LoFP / administrative scripts

Sample rules

PowerShell Script Run in AppData

Description

Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder

Detection logic

condition: all of selection*
selection1:
  CommandLine|contains:
  - powershell.exe
  - \powershell
  - \pwsh
  - pwsh.exe
selection2:
  CommandLine|contains:
  - Local\
  - Roaming\
  CommandLine|contains|all:
  - '/c '
  - \AppData\

Windows Shell/Scripting Processes Spawning Suspicious Programs

Description

Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell and mshta.

Detection logic

condition: selection and not 1 of filter_*
filter_amazon:
  ParentCommandLine|contains:
  - \Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1
  - \Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1
  - \Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1
  - \nessus_
filter_ccmcache:
  CurrentDirectory|contains: \ccmcache\
filter_nessus:
  CommandLine|contains: \nessus_
filter_sccm_install:
  CommandLine|contains|all:
  - C:\MEM_Configmgr_
  - \SMSSETUP\BIN\
  - \autorun.hta
  - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
  Image|endswith: \mshta.exe
  ParentCommandLine|contains|all:
  - C:\MEM_Configmgr_
  - \splash.hta
  - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
  ParentImage|endswith: \mshta.exe
selection:
  Image|endswith:
  - \schtasks.exe
  - \nslookup.exe
  - \certutil.exe
  - \bitsadmin.exe
  - \mshta.exe
  ParentImage|endswith:
  - \mshta.exe
  - \powershell.exe
  - \pwsh.exe
  - \rundll32.exe
  - \cscript.exe
  - \wscript.exe
  - \wmiprvse.exe
  - \regsvr32.exe

Copy From Or To Admin Share Or Sysvol Folder

Description

Detects a copy command or a copy utility execution to or from an Admin share or remote

Detection logic

condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
selection_cmd_cli:
  CommandLine|contains: copy
selection_cmd_img:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe
selection_other_tools:
- Image|endswith:
  - \robocopy.exe
  - \xcopy.exe
- OriginalFileName:
  - robocopy.exe
  - XCOPY.EXE
selection_pwsh_cli:
  CommandLine|contains:
  - copy-item
  - 'copy '
  - 'cpi '
  - ' cp '
  - 'move '
  - move-item
  - ' mi '
  - ' mv '
selection_pwsh_img:
- Image|contains:
  - \powershell.exe
  - \pwsh.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll
selection_target:
  CommandLine|contains:
  - \\\\*$
  - \Sysvol\

Suspicious Script Execution From Temp Folder

Description

Detects suspicious script executions from a temporary folder

Detection logic

condition: selection and not filter
filter:
  CommandLine|contains:
  - ' >'
  - Out-File
  - ConvertTo-Json
  - -WindowStyle hidden -Verb runAs
  - \Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\
selection:
  CommandLine|contains:
  - \Windows\Temp
  - \Temporary Internet
  - \AppData\Local\Temp
  - \AppData\Roaming\Temp
  - '%TEMP%'
  - '%TMP%'
  - '%LocalAppData%\Temp'
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \mshta.exe
  - \wscript.exe
  - \cscript.exe

Suspicious Userinit Child Process

Description

Detects a suspicious child process of userinit

Detection logic

condition: selection and not 1 of filter*
filter1:
  CommandLine|contains: \netlogon\
filter2:
- Image|endswith: \explorer.exe
- OriginalFileName: explorer.exe
selection:
  ParentImage|endswith: \userinit.exe

Registry Modification to Hidden File Extension

Description

Detects registry modifications that hide file extensions or hidden files in Windows Explorer

Detection logic

condition: 1 of selection_*
selection_Hidden:
  Details: DWORD (0x00000002)
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
selection_HideFileExt:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

ServiceDll Hijack

Description

Detects changes to the “ServiceDLL” value related to a service in the registry. This is often used as a method of persistence.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_domain_controller:
  Details: '%%systemroot%%\system32\ntdsa.dll'
  Image: C:\Windows\system32\lsass.exe
  TargetObject|endswith: \Services\NTDS\Parameters\ServiceDll
filter_main_poqexec:
  Image: C:\Windows\System32\poqexec.exe
filter_main_printextensionmanger:
  Details: C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll
filter_optional_safetica:
  Details: C:\Windows\System32\STAgent.dll
  Image|endswith: \regsvr32.exe
selection:
  TargetObject|contains|all:
  - \System\
  - ControlSet
  - \Services\
  TargetObject|endswith: \Parameters\ServiceDll

IE Change Domain Zone

Description

Detects changes to Internet Explorer's ZoneMap domain configuration in the registry

Detection logic

condition: selection_domains and not filter
filter:
  Details:
  - DWORD (0x00000000)
  - DWORD (0x00000001)
  - (Empty)
selection_domains:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

Psexec Execution

Description

Detects execution of PsExec with the user agreement accepted on the command line

Detection logic

condition: selection
selection:
- Image|endswith: \psexec.exe
- OriginalFileName: psexec.c