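---
# Rule: match a process named csrss.exe whose module list includes a DLL
# path containing "csrss.dll". The detection is one selection; the file
# holds several rules, so each starts with an explicit document marker to
# avoid duplicate top-level keys collapsing into one mapping (last-wins).
title: Minimal Rule
logsource:
  category: json
  product: air
detection:
  selection:
    Processes:
      Name: csrss.exe
      # NOTE(review): Modules is nested under the Processes entry here
      # (module list of the matched process) — confirm against the AIR
      # artifact schema before relying on it.
      Modules:
        DllPath|contains: csrss.dll
  condition: selection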
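---
# Rule: match a System artifact whose ComputerName is exactly "JohnPC".
# Exact (un-modified) field match; no |contains / |endswith modifier.
title: Scan System Settings
logsource:
  category: json
  product: air
detection:
  selection:
    System:
      ComputerName: JohnPC
  condition: selection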
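---
# Rule: match autorun registry entries whose CommandLine contains
# "vm3dservice.exe". With a single selection, "any of them" is equivalent
# to "condition: selection"; kept as written by the author.
title: Scan Autorun Entries
logsource:
  category: json
  product: air
detection:
  selection:
    AutorunsRegistry:
      CommandLine|contains: vm3dservice.exe
  condition: any of them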
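---
# Rule: two named selections over service autorun entries; "2 of them"
# requires BOTH cond1 (KeyPath containing "1394ohci") and cond2 (EntryName
# exactly "ahcache") to match.
title: Scan Service Entries
logsource:
  category: json
  product: air
detection:
  cond1:
    AutorunsServices:
      # quoted: value starts with digits, keep it an unambiguous string
      KeyPath|contains: "1394ohci"
  cond2:
    AutorunsServices:
      EntryName: ahcache
  condition: 2 of them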
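---
# Rule: match Prefetch entries whose FilePath contains any of the listed
# executable names (a list under one field is an OR of its values).
title: Scan Prefetch Entries
logsource:
  category: json
  product: air
detection:
  selection:
    Prefetch:
      FilePath|contains:
        - icacls.exe
        - psexec.exe
        - bitsadmin.exe
  condition: selection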
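---
# Rule: match WMI command lines that contain "powershell.exe".
title: Scan WMI Scripts
logsource:
  category: json
  product: air
detection:
  selection:
    WMICommandLine:
      Command|contains: powershell.exe
  condition: selection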
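---
# Rule: match DNS cache entries whose Name ends with "binalyze.com"
# (suffix match, so subdomains are included).
title: Scan DNSCache Entries
logsource:
  category: json
  product: air
detection:
  selection:
    DnsCache:
      Name|endswith: binalyze.com
  condition: selection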
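---
# Rule: match TCP table entries with an exact RemoteAddress. The address
# is quoted so it is always read as a string rather than re-typed by
# tooling.
title: Scan TCP Table Entries
logsource:
  category: json
  product: air
detection:
  selection:
    TcpTable:
      RemoteAddress: "40.90.23.154"
  condition: selection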