
# Tanium Hunting Questions

The second parameter of every `Trace ...` question below is a hard-coded `start|end` window in epoch milliseconds (each pair is roughly one hour apart, from early March 2017 when these were written); refresh it before re-running, or the questions return nothing.

## Initial Infection

New Scripts in Webroot Paths (new files with a web-script extension created under a `wwwroot` path, the usual footprint of a dropped web shell; note this regex carries no `(?i)` flag, unlike the others, so under case-sensitive matching an upper-case `WWWROOT` or `.ASPX` is missed)  

```
Get "Trace File Operations[unlimited, 1488479715768|1488483314768, 1, 0, 0, 10, .*\\wwwroot\\.*\.(asp|aspx|cfm|jsp|php), CreateNewFile, , , ]" from all machines
```

Command Shell Spawned by Unusual Parent (`cmd.exe` whose parent path contains an Office, Adobe, Java, browser, `svchost` or `w3wp` string)  

```
Get "Trace Executed Processes[unlimited, 1488479676718|1488483275718, 1, 0, 10, 0, (?i).*cmd\.exe, (?i).*(office|adobe|java|iexplore|firefox|chrome|svchost|w3wp).*, , , , ]" from all machines
```

## Persistence 

Registry Run Key Changes (`SetValueKey` operations on a `CurrentVersion\Run` key)

```
Get "Trace Registry Keys or Values[unlimited, 1488479754121|1488483353121, 1, 0, 10, 0, (?i).*\\CurrentVersion\\Run, , SetValueKey, , , ]" from all machines
```

Autoruns in User Directories without Publisher Data (a plain substring match on the sensor's pipe-delimited output: two empty fields immediately followed by a path under `c:\users`)

```
Get AutoRun Program Details containing ":|:|c:\users" from all machines
```


## Lateral Movement

Domain Reconnaissance with Net.exe (`net localgroup administrators`, `net group "domain admins"`, `net view /domain`)  

```
Get "Trace Executed Processes[unlimited, 1488479819205|1488483418205, 1, 0, 10, 0, (?i).*\\net\.exe, , (?i).*(localgroup administrators|group "domain admins"|view /domain).*, , , ]" from all machines
```

Mount Remote Root Share (`net use` against a remote `ADMIN$` or `C$` share)  

```
Get "Trace Executed Processes[unlimited, 1488479895047|1488483494047, 1, 0, 10, 0, (?i).*\\net\.exe, , (?i).*use.*\\\\.*\\(ADMIN|C)\$.*, , , ]" from all machines
```

## Office Attacks

Suspicious processes launched by Office (executables running from an `AppData` path whose parent is `winword`, `excel` or `outlook`)  

```
Get "Trace Executed Processes[unlimited, 1488480102075|1488483701075, 1, 0, 10, 0, (?i).*\\AppData\\.*, (?i).*(winword|excel|outlook)\.exe, , , , ]" from all machines
```

Decoding malware payload with Certutil (`certutil -decode` in the command line of a process whose direct parent is Word, Excel or PowerPoint)  

```
Get "Trace Executed Processes[unlimited, 1488480143929|1488483742929, 1, 0, 10, 0, , (?i).*(winword|excel|powerpnt).*, (?i).*certutil.*-decode.*, , , ]" from all machines
```

Process Trees (everything spawned beneath Word, Outlook or Excel: `As Parent`)  

```
Get "Trace Executed Process Trees[(winword.exe|outlook.exe|excel.exe), 1, 0, 0, As Parent, 10000]" from all machines
```

## PowerShell Attacks
 
Process Trees (the parent chain above every `powershell.exe`: `As Child`)  

```
Get "Trace Executed Process Trees[powershell.exe, 0, 0, 0, As Child, 10000]" from all machines
```

Suspicious Command Lines (`powershell.exe` command lines containing encoded-command, download, `IEX` or base64/deflate keywords)  

```
Get "Trace Executed Processes[unlimited, 1488479986508|1488483585508, 1, 0, 10, 0, (?i).*powershell\.exe$, , (?i).*(-enc|-encodedcommand|iex|webclient|invoke-expression|new-object|downloadfile|downloadstring|frombase64string|deflatestream|createobject|uploadfile).*, , , ]" from all machines
```
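The process-execution hunts on this page (the `cmd.exe` unusual-parent hunt under Initial Infection, and the Lateral Movement, Office and PowerShell hunts) encoded as process/parent/command-line regex triples and run over constructed Trace-style process events, together with the two process-tree walks. This is an added example, not code from the page or from Tanium; the event layout, the `HUNTS` names and the assumption that Tanium applies each regex to the whole field (`re.fullmatch`) are this example's own. The regexes themselves are copied from the questions above.

```python
import re
from collections import defaultdict

# Added example (not from the page, not Tanium code). Each hunt is the
# (process path, parent path, command line) regex triple read off the
# question above it; "" means the question left that parameter empty.
# Whole-field matching (re.fullmatch) is assumed to be Tanium's semantics.
HUNTS = {
    "cmd_unusual_parent": (r"(?i).*cmd\.exe",
                           r"(?i).*(office|adobe|java|iexplore|firefox|chrome|svchost|w3wp).*", ""),
    "net_domain_recon":   (r"(?i).*\\net\.exe", "",
                           r'(?i).*(localgroup administrators|group "domain admins"|view /domain).*'),
    "net_admin_share":    (r"(?i).*\\net\.exe", "", r"(?i).*use.*\\\\.*\\(ADMIN|C)\$.*"),
    "office_to_appdata":  (r"(?i).*\\AppData\\.*", r"(?i).*(winword|excel|outlook)\.exe", ""),
    "certutil_decode":    ("", r"(?i).*(winword|excel|powerpnt).*", r"(?i).*certutil.*-decode.*"),
    "powershell_cmdline": (r"(?i).*powershell\.exe$", "",
                           r"(?i).*(-enc|-encodedcommand|iex|webclient|invoke-expression|new-object|"
                           r"downloadfile|downloadstring|frombase64string|deflatestream|createobject|uploadfile).*"),
}

# Constructed sample process events: (pid, ppid, image path, command line).
# The -enc blob is a made-up placeholder, not a real payload.
EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", '"WINWORD.EXE" /n invoice.docm'),
    (201, 200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c certutil -decode %TEMP%\p.txt %TEMP%\p.exe"),
    (202, 201, r"C:\Windows\System32\certutil.exe", r"certutil -decode C:\Users\bob\AppData\Local\Temp\p.txt C:\Users\bob\AppData\Local\Temp\p.exe"),
    (203, 200, r"C:\Users\bob\AppData\Roaming\upd.exe", "upd.exe"),
    (204, 203, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"),
    (205, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (206, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    (300, 100, r"C:\Windows\System32\net.exe", 'net group "domain admins" /domain'),
    (301, 100, r"C:\Windows\System32\net.exe", r"net use \\fileserver01\ADMIN$ /user:corp\bob"),
    (302, 100, r"C:\Windows\System32\net.exe", r"net use Z: \\fileserver01\public"),
]


def _m(pattern, value):
    """Empty pattern = parameter left blank in the question = match anything."""
    return pattern == "" or re.fullmatch(pattern, value) is not None


def run_hunts(events=EVENTS):
    """Return {hunt name: [pids that match]} for every hunt in HUNTS."""
    path_of = {pid: path for pid, _, path, _ in events}
    hits = defaultdict(list)
    for pid, ppid, path, cmdline in events:
        parent = path_of.get(ppid, "")          # unknown parent -> no parent regex can match
        for name, (proc_re, parent_re, cmd_re) in HUNTS.items():
            if _m(proc_re, path) and _m(parent_re, parent) and _m(cmd_re, cmdline):
                hits[name].append(pid)
    return dict(hits)


def descendants(pid, events=EVENTS):
    """'As Parent' view: every process beneath pid, depth-first, in spawn order."""
    children = defaultdict(list)
    for child, ppid, _, _ in events:
        children[ppid].append(child)
    out, stack = [], list(reversed(children[pid]))
    while stack:
        cur = stack.pop()
        out.append(cur)
        stack.extend(reversed(children[cur]))
    return out


def ancestors(pid, events=EVENTS):
    """'As Child' view: the parent chain above pid, nearest parent first."""
    parent_of = {p: pp for p, pp, _, _ in events}
    out = []
    while pid in parent_of and parent_of[pid] in parent_of:
        pid = parent_of[pid]
        out.append(pid)
    return out


if __name__ == "__main__":
    for name, pids in run_hunts().items():
        print(name, pids)
    print("under WINWORD:", descendants(200))
    print("above powershell:", ancestors(204))
```

Two points the sample tree shows: the certutil hunt tests the direct parent only, so when Word runs `cmd.exe /c certutil -decode ...` the hit is the `cmd.exe` (pid 201) and the `certutil.exe` child (pid 202) itself never matches; the `As Parent` tree walk from the Office process is what recovers the whole chain. Also, keywords such as `iex` and `-enc` are unanchored substrings, so expect to tune the PowerShell list against your own baseline.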
