.*reg(\\.exe)?\\s.+(?=(.{4})*$)[A-Za-z0-9+/]*={1,2}.+
.*reg(\\.exe)?\\\"?\\s+(add|delete|copy|restore|import)\\s+.*
.*cmd(\\.exe\\\"?)?.*\\.bat\\b.*
.*rundll32.*davclnt.dll.*http\\:\\/\\/.*template.dotm.*
.*wmic(\\.exe\\\"?)?.*\\s+(group|win32_group).*
.*(gwmi|get-wmiobject).*\\s+(win32_group).*
.*wmic(\\.exe\\\"?)?.*\\s+/node.*
.*wmic(\\.exe\\\"?)?.*\\s+(process).*
.*(gwmi|get-wmiobject).*\\s+(win32_process).*
.*wmic(\\.exe\\\"?)?.*\\s+(share|win32_share).*
.*(gwmi|get-wmiobject).*\\s+(win32_share).*
.*wmic(\\.exe\\\"?)?.*\\s+(win32_pnpentity|bios|win32_bios|computersystem|win32_computersystem).*
.*(gwmi|get-wmiobject).*\\s+(win32_pnpentity|win32_bios|win32_computersystem).*
.*(wmic|get-wmiobject).*
.*\\/wsman\\?.*
.*reg(\\.exe)?\\\"?\\s+(save|query|export)\\s+(hkey_local_machine|hklm)\\\\(sam|security)(\\\\|\\s+|$).*
procdump(64)?(\\.exe)?\\\"?\\s+(.*\\s+)?\\-ma(\\s+.*)?\\s+lsass\\.exe\\s+.*\\.dmp
.*\\s\\/(create|change|run)\\s.*
.*svchost\\.exe.*-k\\s+netsvcs.*schedule.*
.*(controlrundllasuser|control_rundll).*\\s+.*\\.cpl
reg(\\.exe)?\\\"?\\s+query\\s+(.*\\s+)?/f\\s+password.*
.*reg(\\.exe)?\\\"?\\s+(save|export)\\s+.*
.*regedit(\\.exe)?\\\"?.*\\s+(\\/a|\\/e)\\s+.*
net1?(\\.exe)?\\\"?\\s+start\\s+termservice
.*regsvr32(\\.exe)?\\s+(\\/s|\\/n|\\/u)?\\s.*/i:https?:\\/\\/.*
.*\\s+(remove-item|rm)\\s+.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*\\s+(remove-item|rm)\\s+.*
.*delete\\s+shadows.*
.*shadowcopy\\s+delete.*
.*/set\\s+.*\\s+bootstatuspolicy\\s+ignoreallfailures.*
.*/set\\s+.*\\s+recoveryenabled\\s+no.*
.*delete\\s+catalog.*
fsutil.*usn\\s+deletejournal\\s+.*
cmd(\\.exe)?\\\"?\\s+\\/c\\s+ver(\\.\\w*)?
cmd(\\.exe)?\\\"?\\s+ver(\\.\\w*)?
cmd(\\.exe)?\\\"?\\s+\\/c\\s+ver(\\.\\w*)?\\s+.*
cmd(\\.exe)?\\\"?\\s+ver(\\.\\w*)?\\s+.*
.*get-process.*
net1?(\\.exe)?\\\"?\\s+view.*
net1?(\\.exe)?\\\"?(?!.*\\s\\/(g(r(a(n(t)?)?)?)?|us(e(r(s)?)?)?|un(l(i(m(i(t(e(d)?)?)?)?)?)?)?|r(e(m(a(r(k)?)?)?)?)?|c(a(c(h(e)?)?)?)?|d(e(l(e(t(e)?)?)?)?)?))(?=.*\\sshare)
net1?(\\.exe)?\\\"?(?!.*\\s\\/(add?|d(e(l(e(t(e)?)?)?)?)?|ac(t(i(v(e)?)?)?)?|ex(p(i(r(e(s)?)?)?)?)?|h(o(m(e(d(i(r)?)?)?)?)?)?|password(c(h(g)?)?|r(e(q)?)?)|(pr(o(f(i(l(e)?)?)?)?)?|sc(r(i(p(t)?)?)?)?)(p(a(t(h)?)?)?)?|t(i(m(e(s)?)?)?)?|w(o(r(k(s(t(a(t(i(o(n(s)?)?)?)?)?)?)?)?)?)?)?))(?=.*\\suser\\b)
net1?(\\.exe)?\\\"?(?!.*\\s\\/(a(d(d)?)?|d(e(l(e(t(e)?)?)?)?)?))(?=.*\\s(local)?group)
.*get-localgroup.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*get-localgroup.*
.*get-localuser.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*get-localuser.*
cmd(\\.exe)?\\\"?\\s+/c\\s+set$
cmd(\\.exe)?\\\"?\\s+set$
reg(\\.exe)?\\\"?\\s+(query|export)\\s+.*\\\\system\\\\currentcontrolset\\\\services\\\\disk\\\\enum
cmd(\\.exe\\\"?)?.*\\s+dir$
cmd(\\.exe\\\"?)?.*\\s+dir\\s+.*
cmd(\\.exe\\\"?)?.*\\s+/c\\s+dir$
cmd(\\.exe\\\"?)?.*\\s+/c\\s+dir\\s+.*
powershell(\\.exe\\\"?)?.*\\s+(get-childitem|gci|childitem|get-item|gi|ls)
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
powershell(\\.exe\\\"?)?.*\\s+(get-childitem|gci|childitem|get-item|gi|ls)
.*forfiles(?:\\.exe)?.*\\/c.*\\.lnk.*
.*forfiles(?:\\.exe)?.+\\/c.+(?:\\^[\\w\\d]){1,}.*
netsh(\\.exe)?\\\"?\\s+(adv)?firewall(?=.*\\sshow)
netsh(\\.exe)?\\\"?\\s+(adv)?firewall(?=.*\\s(add|delete|set))
net1?(\\.exe)?\\\"?\\s+(config|statistics).*
.*get-netipconfiguration.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*get-netipconfiguration.*
.*(get-adprincipalgroupmembership|get-adgroup|get-aduser).*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*(get-adprincipalgroupmembership|get-adgroup|get-aduser).*
.*get-smbshare.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*get-smbshare.*
net1?(\\.exe)?\\\"?(?!.*\\s\\/(f(o(r(c(e(l(o(g(o(f(f)?)?)?)?)?)?)?)?)?)?|minpw(l(e(n)?)?|a(g(e)?)?)|ma(x(p(w(a(g(e)?)?)?)?)?)?|u(n(i(q(u(e(p(w)?)?)?)?)?)?)?))(?=.*\\saccounts)
query(\\.exe)?\\\"?\\s+user.*
reg(\\.exe)?\\\"?\\s+query\\s+.*\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\policies\\\\credui\\\\enumerateadministrators
cmd(\\.exe)?\\\"?\\s+dir\\s+.:\\\\users
cmd(\\.exe)?\\\"?\\s+/c\\s+dir\\s+.:\\\\users
.*get-processtokengroup.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*get-processtokengroup.*
.*(get-childitem|gci|ls|dir)\\s+.:\\\\users
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*(get-childitem|gci|ls|dir)\\s+.:\\\\users
.*(get-wmiobject|gwmi)\\s+.*win32_useraccount.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*(get-wmiobject|gwmi)\\s+.*win32_useraccount.*
.*get-aduser.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*get-aduser.*
wmic(\\.exe)?\\\"?\\s+(useraccount|computersystem).*
.*(gwmi|get-wmiobject).*\\s+(win32_loggedonuser|win32_computersystem).*
net1?(\\.exe)?\\\"?\\s+use(?!r)(?!.*\\s(\\\\|\\/(u(s(e(r)?)?)?|savecred|smartcard|d(e(l(e(t(e)?)?)?)?)?|p(e(r(s(i(s(t(e(n(t)?)?)?)?)?)?)?)?)?|h(o(m(e)?)?)?)))
net1?(\\.exe)?\\\"?(?!.*\\s\\/d(e(l(e(t(e)?)?)?)?)?)(?=.*\\ssession)
net1?(\\.exe)?\\\"?(?!.*\\s\\/c(l(o(s(e)?)?)?)?)(?=.*\\sfile)
.*get-nettcpconnection.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*get-nettcpconnection.*
\\w:\\s+[\\w\\d-+\\.]{2,}:\\/\\/.+
net1?(\\.exe)?\\\"?\\s+use(?!r)(?=.*\\s\\/u(s(e(r)?)?)?)
net1?(\\.exe)?\\\"?\\s+use(?!r)(?=.*\\s\\/u(s(e(r)?)?)?)
runas(\\.exe)?\\\"?(?=.*\\s\\/u(s(e(r)?)?)?)
(7z(\\.exe)?|rar(\\.exe)?)\\\"?((\"[^\"]*\")|[^\"])*\\s(\\-p|\\-hp)\\w*((\"[^\"]*\")|[^\"])*
.r[0-9][0-9]$
.z[0-9][0-9]$
.zip.[0-9][0-9][0-9]$
.r[0-9][0-9]$
.z[0-9][0-9]$
.zip.[0-9][0-9][0-9]$
wevtutil(\\.exe)?\\\"?\\s+cl\\s+.*
.*(clear|remove)-eventlog.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*(clear|remove)-eventlog.*
sc(\\.exe)?\\\"?\\s+(.*\\s+)?create\\s+.*\\s+binpath=.*
installutil(\\.exe)?\\\"?\\s+(?!.*\\/u).*
.*(new-service).*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*(new-service).*
(.*\\.dll\\\"?|.*\\.exe\\\"?|.*\\._dl\\\"?|.*\\.ocx\\\"?|.*\\.cpl\\\"?)
net1?(\\.exe)?\\\"?\\s+(start|stop|pause|continue)\\s+.*
psservice(64)?(\\.exe)?\\\"?\\s+(.*\\s+)?(start|stop|restart|pause|cont)\\s+.*
wmic(\\.exe)?\\\"?\\s+service\\s+.*\\s+call\\s+(start|stop|pause|resume)service
psexec(64)?(\\.exe)?\\\"?\\s+(.*\\s+)?net\\s+(start|stop|pause|continue)\\s+.*
.*(start|stop|suspend|resume)-service\\s+.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*(start|stop|suspend|resume)-service\\s+.*
sc(\\.exe)?\\\"?\\s+(.*\\s+)?start\\s+.*
sc(\\.exe)?\\\"?\\s+(.*\\s+)?stop\\s+.*
sc(\\.exe)?\\\"?\\s+(.*\\s+)?pause\\s+.*
sc(\\.exe)?\\\"?\\s+(.*\\s+)?continue\\s+.*
sc(\\.exe)?\\\"?\\s+(.*\\s+)?query
sc(\\.exe)?\\\"?\\s+(.*\\s+)?sdset\\s+.*
sc(\\.exe)?\\\"?\\s+(.*\\s+)?privs\\s+.*
psexe(c|svc|svc)(\\.exe)?\\\"?\\s+.*(admin\\$|c\\$).*
net1?(\\.exe)?\\\"?(?=.*\\s(local)?group)(?=.*\\s\\/(a(d(d)?)?|d(e(l(e(t(e)?)?)?)?)?))
net1?(\\.exe)?\\\"?(?=.*\\saccounts)(?=.*\\s\\/(f(o(r(c(e(l(o(g(o(f(f)?)?)?)?)?)?)?)?)?)?|minpw(l(e(n)?)?|a(g(e)?)?)|ma(x(p(w(a(g(e)?)?)?)?)?)?|u(n(i(q(u(e(p(w)?)?)?)?)?)?)?))
net1?(\\.exe)?\\\"?(?=.*\\suser)(?=.*\\s\\/(ac(t(i(v(e)?)?)?)?|ex(p(i(r(e(s)?)?)?)?)?|h(o(m(e(d(i(r)?)?)?)?)?)?|password(c(h(g)?)?|r(e(q)?)?)|(pr(o(f(i(l(e)?)?)?)?)?|sc(r(i(p(t)?)?)?)?)(p(a(t(h)?)?)?)?|t(i(m(e(s)?)?)?)?|w(o(r(k(s(t(a(t(i(o(n(s)?)?)?)?)?)?)?)?)?)?)?))
.*(rename|enable|disable|set)-localuser.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*(rename|enable|disable|set)-localuser.*
.*(admin\\$|c\\$).*
net1?(\\.exe)?\\\"?\\s+use(?=.*\\s\\\\\\\\.*\\\\.*\\$)(?!.*\\s\\/d(e(l(e(t(e)?)?)?)?)?)
net1?(\\.exe)?\\\"?(?=.*\\sshare)(?=.*\\s.*\\$)(?!.*\\s\\/d(e(l(e(t(e)?)?)?)?)?)
.*new-psdrive.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*new-psdrive.*
wmic(\\.exe)?\\\"?\\s+service.*get\\s+name.*
net1?(\\.exe)?\\\"?(?=.*\\suser\\s)(?=.*\\s\\/add?)
.*(new-localuser|new-aduser).*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*(new-localuser|new-aduser).*
\\d+\\s+\\/injectrunning\\s+\\S+\\.dll
net1?(\\.exe)?\\\"?(?=.*\\stime)(?!.*\\s\\/set)
w32tm(\\.exe)?\\\"?(?=.*\\s\\/(stripchart|tz|dumpreg|query))
.*\\sget-date
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*\\sget-date
net1?(\\.exe)?\\\"?(?=.*\\sshare)(?=.*\\s\\/d(e(l(e(t(e)?)?)?)?)?)
net1?(\\.exe)?\\\"?(?=.*\\suse(?!r))(?=.*\\s\\/d(e(l(e(t(e)?)?)?)?)?)
.*\\sremove-(smb|file)share
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
.*\\sremove-(smb|file)share
findstr(\\.exe)?\\\"?(?=.*(virus|cb|defender|cylance|ccsvchst))
findstr(\\.exe)?\\\"?\\s+\\b((4|6|8)|1([2-4]|6|8)|(2(2|6|8))|(3(0|2|[6-8]))|(40))[0-9]{4}\\b
.*(/s|/au).*
^(?!.*(rm|del|remove-item|ren|taskkill)).*\\*
.*get-localuser.*
[-/][Ee](?:[Nn](?:[Cc](?:[Oo](?:[Dd](?:[Ee](?:[Dd](?:[Cc](?:[Oo](?:[Mm](?:[Mm](?:[Aa](?:[Nn](?:[Dd])?)?)?)?)?)?)?)?)?)?)?)?)?\\s+\"?([A-Za-z0-9+/=\\s]+)\"?
^(?!.*(rm|del|remove-item|ren|taskkill)).*\\*
.*get-localuser.*
.*get-processtokengroup.*