Operations
The operations part defines which operations executed by a process raise the detection. If empty, the detection is triggered when the process generates an event.
Operations are defined using an operation element with a type attribute and an expression element.
<operation type="WriteFile">Expression</operation>
The following components are supported by all operation.
CodeInjection
A process was subject to some form of code injection.
Supported components:
CreateNamedPipe
A named pipe was created.
Supported components:
CreateProcess
A process was created.
Supported components:
DeleteFile
A file was deleted.
Supported components:
Detection
This operation can be used in two different ways:
•Used in a regular rule—an event was triggered on client-side antivirus
•Used in a sequence rule—only detections triggered by Inspect
Supported components:
DnsRequest
A DNS request was made (usually IP > domain, domain > IP).
Supported components:
HttpRequest
A HTTP request was made.
Supported components:
LoadDLL
A DLL was loaded.
Supported components:
LoadDriver
A driver or kernel module was loaded.
Supported components:
ModuleDrop
An executable was dropped.
Supported components:
MultipleFilesChanged
Process modified multiple files.
Supported components:
OpenProcess
Added a new rule attribute, which triggers when a process is opened. Only the open process to lsass.exe is monitored.
Supported components:
ReadFile
Triggered when a monitored file was read. Monitored files refer to those which contain either sensitive information or stored credentials, for example, stored browser passwords, stored FTP clients passwords, AD database and so on.
Supported components:
RegDeleteKey
A registry key was deleted.
Supported components:
RegDeleteValue
The value of the registry was deleted.
Supported components:
RegRenameKey
A registry key was renamed.
Supported components:
RegSetValue
A registry key was altered.
Supported components:
RenameFile
A file was renamed.
Supported components:
Scripts
A script exposed by AMSI was executed.
Supported components:
SetFileAttribute
A file attribute was set.
Supported components:
SystemApiCall
A system function was called.
Supported components:
TcpIpAccept
An incoming TCP/IP connection was accepted.
Supported components:
TcpIpConnect
An outbound TCP/IP connection was made.
Supported components:
TcpIpProtocolIdentified
On top of TCP/IP connection, describes the protocol used.
Supported components:
TruncateFile
A file was truncated, this operation is reported only on Posix systems
Supported components:
UserActivate
The user was activated.
Supported components:
UserAddToGroup
The user was added to the group.
Supported components:
UserCreate
A new user was created.
Supported components:
UserDisable
The user was disabled.
Supported components:
UserLogin
The user logged in.
Supported components:
UserLogout
The user logged out.
Supported components:
UserRemove
The user was removed.
Supported components:
UserRemoveFromGroup
The user was removed from the group.
Supported components:
WmiExecution
WMI execution event was triggered.
Supported components:
WmiPersistence
The event is generated when consumer binds to a filter.
Supported components:
WmiQuery
WMI query was executed on a computer.
Supported components:
WriteFile
A file was written to.
Supported components:
|
Earlier versions of Windows do not produce WMI events. This functionality has been available since Windows 10 version 1803. Some of the events provide only partial information: •File write events—only the first file change is recorded (This is per process. If two processes change the same file, both changes are recorded) •Registry related events—only the first registry key change is recorded (first time by a process) •DLLLoad—only DLLs that are not whitelisted by AV are recorded •TcpIp events—only the first connection is recorded (first time by a process) •Http events—only the first request is recorded (first time by a process) •ModuleDrop (a.k.a PEDrop)—it is reported only for the first drop of a given module (first time on a computer) •AmsiTriggerEvent—only the first execution is recorded (first time on a computer) |
