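# Splunk search macro: normalises a command line, splits it into tokens and
# derives one count feature per watched keyword. The calling search applies
# the commandline classifier to these unusual_cmdline_feature_* fields.
#
# Pipeline:
#   1. orig_process keeps the raw value because process is overwritten.
#   2. lower() plus removal of every backtick, so words that were broken up
#      with backticks still match the per-token patterns below.
#   3. makemv splits process into tokens matching [\w\d\-]+ (the \d is already
#      covered by \w); anything else ("." "/" ":" quotes, spaces) separates
#      tokens, e.g. system.net.webclient becomes three tokens.
#   4. Each feature is the number of tokens exactly equal to its keyword
#      (mvfilter keeps the matching values, mvcount counts them); the if()
#      presumably exists so the feature is 0 rather than null when the keyword
#      is absent.
#
# NOTE(review): the feature names that contain '-' (..._-value, ..._-name,
# ..._set-mppreference, ..._get-wmiobject, ..._new-object) are unquoted on the
# eval left-hand side; Splunk documents single-quoting field names with
# characters other than [a-zA-Z0-9_]. Confirm these evaluate as intended, and
# keep the names as written unless the model is retrained, since the classifier
# expects them verbatim.
#
# The value is a folded block scalar: each line break below becomes a single
# space, so the macro text is unchanged from the single-line form.
definition: >-
  eval orig_process=process, process=replace(lower(process), "`", "")
  | makemv tokenizer="([\w\d\-]+)" process
  | eval unusual_cmdline_feature_for=if(match(process, "^for$"), mvcount(mvfilter(match(process, "^for$"))), 0),
  unusual_cmdline_feature_netsh=if(match(process, "^netsh$"), mvcount(mvfilter(match(process, "^netsh$"))), 0),
  unusual_cmdline_feature_readbytes=if(match(process, "^readbytes$"), mvcount(mvfilter(match(process, "^readbytes$"))), 0),
  unusual_cmdline_feature_set=if(match(process, "^set$"), mvcount(mvfilter(match(process, "^set$"))), 0),
  unusual_cmdline_feature_unrestricted=if(match(process, "^unrestricted$"), mvcount(mvfilter(match(process, "^unrestricted$"))), 0),
  unusual_cmdline_feature_winstations=if(match(process, "^winstations$"), mvcount(mvfilter(match(process, "^winstations$"))), 0),
  unusual_cmdline_feature_-value=if(match(process, "^-value$"), mvcount(mvfilter(match(process, "^-value$"))), 0),
  unusual_cmdline_feature_compression=if(match(process, "^compression$"), mvcount(mvfilter(match(process, "^compression$"))), 0),
  unusual_cmdline_feature_server=if(match(process, "^server$"), mvcount(mvfilter(match(process, "^server$"))), 0),
  unusual_cmdline_feature_set-mppreference=if(match(process, "^set-mppreference$"), mvcount(mvfilter(match(process, "^set-mppreference$"))), 0),
  unusual_cmdline_feature_terminal=if(match(process, "^terminal$"), mvcount(mvfilter(match(process, "^terminal$"))), 0),
  unusual_cmdline_feature_-name=if(match(process, "^-name$"), mvcount(mvfilter(match(process, "^-name$"))), 0),
  unusual_cmdline_feature_catch=if(match(process, "^catch$"), mvcount(mvfilter(match(process, "^catch$"))), 0),
  unusual_cmdline_feature_get-wmiobject=if(match(process, "^get-wmiobject$"), mvcount(mvfilter(match(process, "^get-wmiobject$"))), 0),
  unusual_cmdline_feature_hklm=if(match(process, "^hklm$"), mvcount(mvfilter(match(process, "^hklm$"))), 0),
  unusual_cmdline_feature_streamreader=if(match(process, "^streamreader$"), mvcount(mvfilter(match(process, "^streamreader$"))), 0),
  unusual_cmdline_feature_system32=if(match(process, "^system32$"), mvcount(mvfilter(match(process, "^system32$"))), 0),
  unusual_cmdline_feature_username=if(match(process, "^username$"), mvcount(mvfilter(match(process, "^username$"))), 0),
  unusual_cmdline_feature_webrequest=if(match(process, "^webrequest$"), mvcount(mvfilter(match(process, "^webrequest$"))), 0),
  unusual_cmdline_feature_count=if(match(process, "^count$"), mvcount(mvfilter(match(process, "^count$"))), 0),
  unusual_cmdline_feature_webclient=if(match(process, "^webclient$"), mvcount(mvfilter(match(process, "^webclient$"))), 0),
  unusual_cmdline_feature_writeallbytes=if(match(process, "^writeallbytes$"), mvcount(mvfilter(match(process, "^writeallbytes$"))), 0),
  unusual_cmdline_feature_convert=if(match(process, "^convert$"), mvcount(mvfilter(match(process, "^convert$"))), 0),
  unusual_cmdline_feature_create=if(match(process, "^create$"), mvcount(mvfilter(match(process, "^create$"))), 0),
  unusual_cmdline_feature_function=if(match(process, "^function$"), mvcount(mvfilter(match(process, "^function$"))), 0),
  unusual_cmdline_feature_net=if(match(process, "^net$"), mvcount(mvfilter(match(process, "^net$"))), 0),
  unusual_cmdline_feature_com=if(match(process, "^com$"), mvcount(mvfilter(match(process, "^com$"))), 0),
  unusual_cmdline_feature_http=if(match(process, "^http$"), mvcount(mvfilter(match(process, "^http$"))), 0),
  unusual_cmdline_feature_io=if(match(process, "^io$"), mvcount(mvfilter(match(process, "^io$"))), 0),
  unusual_cmdline_feature_system=if(match(process, "^system$"), mvcount(mvfilter(match(process, "^system$"))), 0),
  unusual_cmdline_feature_new-object=if(match(process, "^new-object$"), mvcount(mvfilter(match(process, "^new-object$"))), 0),
  unusual_cmdline_feature_if=if(match(process, "^if$"), mvcount(mvfilter(match(process, "^if$"))), 0),
  unusual_cmdline_feature_threading=if(match(process, "^threading$"), mvcount(mvfilter(match(process, "^threading$"))), 0),
  unusual_cmdline_feature_mutex=if(match(process, "^mutex$"), mvcount(mvfilter(match(process, "^mutex$"))), 0),
  unusual_cmdline_feature_cryptography=if(match(process, "^cryptography$"), mvcount(mvfilter(match(process, "^cryptography$"))), 0),
  unusual_cmdline_feature_computehash=if(match(process, "^computehash$"), mvcount(mvfilter(match(process, "^computehash$"))), 0)
# Human-readable summary shown in the macro listing. Note that the macro itself
# only tokenizes and builds the features; the classifier is applied by the
# search that invokes it.
description: Performs the tokenization and application of the malicious commandline classifier
# Macro name as referenced from searches, i.e. `potentially_malicious_code_on_cmdline_tokenize_score`.
name: potentially_malicious_code_on_cmdline_tokenize_score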