Tanium Hunting Questions
New Scripts in Webroot Paths
Get "Trace File Operations[unlimited, 1488479715768|1488483314768, 1, 0, 0, 10, .*\\wwwroot\\.*\.(asp|aspx|cfm|jsp|php), CreateNewFile, , , ]" from all machines
Command Shell Spawned by Unusual Parent
Get "Trace Executed Processes[unlimited, 1488479676718|1488483275718, 1, 0, 10, 0, (?i).*cmd\.exe, (?i).*(office|adobe|java|iexplore|firefox|chrome|svchost|w3wp).*, , , , ]" from all machines
Registry Run Key Changes
Get "Trace Registry Keys or Values[unlimited, 1488479754121|1488483353121, 1, 0, 10, 0, (?i).*\\CurrentVersion\\Run, , SetValueKey, , , ]" from all machines
Autoruns in User Directories without Publisher Data
Get AutoRun Program Details containing ":|:|c:\users" from all machines
Domain Reconnaissance with Net.exe
Get "Trace Executed Processes[unlimited, 1488479819205|1488483418205, 1, 0, 10, 0, (?i).*\\net\.exe, , (?i).*(localgroup administrators|group "domain admins"|view /domain).*, , , ]" from all machines
Mount Remote Root Share
Get "Trace Executed Processes[unlimited, 1488479895047|1488483494047, 1, 0, 10, 0, (?i).*\\net\.exe, , (?i).*use.*\\\\.*\\(ADMIN|C)\$.*, , , ]" from all machines
Suspicious processes launched by Office
Get "Trace Executed Processes[unlimited, 1488480102075|1488483701075, 1, 0, 10, 0, (?i).*\\AppData\\.*, (?i).*(winword|excel|outlook)\.exe, , , , ]" from all machines
Decoding malware payload with Certutil
Get "Trace Executed Processes[unlimited, 1488480143929|1488483742929, 1, 0, 10, 0, , (?i).*(winword|excel|powerpnt).*, (?i).*certutil.*-decode.*, , , ]" from all machines
Process Trees (Office applications as parent)
Get "Trace Executed Process Trees[(winword.exe|outlook.exe|excel.exe), 1, 0, 0, As Parent, 10000]" from all machines
Process Trees (PowerShell as child)
Get "Trace Executed Process Trees[powershell.exe, 0, 0, 0, As Child, 10000]" from all machines
Suspicious Command Lines
Get "Trace Executed Processes[unlimited, 1488479986508|1488483585508, 1, 0, 10, 0, (?i).*powershell\.exe$, , (?i).*(-enc|-encodedcommand|iex|webclient|invoke-expression|new-object|downloadfile|downloadstring|frombase64string|deflatestream|createobject|uploadfile).*, , , ]" from all machines
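Added example, not part of the original list and not Tanium's code: a small Python harness that takes the process, parent and command-line regexes from three of the Trace Executed Processes questions above and applies them to constructed process events, so the patterns can be sanity-checked offline before being run against an estate. It assumes (my reading of the question syntax) that an empty field is a wildcard and that each regex must match the whole field, which is why the page's patterns start and end with `.*`.

```python
import re

# Constructed sample events in the shape the filters see:
# (process path, parent process path, command line).
EVENTS = [
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "C:\\Windows\\explorer.exe",
     "powershell.exe -EncodedCommand AAAA_PLACEHOLDER"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "C:\\Windows\\explorer.exe",
     "powershell.exe Get-ChildItem C:\\Temp"),
    ("C:\\Windows\\System32\\certutil.exe",
     "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "certutil -decode blob.txt blob.bin"),
    ("C:\\Users\\alice\\AppData\\Roaming\\update.exe",
     "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "update.exe"),
]

# Filter triples copied from the questions above:
# name -> (process regex, parent regex, command-line regex); "" = no constraint.
HUNTS = {
    "Suspicious Command Lines": (
        r"(?i).*powershell\.exe$", "",
        r"(?i).*(-enc|-encodedcommand|iex|webclient|invoke-expression|new-object"
        r"|downloadfile|downloadstring|frombase64string|deflatestream|createobject"
        r"|uploadfile).*"),
    "Decoding malware payload with Certutil": (
        "", r"(?i).*(winword|excel|powerpnt).*", r"(?i).*certutil.*-decode.*"),
    "Suspicious processes launched by Office": (
        r"(?i).*\\AppData\\.*", r"(?i).*(winword|excel|outlook)\.exe", ""),
}

def field_matches(pattern, value):
    """Empty pattern is a wildcard; otherwise the whole field must match (assumption)."""
    return pattern == "" or re.fullmatch(pattern, value) is not None

def matching_hunts(event):
    """Names of the hunts whose three filters all match this event."""
    proc, parent, cmdline = event
    return [name for name, (p_re, parent_re, cmd_re) in HUNTS.items()
            if field_matches(p_re, proc) and field_matches(parent_re, parent)
            and field_matches(cmd_re, cmdline)]

def run_hunts(events=EVENTS):
    """Map each event's command line to the list of hunts it triggers."""
    return {ev[2]: matching_hunts(ev) for ev in events}

if __name__ == "__main__":
    for cmdline, hits in run_hunts().items():
        print(f"{cmdline!r}: {hits or 'no hit'}")
```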