{
"platform": "windows",
"description": "Critical security and patching services not running. Each check is polled hourly (interval 3600), so a service stopped and restarted between polls is not observed, and a service that has been deleted or uninstalled returns no row and does not alert. ATT&CK T1562.001 Impair Defenses: Disable or Modify Tools (formerly T1089, now deprecated)",
"queries": {
"Windows_Defender_Services": {
"query": "SELECT * FROM services WHERE name = 'WinDefend' AND status != 'RUNNING';",
"interval": 3600,
"description": "Windows Defender service (WinDefend) not running - ATT&CK T1562.001 (formerly T1089)"
},
"Windows_Firewall_Services": {
"query": "SELECT * FROM services WHERE name = 'MpsSvc' AND status != 'RUNNING';",
"interval": 3600,
"description": "Windows Firewall service (MpsSvc) not running - ATT&CK T1562.001 (formerly T1089)"
},
"Symantec_Endpoint_Protection_Services": {
"query": "SELECT * FROM services WHERE name = 'SepMasterService' AND status != 'RUNNING';",
"interval": 3600,
"description": "Symantec Endpoint Protection service (SepMasterService) not running - ATT&CK T1562.001 (formerly T1089)"
},
"Sophos_Anti-Virus_Services_1": {
"query": "SELECT * FROM services WHERE name = 'SAVAdminService' AND status != 'RUNNING';",
"interval": 3600,
"description": "Sophos Anti-Virus service (SAVAdminService) not running - ATT&CK T1562.001 (formerly T1089)"
},
"Sophos_Anti-Virus_Services_2": {
"query": "SELECT * FROM services WHERE name = 'SavService' AND status != 'RUNNING';",
"interval": 3600,
"description": "Sophos Anti-Virus service (SavService) not running - ATT&CK T1562.001 (formerly T1089)"
},
"Windows_Security_Service": {
"query": "SELECT * FROM services WHERE name = 'wscsvc' AND status != 'RUNNING';",
"interval": 3600,
"description": "Windows Security Center service (wscsvc) not running - ATT&CK T1562.001 (formerly T1089)"
},
"Windows_Update_Service": {
"query": "SELECT * FROM services WHERE name = 'wuauserv' AND status != 'RUNNING';",
"interval": 3600,
"description": "Windows Update service (wuauserv) not running - expect noise: on Windows 10 and later wuauserv is manual/trigger-started and is normally STOPPED when idle, so this fires on healthy hosts - ATT&CK T1562.001 (formerly T1089)"
},
"Snapshot_services": {
"query": "SELECT * FROM services;",
"interval": 28800,
"description": "Full snapshot of all services every 8 hours (interval 28800); baseline for spotting newly installed, reconfigured or deleted services, which the per-service checks above cannot see because a missing service returns no row",
"snapshot": true
}
}
}