eq_0004 — 2 rules with the same canonical form
Members
Stages and predicates (per member)
Each member's stage rendered in its own native syntax (verbatim source where the IR captures it; falls back to the synthesised native form for the few stage types whose source segments aren't recoverable).
Potential Recon Activity Using DriverQuery.EXE — stage 1 all of selection_img
or:
Image|endswith: driverquery.exe
OriginalFileName: drvqry.exe
Potential Recon Activity Using DriverQuery.EXE — stage 2 all of selection_parent
or:
ParentImage|endswith: '\cscript.exe'
ParentImage|endswith: '\mshta.exe'
ParentImage|endswith: '\regsvr32.exe'
ParentImage|endswith: '\rundll32.exe'
ParentImage|endswith: '\wscript.exe'
ParentImage|contains: '\AppData\Local\'
ParentImage|contains: '\Users\Public\'
ParentImage|contains: '\Windows\Temp\'
DriverQuery.EXE Execution — stage 3 selection
or:
Image|endswith: driverquery.exe
OriginalFileName: drvqry.exe
DriverQuery.EXE Execution — stage 4 not 1 of filter_main_other
or:
ParentImage|endswith: '\cscript.exe'
ParentImage|endswith: '\mshta.exe'
ParentImage|endswith: '\regsvr32.exe'
ParentImage|endswith: '\rundll32.exe'
ParentImage|endswith: '\wscript.exe'
ParentImage|contains: '\AppData\Local\'
ParentImage|contains: '\Users\Public\'
ParentImage|contains: '\Windows\Temp\'
Indicators (across all members)
| Field | Kind | Value | Members | Corpus |
|---|---|---|---|---|
| Image | ends_with | driverquery.exe | 2 | 2 |
| OriginalFileName | eq | drvqry.exe | 2 | 2 |
| ParentImage | ends_with | \cscript.exe | 2 | 14 |
| ParentImage | ends_with | \mshta.exe | 2 | 10 |
| ParentImage | ends_with | \regsvr32.exe | 2 | 11 |
| ParentImage | ends_with | \rundll32.exe | 2 | 12 |
| ParentImage | ends_with | \wscript.exe | 2 | 14 |
| ParentImage | match | \AppData\Local\ | 2 | 3 |
| ParentImage | match | \Users\Public\ | 2 | 2 |
| ParentImage | match | \Windows\Temp\ | 2 | 2 |