osquery-1/packs/windows-attacks.conf

{
  "platform": "windows",
  "queries": {
    "CCleaner_Trojan.Floxif": {
      "query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "(https://sensorstechforum.com/ccleaner-trojan-floxif-malware-how-to-remove/)",
      "value" : "Artifact used by this malware"
    },
    "CCleaner_Trojan_stage2.Floxif": {
      "query": "select h.md5, h.sha1, h.sha256, s.name, s.service_type, s.display_name, s.module_path, s.user_account from services s, hash h where h.path = s.module_path and ((s.module_path like '%GeeSetup_x86%' and h.sha256 = 'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83') or (s.module_path like '%EFACli64%' and h.sha256 = '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f') or (s.module_path like '%TSMSISrv%' and h.sha256 = '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902'));",
      "interval" : "3600",
      "version": "2.1.0",
      "description" : "(https://sensorstechforum.com/ccleaner-trojan-floxif-malware-how-to-remove/)",
      "value" : "Artifact used by this malware"
    },
    "Winsecurity_info_1": {
      "query" : "select * from programs where name = 'Winsecurity.info';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "(https://sensorstechforum.com/windows-infected-2-viruses-scam-remove/)",
      "value" : "Artifact used by this malware"
    },
    "Winsecurity_info_2": {
      "query" : "select * from chrome_extensions join users using (uid) where name = 'Winsecurity.info';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "(https://sensorstechforum.com/windows-infected-2-viruses-scam-remove/)",
      "value" : "Artifact used by this malware"
    },
    "unTabs_1": {
      "query" : "select * from programs where name like 'unTabs%';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "(https://sensorstechforum.com/untabs-browser-extension-virus-remove-completely/)",
      "value" : "Artifact used by this malware"
    },
    "unTabs_2": {
      "query" : "select * from chrome_extensions join users using (uid) where name like 'unTabs%';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "(https://sensorstechforum.com/untabs-browser-extension-virus-remove-completely/)",
      "value" : "Artifact used by this malware"
    },
    "StickyKeys_File_Replace_Backdoor": {
      "query": "SELECT * FROM hash WHERE (path='c:\\windows\\system32\\osk.exe' OR path='c:\\windows\\system32\\sethc.exe' OR path='c:\\windows\\system32\\narrator.exe' OR path='c:\\windows\\system32\\magnify.exe' OR path='c:\\windows\\system32\\displayswitch.exe') AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:\\windows\\system32\\cmd.exe' OR path='c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' OR path='c:\\windows\\system32\\explorer.exe') AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Checks the hashes of accessibility tools to ensure they don't match the hashes of cmd.exe, powershell.exe, or explorer.exe. More info: (https://github.com/TrullJ/sticky-keys-scanner/blob/master/TestFor-StickyKey.ps1)"
    },
    "StickyKeys_Registry_Backdoor": {
      "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%%' and name='Debugger';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Searches for the presence of the 'Debugger' registry key for common Windows accessibility tools. More info: (https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/)"
    },
    "conhost.exe_incorrect_path": {
      "query": "SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!='';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    },
    "dllhost.exe_incorrect_path": {
      "query": "SELECT * FROM processes WHERE LOWER(name)='dllhost.exe' AND LOWER(path)!='c:\\windows\\system32\\dllhost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\dllhost.exe' AND path!='';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    },
    "lsass.exe_incorrect_path": {
      "query": "SELECT * FROM processes WHERE LOWER(name)='lsass.exe' AND LOWER(path)!='c:\\windows\\system32\\lsass.exe' AND path!='';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    },
    "services.exe_incorrect_parent_process": {
      "query": "SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='services.exe') AND LOWER(name)!='wininit.exe';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    },
    "svchost.exe_incorrect_path": {
      "query": "SELECT * FROM processes WHERE LOWER(name)='svchost.exe' AND LOWER(path)!='c:\\windows\\system32\\svchost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\svchost.exe' AND path!='';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    },
    "svchost.exe_incorrect_parent_process": {
      "query": "SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='svchost.exe') AND LOWER(name)!='services.exe';",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Detect processes masquerading as legitimate Windows processes"
    }
  }
}
Windows attacks query pack (#3754) 2017-10-03 03:11:24 +00:00			`{`
			`"platform": "windows",`
			`"queries": {`
			`"CCleaner_Trojan.Floxif": {`
			`"query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo%';",`
			`"interval" : "3600",`
Adding queries to windows-attacks, fix version, nits (#3922) 2017-11-15 00:29:47 +00:00			`"version": "2.2.1",`
Windows attacks query pack (#3754) 2017-10-03 03:11:24 +00:00			`"description" : "(https://sensorstechforum.com/ccleaner-trojan-floxif-malware-how-to-remove/)",`
			`"value" : "Artifact used by this malware"`
			`},`
packs: updating query versions in windows attack packs (#3926) 2017-11-15 04:48:21 +00:00			`"CCleaner_Trojan_stage2.Floxif": {`
packs: fixing malformed win attack pack (#3928) 2017-11-16 05:46:48 +00:00			"query": "select h.md5, h.sha1, h.sha256, s.name, s.service_type, s.display_name, s.module_path, s.user_account from services s, hash h where h.path = s.module_path and ((s.module_path like '%GeeSetup_x86%' and h.sha256 = 'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83') or (s.module_path like '%EFACli64%' and h.sha256 = '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f') or (s.module_path like '%TSMSISrv%' and h.sha256 = '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902'));",
			`"interval" : "3600",`
			`"version": "2.1.0",`
			`"description" : "(https://sensorstechforum.com/ccleaner-trojan-floxif-malware-how-to-remove/)",`
			`"value" : "Artifact used by this malware"`
packs: Query to identify ccleaner malware (#3790) 2017-11-15 04:44:39 +00:00			`},`
Windows attacks query pack (#3754) 2017-10-03 03:11:24 +00:00			`"Winsecurity_info_1": {`
			`"query" : "select * from programs where name = 'Winsecurity.info';",`
			`"interval" : "3600",`
Adding queries to windows-attacks, fix version, nits (#3922) 2017-11-15 00:29:47 +00:00			`"version": "2.2.1",`
Windows attacks query pack (#3754) 2017-10-03 03:11:24 +00:00			`"description" : "(https://sensorstechforum.com/windows-infected-2-viruses-scam-remove/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Winsecurity_info_2": {`
			`"query" : "select * from chrome_extensions join users using (uid) where name = 'Winsecurity.info';",`
			`"interval" : "3600",`
Adding queries to windows-attacks, fix version, nits (#3922) 2017-11-15 00:29:47 +00:00			`"version": "2.2.1",`
Windows attacks query pack (#3754) 2017-10-03 03:11:24 +00:00			`"description" : "(https://sensorstechforum.com/windows-infected-2-viruses-scam-remove/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"unTabs_1": {`
			`"query" : "select * from programs where name like 'unTabs%';",`
			`"interval" : "3600",`
Adding queries to windows-attacks, fix version, nits (#3922) 2017-11-15 00:29:47 +00:00			`"version": "2.2.1",`
Windows attacks query pack (#3754) 2017-10-03 03:11:24 +00:00			`"description" : "(https://sensorstechforum.com/untabs-browser-extension-virus-remove-completely/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"unTabs_2": {`
			`"query" : "select * from chrome_extensions join users using (uid) where name like 'unTabs%';",`
			`"interval" : "3600",`
Adding queries to windows-attacks, fix version, nits (#3922) 2017-11-15 00:29:47 +00:00			`"version": "2.2.1",`
Windows attacks query pack (#3754) 2017-10-03 03:11:24 +00:00			`"description" : "(https://sensorstechforum.com/untabs-browser-extension-virus-remove-completely/)",`
			`"value" : "Artifact used by this malware"`
Adding queries to windows-attacks, fix version, nits (#3922) 2017-11-15 00:29:47 +00:00			`},`
			`"StickyKeys_File_Replace_Backdoor": {`
packs: remove escape - Error parsing the "windows-attacks" pack JSON (#4154) 2018-03-09 16:48:36 +00:00			"query": "SELECT * FROM hash WHERE (path='c:\\windows\\system32\\osk.exe' OR path='c:\\windows\\system32\\sethc.exe' OR path='c:\\windows\\system32\\narrator.exe' OR path='c:\\windows\\system32\\magnify.exe' OR path='c:\\windows\\system32\\displayswitch.exe') AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:\\windows\\system32\\cmd.exe' OR path='c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' OR path='c:\\windows\\system32\\explorer.exe') AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';",
Adding queries to windows-attacks, fix version, nits (#3922) 2017-11-15 00:29:47 +00:00			`"interval": 3600,`
			`"version": "2.2.1",`
			`"description": "Checks the hashes of accessibility tools to ensure they don't match the hashes of cmd.exe, powershell.exe, or explorer.exe. More info: (https://github.com/TrullJ/sticky-keys-scanner/blob/master/TestFor-StickyKey.ps1)"`
			`},`
			`"StickyKeys_Registry_Backdoor": {`
			`"query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%%' and name='Debugger';",`
			`"interval": 3600,`
			`"version": "2.2.1",`
			`"description": "Searches for the presence of the 'Debugger' registry key for common Windows accessibility tools. More info: (https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/)"`
			`},`
			`"conhost.exe_incorrect_path": {`
			`"query": "SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!='';",`
			`"interval": 3600,`
			`"version": "2.2.1",`
			`"description": "Detect processes masquerading as legitimate Windows processes"`
			`},`
			`"dllhost.exe_incorrect_path": {`
			`"query": "SELECT * FROM processes WHERE LOWER(name)='dllhost.exe' AND LOWER(path)!='c:\\windows\\system32\\dllhost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\dllhost.exe' AND path!='';",`
			`"interval": 3600,`
			`"version": "2.2.1",`
			`"description": "Detect processes masquerading as legitimate Windows processes"`
			`},`
			`"lsass.exe_incorrect_path": {`
			`"query": "SELECT * FROM processes WHERE LOWER(name)='lsass.exe' AND LOWER(path)!='c:\\windows\\system32\\lsass.exe' AND path!='';",`
			`"interval": 3600,`
			`"version": "2.2.1",`
			`"description": "Detect processes masquerading as legitimate Windows processes"`
			`},`
			`"services.exe_incorrect_parent_process": {`
			`"query": "SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='services.exe') AND LOWER(name)!='wininit.exe';",`
			`"interval": 3600,`
			`"version": "2.2.1",`
			`"description": "Detect processes masquerading as legitimate Windows processes"`
			`},`
			`"svchost.exe_incorrect_path": {`
			`"query": "SELECT * FROM processes WHERE LOWER(name)='svchost.exe' AND LOWER(path)!='c:\\windows\\system32\\svchost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\svchost.exe' AND path!='';",`
			`"interval": 3600,`
			`"version": "2.2.1",`
			`"description": "Detect processes masquerading as legitimate Windows processes"`
			`},`
			`"svchost.exe_incorrect_parent_process": {`
			`"query": "SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='svchost.exe') AND LOWER(name)!='services.exe';",`
			`"interval": 3600,`
			`"version": "2.2.1",`
			`"description": "Detect processes masquerading as legitimate Windows processes"`
Windows attacks query pack (#3754) 2017-10-03 03:11:24 +00:00			`}`
			`}`
			`}`