process_name:explorer.exe AND netconn_count:[500 TO *]
process_name:explorer.exe (modload:"c:\windows\syswow64\taskschd.dll")
-digsig_result_filemod:Signed process_name:rundll32.exe
process_name:cacls.exe cmdline:\startup\
-digsig_result_parent:Signed process_name:svchost.exe
c:\windows\system32\wbem\
filemod:"wbem\loadperf.dll" OR filemod:"wbem\bcrypt.dll"
process_name:svchost.exe cmdline:RemoteRegistry
process_name:explorer.exe filemod:temp1_*.zip filemod:request*.doc
process_name:winword.exe cmdline:request*.doc\"
process_name:explorer.exe filemod:temp1_*.zip filemod:request*.doc
process_name:mode.com
digsig_result_parent:Unsigned process_name:raserver.exe
process_name:regsvr32.exe (modload:scrobj.dll) AND childproc_name:powershell.exe
parent_name:powershell.exe AND process_name:nslookup.exe AND netconn_count:[1 TO *]
process_name:java.exe cmdline:-classpath parent_name:javaw.exe (childproc_name:java.exe or childproc_name:conhost.exe)
process_name:java.exe cmdline:-classpath parent_name:javaw.exe (childproc_name:java.exe or childproc_name:conhost.exe) filemod:appdata\local\temp\*.class
regmod:"mscfile\shell\open\command"
parent_name:powershell.exe process_name:eventvwr.exe
process_name:rundll32.exe cmdline:Shell32.dll* cmdline:SHCreateLocalServerRunDll cmdline:{c08afd90-f2a1-11d1-8455-00a0c91f3880}
process_name:browser_broker.exe digsig_result_child:Unsigned
parent_name:userinit.exe digsig_result_process:Unsigned
parent_name:powershell.exe process_name:csc.exe
parent_name:powershell.exe process_name:nslookup.exe
(process_name:excel.exe OR process_name:winword.exe OR process_name:outlook.exe) childproc_name:csc.exe
(process_name:excel.exe OR process_name:winword.exe OR process_name:outlook.exe) filemod:.cs
https://github.com/clr2of8/DPAT
process_name:ntdsutil.exe
process_name:dcdiag.exe
process_name:repadmin.exe
process_name:netdom.exe
company_name:"http://www.joeware.net"
parent_name:wininit.exe process_name:spoolsv.exe
process_name:sc.exe cmdline:Snmpstorsrv
process_name:svchost.exe digsig_result_modload:unsigned
filemod:"url exploitables.xml"
filemod:"url list.txt"
process_name:"sqli dumper.exe"
process_name:"advanced mass sender.exe"
process_name:"turbomailer.exe"
modload:"appvirtdll64_advanced mass sender.dll"
process_name:storm.exe
(modload:"c:\windows\syswow64\ntmarta.dll") process_name:svchost.exe
(modload:"c:\windows\system32\wshtcpip.dll") digsig_result:Unsigned (modload:"c:\windows\system32\wship6.dll")
(modload:"c:\windows\syswow64\iertutil.dll" modload:"c:\windows\syswow64\ntmarta.dll") process_name:rundll32.exe
(modload:"c:\windows\syswow64\iertutil.dll" modload:"c:\windows\syswow64\ntmarta.dll") process_name:rundll32.exe AND netconn_count:[1 TO * ]
digsig_result_parent:Unsigned (process_name:svchost.exe -username:SYSTEM -username:"NETWORK SERVICE" -username:"LOCAL SERVICE" -cmdline:"UnistackSvcGroup")
digsig_result_parent:Unsigned process_name:svchost.exe
parent_name:rundll32.exe process_name:svchost.exe
(regmod:"\registry\user\.default\software\microsoft\windows\currentversion\internet settings\proxyenable") digsig_result:Unsigned AND path:c:\windows\syswow64\*
process_name:procdump.exe cmdline:-accepteula
process_name:procdump.exe cmdline:lsass.exe
digsig_result_parent:Unsigned process_name:explorer.exe
process_name:schtasks.exe cmdline:/c
process_name:schtasks.exe cmdline:"cscript.exe"
process_name:schtasks.exe cmdline:"wscript.exe"
process_name:schtasks.exe cmdline:"powershell.exe"
crossproc_type:"remotethread" AND -process_name:wmiprvse.exe -process_name:svchost.exe -process_name:csrss.exe
process_name:klist.exe
parent_name:browser_broker.exe process_name:mshta.exe
parent_name:browser_broker.exe process_name:rundll32.exe
process_name:dfsvc.exe digsig_result_child:"Unsigned" OR digsig_result_child:"Untrusted Root"
process_name:rundll32.exe childproc_name:dfsvc.exe
is_executable_image_filewrite:True -path:google\chrome\* and -path:google\update\* -digsig_result_filewrite:Signed filemod:local\settings\* filemod:appdata\local\temp\*
process_name:lsass.exe digsig_result_filewrite:"Unsigned"
process_name:lsass.exe AND digsig_result_modload:"Unsigned"
filemod:Content.Outlook\* and is_executable_image_filewrite:True
filemod:Content.Outlook\* and -digsig_result_filewrite:Signed
process_name:winlogon.exe AND netconn_count:[1 TO *]
filemod: “Start Menu\Programs\Startup”
regmod:CurrentVersion\Run*
filemod:windows\system32\* digsig_result:unsigned digsig_result_filewrite:"Unsigned"
regmod:services\national* digsig_result:unsigned
regmod:services\svchostc* digsig_result:unsigned
path:windows\system32\* digsig_result:unsigned parent_name:services.exe childproc_count:1
(regmod:"\registry\user\s-1-5-21-348440682-330175067-1304115618-242891\software\microsoft\office\14.0\excel\security\accessvbom")
(process_name:cmd.exe OR process_name:powershell.exe OR process_name:wmic.exe OR process_name:msbuild.exe OR process_name:mshta.exe OR process_name:wscript.exe OR process_name:cscript.exe OR process_name:installutil.exe OR process_name:rundll32.exe OR process_name:regsvr32.exe OR process_name:msxsl.exe OR process_name:regasm.exe OR process_name:regsvcs.exe) (domain:pastebin.com OR domain:dl.dropboxusercontent.com OR domain:githubusercontent.com)
digsig_result_child:"Unsigned" ((parent_name:chrome.exe OR parent_name:firefox.exe OR parent_name:iexplore.exe OR parent_name:microsoftedge.exe OR parent_name:outlook.exe) is_executable_image_filewrite:"true")
digsig_result_process:"Unsigned" ((parent_name:chrome.exe OR parent_name:firefox.exe OR parent_name:iexplore.exe OR parent_name:microsoftedge.exe OR parent_name:outlook.exe) is_executable_image_filewrite:"true")
regmod:"keyboard layout\2"
(regmod:"\registry\machine\software\microsoft\windows nt\currentversion\image file execution options\cmd.exe\verifierdlls")
process_name:mshta.exe modload:mscoree.dll
(modload:mscoree.dll AND modload:system.management.automation.dll) -process_name:powershell_ise.exe -process_name:sdiagnhost.exe -process_name:mscorsvw.exe -process_name:powershell.exe -process_name:searchfilterhost.exe
process_name:netsh.exe cmdline:appdata/
(modload:mscoree.dll AND modload:system.management.automation.dll AND modload:mscorlib*) -process_name:powershell_ise.exe -process_name:sdiagnhost.exe -process_name:mscorsvw.exe -process_name:powershell.exe -process_name:searchfilterhost.exe
(cmdline:/user: OR cmdline:/pwd: OR cmdline:/username: OR cmdline:/password:)
process_name:notepad.exe (modload:vaultcli.dll AND modload:samlib.dll)
parent_name:explorer.exe process_name:lsass.exe
process_name:netsh.exe cmdline:ProgramData/
process_name:csc.exe netconn_count:[1 TO *]
path:programdata\* -path:programdata\*\* -process_name:chgservice.exe -process_name:userprofilemigrationservice.exe -process_name:mm.exe -process_name:mmimage.exe
process_name:rundll32.exe domain:.ru AND netconn_count:[1 TO *]
(process_name:powershell.exe OR internal_name:powershell) (modload:samlib.dll OR modload:vaultcli.dll)
parent_name:spoolsv.exe (process_name:cmd.exe OR process_name:powershell.exe)
digsig_result:Unsigned ipport:443 modload:winsta.dll path:appdata/local/temp/*
ipport:445 AND netconn_count:[150 TO *] AND -process_name:ntoskrnl.exe AND process_name:*
cmdline:--ExcludeDC OR cmdline:LoggedOn OR cmdline:ObjectProps OR cmdline:GPOLocalGroup OR product_name:"SharpHound"
filemod:sessions.csv OR filemod:acls.csv OR filemod:group_membership.csv OR filemod:local_admins.csv OR filemod:computer_props.csv OR filemod:user_props.csv
filemod:\pipe\samr AND filemod:\pipe\lsarpc AND filemod:pipe\srvsvc
netconn_count:[100 TO *] AND ipport:445 AND (filemod:lsarpc OR filemod:samr OR filemod:srvsvc)
(process_name:wmic.exe OR internal_name:wmic.exe) (cmdline:format:\ AND cmdline:os)
(process_name:wmic.exe OR internal_name:wmic.exe) (cmdline:format:\ AND cmdline:os) AND netconn_count:[1 TO *]
(process_name:wmic.exe OR internal_name:wmic.exe) netconn_count:[1 TO *]
process_name:wmic.exe (modload:jscript.dll OR modload:vbscript.dll)
process_name:powershell.exe (filemod:c:\windows\temp\*)
process_name:powershell.exe ipport:445
process_name:powershell.exe AND netconn_count:[2 TO *] ipport:445
process_name:powershell.exe AND netconn_count:[2 TO *] (ipport:445 OR ipport:80 OR ipport:443 OR ipport:137 OR ipport:138 OR ipport:135 OR ipport:22)
(process_name:powershell.exe or process_name:powershell_ise.exe) AND netconn_count:[2 TO *] (ipport:445 OR ipport:80 OR ipport:443 OR ipport:137 OR ipport:138 OR ipport:135 OR ipport:22)
parent_name:explorer.exe process_name:mshta.exe (modload:jscript.dll OR modload:vbscript.dll) netconn_count:[1 TO *]
process_name:mshta.exe (modload:jscript.dll OR modload:vbscript.dll) netconn_count:[1 TO *]
process_name:php.exe childproc_name:cmd.exe
parent_name:php.exe process_name:cmd.exe
parent_name:php.exe process_name:cmd.exe digsig_result_child:"Unsigned"
(filemod:wwwroot\* or filemod:htdocs\*) and (filemod:.aspx or filemod:.jsp or filemod:.cfm or filemod:.asp or filemod:.php) AND host_type:"server"
parent_name:outlook.exe (process_name:iexplore.exe OR process_name:chrome.exe OR process_name:microsoftedge.exe OR process_name:firefox.exe)
domain:.ru -process_name:iexplore.exe OR -process_name:chrome.exe OR -process_name:microsoftedge.exe OR -process_name:microsoftedgecp.exe OR -process_name:firefox.exe OR -process_name:opera.exe digsig_result:Unsigned
process_name:svchost.exe AND cmdline:"-k netsvcs -p -s gpsvc" AND domain:* AND -(ipaddr:172.20.1.200 OR ipaddr:10.100.12.4 OR ipaddr:172.20.0.117 OR ipaddr:10.100.86.75 OR ipaddr:10.254.1.120 OR ipaddr:10.254.1.69 OR ipaddr:10.254.1.121)
process_name:svchost.exe AND cmdline:"-k netsvcs -p -s gpsvc" AND domain:* AND -host_type:"domain_controller"
digsig_result:"Unsigned" company_name:"Zhuhai Kingsoft Office Software Co.,Ltd"
parent_name:lsass.exe process_name:cmd.exe childproc_name:reg.exe
parent_name:lsass.exe process_name:cmd.exe childproc_name:schtasks.exe
process_name:net1.exe cmdline:"net1 user IISUSER_ACCOUNTXX /del"
process_name:lsass.exe digsig_result_filewrite:"Unsigned"
company_name:"TODO: <公司名>"
parent_name:conhost.exe digsig_result_parent:"Unsigned"
https://github.com/fireice-uk/xmr-stak
filemod:xmrstak_opencl_backend.dll
filemod:xmrstak_cuda_backend.dll
observed_filename:c:\windows\debug\
observed_filename:c:\windows\inf\
observed_filename:c:\windows\web\