|
1 | 1 | SYS_MON_VALUE_PRESETS: dict[str, list[str]] = { |
2 | 2 | "Image": [ |
3 | | - "powershell.exe", |
4 | | - "powershell_ise.exe", |
5 | | - "pwsh.exe", |
6 | | - "cmd.exe", |
7 | | - "wscript.exe", |
8 | | - "cscript.exe", |
9 | | - "mshta.exe", |
10 | | - "rundll32.exe", |
11 | | - "regsvr32.exe", |
12 | | - "regsvcs.exe", |
13 | | - "regasm.exe", |
14 | | - "certutil.exe", |
15 | | - "bitsadmin.exe", |
16 | | - "wmic.exe", |
17 | | - "schtasks.exe", |
18 | | - "at.exe", |
19 | | - "net.exe", |
20 | | - "net1.exe", |
21 | | - "whoami.exe", |
22 | | - "ipconfig.exe", |
23 | | - "nslookup.exe", |
24 | | - "nltest.exe", |
25 | | - "netstat.exe", |
26 | | - "tasklist.exe", |
27 | | - "qprocess.exe", |
28 | | - "qwinsta.exe", |
29 | | - "rwinsta.exe", |
30 | | - "quser.exe", |
31 | | - "runas.exe", |
32 | | - "curl.exe", |
33 | | - "wget.exe", |
34 | | - "ftp.exe", |
35 | | - "winrs.exe", |
36 | | - "wsmprovhost.exe", |
37 | | - "winrshost.exe", |
38 | | - "mofcomp.exe", |
39 | | - "wmiprvse.exe", |
40 | | - "scrcons.exe", |
41 | | - "pcalua.exe", |
42 | | - "bash.exe", |
43 | | - "hh.exe", |
44 | | - "installutil.exe", |
45 | | - "msbuild.exe", |
46 | | - "msiexec.exe", |
47 | | - "odbcconf.exe", |
48 | | - "desktopimgdownldr.exe", |
49 | | - "replace.exe", |
50 | | - "diskshadow.exe", |
51 | | - "esentutl.exe", |
52 | | - "ntdsutil.exe", |
53 | | - "rpcping.exe", |
54 | | - "vssadmin.exe", |
55 | | - "wbadmin.exe", |
56 | | - "bcdedit.exe", |
57 | | - "wevtutil.exe", |
58 | | - "fsutil.exe", |
59 | | - "dnscmd.exe", |
60 | | - "sc.exe", |
61 | | - "taskkill.exe", |
62 | | - "xcopy.exe", |
63 | | - "robocopy.exe", |
64 | | - "PktMon.exe", |
65 | | - "PsExec.exe", |
| 3 | + "powershell.exe", # Windows PowerShell interpreter (commonly abused for execution and download cradles) |
| 4 | + "powershell_ise.exe", # PowerShell Integrated Scripting Environment |
| 5 | + "pwsh.exe", # PowerShell Core (cross-platform PowerShell) |
| 6 | + "cmd.exe", # Windows command interpreter |
| 7 | + "wscript.exe", # Windows Script Host (GUI) |
| 8 | + "cscript.exe", # Windows Script Host (CLI) |
| 9 | + "mshta.exe", # Executes HTA files (frequently abused LOLBin) |
| 10 | + "rundll32.exe", # Executes exported DLL functions (common living-off-the-land technique) |
| 11 | + "regsvr32.exe", # Registers COM objects (often abused to load remote scripts) |
| 12 | + "regsvcs.exe", # .NET service registration utility |
| 13 | + "regasm.exe", # Registers .NET assemblies |
| 14 | + "certutil.exe", # Certificate utility often abused for file download/encoding |
| 15 | + "bitsadmin.exe", # BITS download tool (used for persistence and file staging) |
| 16 | + "wmic.exe", # Windows Management Instrumentation CLI |
| 17 | + "schtasks.exe", # Scheduled task management (persistence technique) |
| 18 | + "at.exe", # Legacy scheduled task tool |
| 19 | + "net.exe", # Windows networking command utility |
| 20 | + "net1.exe", # Alternative version of net.exe |
| 21 | + "whoami.exe", # Displays current user identity |
| 22 | + "ipconfig.exe", # Network configuration display |
| 23 | + "nslookup.exe", # DNS lookup tool |
| 24 | + "nltest.exe", # Active Directory domain controller testing |
| 25 | + "netstat.exe", # Displays network connections |
| 26 | + "tasklist.exe", # Lists running processes |
| 27 | + "qprocess.exe", # Displays processes on RDS servers |
| 28 | + "qwinsta.exe", # Query terminal sessions |
| 29 | + "rwinsta.exe", # Reset terminal session |
| 30 | + "quser.exe", # Query logged-in users |
| 31 | + "runas.exe", # Execute program as another user |
| 32 | + "curl.exe", # HTTP transfer tool |
| 33 | + "wget.exe", # HTTP download utility |
| 34 | + "ftp.exe", # FTP client |
| 35 | + "winrs.exe", # Windows Remote Shell |
| 36 | + "wsmprovhost.exe", # WinRM provider host |
| 37 | + "winrshost.exe", # WinRM command host |
| 38 | + "mofcomp.exe", # WMI MOF compiler (persistence vector) |
| 39 | + "wmiprvse.exe", # WMI provider host process |
| 40 | + "scrcons.exe", # WMI script consumer |
| 41 | + "pcalua.exe", # Program compatibility assistant launcher |
| 42 | + "bash.exe", # Windows Subsystem for Linux launcher |
| 43 | + "hh.exe", # HTML help viewer (used in LOLBin chains) |
| 44 | + "installutil.exe", # .NET installer utility (commonly abused) |
| 45 | + "msbuild.exe", # Microsoft build engine (used for code execution) |
| 46 | + "msiexec.exe", # Windows installer execution engine |
| 47 | + "odbcconf.exe", # ODBC configuration tool |
| 48 | + "desktopimgdownldr.exe", # Desktop image downloader (LOLBin abuse) |
| 49 | + "replace.exe", # Replace files utility |
| 50 | + "diskshadow.exe", # VSS snapshot tool |
| 51 | + "esentutl.exe", # Extensible storage engine utility |
| 52 | + "ntdsutil.exe", # Active Directory database maintenance tool |
| 53 | + "rpcping.exe", # RPC connectivity testing tool |
| 54 | + "vssadmin.exe", # Volume shadow copy management |
| 55 | + "wbadmin.exe", # Backup utility |
| 56 | + "bcdedit.exe", # Boot configuration editor |
| 57 | + "wevtutil.exe", # Windows event log management tool |
| 58 | + "fsutil.exe", # File system utility |
| 59 | + "dnscmd.exe", # DNS server management tool |
| 60 | + "sc.exe", # Windows service controller |
| 61 | + "taskkill.exe", # Process termination utility |
| 62 | + "xcopy.exe", # File copy utility |
| 63 | + "robocopy.exe", # Advanced file copy utility |
| 64 | + "PktMon.exe", # Windows packet monitor |
| 65 | + "PsExec.exe", # Sysinternals remote execution tool |
66 | 66 | "PsExec.c", |
67 | | - "PsList.exe", |
68 | | - "PsService.exe", |
69 | | - "PsGetSID.exe", |
70 | | - "PsKill.exe", |
71 | | - "PsLoggedOn.exe", |
72 | | - "PsFile.exe", |
73 | | - "PipeList.exe", |
74 | | - "AccessChk.exe", |
75 | | - "AccessEnum.exe", |
76 | | - "LogonSessions.exe", |
77 | | - "PsLogList.exe", |
78 | | - "PsInfo.exe", |
79 | | - "PsPasswd.exe", |
80 | | - "ProcDump.exe", |
| 67 | + "PsList.exe", # Sysinternals process listing tool |
| 68 | + "PsService.exe", # Sysinternals service management tool |
| 69 | + "PsGetSID.exe", # Sysinternals SID lookup |
| 70 | + "PsKill.exe", # Sysinternals process killer |
| 71 | + "PsLoggedOn.exe", # Sysinternals user session viewer |
| 72 | + "PsFile.exe", # Sysinternals open file viewer |
| 73 | + "PipeList.exe", # Sysinternals named pipe viewer |
| 74 | + "AccessChk.exe", # Sysinternals permission auditing tool |
| 75 | + "AccessEnum.exe", # Sysinternals access enumeration tool |
| 76 | + "LogonSessions.exe", # Sysinternals logon session viewer |
| 77 | + "PsLogList.exe", # Sysinternals event log viewer |
| 78 | + "PsInfo.exe", # Sysinternals system information tool |
| 79 | + "PsPasswd.exe", # Sysinternals password reset tool |
| 80 | + "ProcDump.exe", # Sysinternals process dump utility |
81 | 81 | "procdump.exe", |
82 | | - "chrome.exe", |
83 | | - "firefox.exe", |
84 | | - "msedge.exe", |
85 | | - "iexplore.exe", |
86 | | - "outlook.exe", |
87 | | - "winword.exe", |
88 | | - "excel.exe", |
89 | | - "powerpnt.exe", |
90 | | - "onenote.exe", |
91 | | - "msaccess.exe", |
92 | | - "teams.exe", |
93 | | - "discord.exe", |
94 | | - "svchost.exe", |
95 | | - "java.exe", |
96 | | - "javaw.exe", |
97 | | - "javaws.exe", |
98 | | - "notepad.exe", |
99 | | - "mmc.exe", |
100 | | - "explorer.exe", |
101 | | - "svchost.exe", |
102 | | - "services.exe", |
103 | | - "lsass.exe", |
104 | | - "dllhost.exe", |
105 | | - "tor.exe", |
106 | | - "software_reporter_tool.exe", |
107 | | - "OneDrive.exe", |
108 | | - "OneDriveStandaloneUpdater.exe", |
109 | | - "Dropbox.exe", |
110 | | - "spotify.exe", |
111 | | - "splunk.exe", |
112 | | - "splunkd.exe", |
113 | | - "winlogbeat.exe", |
114 | | - "packetbeat.exe", |
| 82 | + "chrome.exe", # Google Chrome browser |
| 83 | + "firefox.exe", # Mozilla Firefox browser |
| 84 | + "msedge.exe", # Microsoft Edge browser |
| 85 | + "iexplore.exe", # Internet Explorer |
| 86 | + "outlook.exe", # Microsoft Outlook |
| 87 | + "winword.exe", # Microsoft Word |
| 88 | + "excel.exe", # Microsoft Excel |
| 89 | + "powerpnt.exe", # Microsoft PowerPoint |
| 90 | + "onenote.exe", # Microsoft OneNote |
| 91 | + "msaccess.exe", # Microsoft Access |
| 92 | + "teams.exe", # Microsoft Teams |
| 93 | + "discord.exe", # Discord client |
| 94 | + "java.exe", # Java runtime launcher |
| 95 | + "javaw.exe", # Java runtime launcher (no console) |
| 96 | + "javaws.exe", # Java Web Start |
| 97 | + "notepad.exe", # Windows text editor |
| 98 | + "mmc.exe", # Microsoft Management Console |
| 99 | + "explorer.exe", # Windows shell |
| 100 | + "services.exe", # Windows service control manager |
| 101 | + "svchost.exe", # Generic service host |
| 102 | + "lsass.exe", # Local Security Authority subsystem |
| 103 | + "dllhost.exe", # COM surrogate host |
| 104 | + "tor.exe", # Tor network client |
| 105 | + "software_reporter_tool.exe", # Chrome cleanup/reporting tool |
| 106 | + "OneDrive.exe", # Microsoft OneDrive client |
| 107 | + "OneDriveStandaloneUpdater.exe", # OneDrive updater |
| 108 | + "Dropbox.exe", # Dropbox client |
| 109 | + "spotify.exe", # Spotify client |
| 110 | + "splunk.exe", # Splunk CLI |
| 111 | + "splunkd.exe", # Splunk daemon |
| 112 | + "winlogbeat.exe", # Elastic Windows log shipper |
| 113 | + "packetbeat.exe", # Elastic network data shipper |
| 114 | + "procexp.exe", # Sysinternals Process Explorer |
| 115 | + "procmon.exe", # Sysinternals Process Monitor |
| 116 | + "tcpview.exe", # Sysinternals TCP connection viewer |
| 117 | + "autoruns.exe", # Sysinternals persistence inspection tool |
| 118 | + "sigcheck.exe", # Sysinternals file signature checker |
| 119 | + "strings.exe", # Sysinternals string extraction tool |
| 120 | + "handle.exe", # Sysinternals open handle viewer |
| 121 | + "vmmap.exe", # Sysinternals virtual memory inspector |
| 122 | + "rammap.exe", # Sysinternals memory analysis tool |
| 123 | + "bginfo.exe", # Sysinternals desktop system info display |
| 124 | + "livekd.exe", # Sysinternals kernel debugging tool |
| 125 | + "klist.exe", # Kerberos ticket viewer |
| 126 | + "ktpass.exe", # Kerberos service principal management |
| 127 | + "setspn.exe", # Service principal name configuration tool |
| 128 | + "dsquery.exe", # Active Directory query tool |
| 129 | + "dsget.exe", # Active Directory object information tool |
| 130 | + "dsadd.exe", # Active Directory object creation tool |
| 131 | + "dsmod.exe", # Active Directory object modification tool |
| 132 | + "dsrm.exe", # Active Directory object deletion tool |
| 133 | + "gpupdate.exe", # Group policy update tool |
| 134 | + "gpresult.exe", # Group policy result viewer |
| 135 | + "logoff.exe", # Logs off a user session |
| 136 | + "shutdown.exe", # Shutdown or reboot system |
| 137 | + "takeown.exe", # Take ownership of files |
| 138 | + "icacls.exe", # Modify file ACL permissions |
| 139 | + "attrib.exe", # Change file attributes |
| 140 | + "timeout.exe", # Command line delay utility |
| 141 | + "choice.exe", # Command-line prompt selection tool |
| 142 | + "where.exe", # Locate executable paths |
| 143 | + "hostname.exe", # Display system hostname |
115 | 144 | ], |
116 | 145 | "ParentImage": [ |
117 | 146 | "explorer.exe", |
|
263 | 292 | "31337", |
264 | 293 | ], |
265 | 294 | "DestinationIp": [ |
266 | | - "127.0.0.1", |
267 | | - "0.0.0.0", |
268 | | - "8.8.8.8", |
269 | | - "1.1.1.1", |
| 295 | + "127.0.0.1", # localhost |
| 296 | + "0.0.0.0", # wildcard address |
| 297 | + "8.8.8.8", # Google DNS |
| 298 | + "1.1.1.1", # Cloudflare DNS |
| 299 | + |
| 300 | + "8.8.4.4", # Google secondary DNS |
| 301 | + "9.9.9.9", # Quad9 DNS |
| 302 | + "149.112.112.112", # Quad9 secondary DNS |
| 303 | + "208.67.222.222", # OpenDNS |
| 304 | + "208.67.220.220", # OpenDNS secondary |
| 305 | + "4.2.2.2", # Level3 DNS |
| 306 | + "4.2.2.1", # Level3 DNS |
| 307 | + "4.2.2.3", # Level3 DNS |
| 308 | + "4.2.2.4", # Level3 DNS |
| 309 | + "4.2.2.5", # Level3 DNS |
| 310 | + "4.2.2.6", # Level3 DNS |
| 311 | + "64.6.64.6", # Verisign DNS |
| 312 | + "64.6.65.6", # Verisign secondary DNS |
| 313 | + "94.140.14.14", # AdGuard DNS |
| 314 | + "94.140.15.15", # AdGuard secondary DNS |
| 315 | + "76.76.19.19", # ControlD DNS |
| 316 | + "76.223.122.150", # ControlD secondary DNS |
| 317 | + "185.228.168.9", # CleanBrowsing DNS |
| 318 | + "185.228.169.9", # CleanBrowsing secondary |
| 319 | + "198.101.242.72", # Dyn DNS |
| 320 | + "156.154.70.1", # Neustar DNS |
| 321 | + "156.154.71.1", # Neustar secondary |
| 322 | + "192.168.1.1", # common home router |
| 323 | + "192.168.0.1", # common home router |
| 324 | + "10.0.0.1", # internal gateway |
| 325 | + "172.16.0.1", # internal gateway |
| 326 | + "169.254.169.254", # cloud metadata service (AWS/Azure/GCP) |
270 | 327 | ], |
271 | 328 | "DestinationHostname": [ |
272 | 329 | ".windowsupdate.microsoft.com", |
|
316 | 373 | "vbscript.dll", |
317 | 374 | ], |
318 | 375 | "TargetFilename": [ |
319 | | - ".exe", |
320 | | - ".dll", |
321 | | - ".ps1", |
322 | | - ".vbs", |
323 | | - ".js", |
324 | | - ".hta", |
325 | | - ".bat", |
326 | | - ".cmd", |
327 | | - ".scr", |
328 | | - ".zip", |
329 | | - ".rar", |
330 | | - ".wll", |
331 | | - ".xll", |
332 | | - "C:\\Windows\\AppPatch\\Custom", |
333 | | - "C:\\Windows\\AppPatch\\Custom\\Custom64", |
334 | | - "Zone.Identifier", |
| 376 | + ".exe", # executable file |
| 377 | + ".dll", # dynamic library |
| 378 | + ".ps1", # PowerShell script |
| 379 | + ".vbs", # VBScript |
| 380 | + ".js", # JavaScript |
| 381 | + ".hta", # HTML application |
| 382 | + ".bat", # batch script |
| 383 | + ".cmd", # command script |
| 384 | + ".scr", # screensaver executable |
| 385 | + ".zip", # compressed archive |
| 386 | + ".rar", # compressed archive |
| 387 | + ".wll", # Word add-in |
| 388 | + ".xll", # Excel add-in |
| 389 | + "C:\\Windows\\AppPatch\\Custom", # Application Compatibility persistence location |
| 390 | + "C:\\Windows\\AppPatch\\Custom\\Custom64", # 64-bit AppPatch persistence path |
| 391 | + "Zone.Identifier", # Mark-of-the-Web ADS |
| 392 | + ".7z", # compressed archive |
| 393 | + ".iso", # disk image often used for malware delivery |
| 394 | + ".img", # disk image |
| 395 | + ".cab", # cabinet archive |
| 396 | + ".msi", # Windows installer package |
| 397 | + ".lnk", # Windows shortcut (frequently abused for execution) |
| 398 | + ".pif", # legacy program information file |
| 399 | + ".application", # ClickOnce deployment file |
| 400 | + ".jar", # Java archive |
| 401 | + ".class", # Java bytecode file |
| 402 | + ".sys", # driver file |
| 403 | + ".dat", # generic data file often used for payload storage |
| 404 | + ".tmp", # temporary file used in staging payloads |
| 405 | + ".config", # .NET configuration files |
| 406 | + ".manifest", # application manifest |
| 407 | + ".psm1", # PowerShell module |
| 408 | + ".psd1", # PowerShell module manifest |
| 409 | + ".chm", # compiled help file used for code execution |
| 410 | + ".ocx", # COM control |
| 411 | + ".drv", # driver file |
| 412 | + ".cpl", # Control Panel item |
| 413 | + ".msc", # Microsoft Management Console snap-in |
| 414 | + "C:\\Users\\Public", # common attacker staging directory |
| 415 | + "C:\\ProgramData", # hidden system-wide writable location |
| 416 | + "C:\\Windows\\Temp", # system temp directory |
| 417 | + "%TEMP%", # user temp directory |
335 | 418 | ], |
336 | 419 | "TargetObject": [ |
337 | 420 | "Run", |
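Review bot: The new `"%TEMP%"` entry in `TargetFilename` will never match: Sysmon writes the resolved path into TargetFilename, so the environment-variable form does not occur in event data; use the expanded per-user suffix instead, `"\\AppData\\Local\\Temp",  # per-user temp directory (Sysmon logs resolved paths, never %TEMP%)`. The same `Image` hunk removes the duplicate `svchost.exe` but keeps `ProcDump.exe` next to the context line `procdump.exe`; if the consumer matches case-insensitively one of them is dead weight, and if it is case-sensitive the remaining mixed-case entries (`PktMon.exe`, `PsExec.exe`) are presumably deliberate and deserve a comment saying so. The added `.tmp`, `.dat`, `.config` and `.manifest` suffixes will match a very large share of benign file-create events, so their comments would serve readers better by flagging the volume, e.g. `# high-volume: pair with a path or parent-process filter`. The `SYS_MON_VALUE_PRESETS` dict continues past the last hunk.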
|