
Profile: composite/live-response.toml

Source

  • Original path: profiles/composite/live-response.toml

Profile (TOML)

# Live Response Profile
# Inspired by UAC's live response capabilities
# Focuses on volatile data and live system artifacts

# Base profiles layered under this one. Paths look relative to this file
# (presumably resolved by the profile loader — confirm). Order is kept as
# written in case later includes take precedence over earlier ones.
includes = [
  "../base/system-artifacts.toml",
  "../base/malware.toml",
  "../base/network.toml",
]

# Content decodings attempted before pattern matching (assumed; verify
# against the loader), so indicators wrapped in base64/hex are still seen.
decode = ["base64", "hex"]

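# Process and Memory Artifacts
#
# Regexes below are TOML literal strings ('...'), so backslashes are written
# once. In a basic "..." string, \b is the TOML backspace escape and would
# have to be doubled to reach the regex engine as a word boundary.
[[patterns]]
  name = "Running Process"
  # Word boundaries stop the short alternatives (notably "top") from firing
  # inside ordinary words such as "stop" or "desktop". The "Live System
  # State" signature selects on this pattern name, so substring hits there
  # would flag nearly every text file.
  pattern = '\b(?:tasklist|ps aux|top|htop)\b'
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Process ID"
  # No case-insensitive flag here: "PID"/"pid" match, mixed-case "Pid" does not.
  pattern = '(?:PID|pid)\s*[:=]?\s*\d+'
  type = "regex"

[[patterns]]
  name = "Loaded Module"
  # "DLL" followed later on the same line by "loaded", or the literal token.
  pattern = '(?:LoadedModule|DLL.*loaded)'
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Open Handle"
  # Requires a numeric handle/descriptor value after the keyword.
  pattern = '(?:handle|file.*descriptor)\s+\d+'
  case-insensitive = true
  type = "regex"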

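# Network Connections
# Regexes are TOML literal strings ('...'), so backslashes are written once.
[[patterns]]
  name = "Active Connection"
  # No case-insensitive flag, so only the upper-case state names as printed
  # by netstat/ss match. "LISTEN" also covers the Windows form "LISTENING"
  # as a prefix.
  pattern = '(?:ESTABLISHED|LISTEN|TIME_WAIT)'
  type = "regex"

[[patterns]]
  name = "Netstat Output"
  # Word boundaries added: the bare "ss" alternative matched every word
  # containing a double s (address, class, process, ...), so the pattern
  # fired on essentially all prose.
  pattern = '\b(?:netstat|ss|lsof)\b'
  type = "regex"

[[patterns]]
  name = "Local Port"
  # Wildcard / loopback bind addresses followed by a port.
  pattern = '(?:0\.0\.0\.0|127\.0\.0\.1|localhost):\d+'
  type = "regex"

[[patterns]]
  name = "Foreign Address"
  # Any dotted quad followed by ":port". Not restricted to non-local
  # addresses, so loopback and private ranges match too, and octets are
  # not range-checked (999.999.999.999:1 matches).
  pattern = '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d+'
  type = "regex"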

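# System Information
# Regexes are TOML literal strings ('...'), so backslashes are written once.
[[patterns]]
  name = "System Uptime"
  # The "uptime" command name, or the "up N days" phrase from its output.
  pattern = '(?:uptime|up\s+\d+\s+days)'
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Logged In User"
  # Word boundaries added: the bare "w" alternative previously matched any
  # letter w, so this pattern — and the "Live System State" signature that
  # selects on its name — fired on practically every text input.
  pattern = '\b(?:who|w|users|query user)\b'
  type = "regex"

[[patterns]]
  name = "Environment Variable"
  # The trailing "=" is required, so the bare words PATH/HOME/USER/TEMP
  # on their own do not match.
  pattern = '(?:PATH|HOME|USER|TEMP)='
  type = "regex"

[[patterns]]
  name = "System Time"
  # "date:" / "time:" followed by an ISO-style YYYY-MM-DD value.
  pattern = '(?:date|time)\s*:\s*\d{4}-\d{2}-\d{2}'
  case-insensitive = true
  type = "regex"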

# Volatile Registry Keys (Windows)
# Plain substring matches (type = "string") on well-known Explorer/shell
# key names, written with the casing the keys carry in the registry.
[[patterns]]
  type = "string"
  name = "RunMRU"
  # Explorer Run-dialog most-recently-used list.
  pattern = 'RunMRU'

[[patterns]]
  type = "string"
  name = "TypedURLs"
  # Addresses typed into the IE / Explorer address bar.
  pattern = 'TypedURLs'

[[patterns]]
  type = "string"
  name = "UserAssist"
  # Shell tracking of GUI program launches.
  pattern = 'UserAssist'

[[patterns]]
  type = "string"
  name = "MUICache"
  # Cached display names of executables the shell has resolved.
  pattern = 'MUICache'

# Command History
# Regexes are TOML literal strings ('...') — no doubled backslashes needed.
[[patterns]]
  type = "regex"
  case-insensitive = true
  name = "PowerShell History"
  # PSReadLine's persisted history file name.
  pattern = 'ConsoleHost_history\.txt'

[[patterns]]
  type = "regex"
  case-insensitive = true
  name = "CMD History"
  # "doskey" followed later on the line by "history" (e.g. "doskey /history").
  pattern = 'doskey.*history'

[[patterns]]
  type = "regex"
  name = "Recent Commands"
  # Case-sensitive; "history" also matches as a substring of longer words.
  pattern = '(?:history|fc -l)'

# Live Malware Indicators
# Regexes are TOML literal strings ('...') — no doubled backslashes needed.
[[patterns]]
  type = "regex"
  case-insensitive = true
  name = "Suspicious Process Name"
  # These are legitimate Windows system binaries; a hit is useful because
  # they are the names most often masqueraded, so it should be checked
  # against image path and parent process rather than read as malicious on
  # its own. The "Active Malicious Activity" signature selects this pattern
  # with LIKE '%Suspicious%' on the name — do not rename it.
  pattern = '(?:svchost|lsass|csrss|winlogon|explorer)\.exe'

[[patterns]]
  type = "regex"
  case-insensitive = true
  name = "Rootkit Indicator"
  # Textual references to process hiding, DKOM and SSDT hooking.
  pattern = '(?:hidden.*process|DKOM|SSDT.*hook)'

[[patterns]]
  type = "regex"
  case-insensitive = true
  name = "Injected Code"
  # Selected by the "Active Malicious Activity" signature via LIKE '%Inject%'.
  pattern = '(?:code.*inject|remote.*thread|process.*hollow)'

# Signatures are SQL over the pattern_matches table. The queries are split
# across lines with TOML line-ending backslashes, which fold each break
# (and the following indentation) away, so the resulting strings are the
# single-line queries.
[[signatures]]
  name = "Active Malicious Activity"
  # Any file with at least one hit on a pattern whose name contains
  # "Suspicious", "Inject" or "Rootkit".
  query = """\
    SELECT DISTINCT sha256 FROM pattern_matches \
    WHERE pattern_name LIKE '%Suspicious%' \
    OR pattern_name LIKE '%Inject%' \
    OR pattern_name LIKE '%Rootkit%'\
    """

[[signatures]]
  name = "Live System State"
  # A single hit on any of these four broad patterns is enough; one sha256
  # row is returned per matching row, not de-duplicated.
  query = """\
    SELECT sha256 FROM pattern_matches \
    WHERE pattern_name IN ('Running Process', 'Active Connection', \
    'Logged In User', 'System Uptime')\
    """

[[signatures]]
  name = "Volatile Artifacts"
  # Requires more than two match rows per file across the History / MRU /
  # Recent patterns. HAVING refers to the SELECT alias volatile_count,
  # which SQLite accepts; stricter SQL engines may not — confirm the backend.
  query = """\
    SELECT sha256, COUNT(*) as volatile_count FROM pattern_matches \
    WHERE pattern_name LIKE '%History%' \
    OR pattern_name LIKE '%MRU%' \
    OR pattern_name LIKE '%Recent%' \
    GROUP BY sha256 HAVING volatile_count > 2\
    """