jermdw
11/29/2017 - 3:23 PM

Tanium Hunting Questions

Tanium Hunting Questions

Tanium Hunting Questions

Initial Infection

New Scripts in Webroot Paths

Get "Trace File Operations[unlimited, 1488479715768|1488483314768, 1, 0, 0, 10, .*\\wwwroot\\.*\.(asp|aspx|cfm|jsp|php), CreateNewFile, , , ]" from all machines

Command Shell Spawned by Unusual Parent

Get "Trace Executed Processes[unlimited, 1488479676718|1488483275718, 1, 0, 10, 0, (?i).*cmd\.exe, (?i).*(office|adobe|java|iexplore|firefox|chrome|svchost|w3wp).*, , , , ]" from all machines

Persistence

Registry Run Key Changes

Get "Trace Registry Keys or Values[unlimited, 1488479754121|1488483353121, 1, 0, 10, 0, (?i).*\\CurrentVersion\\Run, , SetValueKey, , , ]" from all machines

Autoruns in User Directories without Publisher Data

Get AutoRun Program Details containing ":|:|c:\users" from all machines

Lateral Movement

Domain Reconnaissance with Net.exe

Get "Trace Executed Processes[unlimited, 1488479819205|1488483418205, 1, 0, 10, 0, (?i).*\\net\.exe, , (?i).*(localgroup administrators|group "domain admins"|view /domain).*, , , ]" from all machines

Mount Remote Root Share

Get "Trace Executed Processes[unlimited, 1488479895047|1488483494047, 1, 0, 10, 0, (?i).*\\net\.exe, , (?i).*use.*\\\\.*\\(ADMIN|C)\$.*, , , ]" from all machines

Office Attacks

Suspicious processes launched by Office

Get "Trace Executed Processes[unlimited, 1488480102075|1488483701075, 1, 0, 10, 0, (?i).*\\AppData\\.*, (?i).*(winword|excel|outlook)\.exe, , , , ]" from all machines

Decoding malware payload with Certutil

Get "Trace Executed Processes[unlimited, 1488480143929|1488483742929, 1, 0, 10, 0, , (?i).*(winword|excel|powerpnt).*, (?i).*certutil.*-decode.*, , , ]" from all machines

Process Trees

Get "Trace Executed Process Trees[(winword.exe|outlook.exe|excel.exe), 1, 0, 0, As Parent, 10000]" from all machines

PowerShell Attacks

Process Trees

Get Trace Executed Process Trees[powershell.exe, 0, 0, 0, As Child, 10000] from all machines

Suspicious Command Lines

Get "Trace Executed Processes[unlimited, 1488479986508|1488483585508, 1, 0, 10, 0, (?i).*powershell\.exe$, , (?i).*(-enc|-encodedcommand|iex|webclient|invoke-expression|new-object|downloadfile|downloadstring|frombase64string|deflatestream|createobject|uploadfile).*, , , ]" from all machines