Rules Update
wagga40 committed Oct 29, 2024
1 parent 5c11b38 commit adc4fce
Showing 7 changed files with 133 additions and 13 deletions.
24 changes: 22 additions & 2 deletions rules_windows_generic_full.json
@@ -31484,6 +31484,26 @@
],
"filename": ""
},
{
"title": "Access To Browser Credential Files By Uncommon Applications - Security",
"id": "4b60e527-ec73-4b47-8cb3-f02ad927ca65",
"status": "experimental",
"description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n",
"author": "Daniel Koifman (@Koifsec), Nasreddine Bencherchali",
"tags": [
"attack.credential-access",
"attack.t1555.003",
"detection.threat-hunting"
],
"falsepositives": [
"Unknown"
],
"level": "low",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4663 AND ObjectType='File' AND AccessMask='0x1') AND ((ObjectName LIKE '%\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Local State%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\') OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%\\\\places.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND (NOT (ProcessName='System' OR (ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))) AND (NOT (ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))))"
],
"filename": ""
},
{
"title": "Scheduled Task Deletion",
"id": "4f86b304-3e02-40e3-aa5d-e88a167c9617",
@@ -53720,7 +53740,7 @@
"filename": ""
},
{
"title": "Suspicious Schtasks From Env Var Folder",
"title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE",
"id": "81325ce1-be01-4250-944f-b4789644556f",
"status": "test",
"description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware",
@@ -53735,7 +53755,7 @@
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT ((ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\' OR CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\') OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\' OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN 
\"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))"
],
"filename": ""
},
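Review bot: In the `rule` string of the added 4b60e527 entry, the Chrome patterns filter on `ObjectName` but the Firefox patterns (`cookies.sqlite`, `places.sqlite`, `key3.db`, `key4.db`, `logins.json`) filter on `FileName`; Security event 4663 reports the accessed path in `ObjectName` and, as far as I can tell, carries no `FileName` field, so that whole branch would never match unless the ingestion pipeline aliases the field. If the alias is not deliberate, the five predicates should read `ObjectName LIKE '%\\\\cookies.sqlite' ESCAPE '\\'` and so on, mirroring the first branch. The description would also serve operators better if it noted the prerequisite, e.g. `Requires object-access auditing (Audit File System) with a SACL on the browser profile folders; without it no 4663 events are generated.`, and the missing full stop before "This rule requires heavy baselining" could be fixed at the same time. The identical rule text is added in rules_windows_generic_medium.json and rules_windows_generic_pysigma.json, so the same change applies there.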
24 changes: 22 additions & 2 deletions rules_windows_generic_medium.json
@@ -31484,6 +31484,26 @@
],
"filename": ""
},
{
"title": "Access To Browser Credential Files By Uncommon Applications - Security",
"id": "4b60e527-ec73-4b47-8cb3-f02ad927ca65",
"status": "experimental",
"description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n",
"author": "Daniel Koifman (@Koifsec), Nasreddine Bencherchali",
"tags": [
"attack.credential-access",
"attack.t1555.003",
"detection.threat-hunting"
],
"falsepositives": [
"Unknown"
],
"level": "low",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4663 AND ObjectType='File' AND AccessMask='0x1') AND ((ObjectName LIKE '%\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Local State%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\') OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%\\\\places.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND (NOT (ProcessName='System' OR (ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))) AND (NOT (ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))))"
],
"filename": ""
},
{
"title": "Scheduled Task Deletion",
"id": "4f86b304-3e02-40e3-aa5d-e88a167c9617",
@@ -53720,7 +53740,7 @@
"filename": ""
},
{
"title": "Suspicious Schtasks From Env Var Folder",
"title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE",
"id": "81325ce1-be01-4250-944f-b4789644556f",
"status": "test",
"description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware",
@@ -53735,7 +53755,7 @@
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT ((ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\' OR CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\') OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\' OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN 
\"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))"
],
"filename": ""
},
24 changes: 22 additions & 2 deletions rules_windows_generic_pysigma.json
@@ -31484,6 +31484,26 @@
],
"filename": ""
},
{
"title": "Access To Browser Credential Files By Uncommon Applications - Security",
"id": "4b60e527-ec73-4b47-8cb3-f02ad927ca65",
"status": "experimental",
"description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n",
"author": "Daniel Koifman (@Koifsec), Nasreddine Bencherchali",
"tags": [
"attack.credential-access",
"attack.t1555.003",
"detection.threat-hunting"
],
"falsepositives": [
"Unknown"
],
"level": "low",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4663 AND ObjectType='File' AND AccessMask='0x1') AND ((ObjectName LIKE '%\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Local State%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\') OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%\\\\places.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND (NOT (ProcessName='System' OR (ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))) AND (NOT (ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))))"
],
"filename": ""
},
{
"title": "Scheduled Task Deletion",
"id": "4f86b304-3e02-40e3-aa5d-e88a167c9617",
@@ -53720,7 +53740,7 @@
"filename": ""
},
{
"title": "Suspicious Schtasks From Env Var Folder",
"title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE",
"id": "81325ce1-be01-4250-944f-b4789644556f",
"status": "test",
"description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware",
@@ -53735,7 +53755,7 @@
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))"
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT ((ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\' OR CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\') OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\' OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN 
\"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))"
],
"filename": ""
},
