From 64b867bc4245a12c6c4984bfcebb3c46e9c0ca8f Mon Sep 17 00:00:00 2001
From: juju4
Date: Sat, 25 Nov 2023 16:04:29 +0000
Subject: [PATCH 1/4] feat(hackingai): add ai/ml tools EDR detections
---
 definitions/hackingai.json | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 definitions/hackingai.json
diff --git a/definitions/hackingai.json b/definitions/hackingai.json
new file mode 100644
index 0000000..fb13878
--- /dev/null
+++ b/definitions/hackingai.json
@@ -0,0 +1,32 @@
+{
+
+ "mlflow": {
+ "process_name": ["python*.exe",
+ "python*",
+ "pip*"],
+
+ "cmdline": ["mlflow"],
+ "domain": ["mlflow.org"]
+ },
+ "h2o.ai": {
+ "process_name": ["python*.exe",
+ "python*",
+ "pip*",
+ "java*",
+ "hadoop*"],
+ "cmdline": ["h2o-driver.jar", "h2odriver.jar", "h2o", "/h2o_"],
+ "domain": ["h2o.ai", "h2o-release.s3.amazonaws.com"],
+ "ipaddr":[
+ "228.246.114.236",
+ "ff05:0:3ff6:72ec:0:0:3ff6:72ec"
+ ]
+ },
+ "ray.io": {
+ "process_name": ["python*.exe",
+ "python*",
+ "pip*",
+ "gcs_server", "raylet"],
+ "cmdline": ["ray", "gcs_server", "ray/_private/log_monitor.py", "ray/_private/runtime_env/agent/main.py", "ray/autoscaler/_private/monitor.py", "ray/_private/workers/default_worker.py", "ray/dashboard/dashboard.py", "ray/raylet/raylet"],
+ "domain": ["ray.io"]
+ }
+}
From 8bee4a95e0659c40ea2ad8449f26d76a92f54a25 Mon Sep 17 00:00:00 2001
From: juju4
Date: Sun, 7 Apr 2024 05:23:32 +0000
Subject: [PATCH 2/4] remove generic python process_name
---
 definitions/hackingai.json | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/definitions/hackingai.json b/definitions/hackingai.json
index fb13878..97b6d45 100644
--- a/definitions/hackingai.json
+++ b/definitions/hackingai.json
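Review bot: The two `ipaddr` values added under h2o.ai are multicast group addresses — 228.246.114.236 lies in the IPv4 multicast block 224.0.0.0/4 and ff05:0:3ff6:72ec:0:0:3ff6:72ec is IPv6 site-local-scope multicast — so this indicator presumably describes on-segment cluster-discovery chatter rather than a remote endpoint, and it only produces a hit if the EDR's network telemetry records multicast sends at all, which is worth confirming per platform before relying on it. JSON carries no comments, so that intent is invisible to the next maintainer; if the definition schema has a description field, record it there, otherwise in the repository docs. The `"h2o"` entry in the h2o.ai `cmdline` list is a three-character token that, if entries are substring matches as `"/h2o_"` suggests, also matches the unrelated H2O HTTP server and any path containing those letters — the same false-positive exposure PATCH 4/4 removes for `"ray"`; PATCH 2/4 and PATCH 3/4 keep it as context, so the cleanup is incomplete without `"cmdline": ["h2o-driver.jar", "h2odriver.jar", "/h2o_"],`. Minor: the blank lines after `{` and after the mlflow `process_name` list, and the missing space in `"ipaddr":[`, diverge from the formatting of the rest of the file.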
@@ -1,18 +1,11 @@ { "mlflow": { - "process_name": ["python*.exe", - "python*", - "pip*"], - "cmdline": ["mlflow"], "domain": ["mlflow.org"] }, "h2o.ai": { - "process_name": ["python*.exe", - "python*", - "pip*", - "java*", + "process_name": ["java*", "hadoop*"], "cmdline": ["h2o-driver.jar", "h2odriver.jar", "h2o", "/h2o_"], "domain": ["h2o.ai", "h2o-release.s3.amazonaws.com"], @@ -22,10 +15,7 @@ ] }, "ray.io": { - "process_name": ["python*.exe", - "python*", - "pip*", - "gcs_server", "raylet"], + "process_name": ["gcs_server", "raylet"], "cmdline": ["ray", "gcs_server", "ray/_private/log_monitor.py", "ray/_private/runtime_env/agent/main.py", "ray/autoscaler/_private/monitor.py", "ray/_private/workers/default_worker.py", "ray/dashboard/dashboard.py", "ray/raylet/raylet"], "domain": ["ray.io"] } From 0004cbb618b6e6f939d2fb3889bdac9ad945bbcb Mon Sep 17 00:00:00 2001 From: Julien Date: Sun, 12 May 2024 14:52:16 +0700 Subject: [PATCH 3/4] Remove non-unique java process names Co-authored-by: Cori Smith <74794990+rc-csmith@users.noreply.github.com> --- definitions/hackingai.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/definitions/hackingai.json b/definitions/hackingai.json index 97b6d45..ef453b6 100644 --- a/definitions/hackingai.json +++ b/definitions/hackingai.json @@ -5,8 +5,6 @@ "domain": ["mlflow.org"] }, "h2o.ai": { - "process_name": ["java*", - "hadoop*"], "cmdline": ["h2o-driver.jar", "h2odriver.jar", "h2o", "/h2o_"], "domain": ["h2o.ai", "h2o-release.s3.amazonaws.com"], "ipaddr":[ From 2754ea04bdea3986cccdfa2abbc742108b0cea51 Mon Sep 17 00:00:00 2001 From: Julien Date: Sun, 12 May 2024 14:52:50 +0700 Subject: [PATCH 4/4] Removing ray short string Co-authored-by: Cori Smith <74794990+rc-csmith@users.noreply.github.com> --- definitions/hackingai.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/definitions/hackingai.json b/definitions/hackingai.json index ef453b6..7358019 100644 --- a/definitions/hackingai.json 
+++ b/definitions/hackingai.json
@@ -14,7 +14,7 @@
 },
 "ray.io": {
 "process_name": ["gcs_server", "raylet"],
- "cmdline": ["ray", "gcs_server", "ray/_private/log_monitor.py", "ray/_private/runtime_env/agent/main.py", "ray/autoscaler/_private/monitor.py", "ray/_private/workers/default_worker.py", "ray/dashboard/dashboard.py", "ray/raylet/raylet"],
+ "cmdline": ["gcs_server", "ray/_private/log_monitor.py", "ray/_private/runtime_env/agent/main.py", "ray/autoscaler/_private/monitor.py", "ray/_private/workers/default_worker.py", "ray/dashboard/dashboard.py", "ray/raylet/raylet"],
 "domain": ["ray.io"]
 }
 }
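Review bot: The `cmdline` entries that remain on the new line are POSIX-style relative paths (`ray/_private/log_monitor.py`, `ray/raylet/raylet`, …), so on a Windows host, where the worker command line would carry `ray\_private\log_monitor.py`, none of them match unless the matcher normalises path separators; PATCH 1/4 listed `python*.exe`, which suggests Windows coverage was intended, and PATCH 2/4 removed it without adding a Windows-form pattern. If the matcher does not normalise separators, either add the backslash forms alongside the existing ones or document that this definition is Linux/macOS-only, so the gap is a known decision rather than a silent miss.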