Maps the Mitre Att&ck framework process executions into artifacts.
NOTE: This artifact uses the process tracker. If you also enable the Windows.Events.TrackProcesses or Windows.Events.TrackProcessesBasic artifacts, this will be able to retrieve information about exited processes.
name: Windows.Attack.ParentProcess
description: |
Maps the Mitre Att&ck framework process executions into artifacts.
NOTE: This artifact uses the process tracker. If you also enable the
Windows.Events.TrackProcesses or Windows.Events.TrackProcessesBasic
artifacts, this will be able to retrieve information about exited
processes.
reference:
- https://www.sans.org/security-resources/posters/hunt-evil/165/download
- https://github.com/teoseller/osquery-attck/blob/master/windows-incorrect_parent_process.conf
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: lookupTable
type: csv
description: |
A table mapping a process name to its expected parents. Both
columns are regular expressions. The ProcessName must appear
only once - you can specify multiple possible parents using
regular expressions patterns.
default: |
ProcessName,ParentRegex
smss.exe,System
runtimebroker.exe,svchost.exe
taskhostw.exe,svchost.exe
services.exe,wininit.exe
lsass.exe,wininit.exe
svchost.exe,services.exe
cmd.exe,explorer.exe
powershell.exe,explorer.exe
iexplore.exe,explorer.exe
firefox.exe,(firefox|explorer).exe
chrome.exe,(chrome|explorer).exe
sources:
- query: |
SELECT * FROM foreach(row=lookupTable,
query={
SELECT Name AS ActualProcessName,
process_tracker_get(id=Ppid).Data.Name AS ActualParentName,
Pid, Ppid,
CommandLine,
StartTime,
EndTime,
Exe,
ParentRegex as ExpectedParentName,
Username,
join(array=process_tracker_callchain(id=Pid).Data.Name,
sep=" -> ") AS CallChain
FROM process_tracker_pslist()
WHERE ActualProcessName =~ ProcessName
AND ActualParentName
AND NOT ActualParentName =~ ParentRegex
})