"!Match", 3465 | "Value":"*quickconfig*" 3466 | }, 3467 | { 3468 | "Field":"prcs_cmd_line", 3469 | "Operator":"!Match", 3470 | "Value":"*System.Collections.Hashtable*" 3471 | }, 3472 | { 3473 | "Field":"prcs_cmd_line", 3474 | "Operator":"!Match", 3475 | "Value":"*help config*" 3476 | }, 3477 | { 3478 | "Field":"prcs_cmd_line", 3479 | "Operator":"!Match", 3480 | "Value":"*backgroundintelligenttransfer*" 3481 | }, 3482 | { 3483 | "Field":"prcs_cmd_line", 3484 | "Operator":"!Match", 3485 | "Value":"*TrustedHosts*" 3486 | }, 3487 | { 3488 | "Field":"prcs_cmd_line", 3489 | "Operator":"!Match", 3490 | "Value":"*nologo*" 3491 | } 3492 | ] 3493 | } 3494 | ] 3495 | }, 3496 | "EventType":"1453b664685844049ab1f54dc8566627" 3497 | }, 3498 | { 3499 | "BaseEventType":1, 3500 | "Condition":{ 3501 | "BooleanOperator":"Or", 3502 | "Conditions":[ 3503 | { 3504 | "BooleanOperator":"Or", 3505 | "Conditions":[ 3506 | { 3507 | "Field":"path", 3508 | "Operator":"Match", 3509 | "Value":"anchor_x64.exe" 3510 | }, 3511 | { 3512 | "Field":"path", 3513 | "Operator":"Match", 3514 | "Value":"*anchorasjuster_x64.exe" 3515 | }, 3516 | { 3517 | "Field":"path", 3518 | "Operator":"Match", 3519 | "Value":"*ts_1.硥ep" 3520 | } 3521 | ] 3522 | }, 3523 | { 3524 | "BooleanOperator":"And", 3525 | "Conditions":[ 3526 | { 3527 | "Field":"path", 3528 | "Operator":"Match", 3529 | "Value":"*esentutl.exe" 3530 | }, 3531 | { 3532 | "Field":"prcs_cmd_line", 3533 | "Operator":"Match", 3534 | "Value":"*grabber_temp.edb*" 3535 | } 3536 | ] 3537 | }, 3538 | { 3539 | "BooleanOperator":"And", 3540 | "Conditions":[ 3541 | { 3542 | "BooleanOperator":"Or", 3543 | "Conditions":[ 3544 | { 3545 | "Field":"path", 3546 | "Operator":"Match", 3547 | "Value":"*cmd.exe" 3548 | }, 3549 | { 3550 | "Field":"path", 3551 | "Operator":"Match", 3552 | "Value":"*powershell.exe" 3553 | } 3554 | ] 3555 | }, 3556 | { 3557 | "Field":"prcs_cmd_line", 3558 | "Operator":"Match", 3559 | "Value":"*timeout 3 && del*" 3560 | } 3561 | ] 3562 | } 3563 | ] 3564 | }, 3565 | "EventType":"0b4b246599d1415a85a8b15a943f9ac7" 3566 | }, 3567 | { 3568 | "BaseEventType":1, 3569 | "Condition":{ 3570 | "BooleanOperator":"And", 3571 | "Conditions":[ 3572 | { 3573 | "Field":"path", 3574 | "Operator":"Match", 3575 | "Value":"*cmd.exe" 3576 | }, 3577 | { 3578 | "Field":"prcs_cmd_line", 3579 | "Operator":"Match", 3580 | "Value":"*NavShExt.dll*" 3581 | } 3582 | ] 3583 | }, 3584 | "EventType":"012d88585b534856ad6c77c9a2d114da" 3585 | }, 3586 | { 3587 | "BaseEventType":1, 3588 | "Condition":{ 3589 | "BooleanOperator":"And", 3590 | "Conditions":[ 3591 | { 3592 | "Field":"path", 3593 | "Operator":"Match", 3594 | "Value":"*rundll32.exe" 3595 | }, 3596 | { 3597 | "BooleanOperator":"Or", 3598 | "Conditions":[ 3599 | { 3600 | "Field":"prcs_cmd_line", 3601 | "Operator":"Match", 3602 | "Value":"*RegisterOCX*" 3603 | }, 3604 | { 3605 | "Field":"prcs_cmd_line", 3606 | "Operator":"Match", 3607 | "Value":"*RouteTheCall*" 3608 | } 3609 | ] 3610 | } 3611 | ] 3612 | }, 3613 | "EventType":"eae5ebfd49994126a51274e8560fd40e" 3614 | }, 3615 | { 3616 | "BaseEventType":1, 3617 | "Condition":{ 3618 | "BooleanOperator":"And", 3619 | "Conditions":[ 3620 | { 3621 | "Field":"path", 3622 | "Operator":"Match", 3623 | "Value":"*net.exe" 3624 | }, 3625 | { 3626 | "BooleanOperator":"And", 3627 | "Conditions":[ 3628 | { 3629 | "Field":"prcs_cmd_line", 3630 | "Operator":"Match", 3631 | "Value":"*guest*" 3632 | }, 3633 | { 3634 | "Field":"prcs_cmd_line", 3635 | "Operator":"Match", 3636 | "Value":"*active:yes*" 3637 | } 3638 | ] 3639 | } 3640 | ] 3641 | }, 3642 | "EventType":"e96712b8b62648f09be42cc4939aa517" 3643 | }, 3644 | { 3645 | "BaseEventType":1, 3646 | "Condition":{ 3647 | "BooleanOperator":"And", 3648 | "Conditions":[ 3649 | { 3650 | "Field":"path", 3651 | "Operator":"Match", 3652 | "Value":"*wbadmin.exe" 3653 | }, 3654 | { 3655 | "BooleanOperator":"Or", 3656 | "Conditions":[ 3657 | { 3658 | "Field":"prcs_cmd_line", 3659 | "Operator":"Match", 3660 | "Value":"*delete*" 3661 | }, 3662 | { 3663 | "Field":"prcs_cmd_line", 3664 | "Operator":"Match", 3665 | "Value":"*stop*" 3666 | } 3667 | ] 3668 | } 3669 | ] 3670 | }, 3671 | "EventType":"e83578f45c84483588e3c3f4227d48c6" 3672 | }, 3673 | { 3674 | "BaseEventType":1, 3675 | "Condition":{ 3676 | "BooleanOperator":"And", 3677 | "Conditions":[ 3678 | { 3679 | "Field":"path", 3680 | "Operator":"Match", 3681 | "Value":"*rundll32.exe" 3682 | }, 3683 | { 3684 | "BooleanOperator":"Or", 3685 | "Conditions":[ 3686 | { 3687 | "Field":"prcs_cmd_line", 3688 | "Operator":"Match", 3689 | "Value":"*javascript*" 3690 | }, 3691 | { 3692 | "Field":"prcs_cmd_line", 3693 | "Operator":"Match", 3694 | "Value":"*writeToTempFile*" 3695 | } 3696 | ] 3697 | } 3698 | ] 3699 | }, 3700 | "EventType":"e58a2e6ba9e04bf589c750de6d934bc4" 3701 | }, 3702 | { 3703 | "BaseEventType":1, 3704 | "Condition":{ 3705 | "BooleanOperator":"And", 3706 | "Conditions":[ 3707 | { 3708 | "BooleanOperator":"And", 3709 | "Conditions":[ 3710 | { 3711 | "Field":"prcs_cmd_line", 3712 | "Operator":"Match", 3713 | "Value":"*ntdomain*" 3714 | }, 3715 | { 3716 | "Field":"prcs_cmd_line", 3717 | "Operator":"Match", 3718 | "Value":"*get*" 3719 | }, 3720 | { 3721 | "BooleanOperator":"Or", 3722 | "Conditions":[ 3723 | { 3724 | "Field":"prcs_cmd_line", 3725 | "Operator":"Match", 3726 | "Value":"*DomainControllerAddress*" 3727 | }, 3728 | { 3729 | "Field":"prcs_cmd_line", 3730 | "Operator":"Match", 3731 | "Value":"*domaincontrolleraddress*" 3732 | } 3733 | ] 3734 | } 3735 | ] 3736 | }, 3737 | { 3738 | "BooleanOperator":"Or", 3739 | "Conditions":[ 3740 | { 3741 | "Field":"path", 3742 | "Operator":"Match", 3743 | "Value":"*WMIC.exe" 3744 | }, 3745 | { 3746 | "Field":"parentProcessPath", 3747 | "Operator":"Match", 3748 | "Value":"*cmd.exe" 3749 | } 3750 | ] 3751 | } 3752 | ] 3753 | }, 3754 | "EventType":"e10c63e50b064c71ab13968917f16e29" 3755 | }, 3756 | { 3757 | "BaseEventType":1, 3758 | "Condition":{ 3759 | "BooleanOperator":"And", 3760 | "Conditions":[ 3761 | { 3762 | "Field":"path", 3763 | "Operator":"Match", 3764 | "Value":"*schtasks.exe" 3765 | }, 3766 | { 3767 | "BooleanOperator":"Or", 3768 | "Conditions":[ 3769 | { 3770 | "Field":"prcs_cmd_line", 3771 | "Operator":"Match", 3772 | "Value":"*temp*.exe*" 3773 | }, 3774 | { 3775 | "Field":"prcs_cmd_line", 3776 | "Operator":"Match", 3777 | "Value":"*temp*.tmp*" 3778 | }, 3779 | { 3780 | "Field":"prcs_cmd_line", 3781 | "Operator":"Match", 3782 | "Value":"*temp*.bat*" 3783 | }, 3784 | { 3785 | "Field":"prcs_cmd_line", 3786 | "Operator":"Match", 3787 | "Value":"*TEMP*.exe*" 3788 | }, 3789 | { 3790 | "Field":"prcs_cmd_line", 3791 | "Operator":"Match", 3792 | "Value":"*TEMP*.tmp*" 3793 | }, 3794 | { 3795 | "Field":"prcs_cmd_line", 3796 | "Operator":"Match", 3797 | "Value":"*TEMP*.bat*" 3798 | } 3799 | ] 3800 | } 3801 | ] 3802 | }, 3803 | "EventType":"db6fe0cfdd4148cdac8c0ade06d45b2b" 3804 | }, 3805 | { 3806 | "BaseEventType":1, 3807 | "Condition":{ 3808 | "BooleanOperator":"And", 3809 | "Conditions":[ 3810 | { 3811 | "BooleanOperator":"And", 3812 | "Conditions":[ 3813 | { 3814 | "Field":"path", 3815 | "Operator":"Match", 3816 | "Value":"*mavinject.exe" 3817 | }, 3818 | { 3819 | "Field":"prcs_cmd_line", 3820 | "Operator":"Match", 3821 | "Value":"*system32*" 3822 | } 3823 | ] 3824 | }, 3825 | { 3826 | "BooleanOperator":"Or", 3827 | "Conditions":[ 3828 | { 3829 | "Field":"prcs_cmd_line", 3830 | "Operator":"Match", 3831 | "Value":"INJECTRUNNING" 3832 | }, 3833 | { 3834 | "Field":"prcs_cmd_line", 3835 | "Operator":"Match", 3836 | "Value":"injectrunning" 3837 | } 3838 | ] 3839 | } 3840 | ] 3841 | }, 3842 | "EventType":"d341b20d22db4480919dea5571ee6aa1" 3843 | }, 3844 | { 3845 | "BaseEventType":1, 3846 | "Condition":{ 3847 | "BooleanOperator":"And", 3848 | "Conditions":[ 3849 | { 3850 | "Field":"path", 3851 | "Operator":"Match", 3852 | "Value":"*.regsvcs.exe" 3853 | }, 3854 | { 3855 | "Field":"prcs_cmd_line", 3856 | "Operator":"Match", 3857 | "Value":"*.dll*" 3858 | }, 3859 | { 3860 | "BooleanOperator":"And", 3861 | "Conditions":[ 3862 | { 3863 | "Field":"prcs_cmd_line", 3864 | "Operator":"!Match", 3865 | "Value":"*bootstrap*" 3866 | }, 3867 | { 3868 | "Field":"prcs_cmd_line", 3869 | "Operator":"!Match", 3870 | "Value":"*Program Files*" 3871 | } 3872 | ] 3873 | } 3874 | ] 3875 | }, 3876 | "EventType":"c710cbc602134518a51ba85870fee52c" 3877 | }, 3878 | { 3879 | "BaseEventType":1, 3880 | "Condition":{ 3881 | "BooleanOperator":"And", 3882 | "Conditions":[ 3883 | { 3884 | "Field":"path", 3885 | "Operator":"Match", 3886 | "Value":"*regsvr32.exe" 3887 | }, 3888 | { 3889 | "BooleanOperator":"And", 3890 | "Conditions":[ 3891 | { 3892 | "Field":"prcs_cmd_line", 3893 | "Operator":"Match", 3894 | "Value":"*scrobj.dll*" 3895 | }, 3896 | { 3897 | "Field":"prcs_cmd_line", 3898 | "Operator":"Match", 3899 | "Value":"*http*" 3900 | } 3901 | ] 3902 | } 3903 | ] 3904 | }, 3905 | "EventType":"c5adf7a81e104a9486516605f889ffdc" 3906 | }, 3907 | { 3908 | "BaseEventType":1, 3909 | "Condition":{ 3910 | "BooleanOperator":"And", 3911 | "Conditions":[ 3912 | { 3913 | "Field":"path", 3914 | "Operator":"Match", 3915 | "Value":"*cmstp.exe" 3916 | }, 3917 | { 3918 | "Field":"prcs_cmd_line", 3919 | "Operator":"Match", 3920 | "Value":"*.inf*" 3921 | } 3922 | ] 3923 | }, 3924 | "EventType":"c33a346ee5ad428e993f415fd560d570" 3925 | }, 3926 | { 3927 | "BaseEventType":1, 3928 | "Condition":{ 3929 | "BooleanOperator":"And", 3930 | "Conditions":[ 3931 | { 3932 | "Field":"path", 3933 | "Operator":"Match", 3934 | "Value":"*colorcpl.exe" 3935 | }, 3936 | { 3937 | "BooleanOperator":"Or", 3938 | "Conditions":[ 3939 | { 3940 | "Field":"parentProcessPath", 3941 | "Operator":"Match", 3942 | "Value":"*cscript.exe" 3943 | }, 3944 | { 3945 | "Field":"parentProcessPath", 3946 | "Operator":"Match", 3947 | "Value":"*wscript.exe" 3948 | }, 3949 | { 3950 | "Field":"parentProcessPath", 3951 | "Operator":"Match", 3952 | "Value":"*mshta.exe" 3953 | }, 3954 | { 3955 | "Field":"parentProcessPath", 3956 | "Operator":"Match", 3957 | "Value":"*winword.exe" 3958 | }, 3959 | { 3960 | "Field":"parentProcessPath", 3961 | "Operator":"Match", 3962 | "Value":"*excel.exe" 3963 | }, 3964 | { 3965 | "Field":"parentProcessPath", 3966 | "Operator":"Match", 3967 | "Value":"*cmd.exe" 3968 | }, 3969 | { 3970 | "Field":"parentProcessPath", 3971 | "Operator":"Match", 3972 | "Value":"*nslookup.exe" 3973 | } 3974 | ] 3975 | } 3976 | ] 3977 | }, 3978 | "EventType":"bd9369bd5d2f47fe9435058569679f95" 3979 | }, 3980 | { 3981 | "BaseEventType":1, 3982 | "Condition":{ 3983 | "BooleanOperator":"And", 3984 | "Conditions":[ 3985 | { 3986 | "Field":"path", 3987 | "Operator":"Match", 3988 | "Value":"*msiexec.exe" 3989 | }, 3990 | { 3991 | "Field":"prcs_cmd_line", 3992 | "Operator":"Match", 3993 | "Value":"*http*" 3994 | }, 3995 | { 3996 | "BooleanOperator":"And", 3997 | "Conditions":[ 3998 | { 3999 | "Field":"parentProcessPath", 4000 | "Operator":"!Match", 4001 | "Value":"*skype meetings*" 4002 | }, 4003 | { 4004 | "Field":"prcs_cmd_line", 4005 | "Operator":"!Match", 4006 | "Value":"*AppData\\\\Local\\\\Temp\\\\SkypeMeetingsApp.msi*" 4007 | }, 4008 | { 4009 | "Field":"prcs_cmd_line", 4010 | "Operator":"!Match", 4011 | "Value":"*SkypeMeetingsApp*" 4012 | }, 4013 | { 4014 | "Field":"prcs_cmd_line", 4015 | "Operator":"!Match", 4016 | "Value":"*meeturl=*" 4017 | }, 4018 | { 4019 | "Field":"prcs_cmd_line", 4020 | "Operator":"!Match", 4021 | "Value":"*https_*" 4022 | }, 4023 | { 4024 | "Field":"prcs_cmd_line", 4025 | "Operator":"!Match", 4026 | "Value":"*https-*" 4027 | }, 4028 | { 4029 | "Field":"prcs_cmd_line", 4030 | "Operator":"!Match", 4031 | "Value":"*httpd-*" 4032 | } 4033 | ] 4034 | } 4035 | ] 4036 | }, 4037 | "EventType":"bbaa056b72e6477091c9df12f16ef552" 4038 | }, 4039 | { 4040 | "BaseEventType":1, 4041 | "Condition":{ 4042 | "BooleanOperator":"And", 4043 | "Conditions":[ 4044 | { 4045 | "Field":"path", 4046 | "Operator":"Match", 4047 | "Value":"*rundll32.exe" 4048 | }, 4049 | { 4050 | "Field":"prcs_cmd_line", 4051 | "Operator":"Match", 4052 | "Value":"*.dat*" 4053 | }, 4054 | { 4055 | "BooleanOperator":"And", 4056 | "Conditions":[ 4057 | { 4058 | "Field":"prcs_cmd_line", 4059 | "Operator":"!Match", 4060 | "Value":"*shell32.dll*" 4061 | }, 4062 | { 4063 | "Field":"prcs_cmd_line", 4064 | "Operator":"!Match", 4065 | "Value":"*DavSetCookie*" 4066 | }, 4067 | { 4068 | "Field":"prcs_cmd_line", 4069 | "Operator":"!Match", 4070 | "Value":"*Thunder Network*" 4071 | }, 4072 | { 4073 | "Field":"prcs_cmd_line", 4074 | "Operator":"!Match", 4075 | "Value":"*winmail.dat*" 4076 | }, 4077 | { 4078 | "Field":"prcs_cmd_line", 4079 | "Operator":"!Match", 4080 | "Value":"*printui.dll*" 4081 | }, 4082 | { 4083 | "Field":"prcs_cmd_line", 4084 | "Operator":"!Match", 4085 | "Value":"*CanonBJ*" 4086 | }, 4087 | { 4088 | "Field":"prcs_cmd_line", 4089 | "Operator":"!Match", 4090 | "Value":"*FirewallControlPanel*" 4091 | } 4092 | ] 4093 | } 4094 | ] 4095 | }, 4096 | "EventType":"b4ec56297c5e4d5582ab3302fb3aa539" 4097 | }, 4098 | { 4099 | "BaseEventType":1, 4100 | "Condition":{ 4101 | "BooleanOperator":"And", 4102 | "Conditions":[ 4103 | { 4104 | "Field":"path", 4105 | "Operator":"Match", 4106 | "Value":"*powershell.exe" 4107 | }, 4108 | { 4109 | "Field":"prcs_cmd_line", 4110 | "Operator":"Match", 4111 | "Value":"*\\\\temp\\\\*" 4112 | }, 4113 | { 4114 | "BooleanOperator":"Or", 4115 | "Conditions":[ 4116 | { 4117 | "Field":"prcs_cmd_line", 4118 | "Operator":"Match", 4119 | "Value":"*.exe" 4120 | }, 4121 | { 4122 | "Field":"prcs_cmd_line", 4123 | "Operator":"Match", 4124 | "Value":"*.exe'\\\"" 4125 | }, 4126 | { 4127 | "Field":"prcs_cmd_line", 4128 | "Operator":"Match", 4129 | "Value":"*.exe\\\"" 4130 | } 4131 | ] 4132 | } 4133 | ] 4134 | }, 4135 | "EventType":"a1c7d7b50ab94db3b387df688777ba20" 4136 | }, 4137 | { 4138 | "BaseEventType":1, 4139 | "Condition":{ 4140 | "BooleanOperator":"And", 4141 | "Conditions":[ 4142 | { 4143 | "Field":"path", 4144 | "Operator":"Match", 4145 | "Value":"*rundll32.exe" 4146 | }, 4147 | { 4148 | "BooleanOperator":"Or", 4149 | "Conditions":[ 4150 | { 4151 | "Field":"prcs_cmd_line", 4152 | "Operator":"Match", 4153 | "Value":"*EntryPoint*" 4154 | }, 4155 | { 4156 | "Field":"prcs_cmd_line", 4157 | "Operator":"Match", 4158 | "Value":"*entrypoint*" 4159 | } 4160 | ] 4161 | }, 4162 | { 4163 | "BooleanOperator":"And", 4164 | "Conditions":[ 4165 | { 4166 | "Field":"prcs_cmd_line", 4167 | "Operator":"!Match", 4168 | "Value":"*uninstall*" 4169 | }, 4170 | { 4171 | "Field":"prcs_cmd_line", 4172 | "Operator":"!Match", 4173 | "Value":"*UNINSTALL*" 4174 | }, 4175 | { 4176 | "Field":"prcs_cmd_line", 4177 | "Operator":"!Match", 4178 | "Value":"*installer.dll\\\",UninstallJREEntryPoint*" 4179 | } 4180 | ] 4181 | } 4182 | ] 4183 | }, 4184 | "EventType":"9c42ee639fbd4f77a1802947cbbdbdb5" 4185 | }, 4186 | { 4187 | "BaseEventType":1, 4188 | "Condition":{ 4189 | "BooleanOperator":"And", 4190 | "Conditions":[ 4191 | { 4192 | "Field":"path", 4193 | "Operator":"Match", 4194 | "Value":"*regsvr32.exe" 4195 | }, 4196 | { 4197 | "BooleanOperator":"And", 4198 | "Conditions":[ 4199 | { 4200 | "Field":"prcs_cmd_line", 4201 | "Operator":"Match", 4202 | "Value":"*/i:file:*" 4203 | }, 4204 | { 4205 | "Field":"prcs_cmd_line", 4206 | "Operator":"Match", 4207 | "Value":"*.sct*" 4208 | }, 4209 | { 4210 | "Field":"prcs_cmd_line", 4211 | "Operator":"Match", 4212 | "Value":"*scrobj.dll*" 4213 | } 4214 | ] 4215 | }, 4216 | { 4217 | "Field":"prcs_cmd_line", 4218 | "Operator":"!Match", 4219 | "Value":"*http*" 4220 | } 4221 | ] 4222 | }, 4223 | "EventType":"9c0c0c7a8d37448082c7e66ca529cf81" 4224 | }, 4225 | { 4226 | "BaseEventType":1, 4227 | "Condition":{ 4228 | "BooleanOperator":"And", 4229 | "Conditions":[ 4230 | { 4231 | "BooleanOperator":"Or", 4232 | "Conditions":[ 4233 | { 4234 | "Field":"path", 4235 | "Operator":"Match", 4236 | "Value":"*cmd.exe" 4237 | }, 4238 | { 4239 | "Field":"path", 4240 | "Operator":"Match", 4241 | "Value":"*wscript.exe" 4242 | }, 4243 | { 4244 | "Field":"path", 4245 | "Operator":"Match", 4246 | "Value":"*node.exe" 4247 | } 4248 | ] 4249 | }, 4250 | { 4251 | "BooleanOperator":"And", 4252 | "Conditions":[ 4253 | { 4254 | "Field":"prcs_cmd_line", 4255 | "Operator":"Match", 4256 | "Value":"*app.js*" 4257 | }, 4258 | { 4259 | "Field":"prcs_cmd_line", 4260 | "Operator":"Match", 4261 | "Value":"*==*" 4262 | } 4263 | ] 4264 | }, 4265 | { 4266 | "BooleanOperator":"Or", 4267 | "Conditions":[ 4268 | { 4269 | "Field":"prcs_cmd_line", 4270 | "Operator":"Match", 4271 | "Value":"*.hta\\\" &exit 1" 4272 | }, 4273 | { 4274 | "Field":"prcs_cmd_line", 4275 | "Operator":"Match", 4276 | "Value":"*sall.js*" 4277 | } 4278 | ] 4279 | } 4280 | ] 4281 | }, 4282 | "EventType":"89e061caa4eb413389a4131ad6f71131" 4283 | }, 4284 | { 4285 | "BaseEventType":1, 4286 | "Condition":{ 4287 | "BooleanOperator":"And", 4288 | "Conditions":[ 4289 | { 4290 | "BooleanOperator":"Or", 4291 | "Conditions":[ 4292 | { 4293 | "Field":"path", 4294 | "Operator":"Match", 4295 | "Value":"*adexplorer.exe" 4296 | }, 4297 | { 4298 | "Field":"path", 4299 | "Operator":"Match", 4300 | "Value":"*adexplorer64.exe" 4301 | }, 4302 | { 4303 | "Field":"path", 4304 | "Operator":"Match", 4305 | "Value":"*adexplorer64a.exe" 4306 | } 4307 | ] 4308 | }, 4309 | { 4310 | "Field":"prcs_cmd_line", 4311 | "Operator":"Match", 4312 | "Value":"*-snapshot*" 4313 | } 4314 | ] 4315 | }, 4316 | "EventType":"7a97b704e619403eb8cb2b87d18e572e" 4317 | }, 4318 | { 4319 | "BaseEventType":1, 4320 | "Condition":{ 4321 | "BooleanOperator":"And", 4322 | "Conditions":[ 4323 | { 4324 | "Field":"path", 4325 | "Operator":"Match", 4326 | "Value":"*wscript.exe" 4327 | }, 4328 | { 4329 | "BooleanOperator":"Or", 4330 | "Conditions":[ 4331 | { 4332 | "Field":"prcs_cmd_line", 4333 | "Operator":"Match", 4334 | "Value":"*AppData\\Local\\Temp\\7z*" 4335 | }, 4336 | { 4337 | "Field":"prcs_cmd_line", 4338 | "Operator":"Match", 4339 | "Value":"*AppData\\Local\\Temp\\RarSFX*" 4340 | }, 4341 | { 4342 | "Field":"prcs_cmd_line", 4343 | "Operator":"Match", 4344 | "Value":"*AppData\\Local\\Temp\\Temp*" 4345 | } 4346 | ] 4347 | }, 4348 | { 4349 | "BooleanOperator":"And", 4350 | "Conditions":[ 4351 | { 4352 | "Field":"prcs_cmd_line", 4353 | "Operator":"!Match", 4354 | "Value":"*run.vbs*" 4355 | }, 4356 | { 4357 | "Field":"prcs_cmd_line", 4358 | "Operator":"!Match", 4359 | "Value":"*setup.vbs*" 4360 | }, 4361 | { 4362 | "Field":"prcs_cmd_line", 4363 | "Operator":"!Match", 4364 | "Value":"*install.vbs*" 4365 | } 4366 | ] 4367 | } 4368 | ] 4369 | }, 4370 | "EventType":"6c88ff244dc349c4bc63a60680ba6053" 4371 | }, 4372 | { 4373 | "BaseEventType":1, 4374 | "Condition":{ 4375 | "BooleanOperator":"And", 4376 | "Conditions":[ 4377 | { 4378 | "Field":"parentProcessPath", 4379 | "Operator":"Match", 4380 | "Value":"searchprotocolhost.exe" 4381 | }, 4382 | { 4383 | "BooleanOperator":"Or", 4384 | "Conditions":[ 4385 | { 4386 | "Field":"path", 4387 | "Operator":"Match", 4388 | "Value":"*cmd.exe" 4389 | }, 4390 | { 4391 | "Field":"path", 4392 | "Operator":"Match", 4393 | "Value":"*powershell.exe" 4394 | }, 4395 | { 4396 | "Field":"path", 4397 | "Operator":"Match", 4398 | "Value":"*whoami.exe" 4399 | }, 4400 | { 4401 | "Field":"path", 4402 | "Operator":"Match", 4403 | "Value":"*nslookup.exe" 4404 | }, 4405 | { 4406 | "Field":"path", 4407 | "Operator":"Match", 4408 | "Value":"*hostname.exe" 4409 | }, 4410 | { 4411 | "Field":"path", 4412 | "Operator":"Match", 4413 | "Value":"*net.exe" 4414 | } 4415 | ] 4416 | } 4417 | ] 4418 | }, 4419 | "EventType":"62e7cf2323b44b2b9d841ac9ca65befb" 4420 | }, 4421 | { 4422 | "BaseEventType":1, 4423 | "Condition":{ 4424 | "BooleanOperator":"And", 4425 | "Conditions":[ 4426 | { 4427 | "BooleanOperator":"Or", 4428 | "Conditions":[ 4429 | { 4430 | "Field":"prcs_cmd_line", 4431 | "Operator":"Match", 4432 | "Value":"*programdata*" 4433 | }, 4434 | { 4435 | "Field":"prcs_cmd_line", 4436 | "Operator":"Match", 4437 | "Value":"*PROGRAMDATA*" 4438 | } 4439 | ] 4440 | }, 4441 | { 4442 | "BooleanOperator":"Or", 4443 | "Conditions":[ 4444 | { 4445 | "Field":"prcs_cmd_line", 4446 | "Operator":"Match", 4447 | "Value":"*.vbs*" 4448 | }, 4449 | { 4450 | "Field":"prcs_cmd_line", 4451 | "Operator":"Match", 4452 | "Value":"*.js*" 4453 | }, 4454 | { 4455 | "Field":"prcs_cmd_line", 4456 | "Operator":"Match", 4457 | "Value":"*.bat*" 4458 | }, 4459 | { 4460 | "Field":"prcs_cmd_line", 4461 | "Operator":"Match", 4462 | "Value":"*.ps1*" 4463 | } 4464 | ] 4465 | } 4466 | ] 4467 | }, 4468 | "EventType":"4758d0c407824641b97b1656337dc9f7" 4469 | }, 4470 | { 4471 | "BaseEventType":1, 4472 | "Condition":{ 4473 | "BooleanOperator":"And", 4474 | "Conditions":[ 4475 | { 4476 | "Field":"path", 4477 | "Operator":"Match", 4478 | "Value":"*reg.exe" 4479 | }, 4480 | { 4481 | "BooleanOperator":"Or", 4482 | "Conditions":[ 4483 | { 4484 | "Field":"prcs_cmd_line", 4485 | "Operator":"Match", 4486 | "Value":"*reg add*" 4487 | }, 4488 | { 4489 | "Field":"prcs_cmd_line", 4490 | "Operator":"Match", 4491 | "Value":"*REG ADD*" 4492 | } 4493 | ] 4494 | }, 4495 | { 4496 | "BooleanOperator":"Or", 4497 | "Conditions":[ 4498 | { 4499 | "Field":"prcs_cmd_line", 4500 | "Operator":"Match", 4501 | "Value":"*osk.exe*" 4502 | }, 4503 | { 4504 | "Field":"prcs_cmd_line", 4505 | "Operator":"Match", 4506 | "Value":"*sethc.exe*" 4507 | }, 4508 | { 4509 | "Field":"prcs_cmd_line", 4510 | "Operator":"Match", 4511 | "Value":"*utilman.exe*" 4512 | }, 4513 | { 4514 | "Field":"prcs_cmd_line", 4515 | "Operator":"Match", 4516 | "Value":"*magnify.exe*" 4517 | }, 4518 | { 4519 | "Field":"prcs_cmd_line", 4520 | "Operator":"Match", 4521 | "Value":"*narrator.exe*" 4522 | } 4523 | ] 4524 | }, 4525 | { 4526 | "BooleanOperator":"Or", 4527 | "Conditions":[ 4528 | { 4529 | "Field":"prcs_cmd_line", 4530 | "Operator":"Match", 4531 | "Value":"*Image File Execution Options*" 4532 | }, 4533 | { 4534 | "Field":"prcs_cmd_line", 4535 | "Operator":"Match", 4536 | "Value":"*image file execution options*" 4537 | } 4538 | ] 4539 | } 4540 | ] 4541 | }, 4542 | "EventType":"27ae482e72ec446cb6326aaad307787b" 4543 | }, 4544 | { 4545 | "BaseEventType":1, 4546 | "Condition":{ 4547 | "BooleanOperator":"And", 4548 | "Conditions":[ 4549 | { 4550 | "BooleanOperator":"Or", 4551 | "Conditions":[ 4552 | { 4553 | "Field":"path", 4554 | "Operator":"Match", 4555 | "Value":"*cmd.exe" 4556 | }, 4557 | { 4558 | "Field":"path", 4559 | "Operator":"Match", 4560 | "Value":"*powershell.exe" 4561 | } 4562 | ] 4563 | }, 4564 | { 4565 | "BooleanOperator":"Or", 4566 | "Conditions":[ 4567 | { 4568 | "Field":"prcs_cmd_line", 4569 | "Operator":"Match", 4570 | "Value":"*^&*" 4571 | }, 4572 | { 4573 | "Field":"prcs_cmd_line", 4574 | "Operator":"Match", 4575 | "Value":"*^ ^*" 4576 | }, 4577 | { 4578 | "Field":"prcs_cmd_line", 4579 | "Operator":"Match", 4580 | "Value":"*^*^*^*" 4581 | } 4582 | ] 4583 | } 4584 | ] 4585 | }, 4586 | "EventType":"170286b86ebf46bba212be0f529936de" 4587 | }, 4588 | { 4589 | "BaseEventType":1, 4590 | "Condition":{ 4591 | "BooleanOperator":"And", 4592 | "Conditions":[ 4593 | { 4594 | "BooleanOperator":"Or", 4595 | "Conditions":[ 4596 | { 4597 | "Field":"path", 4598 | "Operator":"Match", 4599 | "Value":"*sc.exe" 4600 | }, 4601 | { 4602 | "Field":"path", 4603 | "Operator":"Match", 4604 | "Value":"*tscon.exe" 4605 | } 4606 | ] 4607 | }, 4608 | { 4609 | "BooleanOperator":"Or", 4610 | "Conditions":[ 4611 | { 4612 | "Field":"prcs_cmd_line", 4613 | "Operator":"Match", 4614 | "Value":"*cmd.exe /k*" 4615 | }, 4616 | { 4617 | "Field":"prcs_cmd_line", 4618 | "Operator":"Match", 4619 | "Value":"*cmd.exe /c*" 4620 | }, 4621 | { 4622 | "Field":"prcs_cmd_line", 4623 | "Operator":"Match", 4624 | "Value":"*sesshijack*" 4625 | } 4626 | ] 4627 | }, 4628 | { 4629 | "Field":"prcs_cmd_line", 4630 | "Operator":"Match", 4631 | "Value":"*/dest:console*" 4632 | } 4633 | ] 4634 | }, 4635 | "EventType":"128f8ed928154547be08fd1b175f161c" 4636 | }, 4637 | { 4638 | "BaseEventType":1, 4639 | "Condition":{ 4640 | "BooleanOperator":"Or", 4641 | "Conditions":[ 4642 | { 4643 | "Field":"path", 4644 | "Operator":"Match", 4645 | "Value":"*powershell.exe" 4646 | }, 4647 | { 4648 | "Field":"path", 4649 | "Operator":"Match", 4650 | "Value":"*cmd.exe" 4651 | }, 4652 | { 4653 | "BooleanOperator":"Or", 4654 | "Conditions":[ 4655 | { 4656 | "BooleanOperator":"And", 4657 | "Conditions":[ 4658 | { 4659 | "Field":"prcs_cmd_line", 4660 | "Operator":"Match", 4661 | "Value":".*1\\\\> \\\\\\\\\\\\\\\\127\\\\.0\\\\.0\\\\.1\\\\\\\\C\\\\$\\\\\\\\.*" 4662 | }, 4663 | { 4664 | "Field":"prcs_cmd_line", 4665 | "Operator":"Match", 4666 | "Value":".*2\\\\>\\\\&1.*" 4667 | } 4668 | ] 4669 | }, 4670 | { 4671 | "BooleanOperator":"Or", 4672 | "Conditions":[ 4673 | { 4674 | "Field":"prcs_cmd_line", 4675 | "Operator":"Match", 4676 | "Value":"*echo [a-z]{6} > \\\\\\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\[a-z]{6}.*" 4677 | }, 4678 | { 4679 | "Field":"prcs_cmd_line", 4680 | "Operator":"Match", 4681 | "Value":"*-nop -w hidden -noni*" 4682 | } 4683 | ] 4684 | } 4685 | ] 4686 | } 4687 | ] 4688 | }, 4689 | "EventType":"ffc20ff7793b48ec8940dbdef5c44c9c" 4690 | }, 4691 | { 4692 | "BaseEventType":1, 4693 | "Condition":{ 4694 | "BooleanOperator":"And", 4695 | "Conditions":[ 4696 | { 4697 | "Field":"path", 4698 | "Operator":"Match", 4699 | "Value":"*cmd.exe" 4700 | }, 4701 | { 4702 | "BooleanOperator":"Or", 4703 | "Conditions":[ 4704 | { 4705 | "Field":"prcs_cmd_line", 4706 | "Operator":"Match", 4707 | "Value":"*/c dir \\\\\\\\*" 4708 | }, 4709 | { 4710 | "Field":"prcs_cmd_line", 4711 | "Operator":"Match", 4712 | "Value":"*/C dir \\\\\\\\*" 4713 | }, 4714 | { 4715 | "Field":"prcs_cmd_line", 4716 | "Operator":"Match", 4717 | "Value":"*/C type \\\\\\\\*" 4718 | }, 4719 | { 4720 | "Field":"prcs_cmd_line", 4721 | "Operator":"Match", 4722 | "Value":"*/c type \\\\\\\\*" 4723 | } 4724 | ] 4725 | } 4726 | ] 4727 | }, 4728 | "EventType":"fee8a4b445e5442e9f404aad01586971" 4729 | }, 4730 | { 4731 | "BaseEventType":1, 4732 | "Condition":{ 4733 | "BooleanOperator":"And", 4734 | "Conditions":[ 4735 | { 4736 | "Field":"path", 4737 | "Operator":"Match", 4738 | "Value":"*rundll32.exe" 4739 | }, 4740 | { 4741 | "Field":"prcs_cmd_line", 4742 | "Operator":"Match", 4743 | "Value":"*runhtmlapplication*" 4744 | } 4745 | ] 4746 | }, 4747 | "EventType":"ec69f2a8968c44a98b3e3e9dcaa596a0" 4748 | }, 4749 | { 4750 | "BaseEventType":1, 4751 | "Condition":{ 4752 | "BooleanOperator":"And", 4753 | "Conditions":[ 4754 | { 4755 | "BooleanOperator":"Or", 4756 | "Conditions":[ 4757 | { 4758 | "Field":"path", 4759 | "Operator":"Match", 4760 | "Value":"*dsquery.exe" 4761 | }, 4762 | { 4763 | "Field":"prcs_cmd_line", 4764 | "Operator":"Match", 4765 | "Value":"*-filter*" 4766 | }, 4767 | { 4768 | "Field":"prcs_cmd_line", 4769 | "Operator":"Match", 4770 | "Value":"*trustedDomain*" 4771 | } 4772 | ] 4773 | }, 4774 | { 4775 | "BooleanOperator":"And", 4776 | "Conditions":[ 4777 | { 4778 | "Field":"path", 4779 | "Operator":"Match", 4780 | "Value":"*nltest.exe" 4781 | }, 4782 | { 4783 | "BooleanOperator":"Or", 4784 | "Conditions":[ 4785 | { 4786 | "Field":"prcs_cmd_line", 4787 | "Operator":"Match", 4788 | "Value":"*/domain_trusts*" 4789 | }, 4790 | { 4791 | "Field":"prcs_cmd_line", 4792 | "Operator":"Match", 4793 | "Value":"*/dsgetdc: /kdc /force*" 4794 | }, 4795 | { 4796 | "Field":"prcs_cmd_line", 4797 | "Operator":"Match", 4798 | "Value":"*/trusted_domains*" 4799 | }, 4800 | { 4801 | "Field":"prcs_cmd_line", 4802 | "Operator":"Match", 4803 | "Value":"*/dclist*" 4804 | }, 4805 | { 4806 | "BooleanOperator":"And", 4807 | "Conditions":[ 4808 | { 4809 | "Field":"prcs_cmd_line", 4810 | "Operator":"Match", 4811 | "Value":"*/DSADDRESSTOSITE*" 4812 | }, 4813 | { 4814 | "Field":"prcs_cmd_line", 4815 | "Operator":"Match", 4816 | "Value":"*/dsgetsite*" 4817 | } 4818 | ] 4819 | } 4820 | ] 4821 | } 4822 | ] 4823 | } 4824 | ] 4825 | }, 4826 | "EventType":"e76e85b62edb44599a8382be5c9700c5" 4827 | }, 4828 | { 4829 | "BaseEventType":1, 4830 | "Condition":{ 4831 | "BooleanOperator":"And", 4832 | "Conditions":[ 4833 | { 4834 | "BooleanOperator":"Or", 4835 | "Conditions":[ 4836 | { 4837 | "Field":"parentProcessPath", 4838 | "Operator":"Match", 4839 | "Value":"*wscript.exe" 4840 | }, 4841 | { 4842 | "Field":"parentProcessPath", 4843 | "Operator":"Match", 4844 | "Value":"*cscript.exe" 4845 | }, 4846 | { 4847 | "Field":"parentProcessPath", 4848 | "Operator":"Match", 4849 | "Value":"*mshta.exe" 4850 | } 4851 | ] 4852 | }, 4853 | { 4854 | "BooleanOperator":"Or", 4855 | "Conditions":[ 4856 | { 4857 | "Field":"path", 4858 | "Operator":"Match", 4859 | "Value":"*userinit.exe" 4860 | }, 4861 | { 4862 | "Field":"path", 4863 | "Operator":"Match", 4864 | "Value":"*colorcpl.exe" 4865 | } 4866 | ] 4867 | } 4868 | ] 4869 | }, 4870 | "EventType":"dfb99cb077624a398880dce0255a8eb6" 4871 | }, 4872 | { 4873 | "BaseEventType":1, 4874 | "Condition":{ 4875 | "BooleanOperator":"And", 4876 | "Conditions":[ 4877 | { 4878 | "Field":"path", 4879 | "Operator":"Match", 4880 | "Value":"*wmic.exe" 4881 | }, 4882 | { 4883 | "Field":"prcs_cmd_line", 4884 | "Operator":"Match", 4885 | "Value":"*.xsl*" 4886 | }, 4887 | { 4888 | "Field":"parentProcessPath", 4889 | "Operator":"Match", 4890 | "Value":"*node.exe" 4891 | }, 4892 | { 4893 | "BooleanOperator":"Or", 4894 | "Conditions":[ 4895 | { 4896 | "Field":"prcs_cmd_line", 4897 | "Operator":"Match", 4898 | "Value":"*/format*" 4899 | }, 4900 | { 4901 | "Field":"prcs_cmd_line", 4902 | "Operator":"Match", 4903 | "Value":"*/FORMAT*" 4904 | } 4905 | ] 4906 | } 4907 | ] 4908 | }, 4909 | "EventType":"d43ae1b53a8c4898a232186a11e8e547" 4910 | }, 4911 | { 4912 | "BaseEventType":1, 4913 | "Condition":{ 4914 | "BooleanOperator":"And", 4915 | "Conditions":[ 4916 | { 4917 | "Field":"parentVerdict", 4918 | "Operator":"!Equal", 4919 | "Value":1 4920 | }, 4921 | { 4922 | "Field":"path", 4923 | "Operator":"Match", 4924 | "Value":"%systemroot%\\*" 4925 | } 4926 | ] 4927 | }, 4928 | "EventType":"d1ae282393824e2198eae3a425112494" 4929 | }, 4930 | { 4931 | "BaseEventType":1, 4932 | "Condition":{ 4933 | "BooleanOperator":"And", 4934 | "Conditions":[ 4935 | { 4936 | "Field":"path", 4937 | "Operator":"Match", 4938 | "Value":"*exportrsa.exe" 4939 | }, 4940 | { 4941 | "Field":"prcs_cmd_line", 4942 | "Operator":"Match", 4943 | "Value":"*exportrsa*" 4944 | } 4945 | ] 4946 | }, 4947 | "EventType":"d1953c0271fe4f4cb9566666464eecd0" 4948 | }, 4949 | { 4950 | "BaseEventType":1, 4951 | "Condition":{ 4952 | "BooleanOperator":"And", 4953 | "Conditions":[ 4954 | { 4955 | "BooleanOperator":"Or", 4956 | "Conditions":[ 4957 | { 4958 | "Field":"path", 4959 | "Operator":"Match", 4960 | "Value":"*WMIC.exe" 4961 | }, 4962 | { 4963 | "Field":"path", 4964 | "Operator":"Match", 4965 | "Value":"*net.exe" 4966 | }, 4967 | { 4968 | "Field":"path", 4969 | "Operator":"Match", 4970 | "Value":"*net1.exe" 4971 | }, 4972 | { 4973 | "Field":"parentProcessPath", 4974 | "Operator":"Match", 4975 | "Value":"*cmd.exe" 4976 | }, 4977 | { 4978 | "Field":"path", 4979 | "Operator":"Match", 4980 | "Value":"*wmic.exe" 4981 | } 4982 | ] 4983 | }, 4984 | { 4985 | "BooleanOperator":"Or", 4986 | "Conditions":[ 4987 | { 4988 | "BooleanOperator":"And", 4989 | "Conditions":[ 4990 | { 4991 | "Field":"prcs_cmd_line", 4992 | "Operator":"Match", 4993 | "Value":"*SET*" 4994 | }, 4995 | { 4996 | "Field":"prcs_cmd_line", 4997 | "Operator":"Match", 4998 | "Value":"*PASSWORD*" 4999 | }, 5000 | { 5001 | "Field":"prcs_cmd_line", 5002 | "Operator":"Match", 5003 | "Value":"*FALSE*" 5004 | } 5005 | ] 5006 | }, 5007 | { 5008 | "BooleanOperator":"And", 5009 | "Conditions":[ 5010 | { 5011 | "Field":"prcs_cmd_line", 5012 | "Operator":"Match", 5013 | "Value":"*set*" 5014 | }, 5015 | { 5016 | "Field":"prcs_cmd_line", 5017 | "Operator":"Match", 5018 | "Value":"*password*" 5019 | }, 5020 | { 5021 | "Field":"prcs_cmd_line", 5022 | "Operator":"Match", 5023 | "Value":"*false*" 5024 | } 5025 | ] 5026 | }, 5027 | { 5028 | "BooleanOperator":"And", 5029 | "Conditions":[ 5030 | { 5031 | "Field":"prcs_cmd_line", 5032 | "Operator":"Match", 5033 | "Value":"*EXPIRES*" 5034 | }, 5035 | { 5036 | "Field":"prcs_cmd_line", 5037 | "Operator":"Match", 5038 | "Value":"*NEVER*" 5039 | } 5040 | ] 5041 | }, 5042 | { 5043 | "BooleanOperator":"And", 5044 | "Conditions":[ 5045 | { 5046 | "Field":"prcs_cmd_line", 5047 | "Operator":"Match", 5048 | "Value":"*expires*" 5049 | }, 5050 | { 5051 | "Field":"prcs_cmd_line", 5052 | "Operator":"Match", 5053 | "Value":"*never*" 5054 | } 5055 | ] 5056 | } 5057 | ] 5058 | } 5059 | ] 5060 | }, 5061 | "EventType":"d00d075592584b178c24501279d53913" 5062 | }, 5063 | { 5064 | "BaseEventType":1, 5065 | "Condition":{ 5066 | "BooleanOperator":"And", 5067 | "Conditions":[ 5068 | { 5069 | "Field":"path", 5070 | "Operator":"Match", 5071 | "Value":"*rundll32.exe" 5072 | }, 5073 | { 5074 | "Field":"parentProcessPath", 5075 | "Operator":"Match", 5076 | "Value":"*powershell.exe" 5077 | }, 5078 | { 5079 | "Field":"prcs_cmd_line", 5080 | "Operator":"!Match", 5081 | "Value":"*C:\\\\Windows\\\\ccm\\\\PrepDrv.inf" 5082 | }, 5083 | { 5084 | "Field":"prcs_cmd_line", 5085 | "Operator":"!Match", 5086 | "Value":"*Follow Me Queue*" 5087 | }, 5088 | { 5089 | "Field":"prcs_cmd_line", 5090 | "Operator":"!Match", 5091 | "Value":"*cryptext.dll,CryptExtOpenCER*" 5092 | }, 5093 | { 5094 | "Field":"prcs_cmd_line", 5095 | "Operator":"!Match", 5096 | "Value":"C:\\\\ProgramData\\\\Lenovo\\\\ImController\\\\Plugins\\\\LenovoBatteryGaugePackage\\\\x64\\\\LenovoBatteryGaugePackage.dll*" 5097 | }, 5098 | { 5099 | "Field":"prcs_cmd_line", 5100 | "Operator":"!Match", 5101 | "Value":"\\\"C:\\\\Windows\\\\system32\\\\rundll32.exe\\\" C:\\\\ProgramData\\\\Lenovo\\\\ImController\\\\Plugins\\\\LenovoBatteryGaugePackage\\\\x64\\\\LenovoBatteryGaugePackage.dll, LaunchPinVantageToolbarToast" 5102 | } 5103 | ] 5104 | }, 5105 | "EventType":"c54981745f11465a95eb7326cacd2c76" 5106 | }, 5107 | { 5108 | "BaseEventType":1, 5109 | "Condition":{ 5110 | "BooleanOperator":"And", 5111 | "Conditions":[ 5112 | { 5113 | "Field":"parentProcessPath", 5114 | "Operator":"Match", 5115 | "Value":"*winzip*" 5116 | }, 5117 | { 5118 | "Field":"path", 5119 | "Operator":"Match", 5120 | "Value":"*wscript.exe" 5121 | } 5122 | ] 5123 | }, 5124 | "EventType":"ac379b82a2e042a3bf91ce9b3b2ce09f" 5125 | }, 5126 | { 5127 | "BaseEventType":1, 5128 | "Condition":{ 5129 | "BooleanOperator":"And", 5130 | "Conditions":[ 5131 | { 5132 | "BooleanOperator":"Or", 5133 | "Conditions":[ 5134 | { 5135 | "Field":"parentProcessPath", 5136 | "Operator":"Match", 5137 | "Value":"*winword.exe" 5138 | }, 5139 | { 5140 | "Field":"parentProcessPath", 5141 | "Operator":"Match", 5142 | "Value":"*powerpnt.exe" 5143 | }, 5144 | { 5145 | "Field":"parentProcessPath", 5146 | "Operator":"Match", 5147 | "Value":"*excel.exe" 5148 | } 5149 | ] 5150 | }, 5151 | { 5152 | "Field":"path", 5153 | "Operator":"Match", 5154 | "Value":"*powershell.exe" 5155 | } 5156 | ] 5157 | }, 5158 | "EventType":"ab996615c55a49bb8c567eb18ea9d7ef" 5159 | }, 5160 | { 5161 | "BaseEventType":1, 5162 | "Condition":{ 5163 | "BooleanOperator":"And", 5164 | "Conditions":[ 5165 | { 5166 | "Field":"path", 5167 | "Operator":"Match", 5168 | "Value":"*$recycle.bin*" 5169 | }, 5170 | { 5171 | "BooleanOperator":"Or", 5172 | "Conditions":[ 5173 | { 5174 | "Field":"path", 5175 | "Operator":"!Match", 5176 | "Value":"*printermanager.exe" 5177 | }, 5178 | { 5179 | "Field":"path", 5180 | "Operator":"!Match", 5181 | "Value":"*chrome.exe" 5182 | } 5183 | ] 5184 | } 5185 | ] 5186 | }, 5187 | "EventType":"75bc56960c004a2db87a85f189dd763f" 5188 | }, 5189 | { 5190 | "BaseEventType":1, 5191 | "Condition":{ 5192 | "BooleanOperator":"And", 5193 | "Conditions":[ 5194 | { 5195 | "BooleanOperator":"Or", 5196 | "Conditions":[ 5197 | { 5198 | "Field":"path", 5199 | "Operator":"Match", 5200 | "Value":"*control.exe" 5201 | }, 5202 | { 5203 | "Field":"path", 5204 | "Operator":"Match", 5205 | "Value":"*rundll32.exe" 5206 | } 5207 | ] 5208 | }, 5209 | { 5210 | "Field":"prcs_cmd_line", 5211 | "Operator":"Match", 5212 | "Value":"*.cpl*" 5213 | }, 5214 | { 5215 | "Field":"prcs_cmd_line", 5216 | "Operator":"!Match", 5217 | "Value":"*intl.cpl*" 5218 | }, 5219 | { 5220 | "BooleanOperator":"Or", 5221 | "Conditions":[ 5222 | { 5223 | "Field":"prcs_cmd_line", 5224 | "Operator":"Match", 5225 | "Value":"*temp*" 5226 | }, 5227 | { 5228 | "Field":"prcs_cmd_line", 5229 | "Operator":"Match", 5230 | "Value":"*C:\\\\Users\\\\Public*" 5231 | } 5232 | ] 5233 | } 5234 | ] 5235 | }, 5236 | "EventType":"7172d6686a22414d960b1baf2c0c2222" 5237 | }, 5238 | { 5239 | "BaseEventType":1, 5240 | "Condition":{ 5241 | "BooleanOperator":"And", 5242 | "Conditions":[ 5243 | { 5244 | "Field":"path", 5245 | "Operator":"Match", 5246 | "Value":"*cmdkey.exe" 5247 | }, 5248 | { 5249 | "Field":"parentProcessPath", 5250 | "Operator":"!Match", 5251 | "Value":"*microsoft.sara.exe" 5252 | }, 5253 | { 5254 | "BooleanOperator":"Or", 5255 | "Conditions":[ 5256 | { 5257 | "Field":"prcs_cmd_line", 5258 | "Operator":"Match", 5259 | "Value":"*/list" 5260 | }, 5261 | { 5262 | "Field":"prcs_cmd_line", 5263 | "Operator":"Match", 5264 | "Value":"*/list:" 5265 | } 5266 | ] 5267 | } 5268 | ] 5269 | }, 5270 | "EventType":"6e09797dea344c41a5de8f64f6b90ddb" 5271 | }, 5272 | { 5273 | "BaseEventType":1, 5274 | "Condition":{ 5275 | "BooleanOperator":"And", 5276 | "Conditions":[ 5277 | { 5278 | "Field":"path", 5279 | "Operator":"Match", 5280 | "Value":"*netsh.exe" 5281 | }, 5282 | { 5283 | "Field":"prcs_cmd_line", 5284 | "Operator":"Match", 5285 | "Value":"*add*" 5286 | }, 5287 | { 5288 | "Field":"prcs_cmd_line", 5289 | "Operator":"Match", 5290 | "Value":"*helper*" 5291 | } 5292 | ] 5293 | }, 5294 | "EventType":"5153a551dd154d8dacfd7fe0d78c4d69" 5295 | }, 5296 | { 5297 | "BaseEventType":1, 5298 | "Condition":{ 5299 | "BooleanOperator":"And", 5300 | "Conditions":[ 5301 | { 5302 | "Field":"path", 5303 | "Operator":"Match", 5304 | "Value":"*netsh.exe" 5305 | }, 5306 | { 5307 | "Field":"prcs_cmd_line", 5308 | "Operator":"Match", 5309 | "Value":"*wlan*" 5310 | }, 5311 | { 5312 | "Field":"prcs_cmd_line", 5313 | "Operator":"Match", 5314 | "Value":".*key.clear.*" 5315 | }, 5316 | { 5317 | "Field":"prcs_cmd_line", 5318 | "Operator":"Match", 5319 | "Value":".*show.profiles.*" 5320 | } 5321 | ] 5322 | }, 5323 | "EventType":"4e9fa6d2e6c34871a7971edf05ed2fc7" 5324 | }, 5325 | { 5326 | "BaseEventType":1, 5327 | "Condition":{ 5328 | "BooleanOperator":"And", 5329 | "Conditions":[ 5330 | { 5331 | "Field":"path", 5332 | "Operator":"Match", 5333 | "Value":"*cmd.exe" 5334 | }, 5335 | { 5336 | "BooleanOperator":"Or", 5337 | "Conditions":[ 5338 | { 5339 | "Field":"prcs_cmd_line", 5340 | "Operator":"Match", 5341 | "Value":"*/V /C \\\"set x=*" 5342 | }, 5343 | { 5344 | "Field":"prcs_cmd_line", 5345 | "Operator":"Match", 5346 | "Value":"*/S /D /c\\\" echo %x:*" 5347 | }, 5348 | { 5349 | "Field":"prcs_cmd_line", 5350 | "Operator":"Match", 5351 | "Value":"*/k echo %time% && timeout 4000 > NUL*" 5352 | }, 5353 | { 5354 | "Field":"prcs_cmd_line", 5355 | "Operator":"Match", 5356 | "Value":"*.log\\\"&& exit" 5357 | } 5358 | ] 5359 | } 5360 | ] 5361 | }, 5362 | "EventType":"4e391caf73b2444fa5e57f02c741de4e" 5363 | }, 5364 | { 5365 | "BaseEventType":1, 5366 | "Condition":{ 5367 | "Field":"verdict", 5368 | "Operator":"!Equal", 5369 | "Value":1 5370 | }, 5371 | "EventType":"4e1885dddf8b428bad867f20e8bdb1a2" 5372 | }, 5373 | { 5374 | "BaseEventType":1, 5375 | "Condition":{ 5376 | "BooleanOperator":"And", 5377 | "Conditions":[ 5378 | { 5379 | "Field":"path", 5380 | "Operator":"Match", 5381 | "Value":"*msbuild.exe" 5382 | }, 5383 | { 5384 | "BooleanOperator":"Or", 5385 | "Conditions":[ 5386 | { 5387 | "Field":"prcs_cmd_line", 5388 | "Operator":"Match", 5389 | "Value":"*\\\\Windows\\\\Temp*" 5390 | }, 5391 | { 5392 | "Field":"prcs_cmd_line", 5393 | "Operator":"Match", 5394 | "Value":"*\\\\Windows\\\\temp*" 5395 | }, 5396 | { 5397 | "Field":"prcs_cmd_line", 5398 | "Operator":"Match", 5399 | "Value":"*\\\\windows\\\\Temp*" 5400 | }, 5401 | { 5402 | "Field":"prcs_cmd_line", 5403 | "Operator":"Match", 5404 | "Value":"*\\\\windows\\\\temp*" 5405 | } 5406 | ] 5407 | } 5408 | ] 5409 | }, 5410 | "EventType":"4d6a2a84f7ce43f0946313afa7f62fef" 5411 | }, 5412 | { 5413 | "BaseEventType":1, 5414 | "Condition":{ 5415 | "BooleanOperator":"And", 5416 | "Conditions":[ 5417 | { 5418 | "BooleanOperator":"Or", 5419 | "Conditions":[ 5420 | { 5421 | "Field":"path", 5422 | "Operator":"Match", 5423 | "Value":"*net.exe" 5424 | }, 5425 | { 5426 | "Field":"path", 5427 | "Operator":"Match", 5428 | "Value":"*cmd.exe" 5429 | } 5430 | ] 5431 | }, 5432 | { 5433 | "Field":"prcs_cmd_line", 5434 | "Operator":"Match", 5435 | "Value":"*net use*" 5436 | }, 5437 | { 5438 | "BooleanOperator":"Or", 5439 | "Conditions":[ 5440 | { 5441 | "Field":"prcs_cmd_line", 5442 | "Operator":"Match", 5443 | "Value":"*c$*" 5444 | }, 5445 | { 5446 | "Field":"prcs_cmd_line", 5447 | "Operator":"Match", 5448 | "Value":"*C$*" 5449 | }, 5450 | { 5451 | "Field":"prcs_cmd_line", 5452 | "Operator":"Match", 5453 | "Value":"*ipc$*" 5454 | }, 5455 | { 5456 | "Field":"prcs_cmd_line", 5457 | "Operator":"Match", 5458 | "Value":"*IPC$*" 5459 | }, 5460 | { 5461 | "Field":"prcs_cmd_line", 5462 | "Operator":"Match", 5463 | "Value":"*ADMIN$*" 5464 | }, 5465 | { 5466 | "Field":"prcs_cmd_line", 5467 | "Operator":"Match", 5468 | "Value":"*admin$*" 5469 | } 5470 | ] 5471 | } 5472 | ] 5473 | }, 5474 | "EventType":"22f6efe09ea5483b8271a9d0624f3535" 5475 | }, 5476 | { 5477 | "BaseEventType":1, 5478 | "Condition":{ 5479 | "BooleanOperator":"And", 5480 | "Conditions":[ 5481 | { 5482 | "Field":"path", 5483 | "Operator":"Match", 5484 | "Value":"cscript.exe" 5485 | }, 5486 | { 5487 | "BooleanOperator":"Or", 5488 | "Conditions":[ 5489 | { 5490 | "Field":"prcs_cmd_line", 5491 | "Operator":"Match", 5492 | "Value":"*PubPrn.vbs*" 5493 | }, 5494 | { 5495 | "Field":"prcs_cmd_line", 5496 | "Operator":"Match", 5497 | "Value":"*pubprn.vbs*" 5498 | } 5499 | ] 5500 | } 5501 | ] 5502 | }, 5503 | "EventType":"20bde7b8a85547f1896f0cfac4c5b777" 5504 | }, 5505 | { 5506 | "BaseEventType":1, 5507 | "Condition":{ 5508 | "BooleanOperator":"And", 5509 | "Conditions":[ 5510 | { 5511 | "Field":"parentProcessPath", 5512 | "Operator":"Match", 5513 | "Value":"*msbuild.exe" 5514 | }, 5515 | { 5516 | "Field":"path", 5517 | "Operator":"Match", 5518 | "Value":"*userinit.exe" 5519 | } 5520 | ] 5521 | }, 5522 | "EventType":"1367a054799144d18e0393c96095f6e7" 5523 | }, 5524 | { 5525 | "BaseEventType":1, 5526 | "Condition":{ 5527 | "BooleanOperator":"And", 5528 | "Conditions":[ 5529 | { 5530 | "Field":"path", 5531 | "Operator":"Match", 5532 | "Value":"*reg.exe" 5533 | }, 5534 | { 5535 | "Field":"prcs_cmd_line", 5536 | "Operator":"Match", 5537 | "Value":"*Credential Providers*" 5538 | }, 5539 | { 5540 | "Field":"prcs_cmd_line", 5541 | "Operator":"Match", 5542 | "Value":"*add*" 5543 | } 5544 | ] 5545 | }, 5546 | "EventType":"12c3d36090e647d6ba7e443515c7bb4d" 5547 | }, 5548 | { 5549 | "BaseEventType":1, 5550 | "Condition":{ 5551 | "BooleanOperator":"And", 5552 | "Conditions":[ 5553 | { 5554 | "Field":"parentProcessPath", 5555 | "Operator":"Match", 5556 | "Value":"*winlogon.exe" 5557 | }, 5558 | { 5559 | "Field":"prcs_cmd_line", 5560 | "Operator":"!Match", 5561 | "Value":"*Logon*" 5562 | }, 5563 | { 5564 | "Field":"prcs_cmd_line", 5565 | "Operator":"!Match", 5566 | "Value":"*setupcomplete*" 5567 | }, 5568 | { 5569 | "BooleanOperator":"Or", 5570 | "Conditions":[ 5571 | { 5572 | "Field":"path", 5573 | "Operator":"Match", 5574 | "Value":"*cmd.exe" 5575 | }, 5576 | { 5577 | "Field":"path", 5578 | "Operator":"Match", 5579 | "Value":"*powershell.exe" 5580 | } 5581 | ] 5582 | } 5583 | ] 5584 | }, 5585 | "EventType":"111db5b56c17407c8b98bf893ff61f5e" 5586 | }, 5587 | { 5588 | "BaseEventType":1, 5589 | "Condition":{ 5590 | "BooleanOperator":"And", 5591 | "Conditions":[ 5592 | { 5593 | "Field":"path", 5594 | "Operator":"Match", 5595 | "Value":"*bcdedit.exe" 5596 | }, 5597 | { 5598 | "Field":"prcs_cmd_line", 5599 | "Operator":"Match", 5600 | "Value":"*off*" 5601 | }, 5602 | { 5603 | "Field":"prcs_cmd_line", 5604 | "Operator":"!Match", 5605 | "Value":"*/set hypervisorlaunchtype off*" 5606 | }, 5607 | { 5608 | "Field":"prcs_cmd_line", 5609 | "Operator":"!Match", 5610 | "Value":"*flightsigning off*" 5611 | }, 5612 | { 5613 | "Field":"prcs_cmd_line", 5614 | "Operator":"!Match", 5615 | "Value":"*testsigning off*" 5616 | }, 5617 | { 5618 | "Field":"prcs_cmd_line", 5619 | "Operator":"!Match", 5620 | "Value":"*nointegritycheck off*" 5621 | } 5622 | ] 5623 | }, 5624 | "EventType":"0c9f4971312b464fb698bc75e887ef63" 5625 | }, 5626 | { 5627 | "BaseEventType":1, 5628 | "Condition":{ 5629 | "BooleanOperator":"And", 5630 | "Conditions":[ 5631 | { 5632 | "Field":"path", 5633 | "Operator":"Match", 5634 | "Value":"*acw.exe" 5635 | }, 5636 | { 5637 | "BooleanOperator":"Or", 5638 | "Conditions":[ 5639 | { 5640 | "Field":"prcs_cmd_line", 5641 | "Operator":"Match", 5642 | "Value":"*extensions*" 5643 | }, 5644 | { 5645 | "Field":"prcs_cmd_line", 5646 | "Operator":"Match", 5647 | "Value":"*Extensions*" 5648 | } 5649 | ] 5650 | } 5651 | ] 5652 | }, 5653 | "EventType":"01d1e1bb1ac54203bd350e8cbd790a38" 5654 | }, 5655 | { 5656 | "BaseEventType":1, 5657 | "Condition":{ 5658 | "BooleanOperator":"Or", 5659 | "Conditions":[ 5660 | { 5661 | "Field":"path", 5662 | "Operator":"Match", 5663 | "Value":"*whoami.exe*" 5664 | }, 5665 | { 5666 | "Field":"parentProcessPath", 5667 | "Operator":"Match", 5668 | "Value":"*whoami.exe*" 5669 | } 5670 | ] 5671 | }, 5672 | "EventType":"d18a23389bbc4176860188631c21b2a8" 5673 | }, 5674 | { 5675 | "BaseEventType":1, 5676 | "Condition":{ 5677 | "BooleanOperator":"And", 5678 | "Conditions":[ 5679 | { 5680 | "BooleanOperator":"Or", 5681 | "Conditions":[ 5682 | { 5683 | "Field":"path", 5684 | "Operator":"Match", 5685 | "Value":"*csrss.exe" 5686 | }, 5687 | { 5688 | "Field":"path", 5689 | "Operator":"Match", 5690 | "Value":"*lsass.exe" 5691 | }, 5692 | { 5693 | "Field":"path", 5694 | "Operator":"Match", 5695 | "Value":"*lsm.exe" 5696 | }, 5697 | { 5698 | "Field":"path", 5699 | "Operator":"Match", 5700 | "Value":"*services.exe" 5701 | }, 5702 | { 5703 | "Field":"path", 5704 | "Operator":"Match", 5705 | "Value":"*smss.exe" 5706 | }, 5707 | { 5708 | "Field":"path", 5709 | "Operator":"Match", 5710 | "Value":"*svchost.exe" 5711 | }, 5712 | { 5713 | "Field":"path", 5714 | "Operator":"Match", 5715 | "Value":"*taskhost.exe" 5716 | }, 5717 | { 5718 | "Field":"path", 5719 | "Operator":"Match", 5720 | "Value":"*taskhostw.exe" 5721 | }, 5722 | { 5723 | "Field":"path", 5724 | "Operator":"Match", 5725 | "Value":"*wininit.exe" 5726 | }, 5727 | { 5728 | "Field":"path", 5729 | "Operator":"Match", 5730 | "Value":"*winlogon.exe" 5731 | }, 5732 | { 5733 | "Field":"path", 5734 | "Operator":"Match", 5735 | "Value":"*msdtc.exe" 5736 | } 5737 | ] 5738 | }, 5739 | { 5740 | "Field":"path", 5741 | "Operator":"!Match", 5742 | "Value":"*\\\\windows\\\\system32*" 5743 | }, 5744 | { 5745 | "Field":"path", 5746 | "Operator":"!Match", 5747 | "Value":"*\\\\windows\\\\syswow64*" 5748 | }, 5749 | { 5750 | "Field":"path", 5751 | "Operator":"!Match", 5752 | "Value":"*\\\\systemroot\\\\system32*" 5753 | }, 5754 | { 5755 | "Field":"path", 5756 | "Operator":"!Match", 5757 | "Value":"*\\\\asus\\\\asus business manager*" 5758 | }, 5759 | { 5760 | "Field":"path", 5761 | "Operator":"!Match", 5762 | "Value":"*\\\\winnt\\\\system32*" 5763 | } 5764 | ] 5765 | }, 5766 | "EventType":"c0c51491591747ecb59833b56a43c4fd" 5767 | }, 5768 | { 5769 | "BaseEventType":1, 5770 | "Condition":{ 5771 | "BooleanOperator":"And", 5772 | "Conditions":[ 5773 | { 5774 | "Field":"parentProcessPath", 5775 | "Operator":"Match", 5776 | "Value":"*wmiprvse.exe" 5777 | }, 5778 | { 5779 | "Field":"path", 5780 | "Operator":"Match", 5781 | "Value":"*cmd.exe" 5782 | }, 5783 | { 5784 | "BooleanOperator":"And", 5785 | "Conditions":[ 5786 | { 5787 | "Field":"prcs_cmd_line", 5788 | "Operator":"Match", 5789 | "Value":"*2>&1*" 5790 | }, 5791 | { 5792 | "Field":"prcs_cmd_line", 5793 | "Operator":"Match", 5794 | "Value":"*/Q*" 5795 | } 5796 | ] 5797 | } 5798 | ] 5799 | }, 5800 | "EventType":"b346affda88a4fdf9602b6472a9e8042" 5801 | }, 5802 | { 5803 | "BaseEventType":1, 5804 | "Condition":{ 5805 | "BooleanOperator":"And", 5806 | "Conditions":[ 5807 | { 5808 | "Field":"parentProcessPath", 5809 | "Operator":"Match", 5810 | "Value":"*wmiprvse.exe" 5811 | }, 5812 | { 5813 | "BooleanOperator":"And", 5814 | "Conditions":[ 5815 | { 5816 | "Field":"prcs_cmd_line", 5817 | "Operator":"Match", 5818 | "Value":"*cmd.exe /Q*" 5819 | }, 5820 | { 5821 | "Field":"prcs_cmd_line", 5822 | "Operator":"Match", 5823 | "Value":"*127.0.0.1*" 5824 | } 5825 | ] 5826 | } 5827 | ] 5828 | }, 5829 | "EventType":"95eb197f662c4ea2abeb64b9489361f7" 5830 | }, 5831 | { 5832 | "BaseEventType":1, 5833 | "Condition":{ 5834 | "BooleanOperator":"And", 5835 | "Conditions":[ 5836 | { 5837 | "Field":"path", 5838 | "Operator":"Match", 5839 | "Value":"*acw.exe" 5840 | }, 5841 | { 5842 | "BooleanOperator":"Or", 5843 | "Conditions":[ 5844 | { 5845 | "Field":"prcs_cmd_line", 5846 | "Operator":"Match", 5847 | "Value":"*extensions*" 5848 | }, 5849 | { 5850 | "Field":"prcs_cmd_line", 5851 | "Operator":"Match", 5852 | "Value":"*Extensions*" 5853 | } 5854 | ] 5855 | } 5856 | ] 5857 | }, 5858 | "EventType":"31471a1b693342ddb36f275e08ffae18" 5859 | }, 5860 | { 5861 | "BaseEventType":1, 5862 | "Condition":{ 5863 | "BooleanOperator":"And", 5864 | "Conditions":[ 5865 | { 5866 | "Field":"prcs_cmd_line", 5867 | "Operator":"Match", 5868 | "Value":"*dir*" 5869 | }, 5870 | { 5871 | "Field":"prcs_cmd_line", 5872 | "Operator":"Match", 5873 | "Value":"*/ah*" 5874 | } 5875 | ] 5876 | }, 5877 | "EventType":"112ace36c0dd4d70bacce21111161dc7" 5878 | }, 5879 | { 5880 | "BaseEventType":1, 5881 | "Condition":{ 5882 | "BooleanOperator":"Or", 5883 | "Conditions":[ 5884 | { 5885 | "Field":"parentProcessPath", 5886 | "Operator":"Match", 5887 | "Value":"*\\temp\\*" 5888 | }, 5889 | { 5890 | "Field":"path", 5891 | "Operator":"Match", 5892 | "Value":"*\\temp\\*" 5893 | } 5894 | ] 5895 | }, 5896 | "EventType":"0a15c8af0eeb4f8abcb063ab9e6f0872" 5897 | }, 5898 | { 5899 | "BaseEventType":1, 5900 | "Condition":{ 5901 | "BooleanOperator":"And", 5902 | "Conditions":[ 5903 | { 5904 | "Field":"parentProcessPath", 5905 | "Operator":"Match", 5906 | "Value":"*explorer.exe" 5907 | }, 5908 | { 5909 | "Field":"path", 5910 | "Operator":"Match", 5911 | "Value":"*svchost.exe" 5912 | } 5913 | ] 5914 | }, 5915 | "EventType":"ae6e5f57fcd5407ea3f4eb21024a8e1d" 5916 | }, 5917 | { 5918 | "BaseEventType":1, 5919 | "Condition":{ 5920 | "BooleanOperator":"And", 5921 | "Conditions":[ 5922 | { 5923 | "Field":"path", 5924 | "Operator":"Match", 5925 | "Value":"*reg.exe" 5926 | }, 5927 | { 5928 | "Field":"prcs_cmd_line", 5929 | "Operator":"Match", 5930 | "Value":"*InprocServer32*" 5931 | }, 5932 | { 5933 | "Field":"prcs_cmd_line", 5934 | "Operator":"Match", 5935 | "Value":"*.dll*" 5936 | }, 5937 | { 5938 | "Field":"prcs_cmd_line", 5939 | "Operator":"Match", 5940 | "Value":"*HKLM\\\\Software\\\\Classes\\\\CLSID\\\\*" 5941 | } 5942 | ] 5943 | }, 5944 | "EventType":"75f7d72e25cf423f80b55e00dd2eca75" 5945 | }, 5946 | { 5947 | "BaseEventType":1, 5948 | "Condition":{ 5949 | "BooleanOperator":"And", 5950 | "Conditions":[ 5951 | { 5952 | "Field":"parentProcessPath", 5953 | "Operator":"Match", 5954 | "Value":"*tasklist*" 5955 | }, 5956 | { 5957 | "Field":"path", 5958 | "Operator":"Match", 5959 | "Value":"*tasklist*" 5960 | } 5961 | ] 5962 | }, 5963 | "EventType":"c387556922144f3796fa0c4d68265e5a" 5964 | }, 5965 | { 5966 | "BaseEventType":1, 5967 | "Condition":{ 5968 | "Field":"path", 5969 | "Operator":"Match", 5970 | "Value":"*t-.exe" 5971 | }, 5972 | "EventType":"bd12f60aa4f34a46bfbf02da8f5adf6f" 5973 | }, 5974 | { 5975 | "BaseEventType":1, 5976 | "Condition":{ 5977 | "BooleanOperator":"Or", 5978 | "Conditions":[ 5979 | { 5980 | "Field":"parentProcessPath", 5981 | "Operator":"Match", 5982 | "Value":"*whoami*" 5983 | }, 5984 | { 5985 | "Field":"path", 5986 | "Operator":"Match", 5987 | "Value":"*whoami*" 5988 | } 5989 | ] 5990 | }, 5991 | "EventType":"21e792d72afb4f9ab6ec3a5bf2d150be" 5992 | }, 5993 | { 5994 | "BaseEventType":1, 5995 | "Condition":{ 5996 | "BooleanOperator":"And", 5997 | "Conditions":[ 5998 | { 5999 | "BooleanOperator":"Or", 6000 | "Conditions":[ 6001 | { 6002 | "Field":"parentProcessPath", 6003 | "Operator":"Match", 6004 | "Value":"*cmd.exe" 6005 | }, 6006 | { 6007 | "Field":"path", 6008 | "Operator":"Match", 6009 | "Value":"*cmd.exe" 6010 | } 6011 | ] 6012 | }, 6013 | { 6014 | "BooleanOperator":"And", 6015 | "Conditions":[ 6016 | { 6017 | "Field":"prcs_cmd_line", 6018 | "Operator":"Match", 6019 | "Value":"*calc*" 6020 | }, 6021 | { 6022 | "Field":"prcs_cmd_line", 6023 | "Operator":"Match", 6024 | "Value":"*/c*" 6025 | } 6026 | ] 6027 | } 6028 | ] 6029 | }, 6030 | "EventType":"854679db09164723bd1273c48ab30f23" 6031 | }, 6032 | { 6033 | "BaseEventType":1, 6034 | "Condition":{ 6035 | "Field":"path", 6036 | "Operator":"Match", 6037 | "Value":"*gitl.exe" 6038 | }, 6039 | "EventType":"11a53d2b8e31441c9f7f471ba6dc5230" 6040 | }, 6041 | { 6042 | "BaseEventType":1, 6043 | "EventType":null 6044 | } 6045 | ], 6046 | "RP2":[ 6047 | 6048 | ], 6049 | "RP3":[ 6050 | 6051 | ], 6052 | "RR1":[ 6053 | 6054 | ], 6055 | "RR2":[ 6056 | { 6057 | "BaseEventType":4, 6058 | "Condition":{ 6059 | "BooleanOperator":"Or", 6060 | "Conditions":[ 6061 | { 6062 | "Field":"parentVerdict", 6063 | "Operator":"!Equal", 6064 | "Value":1 6065 | }, 6066 | { 6067 | "Field":"parentProcessPath", 6068 | "Operator":"MatchInList", 6069 | "Value":"RegWhiteList" 6070 | } 6071 | ] 6072 | }, 6073 | "EventType":null 6074 | } 6075 | ], 6076 | "RR3":[ 6077 | { 6078 | "BaseEventType":5, 6079 | "Condition":{ 6080 | "BooleanOperator":"Or", 6081 | "Conditions":[ 6082 | { 6083 | "Field":"parentVerdict", 6084 | "Operator":"!Equal", 6085 | "Value":1 6086 | }, 6087 | { 6088 | "Field":"parentProcessPath", 6089 | "Operator":"MatchInList", 6090 | "Value":"RegWhiteList" 6091 | } 6092 | ] 6093 | }, 6094 | "EventType":null 6095 | } 6096 | ], 6097 | "RR4":[ 6098 | 6099 | ], 6100 | "RR5":[ 6101 | { 6102 | "BaseEventType":6, 6103 | "Condition":{ 6104 | "BooleanOperator":"And", 6105 | "Conditions":[ 6106 | { 6107 | "BooleanOperator":"Or", 6108 | "Conditions":[ 6109 | { 6110 | "Field":"parentVerdict", 6111 | "Operator":"!Equal", 6112 | "Value":1 6113 | }, 6114 | { 6115 | "Field":"parentProcessPath", 6116 | "Operator":"MatchInList", 6117 | "Value":"RegWhiteList" 6118 | } 6119 | ] 6120 | }, 6121 | { 6122 | "BooleanOperator":"And", 6123 | "Conditions":[ 6124 | { 6125 | "Field":"path", 6126 | "Operator":"Equal", 6127 | "Value":"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" 6128 | }, 6129 | { 6130 | "Field":"reg_value_name", 6131 | "Operator":"Equal", 6132 | "Value":"DisableTaskMgr" 6133 | }, 6134 | { 6135 | "Field":"reg_value_data", 6136 | "Operator":"Equal", 6137 | "Value":"1" 6138 | } 6139 | ] 6140 | } 6141 | ] 6142 | }, 6143 | "EventType":"d16e6c17653b406cad49b60f861839ff" 6144 | }, 6145 | { 6146 | "BaseEventType":6, 6147 | "Condition":{ 6148 | "BooleanOperator":"And", 6149 | "Conditions":[ 6150 | { 6151 | "BooleanOperator":"Or", 6152 | "Conditions":[ 6153 | { 6154 | "Field":"parentVerdict", 6155 | "Operator":"!Equal", 6156 | "Value":1 6157 | }, 6158 | { 6159 | "Field":"parentProcessPath", 6160 | "Operator":"MatchInList", 6161 | "Value":"RegWhiteList" 6162 | } 6163 | ] 6164 | }, 6165 | { 6166 | "BooleanOperator":"And", 6167 | "Conditions":[ 6168 | { 6169 | "Field":"path", 6170 | "Operator":"Equal", 6171 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" 6172 | }, 6173 | { 6174 | "Field":"reg_value_name", 6175 | "Operator":"Equal", 6176 | "Value":"EnableLUA" 6177 | }, 6178 | { 6179 | "Field":"reg_value_data", 6180 | "Operator":"Equal", 6181 | "Value":"0" 6182 | } 6183 | ] 6184 | } 6185 | ] 6186 | }, 6187 | "EventType":"2db5471000734de2b313f48d11c2e469" 6188 | }, 6189 | { 6190 | "BaseEventType":6, 6191 | "Condition":{ 6192 | "BooleanOperator":"And", 6193 | "Conditions":[ 6194 | { 6195 | "BooleanOperator":"Or", 6196 | "Conditions":[ 6197 | { 6198 | "Field":"parentVerdict", 6199 | "Operator":"!Equal", 6200 | "Value":1 6201 | }, 6202 | { 6203 | "Field":"parentProcessPath", 6204 | "Operator":"MatchInList", 6205 | "Value":"RegWhiteList" 6206 | } 6207 | ] 6208 | }, 6209 | { 6210 | "BooleanOperator":"And", 6211 | "Conditions":[ 6212 | { 6213 | "Field":"path", 6214 | "Operator":"Equal", 6215 | "Value":"HKEY_CURRENT_USER\\Software\\Classes\\Folder\\shell\\open\\command" 6216 | }, 6217 | { 6218 | "Field":"reg_value_name", 6219 | "Operator":"Equal", 6220 | "Value":"DelegateExecute" 6221 | }, 6222 | { 6223 | "Field":"reg_value_data", 6224 | "Operator":"Match", 6225 | "Value":"*" 6226 | } 6227 | ] 6228 | } 6229 | ] 6230 | }, 6231 | "EventType":"7628b07fb4794a54b78f515cd9e0e911" 6232 | }, 6233 | { 6234 | "BaseEventType":6, 6235 | "Condition":{ 6236 | "BooleanOperator":"And", 6237 | "Conditions":[ 6238 | { 6239 | "BooleanOperator":"Or", 6240 | "Conditions":[ 6241 | { 6242 | "Field":"parentVerdict", 6243 | "Operator":"!Equal", 6244 | "Value":1 6245 | }, 6246 | { 6247 | "Field":"parentProcessPath", 6248 | "Operator":"MatchInList", 6249 | "Value":"RegWhiteList" 6250 | } 6251 | ] 6252 | }, 6253 | { 6254 | "BooleanOperator":"And", 6255 | "Conditions":[ 6256 | { 6257 | "Field":"path", 6258 | "Operator":"Match", 6259 | "Value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\*" 6260 | }, 6261 | { 6262 | "Field":"reg_value_name", 6263 | "Operator":"Equal", 6264 | "Value":"Type" 6265 | }, 6266 | { 6267 | "BooleanOperator":"Or", 6268 | "Conditions":[ 6269 | { 6270 | "Field":"reg_value_data", 6271 | "Operator":"Equal", 6272 | "Value":"1" 6273 | }, 6274 | { 6275 | "Field":"reg_value_data", 6276 | "Operator":"Equal", 6277 | "Value":"2" 6278 | } 6279 | ] 6280 | } 6281 | ] 6282 | } 6283 | ] 6284 | }, 6285 | "EventType":"531e589e6b8546df835491edd2094426" 6286 | }, 6287 | { 6288 | "BaseEventType":6, 6289 | "Condition":{ 6290 | "BooleanOperator":"And", 6291 | "Conditions":[ 6292 | { 6293 | "BooleanOperator":"Or", 6294 | "Conditions":[ 6295 | { 6296 | "Field":"parentVerdict", 6297 | "Operator":"!Equal", 6298 | "Value":1 6299 | }, 6300 | { 6301 | "Field":"parentProcessPath", 6302 | "Operator":"MatchInList", 6303 | "Value":"RegWhiteList" 6304 | } 6305 | ] 6306 | }, 6307 | { 6308 | "Field":"path", 6309 | "Operator":"Match", 6310 | "Value":"*shell\\open*" 6311 | } 6312 | ] 6313 | }, 6314 | "EventType":"e4445a4231664c99a93d07bc24a9467f" 6315 | }, 6316 | { 6317 | "BaseEventType":6, 6318 | "Condition":{ 6319 | "BooleanOperator":"And", 6320 | "Conditions":[ 6321 | { 6322 | "BooleanOperator":"Or", 6323 | "Conditions":[ 6324 | { 6325 | "Field":"parentVerdict", 6326 | "Operator":"!Equal", 6327 | "Value":1 6328 | }, 6329 | { 6330 | "Field":"parentProcessPath", 6331 | "Operator":"MatchInList", 6332 | "Value":"RegWhiteList" 6333 | } 6334 | ] 6335 | }, 6336 | { 6337 | "Field":"path", 6338 | "Operator":"Match", 6339 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup\\Installed Components\\*" 6340 | } 6341 | ] 6342 | }, 6343 | "EventType":"3c1464cca4974dfcb517c1bcfcba1f49" 6344 | }, 6345 | { 6346 | "BaseEventType":6, 6347 | "Condition":{ 6348 | "BooleanOperator":"And", 6349 | "Conditions":[ 6350 | { 6351 | "BooleanOperator":"Or", 6352 | "Conditions":[ 6353 | { 6354 | "Field":"parentVerdict", 6355 | "Operator":"!Equal", 6356 | "Value":1 6357 | }, 6358 | { 6359 | "Field":"parentProcessPath", 6360 | "Operator":"MatchInList", 6361 | "Value":"RegWhiteList" 6362 | } 6363 | ] 6364 | }, 6365 | { 6366 | "Field":"path", 6367 | "Operator":"Match", 6368 | "Value":"*exefile\\shell\\runas\\command*" 6369 | } 6370 | ] 6371 | }, 6372 | "EventType":"37a1615f7b1d4ad59f41db9e03dcd095" 6373 | }, 6374 | { 6375 | "BaseEventType":6, 6376 | "Condition":{ 6377 | "BooleanOperator":"And", 6378 | "Conditions":[ 6379 | { 6380 | "BooleanOperator":"Or", 6381 | "Conditions":[ 6382 | { 6383 | "Field":"parentVerdict", 6384 | "Operator":"!Equal", 6385 | "Value":1 6386 | }, 6387 | { 6388 | "Field":"parentProcessPath", 6389 | "Operator":"MatchInList", 6390 | "Value":"RegWhiteList" 6391 | } 6392 | ] 6393 | }, 6394 | { 6395 | "BooleanOperator":"Or", 6396 | "Conditions":[ 6397 | { 6398 | "BooleanOperator":"And", 6399 | "Conditions":[ 6400 | { 6401 | "Field":"path", 6402 | "Operator":"Match", 6403 | "Value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\*" 6404 | }, 6405 | { 6406 | "Field":"reg_value_name", 6407 | "Operator":"Equal", 6408 | "Value":"ImagePath" 6409 | }, 6410 | { 6411 | "Field":"reg_value_data", 6412 | "Operator":"Match", 6413 | "Value":"*svchost.exe*" 6414 | } 6415 | ] 6416 | }, 6417 | { 6418 | "BooleanOperator":"And", 6419 | "Conditions":[ 6420 | { 6421 | "Field":"path", 6422 | "Operator":"Match", 6423 | "Value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\*\\Parameters" 6424 | }, 6425 | { 6426 | "Field":"reg_value_name", 6427 | "Operator":"Equal", 6428 | "Value":"ServiceDll" 6429 | }, 6430 | { 6431 | "Field":"reg_value_data", 6432 | "Operator":"Match", 6433 | "Value":"*.dll" 6434 | } 6435 | ] 6436 | } 6437 | ] 6438 | } 6439 | ] 6440 | }, 6441 | "EventType":"1c5302cb2be1464096b9ac904058b3d5" 6442 | }, 6443 | { 6444 | "BaseEventType":6, 6445 | "Condition":{ 6446 | "BooleanOperator":"And", 6447 | "Conditions":[ 6448 | { 6449 | "BooleanOperator":"Or", 6450 | "Conditions":[ 6451 | { 6452 | "Field":"parentVerdict", 6453 | "Operator":"!Equal", 6454 | "Value":1 6455 | }, 6456 | { 6457 | "Field":"parentProcessPath", 6458 | "Operator":"MatchInList", 6459 | "Value":"RegWhiteList" 6460 | } 6461 | ] 6462 | }, 6463 | { 6464 | "BooleanOperator":"And", 6465 | "Conditions":[ 6466 | { 6467 | "Field":"path", 6468 | "Operator":"Equal", 6469 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell" 6470 | }, 6471 | { 6472 | "Field":"reg_value_name", 6473 | "Operator":"Equal", 6474 | "Value":"ExecutionPolicy" 6475 | } 6476 | ] 6477 | } 6478 | ] 6479 | }, 6480 | "EventType":"0231704b1b334f008736a190541f3b87" 6481 | }, 6482 | { 6483 | "BaseEventType":6, 6484 | "Condition":{ 6485 | "BooleanOperator":"And", 6486 | "Conditions":[ 6487 | { 6488 | "BooleanOperator":"Or", 6489 | "Conditions":[ 6490 | { 6491 | "Field":"parentVerdict", 6492 | "Operator":"!Equal", 6493 | "Value":1 6494 | }, 6495 | { 6496 | "Field":"parentProcessPath", 6497 | "Operator":"MatchInList", 6498 | "Value":"RegWhiteList" 6499 | } 6500 | ] 6501 | }, 6502 | { 6503 | "BooleanOperator":"Or", 6504 | "Conditions":[ 6505 | { 6506 | "Field":"path", 6507 | "Operator":"Equal", 6508 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\policies\\microsoft\\windows defender\\real-time protection\\disablerealtimemonitoring" 6509 | }, 6510 | { 6511 | "Field":"path", 6512 | "Operator":"Equal", 6513 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\policies\\microsoft\\windows defender\\real-time protection\\disablescanonrealtimeenable" 6514 | }, 6515 | { 6516 | "Field":"path", 6517 | "Operator":"Equal", 6518 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\policies\\microsoft\\windows defender\\real-time protection\\disableonaccessprotection" 6519 | }, 6520 | { 6521 | "Field":"path", 6522 | "Operator":"Equal", 6523 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\policies\\microsoft\\windows defender\\real-time protection\\disablebehaviormonitoring" 6524 | }, 6525 | { 6526 | "Field":"path", 6527 | "Operator":"Equal", 6528 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\policies\\microsoft\\windows defender\\real-time protection\\disablerealtimemonitoring" 6529 | }, 6530 | { 6531 | "Field":"path", 6532 | "Operator":"Equal", 6533 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\policies\\microsoft\\windows defender\\disableantispyware" 6534 | } 6535 | ] 6536 | } 6537 | ] 6538 | }, 6539 | "EventType":"0185611c334f41b794d781c84064c683" 6540 | }, 6541 | { 6542 | "BaseEventType":6, 6543 | "Condition":{ 6544 | "BooleanOperator":"And", 6545 | "Conditions":[ 6546 | { 6547 | "BooleanOperator":"Or", 6548 | "Conditions":[ 6549 | { 6550 | "Field":"parentVerdict", 6551 | "Operator":"!Equal", 6552 | "Value":1 6553 | }, 6554 | { 6555 | "Field":"parentProcessPath", 6556 | "Operator":"MatchInList", 6557 | "Value":"RegWhiteList" 6558 | } 6559 | ] 6560 | }, 6561 | { 6562 | "BooleanOperator":"Or", 6563 | "Conditions":[ 6564 | { 6565 | "Field":"path", 6566 | "Operator":"Match", 6567 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\PROTOCOLS\\Filter*" 6568 | }, 6569 | { 6570 | "Field":"path", 6571 | "Operator":"Match", 6572 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\PROTOCOLS\\Handler*" 6573 | }, 6574 | { 6575 | "Field":"path", 6576 | "Operator":"Match", 6577 | "Value":"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components*" 6578 | }, 6579 | { 6580 | "Field":"path", 6581 | "Operator":"Match", 6582 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components*" 6583 | }, 6584 | { 6585 | "Field":"path", 6586 | "Operator":"Match", 6587 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler" 6588 | }, 6589 | { 6590 | "Field":"path", 6591 | "Operator":"Match", 6592 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad*" 6593 | }, 6594 | { 6595 | "Field":"path", 6596 | "Operator":"Match", 6597 | "Value":"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad*" 6598 | }, 6599 | { 6600 | "Field":"path", 6601 | "Operator":"Match", 6602 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks*" 6603 | }, 6604 | { 6605 | "Field":"path", 6606 | "Operator":"Match", 6607 | "Value":"HKEY_CURRENT_USER\\Software\\Classes\\*\\ShellEx\\ContextMenuHandlers*" 6608 | }, 6609 | { 6610 | "Field":"path", 6611 | "Operator":"Match", 6612 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Classes\\*\\ShellEx\\ContextMenuHandlers*" 6613 | }, 6614 | { 6615 | "Field":"path", 6616 | "Operator":"Match", 6617 | "Value":"HKEY_CURRENT_USER\\Software\\Classes\\AllFileSystemObjects\\ShellEx\\ContextMenuHandlers*" 6618 | }, 6619 | { 6620 | "Field":"path", 6621 | "Operator":"Match", 6622 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Classes\\AllFileSystemObjects\\ShellEx\\ContextMenuHandlers*" 6623 | }, 6624 | { 6625 | "Field":"path", 6626 | "Operator":"Match", 6627 | "Value":"HKEY_CURRENT_USER\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers*" 6628 | }, 6629 | { 6630 | "Field":"path", 6631 | "Operator":"Match", 6632 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers*" 6633 | }, 6634 | { 6635 | "Field":"path", 6636 | "Operator":"Match", 6637 | "Value":"HKEY_CURRENT_USER\\Software\\Classes\\Directory\\Shellex\\DragDropHandlers*" 6638 | }, 6639 | { 6640 | "Field":"path", 6641 | "Operator":"Match", 6642 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\DragDropHandlers*" 6643 | }, 6644 | { 6645 | "Field":"path", 6646 | "Operator":"Match", 6647 | "Value":"HKEY_CURRENT_USER\\Software\\Classes\\Directory\\Shellex\\PropertySheetHandlers*" 6648 | }, 6649 | { 6650 | "Field":"path", 6651 | "Operator":"Match", 6652 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\PropertySheetHandlers*" 6653 | }, 6654 | { 6655 | "Field":"path", 6656 | "Operator":"Match", 6657 | "Value":"HKEY_CURRENT_USER\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers*" 6658 | }, 6659 | { 6660 | "Field":"path", 6661 | "Operator":"Match", 6662 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers*" 6663 | }, 6664 | { 6665 | "Field":"path", 6666 | "Operator":"Match", 6667 | "Value":"HKEY_CURRENT_USER\\Software\\Classes\\Folder\\Shellex\\ColumnHandlers*" 6668 | }, 6669 | { 6670 | "Field":"path", 6671 | "Operator":"Match", 6672 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Classes\\Folder\\Shellex\\ColumnHandlers*" 6673 | }, 6674 | { 6675 | "Field":"path", 6676 | "Operator":"Match", 6677 | "Value":"HKEY_CURRENT_USER\\Software\\Classes\\Folder\\ShellEx\\ContextMenuHandlers*" 6678 | }, 6679 | { 6680 | "Field":"path", 6681 | "Operator":"Match", 6682 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Classes\\Folder\\ShellEx\\ContextMenuHandlers*" 6683 | }, 6684 | { 6685 | "Field":"path", 6686 | "Operator":"Match", 6687 | "Value":"HKEY_CURRENT_USER\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers*" 6688 | }, 6689 | { 6690 | "Field":"path", 6691 | "Operator":"Match", 6692 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers*" 6693 | }, 6694 | { 6695 | "Field":"path", 6696 | "Operator":"Match", 6697 | "Value":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers*" 6698 | }, 6699 | { 6700 | "Field":"path", 6701 | "Operator":"Match", 6702 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers*" 6703 | }, 6704 | { 6705 | "Field":"path", 6706 | "Operator":"Match", 6707 | "Value":"HKEY_CURRENT_USER\\Software\\Microsoft\\Ctf\\LangBarAddin*" 6708 | }, 6709 | { 6710 | "Field":"path", 6711 | "Operator":"Match", 6712 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ctf\\LangBarAddin*" 6713 | }, 6714 | { 6715 | "Field":"path", 6716 | "Operator":"Match", 6717 | "Value":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved*" 6718 | }, 6719 | { 6720 | "Field":"path", 6721 | "Operator":"Match", 6722 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved*" 6723 | } 6724 | ] 6725 | } 6726 | ] 6727 | }, 6728 | "EventType":"fedb6d804cab40a6ad563685534ae482" 6729 | }, 6730 | { 6731 | "BaseEventType":6, 6732 | "Condition":{ 6733 | "BooleanOperator":"And", 6734 | "Conditions":[ 6735 | { 6736 | "BooleanOperator":"Or", 6737 | "Conditions":[ 6738 | { 6739 | "Field":"parentVerdict", 6740 | "Operator":"!Equal", 6741 | "Value":1 6742 | }, 6743 | { 6744 | "Field":"parentProcessPath", 6745 | "Operator":"MatchInList", 6746 | "Value":"RegWhiteList" 6747 | } 6748 | ] 6749 | }, 6750 | { 6751 | "BooleanOperator":"And", 6752 | "Conditions":[ 6753 | { 6754 | "Field":"path", 6755 | "Operator":"Equal", 6756 | "Value":"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" 6757 | }, 6758 | { 6759 | "Field":"reg_value_name", 6760 | "Operator":"Equal", 6761 | "Value":"DisableRegistryTools" 6762 | }, 6763 | { 6764 | "Field":"reg_value_data", 6765 | "Operator":"Equal", 6766 | "Value":"1" 6767 | } 6768 | ] 6769 | } 6770 | ] 6771 | }, 6772 | "EventType":"f931a5c6308e41c9854d733367832863" 6773 | }, 6774 | { 6775 | "BaseEventType":6, 6776 | "Condition":{ 6777 | "BooleanOperator":"And", 6778 | "Conditions":[ 6779 | { 6780 | "BooleanOperator":"Or", 6781 | "Conditions":[ 6782 | { 6783 | "Field":"parentVerdict", 6784 | "Operator":"!Equal", 6785 | "Value":1 6786 | }, 6787 | { 6788 | "Field":"parentProcessPath", 6789 | "Operator":"MatchInList", 6790 | "Value":"RegWhiteList" 6791 | } 6792 | ] 6793 | }, 6794 | { 6795 | "BooleanOperator":"And", 6796 | "Conditions":[ 6797 | { 6798 | "Field":"path", 6799 | "Operator":"Equal", 6800 | "Value":"*netlogon\\\\parameters\\\\disablepasswordchange" 6801 | }, 6802 | { 6803 | "Field":"reg_value_data", 6804 | "Operator":"Equal", 6805 | "Value":"1" 6806 | } 6807 | ] 6808 | } 6809 | ] 6810 | }, 6811 | "EventType":"f5376456c5ad4901b7e77319620a3f4c" 6812 | }, 6813 | { 6814 | "BaseEventType":6, 6815 | "Condition":{ 6816 | "BooleanOperator":"And", 6817 | "Conditions":[ 6818 | { 6819 | "BooleanOperator":"Or", 6820 | "Conditions":[ 6821 | { 6822 | "Field":"parentVerdict", 6823 | "Operator":"!Equal", 6824 | "Value":1 6825 | }, 6826 | { 6827 | "Field":"parentProcessPath", 6828 | "Operator":"MatchInList", 6829 | "Value":"RegWhiteList" 6830 | } 6831 | ] 6832 | }, 6833 | { 6834 | "Field":"path", 6835 | "Operator":"Match", 6836 | "Value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries*" 6837 | } 6838 | ] 6839 | }, 6840 | "EventType":"d1952be09f9641bf81153a2bdea5406f" 6841 | }, 6842 | { 6843 | "BaseEventType":6, 6844 | "Condition":{ 6845 | "BooleanOperator":"And", 6846 | "Conditions":[ 6847 | { 6848 | "BooleanOperator":"Or", 6849 | "Conditions":[ 6850 | { 6851 | "Field":"parentVerdict", 6852 | "Operator":"!Equal", 6853 | "Value":1 6854 | }, 6855 | { 6856 | "Field":"parentProcessPath", 6857 | "Operator":"MatchInList", 6858 | "Value":"RegWhiteList" 6859 | } 6860 | ] 6861 | }, 6862 | { 6863 | "BooleanOperator":"And", 6864 | "Conditions":[ 6865 | { 6866 | "Field":"path", 6867 | "Operator":"Match", 6868 | "Value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\*" 6869 | }, 6870 | { 6871 | "Field":"reg_value_name", 6872 | "Operator":"Equal", 6873 | "Value":"ImagePath" 6874 | }, 6875 | { 6876 | "Field":"reg_value_data", 6877 | "Operator":"Match", 6878 | "Value":"*.exe*" 6879 | }, 6880 | { 6881 | "Field":"reg_value_data", 6882 | "Operator":"!Match", 6883 | "Value":"*svchost.exe*" 6884 | } 6885 | ] 6886 | } 6887 | ] 6888 | }, 6889 | "EventType":"caa6808c7c854efca5de8ea5e07baaba" 6890 | }, 6891 | { 6892 | "BaseEventType":6, 6893 | "Condition":{ 6894 | "BooleanOperator":"And", 6895 | "Conditions":[ 6896 | { 6897 | "BooleanOperator":"Or", 6898 | "Conditions":[ 6899 | { 6900 | "Field":"parentVerdict", 6901 | "Operator":"!Equal", 6902 | "Value":1 6903 | }, 6904 | { 6905 | "Field":"parentProcessPath", 6906 | "Operator":"MatchInList", 6907 | "Value":"RegWhiteList" 6908 | } 6909 | ] 6910 | }, 6911 | { 6912 | "BooleanOperator":"And", 6913 | "Conditions":[ 6914 | { 6915 | "Field":"path", 6916 | "Operator":"Equal", 6917 | "Value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters" 6918 | }, 6919 | { 6920 | "Field":"reg_value_name", 6921 | "Operator":"Equal", 6922 | "Value":"DataBasePath" 6923 | } 6924 | ] 6925 | } 6926 | ] 6927 | }, 6928 | "EventType":"bfa803a33bd24305abaf4e37da4bce7b" 6929 | }, 6930 | { 6931 | "BaseEventType":6, 6932 | "Condition":{ 6933 | "BooleanOperator":"And", 6934 | "Conditions":[ 6935 | { 6936 | "BooleanOperator":"Or", 6937 | "Conditions":[ 6938 | { 6939 | "Field":"parentVerdict", 6940 | "Operator":"!Equal", 6941 | "Value":1 6942 | }, 6943 | { 6944 | "Field":"parentProcessPath", 6945 | "Operator":"MatchInList", 6946 | "Value":"RegWhiteList" 6947 | } 6948 | ] 6949 | }, 6950 | { 6951 | "BooleanOperator":"And", 6952 | "Conditions":[ 6953 | { 6954 | "Field":"path", 6955 | "Operator":"Equal", 6956 | "Value":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System" 6957 | }, 6958 | { 6959 | "Field":"reg_value_name", 6960 | "Operator":"Equal", 6961 | "Value":"DisableCMD" 6962 | }, 6963 | { 6964 | "Field":"reg_value_data", 6965 | "Operator":"Equal", 6966 | "Value":"2" 6967 | } 6968 | ] 6969 | } 6970 | ] 6971 | }, 6972 | "EventType":"b51a5f7ad047492282fe54bdfb1b2cec" 6973 | }, 6974 | { 6975 | "BaseEventType":6, 6976 | "Condition":{ 6977 | "BooleanOperator":"And", 6978 | "Conditions":[ 6979 | { 6980 | "BooleanOperator":"Or", 6981 | "Conditions":[ 6982 | { 6983 | "Field":"parentVerdict", 6984 | "Operator":"!Equal", 6985 | "Value":1 6986 | }, 6987 | { 6988 | "Field":"parentProcessPath", 6989 | "Operator":"MatchInList", 6990 | "Value":"RegWhiteList" 6991 | } 6992 | ] 6993 | }, 6994 | { 6995 | "Field":"path", 6996 | "Operator":"Equal", 6997 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" 6998 | } 6999 | ] 7000 | }, 7001 | "EventType":"a8ef229f79e94cf7845a83ec8cb1baf4" 7002 | }, 7003 | { 7004 | "BaseEventType":6, 7005 | "Condition":{ 7006 | "BooleanOperator":"And", 7007 | "Conditions":[ 7008 | { 7009 | "BooleanOperator":"Or", 7010 | "Conditions":[ 7011 | { 7012 | "Field":"parentVerdict", 7013 | "Operator":"!Equal", 7014 | "Value":1 7015 | }, 7016 | { 7017 | "Field":"parentProcessPath", 7018 | "Operator":"MatchInList", 7019 | "Value":"RegWhiteList" 7020 | } 7021 | ] 7022 | }, 7023 | { 7024 | "BooleanOperator":"And", 7025 | "Conditions":[ 7026 | { 7027 | "Field":"path", 7028 | "Operator":"Equal", 7029 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" 7030 | }, 7031 | { 7032 | "Field":"reg_value_name", 7033 | "Operator":"Equal", 7034 | "Value":"AppInit_DLLs" 7035 | } 7036 | ] 7037 | } 7038 | ] 7039 | }, 7040 | "EventType":"40a7c7b5532a41bebca9cc85626519ec" 7041 | }, 7042 | { 7043 | "BaseEventType":6, 7044 | "Condition":{ 7045 | "BooleanOperator":"And", 7046 | "Conditions":[ 7047 | { 7048 | "BooleanOperator":"Or", 7049 | "Conditions":[ 7050 | { 7051 | "Field":"parentVerdict", 7052 | "Operator":"!Equal", 7053 | "Value":1 7054 | }, 7055 | { 7056 | "Field":"parentProcessPath", 7057 | "Operator":"MatchInList", 7058 | "Value":"RegWhiteList" 7059 | } 7060 | ] 7061 | }, 7062 | { 7063 | "Field":"path", 7064 | "Operator":"Match", 7065 | "Value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile*" 7066 | } 7067 | ] 7068 | }, 7069 | "EventType":"11f82664d0034177901df736ccc39d65" 7070 | }, 7071 | { 7072 | "BaseEventType":6, 7073 | "Condition":{ 7074 | "BooleanOperator":"And", 7075 | "Conditions":[ 7076 | { 7077 | "BooleanOperator":"Or", 7078 | "Conditions":[ 7079 | { 7080 | "Field":"parentVerdict", 7081 | "Operator":"!Equal", 7082 | "Value":1 7083 | }, 7084 | { 7085 | "Field":"parentProcessPath", 7086 | "Operator":"MatchInList", 7087 | "Value":"RegWhiteList" 7088 | } 7089 | ] 7090 | }, 7091 | { 7092 | "BooleanOperator":"And", 7093 | "Conditions":[ 7094 | { 7095 | "Field":"path", 7096 | "Operator":"Equal", 7097 | "Value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" 7098 | }, 7099 | { 7100 | "Field":"reg_value_name", 7101 | "Operator":"Equal", 7102 | "Value":"BootExecute" 7103 | } 7104 | ] 7105 | } 7106 | ] 7107 | }, 7108 | "EventType":"b039c7328e854ac7b5fbdb0076372088" 7109 | }, 7110 | { 7111 | "BaseEventType":6, 7112 | "Condition":{ 7113 | "BooleanOperator":"And", 7114 | "Conditions":[ 7115 | { 7116 | "BooleanOperator":"Or", 7117 | "Conditions":[ 7118 | { 7119 | "Field":"parentVerdict", 7120 | "Operator":"!Equal", 7121 | "Value":1 7122 | }, 7123 | { 7124 | "Field":"parentProcessPath", 7125 | "Operator":"MatchInList", 7126 | "Value":"RegWhiteList" 7127 | } 7128 | ] 7129 | }, 7130 | { 7131 | "BooleanOperator":"And", 7132 | "Conditions":[ 7133 | { 7134 | "Field":"path", 7135 | "Operator":"Match", 7136 | "Value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\*" 7137 | }, 7138 | { 7139 | "Field":"reg_value_name", 7140 | "Operator":"Equal", 7141 | "Value":"NameServer" 7142 | } 7143 | ] 7144 | } 7145 | ] 7146 | }, 7147 | "EventType":"af026a4d209847f6a234ecb87d165552" 7148 | }, 7149 | { 7150 | "BaseEventType":6, 7151 | "Condition":{ 7152 | "BooleanOperator":"And", 7153 | "Conditions":[ 7154 | { 7155 | "BooleanOperator":"Or", 7156 | "Conditions":[ 7157 | { 7158 | "Field":"parentVerdict", 7159 | "Operator":"!Equal", 7160 | "Value":1 7161 | }, 7162 | { 7163 | "Field":"parentProcessPath", 7164 | "Operator":"MatchInList", 7165 | "Value":"RegWhiteList" 7166 | } 7167 | ] 7168 | }, 7169 | { 7170 | "BooleanOperator":"Or", 7171 | "Conditions":[ 7172 | { 7173 | "Field":"path", 7174 | "Operator":"Match", 7175 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup*" 7176 | }, 7177 | { 7178 | "Field":"path", 7179 | "Operator":"Match", 7180 | "Value":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon*" 7181 | }, 7182 | { 7183 | "Field":"path", 7184 | "Operator":"Match", 7185 | "Value":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" 7186 | }, 7187 | { 7188 | "Field":"path", 7189 | "Operator":"Equal", 7190 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" 7191 | }, 7192 | { 7193 | "Field":"path", 7194 | "Operator":"Match", 7195 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx*" 7196 | }, 7197 | { 7198 | "Field":"path", 7199 | "Operator":"Match", 7200 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce*" 7201 | }, 7202 | { 7203 | "Field":"path", 7204 | "Operator":"Match", 7205 | "Value":"HKEY_CURRENT_USER\\Software\\Microsoft\\WindowsNT\\CurrentVersion\\Windows*" 7206 | }, 7207 | { 7208 | "Field":"path", 7209 | "Operator":"Match", 7210 | "Value":"HKEY_CURRENT_USER\\Software\\Microsoft\\WindowsNT\\CurrentVersion\\Windows\\Run*" 7211 | }, 7212 | { 7213 | "Field":"path", 7214 | "Operator":"Match", 7215 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run*" 7216 | }, 7217 | { 7218 | "Field":"path", 7219 | "Operator":"Match", 7220 | "Value":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run*" 7221 | }, 7222 | { 7223 | "Field":"path", 7224 | "Operator":"Equal", 7225 | "Value":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" 7226 | }, 7227 | { 7228 | "Field":"path", 7229 | "Operator":"Equal", 7230 | "Value":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" 7231 | }, 7232 | { 7233 | "Field":"path", 7234 | "Operator":"Match", 7235 | "Value":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff*" 7236 | }, 7237 | { 7238 | "Field":"path", 7239 | "Operator":"Match", 7240 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown*" 7241 | } 7242 | ] 7243 | } 7244 | ] 7245 | }, 7246 | "EventType":"3e15b3f76bd14be59c948a0fc93f55aa" 7247 | }, 7248 | { 7249 | "BaseEventType":6, 7250 | "Condition":{ 7251 | "BooleanOperator":"And", 7252 | "Conditions":[ 7253 | { 7254 | "BooleanOperator":"Or", 7255 | "Conditions":[ 7256 | { 7257 | "Field":"parentVerdict", 7258 | "Operator":"!Equal", 7259 | "Value":1 7260 | }, 7261 | { 7262 | "Field":"parentProcessPath", 7263 | "Operator":"MatchInList", 7264 | "Value":"RegWhiteList" 7265 | } 7266 | ] 7267 | }, 7268 | { 7269 | "BooleanOperator":"And", 7270 | "Conditions":[ 7271 | { 7272 | "Field":"path", 7273 | "Operator":"Match", 7274 | "Value":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\*" 7275 | }, 7276 | { 7277 | "Field":"reg_value_name", 7278 | "Operator":"Equal", 7279 | "Value":"Start" 7280 | }, 7281 | { 7282 | "Field":"reg_value_data", 7283 | "Operator":"Equal", 7284 | "Value":"4" 7285 | } 7286 | ] 7287 | } 7288 | ] 7289 | }, 7290 | "EventType":"1dcc953afdb14aa69bed01791e61324c" 7291 | }, 7292 | { 7293 | "BaseEventType":6, 7294 | "Condition":{ 7295 | "BooleanOperator":"And", 7296 | "Conditions":[ 7297 | { 7298 | "BooleanOperator":"Or", 7299 | "Conditions":[ 7300 | { 7301 | "Field":"parentVerdict", 7302 | "Operator":"!Equal", 7303 | "Value":1 7304 | }, 7305 | { 7306 | "Field":"parentProcessPath", 7307 | "Operator":"MatchInList", 7308 | "Value":"RegWhiteList" 7309 | } 7310 | ] 7311 | }, 7312 | { 7313 | "BooleanOperator":"Or", 7314 | "Conditions":[ 7315 | { 7316 | "BooleanOperator":"And", 7317 | "Conditions":[ 7318 | { 7319 | "Field":"path", 7320 | "Operator":"Equal", 7321 | "Value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU" 7322 | }, 7323 | { 7324 | "Field":"reg_value_name", 7325 | "Operator":"Equal", 7326 | "Value":"NoAutoUpdate" 7327 | }, 7328 | { 7329 | "Field":"reg_value_data", 7330 | "Operator":"Equal", 7331 | "Value":"1" 7332 | } 7333 | ] 7334 | }, 7335 | { 7336 | "BooleanOperator":"And", 7337 | "Conditions":[ 7338 | { 7339 | "Field":"path", 7340 | "Operator":"Equal", 7341 | "Value":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate" 7342 | }, 7343 | { 7344 | "Field":"reg_value_name", 7345 | "Operator":"Equal", 7346 | "Value":"DisableWindowsUpdateAccess" 7347 | }, 7348 | { 7349 | "Field":"reg_value_data", 7350 | "Operator":"Equal", 7351 | "Value":"1" 7352 | } 7353 | ] 7354 | }, 7355 | { 7356 | "BooleanOperator":"And", 7357 | "Conditions":[ 7358 | { 7359 | "Field":"path", 7360 | "Operator":"Equal", 7361 | "Value":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WindowsUpdate" 7362 | }, 7363 | { 7364 | "Field":"reg_value_name", 7365 | "Operator":"Equal", 7366 | "Value":"DisableWindowsUpdateAccess" 7367 | }, 7368 | { 7369 | "Field":"reg_value_data", 7370 | "Operator":"Equal", 7371 | "Value":"1" 7372 | } 7373 | ] 7374 | } 7375 | ] 7376 | } 7377 | ] 7378 | }, 7379 | "EventType":"0286a9c43d7d470681c322c3fad746c8" 7380 | }, 7381 | { 7382 | "BaseEventType":6, 7383 | "Condition":{ 7384 | "BooleanOperator":"And", 7385 | "Conditions":[ 7386 | { 7387 | "BooleanOperator":"Or", 7388 | "Conditions":[ 7389 | { 7390 | "Field":"parentVerdict", 7391 | "Operator":"!Equal", 7392 | "Value":1 7393 | }, 7394 | { 7395 | "Field":"parentProcessPath", 7396 | "Operator":"MatchInList", 7397 | "Value":"RegWhiteList" 7398 | } 7399 | ] 7400 | }, 7401 | { 7402 | "BooleanOperator":"And", 7403 | "Conditions":[ 7404 | { 7405 | "Field":"reg_value_data", 7406 | "Operator":"Equal", 7407 | "Value":"1" 7408 | }, 7409 | { 7410 | "Field":"path", 7411 | "Operator":"Match", 7412 | "Value":"*\\\\currentversion\\\\app paths\\\\control.exe*" 7413 | } 7414 | ] 7415 | } 7416 | ] 7417 | }, 7418 | "EventType":"f94c9f1e43ae4465b91abd8c0ebfc5ce" 7419 | }, 7420 | { 7421 | "BaseEventType":6, 7422 | "Condition":{ 7423 | "BooleanOperator":"And", 7424 | "Conditions":[ 7425 | { 7426 | "BooleanOperator":"Or", 7427 | "Conditions":[ 7428 | { 7429 | "Field":"parentVerdict", 7430 | "Operator":"!Equal", 7431 | "Value":1 7432 | }, 7433 | { 7434 | "Field":"parentProcessPath", 7435 | "Operator":"MatchInList", 7436 | "Value":"RegWhiteList" 7437 | } 7438 | ] 7439 | }, 7440 | { 7441 | "BooleanOperator":"And", 7442 | "Conditions":[ 7443 | { 7444 | "Field":"path", 7445 | "Operator":"Match", 7446 | "Value":"*\\\\securityproviders\\\\wdigest\\\\uselogoncredential" 7447 | }, 7448 | { 7449 | "Field":"reg_value_data", 7450 | "Operator":"Equal", 7451 | "Value":"1" 7452 | } 7453 | ] 7454 | } 7455 | ] 7456 | }, 7457 | "EventType":"dd2de7db4731477baa3009ff06f71ddd" 7458 | }, 7459 | { 7460 | "BaseEventType":6, 7461 | "Condition":{ 7462 | "BooleanOperator":"And", 7463 | "Conditions":[ 7464 | { 7465 | "BooleanOperator":"Or", 7466 | "Conditions":[ 7467 | { 7468 | "Field":"parentVerdict", 7469 | "Operator":"!Equal", 7470 | "Value":1 7471 | }, 7472 | { 7473 | "Field":"parentProcessPath", 7474 | "Operator":"MatchInList", 7475 | "Value":"RegWhiteList" 7476 | } 7477 | ] 7478 | }, 7479 | { 7480 | "BooleanOperator":"And", 7481 | "Conditions":[ 7482 | { 7483 | "Field":"path", 7484 | "Operator":"Equal", 7485 | "Value":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" 7486 | }, 7487 | { 7488 | "Field":"reg_value_data", 7489 | "Operator":"Equal", 7490 | "Value":"2" 7491 | }, 7492 | { 7493 | "BooleanOperator":"Or", 7494 | "Conditions":[ 7495 | { 7496 | "Field":"reg_value_name", 7497 | "Operator":"Equal", 7498 | "Value":"Hidden" 7499 | }, 7500 | { 7501 | "Field":"reg_value_name", 7502 | "Operator":"Equal", 7503 | "Value":"ShowSuperHidden" 7504 | } 7505 | ] 7506 | } 7507 | ] 7508 | } 7509 | ] 7510 | }, 7511 | "EventType":"a5655a55ea564e419a433505fa875f1d" 7512 | }, 7513 | { 7514 | "BaseEventType":6, 7515 | "Condition":{ 7516 | "BooleanOperator":"And", 7517 | "Conditions":[ 7518 | { 7519 | "BooleanOperator":"Or", 7520 | "Conditions":[ 7521 | { 7522 | "Field":"parentVerdict", 7523 | "Operator":"!Equal", 7524 | "Value":1 7525 | }, 7526 | { 7527 | "Field":"parentProcessPath", 7528 | "Operator":"MatchInList", 7529 | "Value":"RegWhiteList" 7530 | } 7531 | ] 7532 | }, 7533 | { 7534 | "Field":"path", 7535 | "Operator":"Equal", 7536 | "Value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Lanmanserver\\Shares" 7537 | } 7538 | ] 7539 | }, 7540 | "EventType":"4f2f2ed474cf439e84aa93d0f70673fc" 7541 | }, 7542 | { 7543 | "BaseEventType":6, 7544 | "Condition":{ 7545 | "BooleanOperator":"Or", 7546 | "Conditions":[ 7547 | { 7548 | "Field":"parentVerdict", 7549 | "Operator":"!Equal", 7550 | "Value":1 7551 | }, 7552 | { 7553 | "Field":"parentProcessPath", 7554 | "Operator":"MatchInList", 7555 | "Value":"RegWhiteList" 7556 | } 7557 | ] 7558 | }, 7559 | "EventType":null 7560 | } 7561 | ] 7562 | }, 7563 | "Lists":{ 7564 | "DeleteFileExtensions":[ 7565 | "*.app", 7566 | "*.bat", 7567 | "*.cmd", 7568 | "*.com", 7569 | "*.cpl", 7570 | "*.dll", 7571 | "*.exe", 7572 | "*.inf", 7573 | "*.job", 7574 | "*.jar", 7575 | "*.js", 7576 | "*.jar", 7577 | "*.jse", 7578 | "*.lnk", 7579 | "*.msc", 7580 | "*.msh", 7581 | "*.msh1", 7582 | "*.msh2", 7583 | "*.mshxml", 7584 | "*.msh1xml", 7585 | "*.msh2xml", 7586 | "*.osx", 7587 | "*.pif", 7588 | "*.ps1", 7589 | "*.ps2", 7590 | "*.psc2", 7591 | "*.psc1", 7592 | "*.ps1xml", 7593 | "*.ps2xml", 7594 | "*.py", 7595 | "*.pyc", 7596 | "*.reg", 7597 | "*.rgs", 7598 | "*.scr", 7599 | "*.scf", 7600 | "*.sct", 7601 | "*.sys", 7602 | "*.vb", 7603 | "*.vbe", 7604 | "*.vbs", 7605 | "*.vbscript", 7606 | "*.ws", 7607 | "*.wsf", 7608 | "*.wsh", 7609 | "*.chm", 7610 | "*.doc", 7611 | "*.docx", 7612 | "*.docm", 7613 | "*.dotm", 7614 | "*.hta", 7615 | "*.mam", 7616 | "*.mrc", 7617 | "*.mhtml", 7618 | "*.mht", 7619 | "*.otm", 7620 | "*.pdf", 7621 | "*.potm", 7622 | "*.ppam", 7623 | "*.ppsm", 7624 | "*.ppt", 7625 | "*.pptx", 7626 | "*.pptm", 7627 | "*.sldm", 7628 | "*.udf", 7629 | "*.xls", 7630 | "*.xlsx", 7631 | "*.xlam", 7632 | "*.xlm", 7633 | "*.xlsm", 7634 | "*.xltm", 7635 | "*.zip", 7636 | "*.7z", 7637 | "*.rar", 7638 | "*.rarx", 7639 | "*.gz", 7640 | "*.gz2", 7641 | "*.bz", 7642 | "*.bz2", 7643 | "*.cab", 7644 | "*.msi", 7645 | "*.msp" 7646 | ], 7647 | "DeleteFileWhiteList":[ 7648 | "*\\powershell.exe", 7649 | "*\\cmd.exe", 7650 | "*\\sdelete.exe", 7651 | "*\\sdelete64.exe", 7652 | "*\\cscript.exe", 7653 | "*\\wscript.exe", 7654 | "*\\wmiprvse.exe" 7655 | ], 7656 | "EmailPaths":[ 7657 | "*\\thunderbird.exe", 7658 | "*\\outlook.exe" 7659 | ], 7660 | "InfectibleFiles":[ 7661 | "*.lnk", 7662 | "*.wsf", 7663 | "*.hta", 7664 | "*.mhtml", 7665 | "*.html", 7666 | "*.doc", 7667 | "*.docm", 7668 | "*.xls", 7669 | "*.xlsm", 7670 | "*.ppt", 7671 | "*.pptm", 7672 | "*.chm", 7673 | "*.vbs", 7674 | "*.js", 7675 | "*.bat", 7676 | "*.pif", 7677 | "*.pdf", 7678 | "*.jar", 7679 | "*.sys" 7680 | ], 7681 | "RegWhiteList":[ 7682 | "*\\powershell.exe", 7683 | "*\\regedit.exe", 7684 | "*\\reg.exe", 7685 | "*\\cscript.exe", 7686 | "*\\wscript.exe" 7687 | ], 7688 | "WriteFileBlackList":[ 7689 | "*\\cmdagent.exe", 7690 | "*\\MsMpEng.exe", 7691 | "*\\RmmService.exe", 7692 | "*\\ITSMService.exe", 7693 | "*\\officec2rclient.exe", 7694 | "*\\PmService.exe", 7695 | "*\\remsh.exe", 7696 | "*\\cfpconfg.exe", 7697 | "*\\ngen.exe", 7698 | "*\\cwagtsrv.exe", 7699 | "*\\edrstart.exe", 7700 | "*\\Code.exe", 7701 | "*\\git.exe", 7702 | "*\\DropboxUpdate.exe", 7703 | "*\\GoogleUpdate.exe", 7704 | "*\\devenv.exe" 7705 | ], 7706 | "WriteFileWhiteList":[ 7707 | "*\\powershell.exe", 7708 | "*\\explorer.exe", 7709 | "*\\cmd.exe", 7710 | "*\\xcopy.exe", 7711 | "*\\cscript.exe", 7712 | "*\\wscript.exe" 7713 | ] 7714 | } 7715 | } --------------------------------------------------------------------------------