
adding Trellix EDR (mcafee) #5

Merged
merged 5 commits into from
Apr 26, 2023

Conversation

mthcht
Contributor

@mthcht mthcht commented Apr 19, 2023

No description provided.

@tsale
Owner

tsale commented Apr 19, 2023

Thank you very much for submitting this proposal @mthcht! Could you please include the below information so we can validate before merging?

  1. Does Trellix EDR align with our definition of telemetry? (definition here)
  2. Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee)
  3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

Thanks again!

@mthcht
Contributor Author

mthcht commented Apr 19, 2023


  1. Yes Trellix EDR does align with your definition of telemetry
  2. Unfortunately, I wasn't able to obtain EDR documentation from the vendor. However, I did collect the telemetry using Trellix's API, which can be found at https://developer.manage.trellix.com/mvision/apis/searches (where we can find most of the fields)

Here are the EventTypes present in my logs:

  • Account Changed
  • Account Created
  • Account Deleted
  • Account Disabled
  • Account Enabled
  • Api
  • COM Api
  • Code Injected
  • Code Injection
  • Context Changed
  • DNS Query
  • Epp File Scan
  • Epp Process Response
  • Epp Process Scan
  • File Attribute Changed
  • File Created
  • File Deleted
  • File Executed
  • File Modified
  • File Moved
  • File Read
  • Image Loaded
  • NamedPipe Connected
  • Network Accessed
  • Password Reset
  • Process Accessed
  • Process Created
  • Process Hollowed
  • Process Reputation Changed
  • RegKey Created
  • RegKey Deleted
  • RegKey Read
  • RegValue Created
  • RegValue Deleted
  • RegValue Modified
  • ScheduledTask Changed
  • Script Executed
  • Service Changed
  • SysInfo
  • User Login
  • User Logout
  • Username Changed
  • WMI Activity
  3. If necessary, I can provide logs for the 43 categories, but it will take some time for me to anonymize the content, as almost every field contains sensitive data. Please let me know if you require these logs, and I will get to it.

@tsale
Owner

tsale commented Apr 19, 2023

This is great! Please give me some time to review and I'll reach out if I have any questions 🙂

@tsale
Owner

tsale commented Apr 20, 2023

Hey @mthcht, unfortunately, the link you provided me of the API documentation does not include a definitive answer to the fields we are looking for. It would be great if you can provide some sanitized data to me on a private channel.

I will also try to do some testing myself if I manage to get a trial of the product. I will have to reach out to Trellix for that.

@mthcht
Contributor Author

mthcht commented Apr 20, 2023

@tsale here is a raw log extract for each EventType I have:

Account Changed
{"eventType": "Account Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "01eb704f-3b7d-4965-83ec-5c9d725fd0d6", "traceId": "27bbdca8-e76c-4287-8d93-31f9ad0412be", "contextTraceId": "da67763a-854d-412c-a66f-edcca0eeb3d4", "pid": 1076, "it": 1, "time": "2023-04-19T16:08:47.129Z", "uniqueRuleId": 1, "ppid": 1076, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4738, "user": {"adminType": 0, "domain": "HIDDEN22958", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22958$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T16:08:53Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Created
{"eventType": "Account Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4644b033d0", "traceId": "49054632-69cd-4e34-8292-bd6eb30d4003", "contextTraceId": "8480c6d8-c619-4019-9359-fc7a4a9be425", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.515Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4720, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Deleted
{"eventType": "Account Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3d6a84b3-91fb-41f0-93b1-aa482bc531f6", "traceId": "c61cbd7a-62bc-4186-8b80-6eead86a4710", "contextTraceId": "87a2f691-5fbb-49b5-8417-ce551000e23d", "pid": 872, "it": 1, "time": "2023-04-19T08:14:25.865Z", "uniqueRuleId": 1, "ppid": 872, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4726, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_kadvAYTV"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:14:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Disabled
{"eventType": "Account Disabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b08de07d-b15f-441a-b143-78c42cb61a78", "traceId": "9b95b0f5-dee6-487c-aaf6-65af35cf3256", "contextTraceId": "873a8979-6c94-4085-872b-ded4c54ee9a9", "pid": 988, "it": 1, "time": "2023-04-18T08:02:43.593Z", "uniqueRuleId": 1, "ppid": 988, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4725, "user": {"adminType": 0, "domain": "HIDDEN22172", "id": "S-1-5-21-HIDDENSID", "name": "defaultuser0"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22172$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T08:05:18Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Enabled
{"eventType": "Account Enabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4645b032d0", "traceId": "859ac34b-348e-44e1-8711-a9c306642202", "contextTraceId": "8480c6d8-c619-4019-9459-fc7a4a9be435", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.530Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4722, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Api
{"eventType": "Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0318c", "traceId": "ea0cf5f2-0adc-4619-8837-4403a69798cd", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747947b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:52.975Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "api": {"name": "FindFirstFile", "data": "HIDDENDATA", "result": "1952366316400", "moduleName": "", "arguments": [], "targetPid": 0}, "uniqueRuleId": 19120, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.APICall"]}

COM Api
{"eventType": "COM Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b62a-7f9bcdd3c4aa", "traceId": "0c46d2d8-f86d-4c7f-88eb-cb977aa78207", "contextTraceId": "4df162be-c064-4b64-b250-41ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.428Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\\Windows\\System32\\cscript.exe", "uniqueRuleId": 4294967295, "comApis": [{"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.RegWrite", "args": "\"HKCU\\Software\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy\",\"Unrestricted\",\"REG_SZ\"", "result": ""}, {"flags": 3, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.ExpandEnvironmentStrings", "args": "\"%LOCALAPPDATA%\\HIDDEN_VPN\\script.ps1\"", "result": "\"C:\\Users\\HIDDENUSER\\AppData\\Local\\HIDDEN_VPN\\script.ps1\""}, {"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.Run", "args": "\"powershell.exe -nologo -command C:\\Users\\HIDDENUSER\\AppData\\Local\\HIDDEN_VPN\\script.ps1\",0", "result": ""}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}



Code Injected
{"eventType": "Code Injected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-5368-b63a-7f9bcdd3c4aa", "traceId": "52fc84ae-6d72-49fe-bf65-74265c57224d", "contextTraceId": "4df162be-c064-4b64-b850-41ba1493d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\\Windows\\System32\\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "relatedProcess": {"pid": 6620, "cmdLine": "\"cscript.exe\" C:\\Users\\edubois\\AppData\\Local\\HIDDEN_VPN\\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"lastModificationDate": "2021-09-15T10:42:04.643Z", "creationDate": "2021-09-15T10:42:04.640Z", "md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\\Windows\\System32\\cscript.exe", "size": 161280, "fsattrs": 32, "embedFilename": "cscript.exe", "embedFileVersion": "5.812.10240.16384", "embedProductName": "Microsoft \u00ae Windows Script Host", "embedProductVersion": "5.812.10240.16384", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Code Injection
{"eventType": "Code Injection", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd3c4aa", "traceId": "0e5172ff-98a2-47c8-9d94-3488c6df70c0", "contextTraceId": "4df162be-c064-4b64-b850-42ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\\Windows\\System32\\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "injectedProcessTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd2c4aa", "relatedProcess": {"pid": 6620, "cmdLine": "\"cscript.exe\" C:\\Users\\HIDDENUSER\\AppData\\Local\\HIDDEN_VPN\\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENUSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\\Windows\\System32\\cscript.exe", "size": 161280, "embedFilename": "cscript.exe", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Context Changed
{"eventType": "Context Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "0e9c4e60-49af-451d-b807-39da4003af3d", "traceId": "3ce0bbe4-92b4-430b-996e-cc32cfe99837", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e3bf69", "pid": 5164, "it": 1, "time": "2023-04-19T18:46:31.739Z", "pSha2": "5A5C59646969CE0D99B05556CEA793F9F89A019BE4D66D8C9A1AF9EED699AC89", "ppid": 5164, "pFullName": "C:\\Windows\\System32\\spoolsv.exe", "reason": 1, "relatedTraceId": "ba434310-89f5-4749-9cc2-b9df78bc18d3", "relatedProcess": {"pid": 5164, "cmdLine": "C:\\WINDOWS\\System32\\spoolsv.exe", "processName": "spoolsv.exe", "integrity": 4, "user": {"domain": "NT AUTHORITY", "id": "S-1-5-18", "name": "NT AUTHORITY\\SYSTEM"}, "procFileAttrs": {"md5": "3BCB8517038CACDF2F2498E1D0F80544", "sha1": "F8D8AC37C3C194F8C8EF052FF46C19CBB65361D5", "sha256": "5A5C59646969CE0D99B05556CEA793F9F89A019BE5D66D8C9A1AF9EED699AC89", "fileType": "PE", "name": "spoolsv.exe", "path": "C:\\Windows\\System32\\spoolsv.exe", "size": 929792, "embedFilename": "spoolsv.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "tdmRuleIds": [112, 100003, 99999], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:47Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

DNS Query
{"eventType": "DNS Query", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c6fc0e114ff7", "traceId": "e76f265c-cb4a-4ab2-9857-b04bfeb0aebb", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.903Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\\Users\\rtadjer\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "dns": {"name": "HIDDEN.trouter.teams.microsoft.com", "type": 1}, "uniqueRuleId": 19112, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.DNSQuery"]}

Epp File Scan
{"eventType": "Epp File Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "ee75a850-7bf9-44f4-8623-c26aaad762ed", "traceId": "e24fd01c-4eeb-453d-a688-09bbee345095", "contextTraceId": "4df162be-c064-4b64-b850-41ba1495d6d2", "pid": 2256, "it": 1, "time": "2023-04-19T14:22:58.726Z", "pSha2": "20330D3CA71D58F4AEB432676CB6A3D5B97005954E45132FB083E90782EFDD50", "ppid": 2256, "pFullName": "C:\\Windows\\System32\\backgroundTaskHost.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "NativeHostNE.dll", "path": "C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.23022.140.0_x64__8wekyb3d8bbwe\\NativeHostNE.dll", "size": 0}, "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:23:19Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Epp Process Response
{"eventType": "Epp Process Response", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "a65892eb-990a-407c-89d1-7f4a25aab465", "traceId": "c6e24a8f-004b-4f15-b3d6-aa752b3b2812", "contextTraceId": "0a3768eb-d606-4282-8466-201fd8596be1", "pid": 9492, "time": "2023-04-19T18:36:46.512Z", "pSha2": "FC6BA3C701AFBEB082BA25F677FE47A0D3225465AF02C50E2AC2B10728E9D89E", "ppid": 9492, "pFullName": "C:\\Windows\\CCM\\CcmExec.exe", "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 1, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:36:52Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.EPP_Response"]}

Epp Process Scan
{"eventType": "Epp Process Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e74be1a-90b5-466e-aff3-652aa73d0216", "traceId": "46bfe244-cfa7-41ef-99a8-ec354fdc38f7", "contextTraceId": "300409fb-6c49-4bf0-832d-205265b6d9d1", "pid": 12300, "it": 1, "time": "2023-04-19T18:26:16.293Z", "pSha2": "B5DDC370739579D2EE7C8A1284D4C83F15F4CF662893FDA55854D03B99AA2685", "ppid": 12300, "pFullName": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.898_none_6b467c06908d3d29\\TiWorker.exe", "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:26:41Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

File Attribute Changed
{"eventType": "File Attribute Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37434aab53f", "traceId": "337454e9-dbe6-46d6-999d-c6647f406410", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-742957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:40.875Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "uniqueRuleId": 7, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.739Z", "creationDate": "2023-04-19T17:49:40.873Z", "md5": "9D04081293A783441ED1133888E8721C", "sha1": "2F688EFBC6ACEA6B5E6C172EB4AE7A41A2FB3C05", "sha256": "1C3DBA99D46303A00D83DEDDAEEE6988BB9E0E97F8D02925D2270A1B539157D1", "fileType": "PE", "name": "MFC90CHS.DLL", "path": "C:\\$WINDOWS.~BT\\Work\\MachineSpecific\\Working\\agentmgr\\CCSIAgent\\005A53BA\\SxsAsm38\\MFC90CHS.DLL", "size": 35664, "fsattrs": 8224, "fsattrsChanged": 2, "embedFilename": "MFC90CHS.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}

File Created
{"eventType": "File Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-43ec-9659-f37432aab53f", "traceId": "2b98410e-fea4-420d-98da-1220479161fe", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b490d", "pid": 4160, "time": "2023-04-19T17:49:40.861Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.108Z", "creationDate": "2023-04-19T17:49:40.858Z", "md5": "CDBE9690CF2B8409FACAD94FAC9479C9", "sha1": "4BCDFE2C1B354645314A4CE26B55B2B1A0212DB9", "sha256": "8E7FE1A1F3550C479FFD86A77BC9D10686D47F8727025BB891D8F4F0259354C8", "fileType": "PE", "name": "msvcr90.dll", "path": "C:\\$WINDOWS.~BT\\Work\\MachineSpecific\\Working\\agentmgr\\CCSIAgent\\005A54BA\\SxsAsm37\\msvcr90.dll", "size": 653136, "fsattrs": 8224, "embedFilename": "MSVCR90.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}

File Deleted
{"eventType": "File Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "e3c8e545-3d68-4d75-9168-f332c3b72b3e", "traceId": "447205ad-ea41-4ad0-b0ee-a3b1eebd486b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b3c90d", "pid": 3872, "time": "2023-04-19T17:54:22.517Z", "pSha2": "823523E1B4BF1DBFF1CA7E65C67483B2260F13AD4AB61F6131F84D5B8DBE985F", "ppid": 3872, "pFullName": "C:\\Windows\\System32\\drvinst.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-03-11T18:46:14.000Z", "creationDate": "2022-03-11T18:46:14.000Z", "md5": "", "sha1": "", "sha256": "2B7FDFAD42885DD4FFED2BF0EE0FD810FD6D2C3F21567513FB2ACF296CD80016", "fileType": "PE", "name": "igdumdim32.dll", "path": "C:\\Windows\\System32\\DriverStore\\FileRepository\\iigd_dch_d.inf_amd64_07f5935d7ce74872\\igdumdim32.dll", "size": 1569160, "fsattrs": 128}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}

File Executed
{"eventType": "File Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "7eec0405-02a9-4391-a213-3d221308f33e", "traceId": "e89bdf24-e752-487e-a423-a2d55766db0b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c9d", "pid": 4960, "it": 1, "time": "2023-04-19T17:55:18.886Z", "pSha2": "A00790D3844F6A2DC3767945124FECCBBFC15E7654E53C2FD38D660DD1A91733", "ppid": 4960, "pFullName": "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JUNS\\PulseSecureService.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "salib_OSSL.dll", "path": "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JUNS\\salib_OSSL.dll", "size": 0, "fsattrs": 128}, "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 6, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}

File Modified
{"eventType": "File Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "df9f1187-be22-45ba-862e-b678750434af", "traceId": "4974570a-8542-4ef9-b038-850b3503ac7a", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 1388, "time": "2023-04-19T17:50:07.640Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 1388, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T17:42:08.114Z", "creationDate": "2022-08-25T18:56:09.172Z", "md5": "23A09C342E04E45BE828409B39DB0A5D", "sha1": "C1D03FDE664C1EB522EA72BEF31F7DCFC4D20EE0", "sha256": "7846F5D43BBC99701B558E9737E654348855CB7FA6A0403739AEA63908099E7E", "name": "setuperr.log", "path": "C:\\Windows\\setuperr.log", "size": 495, "fsattrs": 32, "mhdr": "efbbbf323032332d"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}

File Moved
{"eventType": "File Moved", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "6efe949e-59ff-4f92-b736-a41e3bfd64c4", "traceId": "d7cf9750-0945-4fa6-99f6-f4ed00988881", "contextTraceId": "c49554af-b28f-4d43-b49a-89b935df02eb", "pid": 14856, "it": 1, "time": "2023-04-19T15:05:54.741Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 14856, "pFullName": "C:\\Users\\HIDDENUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T14:14:48.977Z", "creationDate": "2020-03-17T15:39:36.625Z", "md5": "DFA84FC7A9620554D263AFDE3073753C", "sha1": "BEB95A2255EB67B0A71310156677AAA67926AD7D", "sha256": "B26968E75201C2AE4908ECB3C23CB361B9E08C53780AFAA682F4BDDAD5B4A069", "name": "a55ed4fbb973aefb.customDestinations-ms", "path": "C:\\Users\\HIDDENUSER\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\a54ed4fbb973aefb.customDestinations-ms", "newFilePath": "C:\\Users\\HIDDENUSER\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\a54ed4fbb973aefb.customDestinations-ms~RF6c135fa.TMP", "size": 10512, "fsattrs": 32}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}

File Read
{"eventType": "File Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c20a0218c", "traceId": "ab9be903-4b85-4338-81c0-507c71e1fa7d", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-737957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.548Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "uniqueRuleId": 5, "fileAttributes": {"lastModificationDate": "2023-04-19T17:51:53.544Z", "creationDate": "2023-04-19T17:51:53.543Z", "md5": "D17FE0A3F47BE24A6453E9EF58C94641", "sha1": "6AB83620379FC69F80C0242105DDFFD7D98D5D9D", "sha256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7", "name": "__PSScriptPolicyTest_2yelgbav.p0r.ps1", "path": "C:\\Windows\\Temp\\__PSScriptPolicyTest_2yelgbav.p0r.ps1", "size": 60, "fsattrs": 32, "mhdr": "2320506f77657253"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptCreated"]}

Image Loaded
{"eventType": "Image Loaded", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "722b8348-1566-4315-a160-e37c17b6d06b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-727957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.501Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "uniqueRuleId": 18, "modules": [{"sha256": "0C3793703087C34745609D4DB2683750560FFF7A6BD04D618BC4BD4BC55E5106", "name": "C:\\WINDOWS\\SYSTEM32\\BCRYPT.DLL", "loadTime": "2023-04-19T17:51:53.501Z", "vtpPrivileges": 1, "fsattrs": 32}, {"sha256": "1F996574F38219CDD848375F517F8D86E17542BC84D64CCE63AA0C64CC15F22D", "name": "C:\\WINDOWS\\SYSTEM32\\WS2_32.DLL", "loadTime": "2023-04-19T17:51:53.599Z", "vtpPrivileges": 1, "fsattrs": 32}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoadedDLLs"]}

NamedPipe Connected
{"eventType": "NamedPipe Connected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d7114add-5126-4b2a-893e-20a248182832", "traceId": "35c96280-b766-40b8-9608-74a32387f22e", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b2c90d", "pid": 2104, "it": 1, "time": "2023-04-19T17:55:20.448Z", "pSha2": "27412E8CDEBB7F3E645454ED1BEE0EBB04C976BC8946698EF8CE4C664B63B3C0", "ppid": 2104, "pFullName": "C:\\Program Files\\ForeScout SecureConnector\\SecureConnector.exe", "uniqueRuleId": 4, "pipe": {"name": "\\\\.\\pipe\\_FSA_TMP_6544_643E4C1F_0002PERFORMER_CNTL"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Network Accessed
{"eventType": "Network Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c4fc0e112ff7", "traceId": "24264358-6a18-43ac-ab02-5d5a89c74bbc", "contextTraceId": "5537a2e8-1a88-44f3-9d1f-747957b6c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.935Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\\Users\\HIDDENUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "uniqueRuleId": 19103, "network": {"accessType": "connection_opened", "direction": "outbound", "dstIp": "127.0.0.1", "dstPort": 53574, "srcIp": "127.0.0.1", "srcPort": 53573, "protocol": "tcp", "dnsNames": ["gearssdk.HIDDEN.com"]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NetworkConnection"]}

Password Reset
{"eventType": "Password Reset", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "85056462-75dc-4eb9-935d-e22da7674050", "traceId": "cda5b2be-4636-41f3-988f-f009d2697f6d", "contextTraceId": "252fcdc6-95dc-4437-924c-1e1a740f4d03", "pid": 868, "it": 1, "time": "2023-04-14T15:43:09.634Z", "uniqueRuleId": 1, "ppid": 868, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4724, "user": {"adminType": 0, "domain": "HIDDEN230171", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN230171$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-14T15:43:33Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Process Accessed
{"eventType": "Process Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "ea0291b7-5854-4235-b710-0a1528849534", "traceId": "2d9ae548-3eda-4e6a-9ae7-829f2a94c55e", "contextTraceId": "c49554af-b28f-4d43-b49a-84b932df02eb", "pid": 18572, "it": 1, "time": "2023-04-19T16:10:31.049Z", "pSha2": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "ppid": 18572, "pFullName": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "uniqueRuleId": 19114, "accessType": 16, "relatedProcess": {"pid": 6448, "cmdLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=fr --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3944 --field-trial-handle=2252,i,15327557186177104925,6464273188186216104,131072 /prefetch:8", "processName": "msedge.exe", "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "BECC2E4F21743168C59876A6BAD0E74A", "sha1": "9EF706CD46650B807255FE7752599520C7E6BEE4", "sha256": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "fileType": "PE", "name": "msedge.exe", "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "size": 4139936, "embedFilename": "msedge.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "integrity": 1}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T16:11:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Process Created
{"eventType": "Process Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f65d9571093", "traceId": "df9f1147-be22-45ba-862e-b678730434af", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 1388, "time": "2023-04-19T17:50:07.579Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4180, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\SetupHost.exe", "cmdLine": "\"C:\\$WINDOWS.~BT\\Sources\\mighost.exe\" {HIDDENSID} /InitDoneEvent:MigHost.{HIDDENSID}.Event /ParentPID:4180", "processName": "mighost.exe", "integrity": 4, "user": {"domain": "AUTORITE NT", "id": "S-1-5-18", "name": "Syst\u00e8me"}, "procFileAttrs": {"creationDate": "2023-04-19T17:31:50.338Z", "md5": "A29006724D36A128C8471BC463ECA83A", "sha1": "6518BFC3B22E82E94F6C404B33AD9BE9B5162FB2", "sha256": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "name": "mighost.exe", "path": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "size": 279896, "embedFilename": "MigHost.exe", "embedFileVersion": "10.0.22621.1 (WinBuild.160101.0800)", "embedProductName": "Microsoft\u00ae Windows\u00ae Operating System", "embedProductVersion": "10.0.22621.1", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "parentsTraceId": ["261c5c80-d583-43b2-a1d9-3f65d9571094", "6bbc10bf-abad-4cf2-ba43-c19f415ffb51", "9d81e708-c5db-4b71-a9ca-2f39d1ed77ba", "cf5e5a2f-5f39-45de-b2fc-c07742e1a724", "d9a8593c-49c5-4698-8ea2-f4d554f21358", "afa7552d-7f45-46a0-a590-d2dd01fa9479", "e4c78c17-8878-4c5b-9b93-10c15fa23986"], "tdmRuleIds": [110, 100000, 100003], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ProcessCreated"]}

Process Hollowed
{"eventType": "Process Hollowed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "37e0d41f-dfec-41c0-a36d-9d7310a77bd3", "traceId": "933ab594-0167-4f88-b858-c6c042bf146c", "contextTraceId": "c49554af-b28f-4d43-b49a-89b934df02eb", "pid": 26384, "it": 1, "time": "2023-04-19T20:25:31.329Z", "pSha2": "5BB79BEEF24F2254DBFA1F53078483AF9DD9D4506508FEE886F21847F7DFF504", "ppid": 26384, "pFullName": "C:\\Users\\HIDDENUSER\\AppData\\Local\\Seclore\\FileSecure\\Desktop Client\\X64\\FSDC64.exe", "hollowInfo": {"targetPid": 2488, "targetTraceId": "b7bf6bc1-9eb4-44e1-8fc6-712142573792", "originalIp": 0, "finalIp": 0, "apis": [10, 2, 14]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T20:25:44Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Process Reputation Changed
{"eventType": "Process Reputation Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "751c64e7-d243-4757-a7dc-5f113e75aa35", "traceId": "8eb5b562-5f6a-4ded-ae5f-bef61a0bbbf2", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 4228, "it": 1, "time": "2023-04-19T17:54:53.574Z", "pSha2": "2198A7B58BCCB758036B969DDAE6CC2ECE07565E2659A7C541A313A0492231A3", "ppid": 4228, "pFullName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "reputation": {"reputation": 85, "productId": 514, "reason": 2, "data": "{\"module_filepath\":\"C:\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\System\\\\4fb9160b27f2daa1ec55050bde519fcc\\\\System.ni.dll\",\"module_reputation\":85,\"process_previous_reputation\":99}\n"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

RegKey Created
{"eventType": "RegKey Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "d8fd4b5b-6757-467d-b9ea-634dd2be5424", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.420Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "registry": {"regKeyName": "HKLM\\SYSTEM\\SETUP\\UPGRADE\\PNP\\CURRENTCONTROLSET\\CONTROL\\DEVICEMIGRATION\\DEVICES\\USB\\VID_17E9&PID_6015&MI_02\\7&1D07AD4B&0&0002\\INTERFACES\\{HIDDENSID}#PCM_IN_05_00\\DEVICE\\EP\\0"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

RegKey Deleted
{"eventType": "RegKey Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f34432aab53f", "traceId": "cc3dd5d2-8db2-4822-8032-0948e1f67779", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747457b6c90d", "pid": 4160, "time": "2023-04-19T17:49:34.130Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "registry": {"regKeyName": "HKLM\\SYSTEM\\SETUP\\UPGRADE\\PNP\\TEMP\\NDI\\PARAMS\\UAPSDSUPPORT"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:00Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

RegKey Read
{"eventType": "RegKey Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b7f8e1db-b86e-4a95-9b0f-360d5b9f6244", "traceId": "e27fb183-897e-49e8-be43-c76ba90f8370", "contextTraceId": "10ab02e8-c043-4ea4-9c2c-41a805ac0a7e", "pid": 22064, "it": 1, "time": "2023-02-15T06:31:52.915Z", "pSha2": "9179048992E0FBB51CFA7E42EF65074661295B6B155BDD60DE47AA684D82F4FD", "ppid": 22064, "pFullName": "C:\\Windows\\System32\\mmc.exe", "registry": {"regKeyName": "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\CANARYCERTSTORE\\"}, "response": {"action": 1, "description": "HIDDENDOMAIN\\HIDDENUSERNAME a ex\u00e9cut\u00e9 C:\\Windows\\System32\\mmc.exe, qui tentait d'acc\u00e9der \u00e0 HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\CANARYCERTSTORE\\, d'une mani\u00e8re contraire \u00e0 la r\u00e8gle \u00ab Protection essentielle - Prot\u00e9ger les cl\u00e9s et valeurs de Registre McAfee essentielles \u00bb, et a \u00e9t\u00e9 bloqu\u00e9. Pour obtenir de plus amples informations sur la mani\u00e8re de r\u00e9pondre \u00e0 cet \u00e9v\u00e9nement, voir KB85494.", "ruleId": "PROTECT_MCAFEE_REG_VALUE1", "operation": 3, "productId": 513, "reason": 6}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-02-15T06:32:09Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

RegValue Created
{"eventType": "RegValue Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "5ae2323c-98cc-4020-ad3f-8d0e25de9f95", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.421Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "registry": {"keyName": "HKLM\\SYSTEM\\SETUP\\UPGRADE\\PNP\\CURRENTCONTROLSET\\CONTROL\\DEVICEMIGRATION\\DEVICES\\USB\\VID_17E9&PID_6015&MI_02\\7&1D07AD2B&0&0004\\INTERFACES\\{HIDDENSID}#PCM_IN_05_00\\DEVICE", "keyValueName": "FRIENDLYNAME", "keyValueType": "REG_SZ", "keyValue": "Lenovo USB Audio"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

RegValue Deleted
{"eventType": "RegValue Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "d162fb4b-1c6b-41e5-9458-a0d5be22deae", "contextTraceId": "5537a2e8-1a38-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:38.131Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "registry": {"keyName": "HKLM\\SYSTEM\\SETUP\\UPGRADE\\PNP\\TEMP", "keyValueName": "DISABLESETUPDICHANGESTATE"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:31Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

RegValue Modified
{"eventType": "RegValue Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f45d9571094", "traceId": "efff6774-159e-424c-85b3-cd570e3b6d22", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747958b6c90d", "pid": 4180, "time": "2023-04-19T17:50:07.139Z", "pSha2": "7538940533F3B531D2FF8B57D79C01C475BB457FA5103E5A0D4AFADB728702C6", "ppid": 4180, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\SetupHost.exe", "registry": {"keyName": "HKLM\\SYSTEM\\SETUP\\MOSETUP\\VOLATILE", "keyValueName": "SETUPPROGRESS", "keyValueType": "REG_DWORD", "keyValue": "64", "keyOldValue": "51"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

ScheduledTask Changed
{"eventType": "ScheduledTask Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d57e9fa6-7967-45b5-a54e-468f5c2be4db", "traceId": "b5a8f55e-3d1b-464c-84c8-ac4791366f22", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e4bf69", "pid": 7392, "time": "2023-04-19T18:46:06.775Z", "pSha2": "949BFB5B4C7D58D92F3F9C5F8EC7CA4CEAFFD10EC5F0020F0A987C472D61C54B", "ppid": 7392, "pFullName": "C:\\Windows\\System32\\svchost.exe", "uniqueRuleId": 30, "action": "deleted", "schedtask": {"name": "Microsoft\\Windows\\MemoryDiagnostic\\DecompressionFailureDetector"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScheduledTaskRegistered"]}

Script Executed
{"eventType": "Script Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "5179615b-3a3f-49e4-8e27-2d1966deed68", "contextTraceId": "5537a2e8-1a88-43f3-8d1f-747957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.536Z", "uniqueRuleId": 28001, "ppid": 23856, "pFullName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "scriptType": "powershell", "scripts": [{"timestamp": "2023-04-19T17:51:53.536Z", "length": 391, "hash": "40D27F34C4D18A9A07D13655FFE2738D3B19975A4FAC8192C6ABAE55319A91B9", "intentions": [{"name": "action:Object/Select", "lines": ["[...]52428800') -or ($_.BytesFromPeers -ne '0') -or (($_.BytesFromCacheServer -ne '0') -and ($_.BytesFromCacheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInforma[...]"]}, {"name": "action:Xml/ConvertTo", "lines": ["[...]cheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInformation"]}, {"name": "observable:network.url.http", "lines": ["Get-DeliveryOptimizationStatus | where-object {($_.Sourceurl -CLike 'http://HIDDEN:8005*') -AND (($_.FileSize -ge '52428800') -or ($_.BytesFromPeers -ne '0') -or (($_.BytesFromCacheServer -ne '0') -and[...]"]}]}], "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:03Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptExecuted"]}

Service Changed
{"eventType": "Service Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "ff683f3a-7433-4122-8478-80560270cf1a", "contextTraceId": "5537a2e8-1a88-43f3-9c1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:12.567Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "uniqueRuleId": 16, "action": "deleted", "service": {"name": "BTHPORT"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:50:56Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ServiceChanged"]}

SysInfo
{"eventType": "SysInfo", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "0a3fc885-44c0-487d-951a-65ac7bdd2ab2", "contextTraceId": "3e1cbf79-f99f-48f8-8db0-6112de4ee587", "time": "2023-04-19T18:55:21.807Z", "os": {"desc": "Windows 11", "major": 10, "minor": 0, "build": 22621, "sp": ""}, "ifaces": [{"name": "Ethernet", "mac": "6c:24:08:HIDDEN", "ip": "169.254.39.215", "type": 6}, {"name": "Connexion au r\u00e9seau local* 1", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.133.182", "type": 71}, {"name": "Wi-Fi", "mac": "54:6c:eb:HIDDEN", "ip": "192.168.1.34", "type": 71}, {"name": "Connexion r\u00e9seau Bluetooth", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.228.207", "type": 6}], "bootTime": "2023-04-19T18:54:53.057Z", "domain": "HIDDENDOMAIN.lan", "cv": 1408, "pv": 0, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:55:54Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "it": 1}

User Login
{"eventType": "User Login", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "8010fadb-6402-4977-9279-db7a61bd8aed", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df02eb", "time": "2023-04-19T15:05:52.023Z", "uniqueRuleId": 1, "eventId": 4624, "success": true, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182954904}, "networkInfo": {"workstationName": "HIDDEN29451", "ipAddress": "127.0.0.1", "ipPort": 0}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}

User Logout
{"eventType": "User Logout", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "91acc5be-d782-4ea9-9181-ada93c91ba45", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df04eb", "time": "2023-04-19T15:05:52.027Z", "uniqueRuleId": 1, "eventId": 4634, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182952904}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}

Username Changed
{"eventType": "Username Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9b0fcb12-5182-4877-98b4-6b0eb9c5d16f", "traceId": "a71c4d2e-1ad5-4d84-bd23-ffe0ff6476fa", "contextTraceId": "cd64419d-1e3d-4576-af0f-32387fce4c71", "pid": 660, "it": 1, "time": "2023-04-18T07:54:28.337Z", "uniqueRuleId": 1, "ppid": 660, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4781, "user": {"adminType": 0, "domain": "HIDDEN22703", "id": "S-1-5-21-HIDDEN", "name": "Invit\u00e9", "newName": "HIDDEN_invit\u00e9"}, "userInitiator": {"adminType": 0, "domain": "HIDDEN", "id": "S-1-5-18", "name": "HIDDEN22703$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T07:54:40Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

WMI Activity
{"eventType": "WMI Activity", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e832285-a165-4126-8d73-fe112095bb60", "traceId": "2611f0a8-8c60-4f94-8f99-6b07b146a45b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c70d", "pid": 15260, "time": "2023-04-19T17:45:09.423Z", "uniqueRuleId": 27000, "wmi": {"type": 1, "operation": "Start IWbemServices::CreateClassEnum - root\\subscription : ", "evid": 11}, "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 15260, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:45:20Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.WMIActivity"]}
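All of the sanitised events above share one envelope (eventType, traceId, parentTraceId, pFullName, tags) and keep the object acted upon under a type-specific key (registry, schedtask, service, scripts, hollowInfo, ...). As an added example, not code from this pull request or from Trellix, the Python normaliser below flattens such JSON lines into one record per event, maps the @AC.* tags to coarse telemetry categories, pulls out the per-type target, and walks parentTraceId back to the spawning trace; the sample lines, host, trace ids, paths and hashes inside it are constructed, and the trace-id lineage model is an assumption read off these samples.

```python
"""Flatten Trellix EDR (MAR) trace events, as returned by the MVISION searches
API, into one normalised record per line and link them by trace id."""
import json

# Coarse telemetry category per @AC.* tag observed in the thread's samples.
TAG_CATEGORY = {
    "@AC.ProcessCreated": "process", "@AC.ASEPCreatedOrModified": "registry",
    "@AC.ScheduledTaskRegistered": "scheduled_task", "@AC.ServiceChanged": "service",
    "@AC.ScriptExecuted": "script", "@AC.UserAccount": "account",
    "@AC.LoginLogout": "logon", "@AC.WMIActivity": "wmi", "@AC.PECreated": "file",
    "@AC.DNSQuery": "dns", "@AC.APICall": "api", "@AC.EPP_Response": "epp_response",
}
# Event types that carry no tags in the samples are classified by name.
EVENTTYPE_CATEGORY = {
    "Process Hollowed": "injection", "Code Injection": "injection",
    "Code Injected": "injection", "Process Accessed": "process_access",
    "Process Reputation Changed": "reputation", "SysInfo": "inventory",
}


def categorize(ev):
    for tag in ev.get("tags", []):
        if tag in TAG_CATEGORY:
            return TAG_CATEGORY[tag]
    return EVENTTYPE_CATEGORY.get(ev.get("eventType"), "other")


def target_of(ev):
    """The object acted upon lives under a type-specific key; pick it out."""
    if ev.get("eventType") == "Process Created":
        # In the samples pFullName is the parent image; the child is in cmdLine.
        return ev.get("cmdLine") or ev.get("processName", "")
    reg = ev.get("registry")
    if reg:
        key = reg.get("regKeyName") or reg.get("keyName", "")
        value = reg.get("keyValueName")
        return f"{key}\\{value}" if value else key
    for k in ("schedtask", "service", "dns"):
        if k in ev:
            return ev[k].get("name", "")
    if "hollowInfo" in ev:
        return f"pid:{ev['hollowInfo'].get('targetPid')}"
    if "relatedProcess" in ev:
        return ev["relatedProcess"].get("cmdLine", "")
    if "fileAttributes" in ev:
        return ev["fileAttributes"].get("path", "")
    if "user" in ev:
        return f"{ev['user'].get('domain', '')}\\{ev['user'].get('name', '')}"
    return ""


def normalize(line):
    ev = json.loads(line)  # also decodes the \u00e9-style escapes in the samples
    scripts = ev.get("scripts", [])
    return {
        "time": ev.get("time"), "host": ev.get("host"),
        "event_type": ev.get("eventType"), "category": categorize(ev),
        "trace_id": ev.get("traceId"), "parent_trace_id": ev.get("parentTraceId"),
        "actor": ev.get("pFullName", ""), "pid": ev.get("pid"),
        "target": target_of(ev),
        "script_hashes": [s.get("hash") for s in scripts],
        "script_intentions": [i["name"] for s in scripts for i in s.get("intentions", [])],
        # Present only when the product acted (the blocked RegKey Read above);
        # the rule id is the field worth alerting on.
        "response_rule": ev.get("response", {}).get("ruleId"),
    }


def build_lineage(records):
    """Return chain(trace_id): the record, the trace that spawned it, and so on.

    Assumption read off the samples: an event's parentTraceId is the traceId of
    the Process Created event of the acting process, whose own parentTraceId
    points one level further up."""
    by_trace = {r["trace_id"]: r for r in records if r["trace_id"]}

    def chain(trace_id):
        out, seen = [], set()
        while trace_id in by_trace and trace_id not in seen:
            seen.add(trace_id)
            out.append(by_trace[trace_id])
            trace_id = by_trace[trace_id]["parent_trace_id"]
        return out

    return chain


# Constructed sample lines shaped like the thread's events; trace ids, host,
# hashes and paths are hypothetical.
SAMPLE_LINES = [
    r'{"eventType": "Process Created", "host": "WS01", "traceId": "aaaa-0001", "parentTraceId": "00000000-0000-0000-0000-000000000000", "pid": 4180, "ppid": 1000, "time": "2023-04-19T17:50:06.000Z", "pFullName": "C:\\Windows\\explorer.exe", "cmdLine": "\"C:\\Setup\\SetupHost.exe\"", "processName": "SetupHost.exe", "tags": ["@AC.ProcessCreated"]}',
    r'{"eventType": "Process Created", "host": "WS01", "traceId": "bbbb-0002", "parentTraceId": "aaaa-0001", "pid": 4160, "ppid": 4180, "time": "2023-04-19T17:50:07.579Z", "pFullName": "C:\\Setup\\SetupHost.exe", "cmdLine": "\"C:\\Setup\\mighost.exe\" /ParentPID:4180", "processName": "mighost.exe", "tags": ["@AC.ProcessCreated"]}',
    r'{"eventType": "RegValue Modified", "host": "WS01", "traceId": "cccc-0003", "parentTraceId": "bbbb-0002", "pid": 4160, "ppid": 4160, "time": "2023-04-19T17:50:08.139Z", "pFullName": "C:\\Setup\\mighost.exe", "registry": {"keyName": "HKLM\\SYSTEM\\SETUP\\MOSETUP\\VOLATILE", "keyValueName": "SETUPPROGRESS", "keyValueType": "REG_DWORD", "keyValue": "64", "keyOldValue": "51"}, "tags": ["@AC.ASEPCreatedOrModified"]}',
    r'{"eventType": "Script Executed", "host": "WS01", "traceId": "dddd-0004", "parentTraceId": "eeee-0000", "pid": 23856, "ppid": 23856, "time": "2023-04-19T17:51:53.536Z", "pFullName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "scriptType": "powershell", "scripts": [{"hash": "CONSTRUCTEDHASH01", "intentions": [{"name": "observable:network.url.http", "lines": ["Get-DeliveryOptimizationStatus | where-object {$_.SourceUrl -CLike \u0027http://example.invalid:8005*\u0027}"]}]}], "tags": ["@AC.ScriptExecuted"]}',
    r'{"eventType": "Process Hollowed", "host": "WS01", "traceId": "ffff-0005", "parentTraceId": "bbbb-0002", "pid": 4160, "ppid": 4160, "time": "2023-04-19T17:52:00.000Z", "pFullName": "C:\\Setup\\mighost.exe", "hollowInfo": {"targetPid": 2488, "apis": [10, 2, 14]}}',
    r'{"eventType": "RegKey Read", "host": "WS01", "traceId": "0000-0006", "parentTraceId": "eeee-0000", "pid": 22064, "ppid": 22064, "time": "2023-04-19T17:53:00.000Z", "pFullName": "C:\\Windows\\System32\\mmc.exe", "registry": {"regKeyName": "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\CANARYCERTSTORE\\"}, "response": {"action": 1, "ruleId": "PROTECT_MCAFEE_REG_VALUE1", "description": "acc\u00e8s bloqu\u00e9"}, "tags": ["@AC.ASEPCreatedOrModified"]}',
]
```

Feeding the real API output line by line through `normalize` and then `build_lineage` gives, for any registry, script or hollowing event, the chain of process-creation traces that led to it.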

@mthcht

mthcht commented Apr 20, 2023

@tsale here is an extract for each EventType:

Account Changed
{"eventType": "Account Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "01eb704f-3b7d-4965-83ec-5c9d725fd0d6", "traceId": "27bbdca8-e76c-4287-8d93-31f9ad0412be", "contextTraceId": "da67763a-854d-412c-a66f-edcca0eeb3d4", "pid": 1076, "it": 1, "time": "2023-04-19T16:08:47.129Z", "uniqueRuleId": 1, "ppid": 1076, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4738, "user": {"adminType": 0, "domain": "HIDDEN22958", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22958$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T16:08:53Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Created
{"eventType": "Account Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4644b033d0", "traceId": "49054632-69cd-4e34-8292-bd6eb30d4003", "contextTraceId": "8480c6d8-c619-4019-9359-fc7a4a9be425", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.515Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4720, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Deleted
{"eventType": "Account Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3d6a84b3-91fb-41f0-93b1-aa482bc531f6", "traceId": "c61cbd7a-62bc-4186-8b80-6eead86a4710", "contextTraceId": "87a2f691-5fbb-49b5-8417-ce551000e23d", "pid": 872, "it": 1, "time": "2023-04-19T08:14:25.865Z", "uniqueRuleId": 1, "ppid": 872, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4726, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_kadvAYTV"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:14:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Disabled
{"eventType": "Account Disabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b08de07d-b15f-441a-b143-78c42cb61a78", "traceId": "9b95b0f5-dee6-487c-aaf6-65af35cf3256", "contextTraceId": "873a8979-6c94-4085-872b-ded4c54ee9a9", "pid": 988, "it": 1, "time": "2023-04-18T08:02:43.593Z", "uniqueRuleId": 1, "ppid": 988, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4725, "user": {"adminType": 0, "domain": "HIDDEN22172", "id": "S-1-5-21-HIDDENSID", "name": "defaultuser0"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22172$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T08:05:18Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Enabled
{"eventType": "Account Enabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4645b032d0", "traceId": "859ac34b-348e-44e1-8711-a9c306642202", "contextTraceId": "8480c6d8-c619-4019-9459-fc7a4a9be435", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.530Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4722, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Api
{"eventType": "Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0318c", "traceId": "ea0cf5f2-0adc-4619-8837-4403a69798cd", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747947b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:52.975Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "api": {"name": "FindFirstFile", "data": "HIDDENDATA", "result": "1952366316400", "moduleName": "", "arguments": [], "targetPid": 0}, "uniqueRuleId": 19120, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.APICall"]}

COM Api
{"eventType": "COM Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b62a-7f9bcdd3c4aa", "traceId": "0c46d2d8-f86d-4c7f-88eb-cb977aa78207", "contextTraceId": "4df162be-c064-4b64-b250-41ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.428Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\\Windows\\System32\\cscript.exe", "uniqueRuleId": 4294967295, "comApis": [{"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.RegWrite", "args": "\"HKCU\\Software\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy\",\"Unrestricted\",\"REG_SZ\"", "result": ""}, {"flags": 3, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.ExpandEnvironmentStrings", "args": "\"%LOCALAPPDATA%\\HIDDEN_VPN\\script.ps1\"", "result": "\"C:\\Users\\HIDDENUSER\\AppData\\Local\\HIDDEN_VPN\\script.ps1\""}, {"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.Run", "args": "\"powershell.exe -nologo -command C:\\Users\\HIDDENUSER\\AppData\\Local\\HIDDEN_VPN\\script.ps1\",0", "result": ""}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Code Injected
{"eventType": "Code Injected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-5368-b63a-7f9bcdd3c4aa", "traceId": "52fc84ae-6d72-49fe-bf65-74265c57224d", "contextTraceId": "4df162be-c064-4b64-b850-41ba1493d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\\Windows\\System32\\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "relatedProcess": {"pid": 6620, "cmdLine": "\"cscript.exe\" C:\\Users\\edubois\\AppData\\Local\\HIDDEN_VPN\\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"lastModificationDate": "2021-09-15T10:42:04.643Z", "creationDate": "2021-09-15T10:42:04.640Z", "md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\\Windows\\System32\\cscript.exe", "size": 161280, "fsattrs": 32, "embedFilename": "cscript.exe", "embedFileVersion": "5.812.10240.16384", "embedProductName": "Microsoft \u00ae Windows Script Host", "embedProductVersion": "5.812.10240.16384", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Code Injection
{"eventType": "Code Injection", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd3c4aa", "traceId": "0e5172ff-98a2-47c8-9d94-3488c6df70c0", "contextTraceId": "4df162be-c064-4b64-b850-42ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\\Windows\\System32\\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "injectedProcessTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd2c4aa", "relatedProcess": {"pid": 6620, "cmdLine": "\"cscript.exe\" C:\\Users\\HIDDENUSER\\AppData\\Local\\HIDDEN_VPN\\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENUSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\\Windows\\System32\\cscript.exe", "size": 161280, "embedFilename": "cscript.exe", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Context Changed
{"eventType": "Context Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "0e9c4e60-49af-451d-b807-39da4003af3d", "traceId": "3ce0bbe4-92b4-430b-996e-cc32cfe99837", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e3bf69", "pid": 5164, "it": 1, "time": "2023-04-19T18:46:31.739Z", "pSha2": "5A5C59646969CE0D99B05556CEA793F9F89A019BE4D66D8C9A1AF9EED699AC89", "ppid": 5164, "pFullName": "C:\\Windows\\System32\\spoolsv.exe", "reason": 1, "relatedTraceId": "ba434310-89f5-4749-9cc2-b9df78bc18d3", "relatedProcess": {"pid": 5164, "cmdLine": "C:\\WINDOWS\\System32\\spoolsv.exe", "processName": "spoolsv.exe", "integrity": 4, "user": {"domain": "NT AUTHORITY", "id": "S-1-5-18", "name": "NT AUTHORITY\\SYSTEM"}, "procFileAttrs": {"md5": "3BCB8517038CACDF2F2498E1D0F80544", "sha1": "F8D8AC37C3C194F8C8EF052FF46C19CBB65361D5", "sha256": "5A5C59646969CE0D99B05556CEA793F9F89A019BE5D66D8C9A1AF9EED699AC89", "fileType": "PE", "name": "spoolsv.exe", "path": "C:\\Windows\\System32\\spoolsv.exe", "size": 929792, "embedFilename": "spoolsv.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "tdmRuleIds": [112, 100003, 99999], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:47Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

DNS Query
{"eventType": "DNS Query", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c6fc0e114ff7", "traceId": "e76f265c-cb4a-4ab2-9857-b04bfeb0aebb", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.903Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\\Users\\rtadjer\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "dns": {"name": "HIDDEN.trouter.teams.microsoft.com", "type": 1}, "uniqueRuleId": 19112, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.DNSQuery"]}

Epp File Scan
{"eventType": "Epp File Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "ee75a850-7bf9-44f4-8623-c26aaad762ed", "traceId": "e24fd01c-4eeb-453d-a688-09bbee345095", "contextTraceId": "4df162be-c064-4b64-b850-41ba1495d6d2", "pid": 2256, "it": 1, "time": "2023-04-19T14:22:58.726Z", "pSha2": "20330D3CA71D58F4AEB432676CB6A3D5B97005954E45132FB083E90782EFDD50", "ppid": 2256, "pFullName": "C:\\Windows\\System32\\backgroundTaskHost.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "NativeHostNE.dll", "path": "C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.23022.140.0_x64__8wekyb3d8bbwe\\NativeHostNE.dll", "size": 0}, "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:23:19Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Epp Process Response
{"eventType": "Epp Process Response", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "a65892eb-990a-407c-89d1-7f4a25aab465", "traceId": "c6e24a8f-004b-4f15-b3d6-aa752b3b2812", "contextTraceId": "0a3768eb-d606-4282-8466-201fd8596be1", "pid": 9492, "time": "2023-04-19T18:36:46.512Z", "pSha2": "FC6BA3C701AFBEB082BA25F677FE47A0D3225465AF02C50E2AC2B10728E9D89E", "ppid": 9492, "pFullName": "C:\\Windows\\CCM\\CcmExec.exe", "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 1, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:36:52Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.EPP_Response"]}

Epp Process Scan
{"eventType": "Epp Process Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e74be1a-90b5-466e-aff3-652aa73d0216", "traceId": "46bfe244-cfa7-41ef-99a8-ec354fdc38f7", "contextTraceId": "300409fb-6c49-4bf0-832d-205265b6d9d1", "pid": 12300, "it": 1, "time": "2023-04-19T18:26:16.293Z", "pSha2": "B5DDC370739579D2EE7C8A1284D4C83F15F4CF662893FDA55854D03B99AA2685", "ppid": 12300, "pFullName": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.898_none_6b467c06908d3d29\\TiWorker.exe", "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:26:41Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

File Attribute Changed
{"eventType": "File Attribute Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37434aab53f", "traceId": "337454e9-dbe6-46d6-999d-c6647f406410", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-742957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:40.875Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "uniqueRuleId": 7, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.739Z", "creationDate": "2023-04-19T17:49:40.873Z", "md5": "9D04081293A783441ED1133888E8721C", "sha1": "2F688EFBC6ACEA6B5E6C172EB4AE7A41A2FB3C05", "sha256": "1C3DBA99D46303A00D83DEDDAEEE6988BB9E0E97F8D02925D2270A1B539157D1", "fileType": "PE", "name": "MFC90CHS.DLL", "path": "C:\\$WINDOWS.~BT\\Work\\MachineSpecific\\Working\\agentmgr\\CCSIAgent\\005A53BA\\SxsAsm38\\MFC90CHS.DLL", "size": 35664, "fsattrs": 8224, "fsattrsChanged": 2, "embedFilename": "MFC90CHS.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}

File Created
{"eventType": "File Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-43ec-9659-f37432aab53f", "traceId": "2b98410e-fea4-420d-98da-1220479161fe", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b490d", "pid": 4160, "time": "2023-04-19T17:49:40.861Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.108Z", "creationDate": "2023-04-19T17:49:40.858Z", "md5": "CDBE9690CF2B8409FACAD94FAC9479C9", "sha1": "4BCDFE2C1B354645314A4CE26B55B2B1A0212DB9", "sha256": "8E7FE1A1F3550C479FFD86A77BC9D10686D47F8727025BB891D8F4F0259354C8", "fileType": "PE", "name": "msvcr90.dll", "path": "C:\\$WINDOWS.~BT\\Work\\MachineSpecific\\Working\\agentmgr\\CCSIAgent\\005A54BA\\SxsAsm37\\msvcr90.dll", "size": 653136, "fsattrs": 8224, "embedFilename": "MSVCR90.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}

File Deleted
{"eventType": "File Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "e3c8e545-3d68-4d75-9168-f332c3b72b3e", "traceId": "447205ad-ea41-4ad0-b0ee-a3b1eebd486b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b3c90d", "pid": 3872, "time": "2023-04-19T17:54:22.517Z", "pSha2": "823523E1B4BF1DBFF1CA7E65C67483B2260F13AD4AB61F6131F84D5B8DBE985F", "ppid": 3872, "pFullName": "C:\\Windows\\System32\\drvinst.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-03-11T18:46:14.000Z", "creationDate": "2022-03-11T18:46:14.000Z", "md5": "", "sha1": "", "sha256": "2B7FDFAD42885DD4FFED2BF0EE0FD810FD6D2C3F21567513FB2ACF296CD80016", "fileType": "PE", "name": "igdumdim32.dll", "path": "C:\\Windows\\System32\\DriverStore\\FileRepository\\iigd_dch_d.inf_amd64_07f5935d7ce74872\\igdumdim32.dll", "size": 1569160, "fsattrs": 128}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Executed
{"eventType": "File Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "7eec0405-02a9-4391-a213-3d221308f33e", "traceId": "e89bdf24-e752-487e-a423-a2d55766db0b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c9d", "pid": 4960, "it": 1, "time": "2023-04-19T17:55:18.886Z", "pSha2": "A00790D3844F6A2DC3767945124FECCBBFC15E7654E53C2FD38D660DD1A91733", "ppid": 4960, "pFullName": "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "salib_OSSL.dll", "path": "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\salib_OSSL.dll", "size": 0, "fsattrs": 128}, "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 6, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Modified
{"eventType": "File Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "df9f1187-be22-45ba-862e-b678750434af", "traceId": "4974570a-8542-4ef9-b038-850b3503ac7a", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 1388, "time": "2023-04-19T17:50:07.640Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 1388, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T17:42:08.114Z", "creationDate": "2022-08-25T18:56:09.172Z", "md5": "23A09C342E04E45BE828409B39DB0A5D", "sha1": "C1D03FDE664C1EB522EA72BEF31F7DCFC4D20EE0", "sha256": "7846F5D43BBC99701B558E9737E654348855CB7FA6A0403739AEA63908099E7E", "name": "setuperr.log", "path": "C:\Windows\setuperr.log", "size": 495, "fsattrs": 32, "mhdr": "efbbbf323032332d"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}


File Moved
{"eventType": "File Moved", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "6efe949e-59ff-4f92-b736-a41e3bfd64c4", "traceId": "d7cf9750-0945-4fa6-99f6-f4ed00988881", "contextTraceId": "c49554af-b28f-4d43-b49a-89b935df02eb", "pid": 14856, "it": 1, "time": "2023-04-19T15:05:54.741Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 14856, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Microsoft\Teams\current\Teams.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T14:14:48.977Z", "creationDate": "2020-03-17T15:39:36.625Z", "md5": "DFA84FC7A9620554D263AFDE3073753C", "sha1": "BEB95A2255EB67B0A71310156677AAA67926AD7D", "sha256": "B26968E75201C2AE4908ECB3C23CB361B9E08C53780AFAA682F4BDDAD5B4A069", "name": "a55ed4fbb973aefb.customDestinations-ms", "path": "C:\Users\HIDDENUSER\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a54ed4fbb973aefb.customDestinations-ms", "newFilePath": "C:\Users\HIDDENUSER\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a54ed4fbb973aefb.customDestinations-ms~RF6c135fa.TMP", "size": 10512, "fsattrs": 32}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}


File Read
{"eventType": "File Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c20a0218c", "traceId": "ab9be903-4b85-4338-81c0-507c71e1fa7d", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-737957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.548Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "uniqueRuleId": 5, "fileAttributes": {"lastModificationDate": "2023-04-19T17:51:53.544Z", "creationDate": "2023-04-19T17:51:53.543Z", "md5": "D17FE0A3F47BE24A6453E9EF58C94641", "sha1": "6AB83620379FC69F80C0242105DDFFD7D98D5D9D", "sha256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7", "name": "__PSScriptPolicyTest_2yelgbav.p0r.ps1", "path": "C:\Windows\Temp\__PSScriptPolicyTest_2yelgbav.p0r.ps1", "size": 60, "fsattrs": 32, "mhdr": "2320506f77657253"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptCreated"]}


Image Loaded
{"eventType": "Image Loaded", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "722b8348-1566-4315-a160-e37c17b6d06b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-727957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.501Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "uniqueRuleId": 18, "modules": [{"sha256": "0C3793703087C34745609D4DB2683750560FFF7A6BD04D618BC4BD4BC55E5106", "name": "C:\WINDOWS\SYSTEM32\BCRYPT.DLL", "loadTime": "2023-04-19T17:51:53.501Z", "vtpPrivileges": 1, "fsattrs": 32}, {"sha256": "1F996574F38219CDD848375F517F8D86E17542BC84D64CCE63AA0C64CC15F22D", "name": "C:\WINDOWS\SYSTEM32\WS2_32.DLL", "loadTime": "2023-04-19T17:51:53.599Z", "vtpPrivileges": 1, "fsattrs": 32}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoadedDLLs"]}


NamedPipe Connected
{"eventType": "NamedPipe Connected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d7114add-5126-4b2a-893e-20a248182832", "traceId": "35c96280-b766-40b8-9608-74a32387f22e", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b2c90d", "pid": 2104, "it": 1, "time": "2023-04-19T17:55:20.448Z", "pSha2": "27412E8CDEBB7F3E645454ED1BEE0EBB04C976BC8946698EF8CE4C664B63B3C0", "ppid": 2104, "pFullName": "C:\Program Files\ForeScout SecureConnector\SecureConnector.exe", "uniqueRuleId": 4, "pipe": {"name": "\\.\pipe\_FSA_TMP_6544_643E4C1F_0002PERFORMER_CNTL"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Network Accessed
{"eventType": "Network Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c4fc0e112ff7", "traceId": "24264358-6a18-43ac-ab02-5d5a89c74bbc", "contextTraceId": "5537a2e8-1a88-44f3-9d1f-747957b6c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.935Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Microsoft\Teams\current\Teams.exe", "uniqueRuleId": 19103, "network": {"accessType": "connection_opened", "direction": "outbound", "dstIp": "127.0.0.1", "dstPort": 53574, "srcIp": "127.0.0.1", "srcPort": 53573, "protocol": "tcp", "dnsNames": ["gearssdk.HIDDEN.com"]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NetworkConnection"]}


Password Reset
{"eventType": "Password Reset", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "85056462-75dc-4eb9-935d-e22da7674050", "traceId": "cda5b2be-4636-41f3-988f-f009d2697f6d", "contextTraceId": "252fcdc6-95dc-4437-924c-1e1a740f4d03", "pid": 868, "it": 1, "time": "2023-04-14T15:43:09.634Z", "uniqueRuleId": 1, "ppid": 868, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4724, "user": {"adminType": 0, "domain": "HIDDEN230171", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN230171$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-14T15:43:33Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Process Accessed
{"eventType": "Process Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "ea0291b7-5854-4235-b710-0a1528849534", "traceId": "2d9ae548-3eda-4e6a-9ae7-829f2a94c55e", "contextTraceId": "c49554af-b28f-4d43-b49a-84b932df02eb", "pid": 18572, "it": 1, "time": "2023-04-19T16:10:31.049Z", "pSha2": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "ppid": 18572, "pFullName": "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "uniqueRuleId": 19114, "accessType": 16, "relatedProcess": {"pid": 6448, "cmdLine": ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=fr --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3944 --field-trial-handle=2252,i,15327557186177104925,6464273188186216104,131072 /prefetch:8", "processName": "msedge.exe", "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "BECC2E4F21743168C59876A6BAD0E74A", "sha1": "9EF706CD46650B807255FE7752599520C7E6BEE4", "sha256": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "fileType": "PE", "name": "msedge.exe", "path": "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "size": 4139936, "embedFilename": "msedge.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "integrity": 1}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T16:11:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Process Created
{"eventType": "Process Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f65d9571093", "traceId": "df9f1147-be22-45ba-862e-b678730434af", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 1388, "time": "2023-04-19T17:50:07.579Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4180, "pFullName": "C:\$WINDOWS.~BT\Sources\SetupHost.exe", "cmdLine": ""C:\$WINDOWS.~BT\Sources\mighost.exe" {HIDDENSID} /InitDoneEvent:MigHost.{HIDDENSID}.Event /ParentPID:4180", "processName": "mighost.exe", "integrity": 4, "user": {"domain": "AUTORITE NT", "id": "S-1-5-18", "name": "Syst\u00e8me"}, "procFileAttrs": {"creationDate": "2023-04-19T17:31:50.338Z", "md5": "A29006724D36A128C8471BC463ECA83A", "sha1": "6518BFC3B22E82E94F6C404B33AD9BE9B5162FB2", "sha256": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "name": "mighost.exe", "path": "C:\$WINDOWS.~BT\Sources\mighost.exe", "size": 279896, "embedFilename": "MigHost.exe", "embedFileVersion": "10.0.22621.1 (WinBuild.160101.0800)", "embedProductName": "Microsoft\u00ae Windows\u00ae Operating System", "embedProductVersion": "10.0.22621.1", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "parentsTraceId": ["261c5c80-d583-43b2-a1d9-3f65d9571094", "6bbc10bf-abad-4cf2-ba43-c19f415ffb51", "9d81e708-c5db-4b71-a9ca-2f39d1ed77ba", "cf5e5a2f-5f39-45de-b2fc-c07742e1a724", "d9a8593c-49c5-4698-8ea2-f4d554f21358", "afa7552d-7f45-46a0-a590-d2dd01fa9479", "e4c78c17-8878-4c5b-9b93-10c15fa23986"], "tdmRuleIds": [110, 100000, 100003], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ProcessCreated"]}


Process Hollowed
{"eventType": "Process Hollowed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "37e0d41f-dfec-41c0-a36d-9d7310a77bd3", "traceId": "933ab594-0167-4f88-b858-c6c042bf146c", "contextTraceId": "c49554af-b28f-4d43-b49a-89b934df02eb", "pid": 26384, "it": 1, "time": "2023-04-19T20:25:31.329Z", "pSha2": "5BB79BEEF24F2254DBFA1F53078483AF9DD9D4506508FEE886F21847F7DFF504", "ppid": 26384, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Seclore\FileSecure\Desktop Client\X64\FSDC64.exe", "hollowInfo": {"targetPid": 2488, "targetTraceId": "b7bf6bc1-9eb4-44e1-8fc6-712142573792", "originalIp": 0, "finalIp": 0, "apis": [10, 2, 14]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T20:25:44Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Process Reputation Changed
{"eventType": "Process Reputation Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "751c64e7-d243-4757-a7dc-5f113e75aa35", "traceId": "8eb5b562-5f6a-4ded-ae5f-bef61a0bbbf2", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 4228, "it": 1, "time": "2023-04-19T17:54:53.574Z", "pSha2": "2198A7B58BCCB758036B969DDAE6CC2ECE07565E2659A7C541A313A0492231A3", "ppid": 4228, "pFullName": "C:\Windows\System32\wbem\WmiPrvSE.exe", "reputation": {"reputation": 85, "productId": 514, "reason": 2, "data": "{"module_filepath":"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\4fb9160b27f2daa1ec55050bde519fcc\\System.ni.dll","module_reputation":85,"process_previous_reputation":99}\n"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


RegKey Created
{"eventType": "RegKey Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "d8fd4b5b-6757-467d-b9ea-634dd2be5424", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.420Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"regKeyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\CURRENTCONTROLSET\CONTROL\DEVICEMIGRATION\DEVICES\USB\VID_17E9&PID_6015&MI_02\7&1D07AD4B&0&0002\INTERFACES\{HIDDENSID}#PCM_IN_05_00\DEVICE\EP\0"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegKey Deleted
{"eventType": "RegKey Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f34432aab53f", "traceId": "cc3dd5d2-8db2-4822-8032-0948e1f67779", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747457b6c90d", "pid": 4160, "time": "2023-04-19T17:49:34.130Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"regKeyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\TEMP\NDI\PARAMS\UAPSDSUPPORT"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:00Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegKey Read
{"eventType": "RegKey Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b7f8e1db-b86e-4a95-9b0f-360d5b9f6244", "traceId": "e27fb183-897e-49e8-be43-c76ba90f8370", "contextTraceId": "10ab02e8-c043-4ea4-9c2c-41a805ac0a7e", "pid": 22064, "it": 1, "time": "2023-02-15T06:31:52.915Z", "pSha2": "9179048992E0FBB51CFA7E42EF65074661295B6B155BDD60DE47AA684D82F4FD", "ppid": 22064, "pFullName": "C:\Windows\System32\mmc.exe", "registry": {"regKeyName": "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CANARYCERTSTORE\"}, "response": {"action": 1, "description": "HIDDENDOMAIN\HIDDENUSERNAME a ex\u00e9cut\u00e9 C:\Windows\System32\mmc.exe, qui tentait d'acc\u00e9der \u00e0 HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CANARYCERTSTORE\, d'une mani\u00e8re contraire \u00e0 la r\u00e8gle \u00ab Protection essentielle - Prot\u00e9ger les cl\u00e9s et valeurs de Registre McAfee essentielles \u00bb, et a \u00e9t\u00e9 bloqu\u00e9. Pour obtenir de plus amples informations sur la mani\u00e8re de r\u00e9pondre \u00e0 cet \u00e9v\u00e9nement, voir KB85494.", "ruleId": "PROTECT_MCAFEE_REG_VALUE1", "operation": 3, "productId": 513, "reason": 6}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-02-15T06:32:09Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Created
{"eventType": "RegValue Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "5ae2323c-98cc-4020-ad3f-8d0e25de9f95", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.421Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\CURRENTCONTROLSET\CONTROL\DEVICEMIGRATION\DEVICES\USB\VID_17E9&PID_6015&MI_02\7&1D07AD2B&0&0004\INTERFACES\{HIDDENSID}#PCM_IN_05_00\DEVICE", "keyValueName": "FRIENDLYNAME", "keyValueType": "REG_SZ", "keyValue": "Lenovo USB Audio"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Deleted
{"eventType": "RegValue Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "d162fb4b-1c6b-41e5-9458-a0d5be22deae", "contextTraceId": "5537a2e8-1a38-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:38.131Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\TEMP", "keyValueName": "DISABLESETUPDICHANGESTATE"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:31Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Modified
{"eventType": "RegValue Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f45d9571094", "traceId": "efff6774-159e-424c-85b3-cd570e3b6d22", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747958b6c90d", "pid": 4180, "time": "2023-04-19T17:50:07.139Z", "pSha2": "7538940533F3B531D2FF8B57D79C01C475BB457FA5103E5A0D4AFADB728702C6", "ppid": 4180, "pFullName": "C:\$WINDOWS.~BT\Sources\SetupHost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\MOSETUP\VOLATILE", "keyValueName": "SETUPPROGRESS", "keyValueType": "REG_DWORD", "keyValue": "64", "keyOldValue": "51"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


ScheduledTask Changed
{"eventType": "ScheduledTask Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d57e9fa6-7967-45b5-a54e-468f5c2be4db", "traceId": "b5a8f55e-3d1b-464c-84c8-ac4791366f22", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e4bf69", "pid": 7392, "time": "2023-04-19T18:46:06.775Z", "pSha2": "949BFB5B4C7D58D92F3F9C5F8EC7CA4CEAFFD10EC5F0020F0A987C472D61C54B", "ppid": 7392, "pFullName": "C:\Windows\System32\svchost.exe", "uniqueRuleId": 30, "action": "deleted", "schedtask": {"name": "Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScheduledTaskRegistered"]}


Script Executed
{"eventType": "Script Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "5179615b-3a3f-49e4-8e27-2d1966deed68", "contextTraceId": "5537a2e8-1a88-43f3-8d1f-747957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.536Z", "uniqueRuleId": 28001, "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "scriptType": "powershell", "scripts": [{"timestamp": "2023-04-19T17:51:53.536Z", "length": 391, "hash": "40D27F34C4D18A9A07D13655FFE2738D3B19975A4FAC8192C6ABAE55319A91B9", "intentions": [{"name": "action:Object/Select", "lines": ["[...]52428800') -or ($.BytesFromPeers -ne '0') -or (($.BytesFromCacheServer -ne '0') -and ($.BytesFromCacheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInforma[...]"]}, {"name": "action:Xml/ConvertTo", "lines": ["[...]cheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInformation"]}, {"name": "observable:network.url.http", "lines": ["Get-DeliveryOptimizationStatus | where-object {($.Sourceurl -CLike 'http://HIDDEN:8005*') -AND (($.FileSize -ge '52428800') -or ($.BytesFromPeers -ne '0') -or (($_.BytesFromCacheServer -ne '0') -and[...]"]}]}], "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:03Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptExecuted"]}


Service Changed
{"eventType": "Service Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "ff683f3a-7433-4122-8478-80560270cf1a", "contextTraceId": "5537a2e8-1a88-43f3-9c1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:12.567Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 16, "action": "deleted", "service": {"name": "BTHPORT"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:50:56Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ServiceChanged"]}


SysInfo
{"eventType": "SysInfo", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "0a3fc885-44c0-487d-951a-65ac7bdd2ab2", "contextTraceId": "3e1cbf79-f99f-48f8-8db0-6112de4ee587", "time": "2023-04-19T18:55:21.807Z", "os": {"desc": "Windows 11", "major": 10, "minor": 0, "build": 22621, "sp": ""}, "ifaces": [{"name": "Ethernet", "mac": "6c:24:08:HIDDEN", "ip": "169.254.39.215", "type": 6}, {"name": "Connexion au r\u00e9seau local* 1", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.133.182", "type": 71}, {"name": "Wi-Fi", "mac": "54:6c:eb:HIDDEN", "ip": "192.168.1.34", "type": 71}, {"name": "Connexion r\u00e9seau Bluetooth", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.228.207", "type": 6}], "bootTime": "2023-04-19T18:54:53.057Z", "domain": "HIDDENDOMAIN.lan", "cv": 1408, "pv": 0, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:55:54Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "it": 1}


User Login
{"eventType": "User Login", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "8010fadb-6402-4977-9279-db7a61bd8aed", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df02eb", "time": "2023-04-19T15:05:52.023Z", "uniqueRuleId": 1, "eventId": 4624, "success": true, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182954904}, "networkInfo": {"workstationName": "HIDDEN29451", "ipAddress": "127.0.0.1", "ipPort": 0}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}


User Logout
{"eventType": "User Logout", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "91acc5be-d782-4ea9-9181-ada93c91ba45", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df04eb", "time": "2023-04-19T15:05:52.027Z", "uniqueRuleId": 1, "eventId": 4634, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182952904}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}


Username Changed
{"eventType": "Username Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9b0fcb12-5182-4877-98b4-6b0eb9c5d16f", "traceId": "a71c4d2e-1ad5-4d84-bd23-ffe0ff6476fa", "contextTraceId": "cd64419d-1e3d-4576-af0f-32387fce4c71", "pid": 660, "it": 1, "time": "2023-04-18T07:54:28.337Z", "uniqueRuleId": 1, "ppid": 660, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4781, "user": {"adminType": 0, "domain": "HIDDEN22703", "id": "S-1-5-21-HIDDEN", "name": "Invit\u00e9", "newName": "HIDDEN_invit\u00e9"}, "userInitiator": {"adminType": 0, "domain": "HIDDEN", "id": "S-1-5-18", "name": "HIDDEN22703$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T07:54:40Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


WMI Activity
{"eventType": "WMI Activity", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e832285-a165-4126-8d73-fe112095bb60", "traceId": "2611f0a8-8c60-4f94-8f99-6b07b146a45b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c70d", "pid": 15260, "time": "2023-04-19T17:45:09.423Z", "uniqueRuleId": 27000, "wmi": {"type": 1, "operation": "Start IWbemServices::CreateClassEnum - root\subscription : ", "evid": 11}, "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 15260, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:45:20Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.WMIActivity"]}


Account Changed
{"eventType": "Account Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "01eb704f-3b7d-4965-83ec-5c9d725fd0d6", "traceId": "27bbdca8-e76c-4287-8d93-31f9ad0412be", "contextTraceId": "da67763a-854d-412c-a66f-edcca0eeb3d4", "pid": 1076, "it": 1, "time": "2023-04-19T16:08:47.129Z", "uniqueRuleId": 1, "ppid": 1076, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4738, "user": {"adminType": 0, "domain": "HIDDEN22958", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22958$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T16:08:53Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Created
{"eventType": "Account Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4644b033d0", "traceId": "49054632-69cd-4e34-8292-bd6eb30d4003", "contextTraceId": "8480c6d8-c619-4019-9359-fc7a4a9be425", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.515Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4720, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Deleted
{"eventType": "Account Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3d6a84b3-91fb-41f0-93b1-aa482bc531f6", "traceId": "c61cbd7a-62bc-4186-8b80-6eead86a4710", "contextTraceId": "87a2f691-5fbb-49b5-8417-ce551000e23d", "pid": 872, "it": 1, "time": "2023-04-19T08:14:25.865Z", "uniqueRuleId": 1, "ppid": 872, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4726, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_kadvAYTV"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:14:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Disabled
{"eventType": "Account Disabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b08de07d-b15f-441a-b143-78c42cb61a78", "traceId": "9b95b0f5-dee6-487c-aaf6-65af35cf3256", "contextTraceId": "873a8979-6c94-4085-872b-ded4c54ee9a9", "pid": 988, "it": 1, "time": "2023-04-18T08:02:43.593Z", "uniqueRuleId": 1, "ppid": 988, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4725, "user": {"adminType": 0, "domain": "HIDDEN22172", "id": "S-1-5-21-HIDDENSID", "name": "defaultuser0"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22172$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T08:05:18Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Enabled
{"eventType": "Account Enabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4645b032d0", "traceId": "859ac34b-348e-44e1-8711-a9c306642202", "contextTraceId": "8480c6d8-c619-4019-9459-fc7a4a9be435", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.530Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4722, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Api
{"eventType": "Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0318c", "traceId": "ea0cf5f2-0adc-4619-8837-4403a69798cd", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747947b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:52.975Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "api": {"name": "FindFirstFile", "data": "HIDDENDATA", "result": "1952366316400", "moduleName": "", "arguments": [], "targetPid": 0}, "uniqueRuleId": 19120, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.APICall"]}


COM Api
{"eventType": "COM Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b62a-7f9bcdd3c4aa", "traceId": "0c46d2d8-f86d-4c7f-88eb-cb977aa78207", "contextTraceId": "4df162be-c064-4b64-b250-41ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.428Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\Windows\System32\cscript.exe", "uniqueRuleId": 4294967295, "comApis": [{"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.RegWrite", "args": ""HKCU\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy","Unrestricted","REG_SZ"", "result": ""}, {"flags": 3, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.ExpandEnvironmentStrings", "args": ""%LOCALAPPDATA%\HIDDEN_VPN\script.ps1"", "result": ""C:\Users\HIDDENUSER\AppData\Local\HIDDEN_VPN\script.ps1""}, {"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.Run", "args": ""powershell.exe -nologo -command C:\Users\HIDDENUSER\AppData\Local\HIDDEN_VPN\script.ps1",0", "result": ""}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Code Injected
{"eventType": "Code Injected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-5368-b63a-7f9bcdd3c4aa", "traceId": "52fc84ae-6d72-49fe-bf65-74265c57224d", "contextTraceId": "4df162be-c064-4b64-b850-41ba1493d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\Windows\System32\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "relatedProcess": {"pid": 6620, "cmdLine": ""cscript.exe" C:\Users\edubois\AppData\Local\HIDDEN_VPN\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"lastModificationDate": "2021-09-15T10:42:04.643Z", "creationDate": "2021-09-15T10:42:04.640Z", "md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\Windows\System32\cscript.exe", "size": 161280, "fsattrs": 32, "embedFilename": "cscript.exe", "embedFileVersion": "5.812.10240.16384", "embedProductName": "Microsoft \u00ae Windows Script Host", "embedProductVersion": "5.812.10240.16384", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Code Injection
{"eventType": "Code Injection", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd3c4aa", "traceId": "0e5172ff-98a2-47c8-9d94-3488c6df70c0", "contextTraceId": "4df162be-c064-4b64-b850-42ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\Windows\System32\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "injectedProcessTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd2c4aa", "relatedProcess": {"pid": 6620, "cmdLine": ""cscript.exe" C:\Users\HIDDENUSER\AppData\Local\HIDDEN_VPN\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENUSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\Windows\System32\cscript.exe", "size": 161280, "embedFilename": "cscript.exe", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Context Changed
{"eventType": "Context Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "0e9c4e60-49af-451d-b807-39da4003af3d", "traceId": "3ce0bbe4-92b4-430b-996e-cc32cfe99837", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e3bf69", "pid": 5164, "it": 1, "time": "2023-04-19T18:46:31.739Z", "pSha2": "5A5C59646969CE0D99B05556CEA793F9F89A019BE4D66D8C9A1AF9EED699AC89", "ppid": 5164, "pFullName": "C:\Windows\System32\spoolsv.exe", "reason": 1, "relatedTraceId": "ba434310-89f5-4749-9cc2-b9df78bc18d3", "relatedProcess": {"pid": 5164, "cmdLine": "C:\WINDOWS\System32\spoolsv.exe", "processName": "spoolsv.exe", "integrity": 4, "user": {"domain": "NT AUTHORITY", "id": "S-1-5-18", "name": "NT AUTHORITY\SYSTEM"}, "procFileAttrs": {"md5": "3BCB8517038CACDF2F2498E1D0F80544", "sha1": "F8D8AC37C3C194F8C8EF052FF46C19CBB65361D5", "sha256": "5A5C59646969CE0D99B05556CEA793F9F89A019BE5D66D8C9A1AF9EED699AC89", "fileType": "PE", "name": "spoolsv.exe", "path": "C:\Windows\System32\spoolsv.exe", "size": 929792, "embedFilename": "spoolsv.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "tdmRuleIds": [112, 100003, 99999], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:47Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


DNS Query
{"eventType": "DNS Query", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c6fc0e114ff7", "traceId": "e76f265c-cb4a-4ab2-9857-b04bfeb0aebb", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.903Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\Users\rtadjer\AppData\Local\Microsoft\Teams\current\Teams.exe", "dns": {"name": "HIDDEN.trouter.teams.microsoft.com", "type": 1}, "uniqueRuleId": 19112, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.DNSQuery"]}


Epp File Scan
{"eventType": "Epp File Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "ee75a850-7bf9-44f4-8623-c26aaad762ed", "traceId": "e24fd01c-4eeb-453d-a688-09bbee345095", "contextTraceId": "4df162be-c064-4b64-b850-41ba1495d6d2", "pid": 2256, "it": 1, "time": "2023-04-19T14:22:58.726Z", "pSha2": "20330D3CA71D58F4AEB432676CB6A3D5B97005954E45132FB083E90782EFDD50", "ppid": 2256, "pFullName": "C:\Windows\System32\backgroundTaskHost.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "NativeHostNE.dll", "path": "C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23022.140.0_x64__8wekyb3d8bbwe\NativeHostNE.dll", "size": 0}, "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:23:19Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Epp Process Response
{"eventType": "Epp Process Response", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "a65892eb-990a-407c-89d1-7f4a25aab465", "traceId": "c6e24a8f-004b-4f15-b3d6-aa752b3b2812", "contextTraceId": "0a3768eb-d606-4282-8466-201fd8596be1", "pid": 9492, "time": "2023-04-19T18:36:46.512Z", "pSha2": "FC6BA3C701AFBEB082BA25F677FE47A0D3225465AF02C50E2AC2B10728E9D89E", "ppid": 9492, "pFullName": "C:\Windows\CCM\CcmExec.exe", "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 1, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:36:52Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.EPP_Response"]}


Epp Process Scan
{"eventType": "Epp Process Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e74be1a-90b5-466e-aff3-652aa73d0216", "traceId": "46bfe244-cfa7-41ef-99a8-ec354fdc38f7", "contextTraceId": "300409fb-6c49-4bf0-832d-205265b6d9d1", "pid": 12300, "it": 1, "time": "2023-04-19T18:26:16.293Z", "pSha2": "B5DDC370739579D2EE7C8A1284D4C83F15F4CF662893FDA55854D03B99AA2685", "ppid": 12300, "pFullName": "C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.898_none_6b467c06908d3d29\TiWorker.exe", "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:26:41Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


File Attribute Changed
{"eventType": "File Attribute Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37434aab53f", "traceId": "337454e9-dbe6-46d6-999d-c6647f406410", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-742957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:40.875Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 7, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.739Z", "creationDate": "2023-04-19T17:49:40.873Z", "md5": "9D04081293A783441ED1133888E8721C", "sha1": "2F688EFBC6ACEA6B5E6C172EB4AE7A41A2FB3C05", "sha256": "1C3DBA99D46303A00D83DEDDAEEE6988BB9E0E97F8D02925D2270A1B539157D1", "fileType": "PE", "name": "MFC90CHS.DLL", "path": "C:\$WINDOWS.~BT\Work\MachineSpecific\Working\agentmgr\CCSIAgent\005A53BA\SxsAsm38\MFC90CHS.DLL", "size": 35664, "fsattrs": 8224, "fsattrsChanged": 2, "embedFilename": "MFC90CHS.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Created
{"eventType": "File Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-43ec-9659-f37432aab53f", "traceId": "2b98410e-fea4-420d-98da-1220479161fe", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b490d", "pid": 4160, "time": "2023-04-19T17:49:40.861Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.108Z", "creationDate": "2023-04-19T17:49:40.858Z", "md5": "CDBE9690CF2B8409FACAD94FAC9479C9", "sha1": "4BCDFE2C1B354645314A4CE26B55B2B1A0212DB9", "sha256": "8E7FE1A1F3550C479FFD86A77BC9D10686D47F8727025BB891D8F4F0259354C8", "fileType": "PE", "name": "msvcr90.dll", "path": "C:\$WINDOWS.~BT\Work\MachineSpecific\Working\agentmgr\CCSIAgent\005A54BA\SxsAsm37\msvcr90.dll", "size": 653136, "fsattrs": 8224, "embedFilename": "MSVCR90.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Deleted
{"eventType": "File Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "e3c8e545-3d68-4d75-9168-f332c3b72b3e", "traceId": "447205ad-ea41-4ad0-b0ee-a3b1eebd486b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b3c90d", "pid": 3872, "time": "2023-04-19T17:54:22.517Z", "pSha2": "823523E1B4BF1DBFF1CA7E65C67483B2260F13AD4AB61F6131F84D5B8DBE985F", "ppid": 3872, "pFullName": "C:\Windows\System32\drvinst.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-03-11T18:46:14.000Z", "creationDate": "2022-03-11T18:46:14.000Z", "md5": "", "sha1": "", "sha256": "2B7FDFAD42885DD4FFED2BF0EE0FD810FD6D2C3F21567513FB2ACF296CD80016", "fileType": "PE", "name": "igdumdim32.dll", "path": "C:\Windows\System32\DriverStore\FileRepository\iigd_dch_d.inf_amd64_07f5935d7ce74872\igdumdim32.dll", "size": 1569160, "fsattrs": 128}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Executed
{"eventType": "File Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "7eec0405-02a9-4391-a213-3d221308f33e", "traceId": "e89bdf24-e752-487e-a423-a2d55766db0b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c9d", "pid": 4960, "it": 1, "time": "2023-04-19T17:55:18.886Z", "pSha2": "A00790D3844F6A2DC3767945124FECCBBFC15E7654E53C2FD38D660DD1A91733", "ppid": 4960, "pFullName": "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "salib_OSSL.dll", "path": "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\salib_OSSL.dll", "size": 0, "fsattrs": 128}, "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 6, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Modified
{"eventType": "File Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "df9f1187-be22-45ba-862e-b678750434af", "traceId": "4974570a-8542-4ef9-b038-850b3503ac7a", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 1388, "time": "2023-04-19T17:50:07.640Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 1388, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T17:42:08.114Z", "creationDate": "2022-08-25T18:56:09.172Z", "md5": "23A09C342E04E45BE828409B39DB0A5D", "sha1": "C1D03FDE664C1EB522EA72BEF31F7DCFC4D20EE0", "sha256": "7846F5D43BBC99701B558E9737E654348855CB7FA6A0403739AEA63908099E7E", "name": "setuperr.log", "path": "C:\Windows\setuperr.log", "size": 495, "fsattrs": 32, "mhdr": "efbbbf323032332d"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}


File Moved
{"eventType": "File Moved", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "6efe949e-59ff-4f92-b736-a41e3bfd64c4", "traceId": "d7cf9750-0945-4fa6-99f6-f4ed00988881", "contextTraceId": "c49554af-b28f-4d43-b49a-89b935df02eb", "pid": 14856, "it": 1, "time": "2023-04-19T15:05:54.741Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 14856, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Microsoft\Teams\current\Teams.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T14:14:48.977Z", "creationDate": "2020-03-17T15:39:36.625Z", "md5": "DFA84FC7A9620554D263AFDE3073753C", "sha1": "BEB95A2255EB67B0A71310156677AAA67926AD7D", "sha256": "B26968E75201C2AE4908ECB3C23CB361B9E08C53780AFAA682F4BDDAD5B4A069", "name": "a55ed4fbb973aefb.customDestinations-ms", "path": "C:\Users\HIDDENUSER\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a54ed4fbb973aefb.customDestinations-ms", "newFilePath": "C:\Users\HIDDENUSER\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a54ed4fbb973aefb.customDestinations-ms~RF6c135fa.TMP", "size": 10512, "fsattrs": 32}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}


File Read
{"eventType": "File Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c20a0218c", "traceId": "ab9be903-4b85-4338-81c0-507c71e1fa7d", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-737957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.548Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "uniqueRuleId": 5, "fileAttributes": {"lastModificationDate": "2023-04-19T17:51:53.544Z", "creationDate": "2023-04-19T17:51:53.543Z", "md5": "D17FE0A3F47BE24A6453E9EF58C94641", "sha1": "6AB83620379FC69F80C0242105DDFFD7D98D5D9D", "sha256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7", "name": "__PSScriptPolicyTest_2yelgbav.p0r.ps1", "path": "C:\Windows\Temp\__PSScriptPolicyTest_2yelgbav.p0r.ps1", "size": 60, "fsattrs": 32, "mhdr": "2320506f77657253"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptCreated"]}


Image Loaded
{"eventType": "Image Loaded", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "722b8348-1566-4315-a160-e37c17b6d06b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-727957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.501Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "uniqueRuleId": 18, "modules": [{"sha256": "0C3793703087C34745609D4DB2683750560FFF7A6BD04D618BC4BD4BC55E5106", "name": "C:\WINDOWS\SYSTEM32\BCRYPT.DLL", "loadTime": "2023-04-19T17:51:53.501Z", "vtpPrivileges": 1, "fsattrs": 32}, {"sha256": "1F996574F38219CDD848375F517F8D86E17542BC84D64CCE63AA0C64CC15F22D", "name": "C:\WINDOWS\SYSTEM32\WS2_32.DLL", "loadTime": "2023-04-19T17:51:53.599Z", "vtpPrivileges": 1, "fsattrs": 32}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoadedDLLs"]}


NamedPipe Connected
{"eventType": "NamedPipe Connected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d7114add-5126-4b2a-893e-20a248182832", "traceId": "35c96280-b766-40b8-9608-74a32387f22e", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b2c90d", "pid": 2104, "it": 1, "time": "2023-04-19T17:55:20.448Z", "pSha2": "27412E8CDEBB7F3E645454ED1BEE0EBB04C976BC8946698EF8CE4C664B63B3C0", "ppid": 2104, "pFullName": "C:\Program Files\ForeScout SecureConnector\SecureConnector.exe", "uniqueRuleId": 4, "pipe": {"name": "\\.\pipe\_FSA_TMP_6544_643E4C1F_0002PERFORMER_CNTL"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Network Accessed
{"eventType": "Network Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c4fc0e112ff7", "traceId": "24264358-6a18-43ac-ab02-5d5a89c74bbc", "contextTraceId": "5537a2e8-1a88-44f3-9d1f-747957b6c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.935Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Microsoft\Teams\current\Teams.exe", "uniqueRuleId": 19103, "network": {"accessType": "connection_opened", "direction": "outbound", "dstIp": "127.0.0.1", "dstPort": 53574, "srcIp": "127.0.0.1", "srcPort": 53573, "protocol": "tcp", "dnsNames": ["gearssdk.HIDDEN.com"]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NetworkConnection"]}


Password Reset
{"eventType": "Password Reset", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "85056462-75dc-4eb9-935d-e22da7674050", "traceId": "cda5b2be-4636-41f3-988f-f009d2697f6d", "contextTraceId": "252fcdc6-95dc-4437-924c-1e1a740f4d03", "pid": 868, "it": 1, "time": "2023-04-14T15:43:09.634Z", "uniqueRuleId": 1, "ppid": 868, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4724, "user": {"adminType": 0, "domain": "HIDDEN230171", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN230171$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-14T15:43:33Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Process Accessed
{"eventType": "Process Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "ea0291b7-5854-4235-b710-0a1528849534", "traceId": "2d9ae548-3eda-4e6a-9ae7-829f2a94c55e", "contextTraceId": "c49554af-b28f-4d43-b49a-84b932df02eb", "pid": 18572, "it": 1, "time": "2023-04-19T16:10:31.049Z", "pSha2": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "ppid": 18572, "pFullName": "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "uniqueRuleId": 19114, "accessType": 16, "relatedProcess": {"pid": 6448, "cmdLine": ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=fr --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3944 --field-trial-handle=2252,i,15327557186177104925,6464273188186216104,131072 /prefetch:8", "processName": "msedge.exe", "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "BECC2E4F21743168C59876A6BAD0E74A", "sha1": "9EF706CD46650B807255FE7752599520C7E6BEE4", "sha256": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "fileType": "PE", "name": "msedge.exe", "path": "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "size": 4139936, "embedFilename": "msedge.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "integrity": 1}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T16:11:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Process Created
{"eventType": "Process Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f65d9571093", "traceId": "df9f1147-be22-45ba-862e-b678730434af", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 1388, "time": "2023-04-19T17:50:07.579Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4180, "pFullName": "C:\$WINDOWS.~BT\Sources\SetupHost.exe", "cmdLine": ""C:\$WINDOWS.~BT\Sources\mighost.exe" {HIDDENSID} /InitDoneEvent:MigHost.{HIDDENSID}.Event /ParentPID:4180", "processName": "mighost.exe", "integrity": 4, "user": {"domain": "AUTORITE NT", "id": "S-1-5-18", "name": "Syst\u00e8me"}, "procFileAttrs": {"creationDate": "2023-04-19T17:31:50.338Z", "md5": "A29006724D36A128C8471BC463ECA83A", "sha1": "6518BFC3B22E82E94F6C404B33AD9BE9B5162FB2", "sha256": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "name": "mighost.exe", "path": "C:\$WINDOWS.~BT\Sources\mighost.exe", "size": 279896, "embedFilename": "MigHost.exe", "embedFileVersion": "10.0.22621.1 (WinBuild.160101.0800)", "embedProductName": "Microsoft\u00ae Windows\u00ae Operating System", "embedProductVersion": "10.0.22621.1", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "parentsTraceId": ["261c5c80-d583-43b2-a1d9-3f65d9571094", "6bbc10bf-abad-4cf2-ba43-c19f415ffb51", "9d81e708-c5db-4b71-a9ca-2f39d1ed77ba", "cf5e5a2f-5f39-45de-b2fc-c07742e1a724", "d9a8593c-49c5-4698-8ea2-f4d554f21358", "afa7552d-7f45-46a0-a590-d2dd01fa9479", "e4c78c17-8878-4c5b-9b93-10c15fa23986"], "tdmRuleIds": [110, 100000, 100003], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ProcessCreated"]}


Process Hollowed
{"eventType": "Process Hollowed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "37e0d41f-dfec-41c0-a36d-9d7310a77bd3", "traceId": "933ab594-0167-4f88-b858-c6c042bf146c", "contextTraceId": "c49554af-b28f-4d43-b49a-89b934df02eb", "pid": 26384, "it": 1, "time": "2023-04-19T20:25:31.329Z", "pSha2": "5BB79BEEF24F2254DBFA1F53078483AF9DD9D4506508FEE886F21847F7DFF504", "ppid": 26384, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Seclore\FileSecure\Desktop Client\X64\FSDC64.exe", "hollowInfo": {"targetPid": 2488, "targetTraceId": "b7bf6bc1-9eb4-44e1-8fc6-712142573792", "originalIp": 0, "finalIp": 0, "apis": [10, 2, 14]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T20:25:44Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Process Reputation Changed
{"eventType": "Process Reputation Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "751c64e7-d243-4757-a7dc-5f113e75aa35", "traceId": "8eb5b562-5f6a-4ded-ae5f-bef61a0bbbf2", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 4228, "it": 1, "time": "2023-04-19T17:54:53.574Z", "pSha2": "2198A7B58BCCB758036B969DDAE6CC2ECE07565E2659A7C541A313A0492231A3", "ppid": 4228, "pFullName": "C:\Windows\System32\wbem\WmiPrvSE.exe", "reputation": {"reputation": 85, "productId": 514, "reason": 2, "data": "{"module_filepath":"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\4fb9160b27f2daa1ec55050bde519fcc\\System.ni.dll","module_reputation":85,"process_previous_reputation":99}\n"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


RegKey Created
{"eventType": "RegKey Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "d8fd4b5b-6757-467d-b9ea-634dd2be5424", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.420Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"regKeyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\CURRENTCONTROLSET\CONTROL\DEVICEMIGRATION\DEVICES\USB\VID_17E9&PID_6015&MI_02\7&1D07AD4B&0&0002\INTERFACES\{HIDDENSID}#PCM_IN_05_00\DEVICE\EP\0"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegKey Deleted
{"eventType": "RegKey Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f34432aab53f", "traceId": "cc3dd5d2-8db2-4822-8032-0948e1f67779", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747457b6c90d", "pid": 4160, "time": "2023-04-19T17:49:34.130Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"regKeyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\TEMP\NDI\PARAMS\UAPSDSUPPORT"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:00Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegKey Read
{"eventType": "RegKey Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b7f8e1db-b86e-4a95-9b0f-360d5b9f6244", "traceId": "e27fb183-897e-49e8-be43-c76ba90f8370", "contextTraceId": "10ab02e8-c043-4ea4-9c2c-41a805ac0a7e", "pid": 22064, "it": 1, "time": "2023-02-15T06:31:52.915Z", "pSha2": "9179048992E0FBB51CFA7E42EF65074661295B6B155BDD60DE47AA684D82F4FD", "ppid": 22064, "pFullName": "C:\Windows\System32\mmc.exe", "registry": {"regKeyName": "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CANARYCERTSTORE\"}, "response": {"action": 1, "description": "HIDDENDOMAIN\HIDDENUSERNAME a ex\u00e9cut\u00e9 C:\Windows\System32\mmc.exe, qui tentait d'acc\u00e9der \u00e0 HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CANARYCERTSTORE\, d'une mani\u00e8re contraire \u00e0 la r\u00e8gle \u00ab Protection essentielle - Prot\u00e9ger les cl\u00e9s et valeurs de Registre McAfee essentielles \u00bb, et a \u00e9t\u00e9 bloqu\u00e9. Pour obtenir de plus amples informations sur la mani\u00e8re de r\u00e9pondre \u00e0 cet \u00e9v\u00e9nement, voir KB85494.", "ruleId": "PROTECT_MCAFEE_REG_VALUE1", "operation": 3, "productId": 513, "reason": 6}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-02-15T06:32:09Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Created
{"eventType": "RegValue Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "5ae2323c-98cc-4020-ad3f-8d0e25de9f95", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.421Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\CURRENTCONTROLSET\CONTROL\DEVICEMIGRATION\DEVICES\USB\VID_17E9&PID_6015&MI_02\7&1D07AD2B&0&0004\INTERFACES\{HIDDENSID}#PCM_IN_05_00\DEVICE", "keyValueName": "FRIENDLYNAME", "keyValueType": "REG_SZ", "keyValue": "Lenovo USB Audio"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Deleted
{"eventType": "RegValue Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "d162fb4b-1c6b-41e5-9458-a0d5be22deae", "contextTraceId": "5537a2e8-1a38-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:38.131Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\TEMP", "keyValueName": "DISABLESETUPDICHANGESTATE"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:31Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Modified
{"eventType": "RegValue Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f45d9571094", "traceId": "efff6774-159e-424c-85b3-cd570e3b6d22", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747958b6c90d", "pid": 4180, "time": "2023-04-19T17:50:07.139Z", "pSha2": "7538940533F3B531D2FF8B57D79C01C475BB457FA5103E5A0D4AFADB728702C6", "ppid": 4180, "pFullName": "C:\$WINDOWS.~BT\Sources\SetupHost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\MOSETUP\VOLATILE", "keyValueName": "SETUPPROGRESS", "keyValueType": "REG_DWORD", "keyValue": "64", "keyOldValue": "51"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


ScheduledTask Changed
{"eventType": "ScheduledTask Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d57e9fa6-7967-45b5-a54e-468f5c2be4db", "traceId": "b5a8f55e-3d1b-464c-84c8-ac4791366f22", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e4bf69", "pid": 7392, "time": "2023-04-19T18:46:06.775Z", "pSha2": "949BFB5B4C7D58D92F3F9C5F8EC7CA4CEAFFD10EC5F0020F0A987C472D61C54B", "ppid": 7392, "pFullName": "C:\Windows\System32\svchost.exe", "uniqueRuleId": 30, "action": "deleted", "schedtask": {"name": "Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScheduledTaskRegistered"]}


Script Executed
{"eventType": "Script Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "5179615b-3a3f-49e4-8e27-2d1966deed68", "contextTraceId": "5537a2e8-1a88-43f3-8d1f-747957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.536Z", "uniqueRuleId": 28001, "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "scriptType": "powershell", "scripts": [{"timestamp": "2023-04-19T17:51:53.536Z", "length": 391, "hash": "40D27F34C4D18A9A07D13655FFE2738D3B19975A4FAC8192C6ABAE55319A91B9", "intentions": [{"name": "action:Object/Select", "lines": ["[...]52428800') -or ($.BytesFromPeers -ne '0') -or (($.BytesFromCacheServer -ne '0') -and ($.BytesFromCacheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInforma[...]"]}, {"name": "action:Xml/ConvertTo", "lines": ["[...]cheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInformation"]}, {"name": "observable:network.url.http", "lines": ["Get-DeliveryOptimizationStatus | where-object {($.Sourceurl -CLike 'http://HIDDEN:8005*') -AND (($.FileSize -ge '52428800') -or ($.BytesFromPeers -ne '0') -or (($_.BytesFromCacheServer -ne '0') -and[...]"]}]}], "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:03Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptExecuted"]}


Service Changed
{"eventType": "Service Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "ff683f3a-7433-4122-8478-80560270cf1a", "contextTraceId": "5537a2e8-1a88-43f3-9c1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:12.567Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 16, "action": "deleted", "service": {"name": "BTHPORT"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:50:56Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ServiceChanged"]}


SysInfo
{"eventType": "SysInfo", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "0a3fc885-44c0-487d-951a-65ac7bdd2ab2", "contextTraceId": "3e1cbf79-f99f-48f8-8db0-6112de4ee587", "time": "2023-04-19T18:55:21.807Z", "os": {"desc": "Windows 11", "major": 10, "minor": 0, "build": 22621, "sp": ""}, "ifaces": [{"name": "Ethernet", "mac": "6c:24:08:HIDDEN", "ip": "169.254.39.215", "type": 6}, {"name": "Connexion au r\u00e9seau local* 1", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.133.182", "type": 71}, {"name": "Wi-Fi", "mac": "54:6c:eb:HIDDEN", "ip": "192.168.1.34", "type": 71}, {"name": "Connexion r\u00e9seau Bluetooth", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.228.207", "type": 6}], "bootTime": "2023-04-19T18:54:53.057Z", "domain": "HIDDENDOMAIN.lan", "cv": 1408, "pv": 0, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:55:54Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "it": 1}


User Login
{"eventType": "User Login", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "8010fadb-6402-4977-9279-db7a61bd8aed", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df02eb", "time": "2023-04-19T15:05:52.023Z", "uniqueRuleId": 1, "eventId": 4624, "success": true, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182954904}, "networkInfo": {"workstationName": "HIDDEN29451", "ipAddress": "127.0.0.1", "ipPort": 0}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}


User Logout
{"eventType": "User Logout", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "91acc5be-d782-4ea9-9181-ada93c91ba45", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df04eb", "time": "2023-04-19T15:05:52.027Z", "uniqueRuleId": 1, "eventId": 4634, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182952904}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}


Username Changed
{"eventType": "Username Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9b0fcb12-5182-4877-98b4-6b0eb9c5d16f", "traceId": "a71c4d2e-1ad5-4d84-bd23-ffe0ff6476fa", "contextTraceId": "cd64419d-1e3d-4576-af0f-32387fce4c71", "pid": 660, "it": 1, "time": "2023-04-18T07:54:28.337Z", "uniqueRuleId": 1, "ppid": 660, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4781, "user": {"adminType": 0, "domain": "HIDDEN22703", "id": "S-1-5-21-HIDDEN", "name": "Invit\u00e9", "newName": "HIDDEN_invit\u00e9"}, "userInitiator": {"adminType": 0, "domain": "HIDDEN", "id": "S-1-5-18", "name": "HIDDEN22703$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T07:54:40Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


WMI Activity
{"eventType": "WMI Activity", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e832285-a165-4126-8d73-fe112095bb60", "traceId": "2611f0a8-8c60-4f94-8f99-6b07b146a45b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c70d", "pid": 15260, "time": "2023-04-19T17:45:09.423Z", "uniqueRuleId": 27000, "wmi": {"type": 1, "operation": "Start IWbemServices::CreateClassEnum - root\subscription : ", "evid": 11}, "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 15260, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:45:20Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.WMIActivity"]}


inodee commented Apr 20, 2023

Hey @mthcht,

Thanks for that!

Are you also considering the value 'Via Windows Eventlogs' (WEL) besides the Yes/No? For example:

User Login
{"eventType": "User Login", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "8010fadb-6402-4977-9279-db7a61bd8aed", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df02eb", "time": "2023-04-19T15:05:52.023Z", "uniqueRuleId": 1, "eventId": 4624, "success": true, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182954904}, "networkInfo": {"workstationName": "HIDDEN29451", "ipAddress": "127.0.0.1", "ipPort": 0}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}

If that relies on WEL, is the agent automatically taking care of necessary audit policy changes?


mthcht commented Apr 20, 2023

@inodee I was thinking of this category "Via Windows Eventlogs" as a log we can add with the EDR capabilities... for example, CrowdStrike has the ability to add any event log we want to the collection (like a Splunk input) that is not collected by default.

I hadn't considered this category as the method through which the EDR generates the log, using the Windows event logs behind the scenes by default, so it could fall into this category for logs displaying "eventid".

I believe that there might be other EDR solutions generating numerous logs via Windows Event Logs by default without clearly indicating it in the log like Trellix does. It can be difficult to know without examining the EDR internals.

As for the policy on the agent, it is done automatically, nothing to configure on our end.


tsale commented Apr 20, 2023

That is awesome @mthcht, thank you very much for all the info, much appreciated!

It will take me some time to go through and validate. I will reach out with any questions, if any.

tsale added the labels "enhancement" (New feature or request) and "under review" (Evaluating proposal) on Apr 20, 2023

tsale commented Apr 24, 2023

@mthcht, I reviewed the submission and I have some questions regarding some of the sub-categories. See below:

  1. I cannot see evidence for the UDP Connection, URL, Driver Loaded and Group Policy Modification. Could you please provide some info on those?
  2. Under EDR SysOps, are you waiting for confirmation from the vendor?
  3. As @inodee mentioned above, we will have to change the values that are depending on the Windows Event Logs to reflect that. Just giving you a heads up on that.

Looking forward to the info, thanks again!

We will soon be releasing a tool that will make telemetry generation easy 🙂.

tsale added the label "waiting for info" (Further information is requested) and removed the label "under review" (Evaluating proposal) on Apr 24, 2023

mthcht commented Apr 26, 2023

@mthcht, I reviewed the submission and I have some questions regarding some of the sub-categories. See below:

  1. I cannot see evidence for the UDP Connection, URL, Driver Loaded and Group Policy Modification. Could you please provide some info on those?
  2. Under EDR SysOps, are you waiting for confirmation from the vendor?
  3. As @inodee mentioned above, we will have to change the values that are depending on the Windows Event Logs to reflect that. Just giving you a heads up on that.

Looking forward to the info, thanks again!

We will soon be releasing a tool that will make telemetry generation easy 🙂.

The URL requests from processes are logged in the Network Accessed event type.

Here is a sample:

{"eventType": "Network Accessed", "maGuid": "648926D2-ADEC-11ED-1387-3C18A016CD51", "host": "HIDDENHOST2428", "rv": 1408, "parentTraceId": "9fd5c9e7-7fab-4917-9f69-7da865155df2", "traceId": "006c5067-fd34-4b8e-9c98-55158b504fde", "contextTraceId": "bcb714a9-3df6-40ac-b1e7-911e84869cac", "pid": 3116, "it": 1, "time": "2023-04-26T13:21:09.366Z", "pSha2": "45A66726915893E4B0BD56ABA177C244B13DA3344949377140A29DF8E7C9BA13", "ppid": 3116, "pFullName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "uniqueRuleId": 29000, "network": {"accessType": "connection_opened", "direction": "outbound", "dstIp": "52.111.231.17", "dstPort": 443, "srcIp": "127.0.0.1", "srcPort": 65129, "protocol": "https", "bRec": 68, "layer7": {"url": "https://statics.teams.microsoft.com/evergreen-assets/emails/email_tracker_hidden.png", "httpRequestHeaders": "GET /evergreen-assets/emails/email_tracker_hidden.png HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nConnection: Keep-Alive\r\nHost: statics.teams.microsoft.com\r\n\r\n", "httpResponseHeaders": "HTTP/1.1 200 \r\ncache-control: public, max-age=604800\r\ncontent-length: 68\r\ncontent-type: image/png\r\ncontent-md5: l4wb7knXrV/BpNgBmbE+GA==\r\nlast-modified: Tue, 09 May 2017 17:24:03 GMT\r\naccept-ranges: bytes\r\netag: \"0x8D495003054D68E\"\r\nx-cache: TCP_HIT\r\nx-ms-request-id: 36ce57e8-801e-0073-22bb-757bea000000\r\nx-ms-version: 2014-02-14\r\nx-ms-lease-status: unlocked\r\nx-ms-lease-state: available\r\nx-ms-blob-type: BlockBlob\r\naccess-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-lease-state,x-ms-blob-type,Accept-Ranges,Content-Length,Date,Transfer-Encoding\r\naccess-control-allow-origin: *\r\nx-azure-ref-originshield: Ref A: 50B5A73AD3B545F8969D80D9055F75B1 Ref B: AMS221021014023 Ref C: 2023-04-26T00:36:20Z\r\nnel: {\"report_to\":\"NelMSTeams\",\"max_age\":604800,\"failure_fraction\":0.2,\"success_fraction\":0.001}\r\nreport-to: {\"group\":\"NelMSTeams\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://teams.nel.measure.office.net/api/report?cat=teams\"}]}\r\nx-msedge-ref: Ref A: 35D4F161A45E431391F961C3DFE08B04 Ref B: PRAEDGE2018 Ref C: 2023-04-26T13:21:04Z\r\ndate: Wed, 26 Apr 2023 13:21:03 GMT\r\n\r\n"}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-26T13:21:36Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NetworkConnection"]}

Same for UDP requests; another sample:

{"eventType": "Network Accessed", "maGuid": "B6DB8120-86FE-11EB-1676-482AE3A1B8E2", "host": "HIDDENHOST0234", "rv": 1104, "parentTraceId": "2bcb5dbe-86c5-4430-8e63-ed086d431532", "traceId": "9de74698-400b-4e56-aa26-531e1e94a3c3", "contextTraceId": "da8033c2-af45-4d5b-8d90-0cca58aec00b", "pid": 4656, "time": "2023-04-26T16:18:39.251Z", "pSha2": "ADD683A6910ABBBF0E28B557FAD0BA998166394932AE2ACA069D9AA19EA8FE88", "ppid": 4656, "pFullName": "C:\\Windows\\System32\\svchost.exe", "uniqueRuleId": 19000, "network": {"accessType": "connection_opened", "direction": "inbound", "dstIp": "192.168.1.1", "dstPort": 1900, "srcIp": "192.168.1.155", "srcPort": 59811, "protocol": "udp", "dnsNames": [""]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-26T16:18:52Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NetworkConnection"]}

Driver Loaded is not logged, my mistake.
And it appears I do not collect Group Policy Modifications; it seems to be categorized under a different API endpoint that I do not use. I updated the commit to set these to 'false'.

For the EDR SysOps logs, it seems that some events are logged locally on each machine, but I did not find them with the EDR events API endpoint. There are a lot of API endpoints, so I am not sure if it is also available with another API endpoint.
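One way to turn the event samples posted in this thread into the telemetry sub-categories under discussion, as an added example that is not code from the PR or from the EDR-Telemetry project: it reads Trellix EDR JSON events, marks the ones that carry a Windows Security eventId as "Via Windows Eventlogs" (the value @inodee raised above), and splits "Network Accessed" into TCP/UDP connection plus URL when layer-7 data is present. The field names follow the samples above; the sub-category labels other than "URL" and "UDP Connection", the source values, and the samples themselves are this example's own assumptions.

```python
# Added example (not from the PR or the project): classify Trellix EDR API events
# into telemetry sub-categories. Field names follow the samples in this thread;
# the labels (other than "URL"/"UDP Connection") and source values are assumed.
import json
from collections import defaultdict

WEL_SOURCE = "Via Windows Eventlogs"  # value @inodee proposed for WEL-derived events
EDR_SOURCE = "Yes"                    # native sensor telemetry

EVENT_TYPE_CATEGORIES = {             # eventType -> sub-category (labels assumed)
    "User Login": "User Logon/Logoff",
    "User Logout": "User Logon/Logoff",
    "Username Changed": "User Account Modified",
    "RegKey Deleted": "Registry Key Deleted",
    "RegValue Created": "Registry Value Created",
    "RegValue Modified": "Registry Value Modified",
    "Script Executed": "Script Executed",
    "Service Changed": "Service Changed",
}

# Constructed samples modelled on the events posted above (trimmed, anonymised).
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"eventType": "User Login", "eventId": 4624, "success": True,
     "user": {"logonType": "Unlock", "name": "HIDDENUSERNAME"}},
    {"eventType": "Username Changed", "eventId": 4781,
     "pFullName": "C:\\Windows\\System32\\lsass.exe"},
    {"eventType": "Network Accessed",
     "pFullName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "network": {"direction": "outbound", "dstPort": 443, "protocol": "https",
                 "layer7": {"url": "https://statics.teams.microsoft.com/x.png"}}},
    {"eventType": "Network Accessed", "pFullName": "C:\\Windows\\System32\\svchost.exe",
     "network": {"direction": "inbound", "dstPort": 1900, "protocol": "udp"}},
    {"eventType": "RegValue Modified",
     "registry": {"keyName": "HKLM\\SYSTEM\\SETUP\\MOSETUP\\VOLATILE",
                  "keyValueName": "SETUPPROGRESS", "keyValue": "64", "keyOldValue": "51"}},
    {"eventType": "Script Executed", "scriptType": "powershell"},
])

def load_events(jsonl_text):
    """Parse newline-delimited JSON events (one object per line); blank lines skipped."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]

def classify(event):
    """Return (sub-categories, source): an event carrying a Windows Security
    event id counts as WEL-derived; "Network Accessed" is TCP or UDP plus URL
    when layer-7 data was captured."""
    etype = event.get("eventType", "")
    if etype == "Network Accessed":
        net = event.get("network", {})
        proto = str(net.get("protocol", "")).lower()
        cats = ["UDP Connection" if proto == "udp" else "TCP Connection"]
        if net.get("layer7", {}).get("url"):
            cats.append("URL")
    else:
        cats = [EVENT_TYPE_CATEGORIES.get(etype, f"Unmapped ({etype})")]
    source = WEL_SOURCE if "eventId" in event else EDR_SOURCE
    return cats, source

def summarize(events):
    """Map each sub-category to the set of sources seen, e.g. {"URL": {"Yes"}}."""
    seen = defaultdict(set)
    for ev in events:
        cats, src = classify(ev)
        for cat in cats:
            seen[cat].add(src)
    return dict(seen)

if __name__ == "__main__":
    for cat, srcs in sorted(summarize(load_events(SAMPLE_JSONL)).items()):
        print(f"{cat:24s} {', '.join(sorted(srcs))}")
```

Feeding the real API output (one JSON object per line) to load_events gives a per-category view of which values in the EDR_telem table come from the sensor and which only from Windows event logs.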


tsale commented Apr 26, 2023

Thanks for the info @mthcht! For the EDR SysOps, logged locally is acceptable as well. You could edit the commit to include what you see in regards to it and I’ll approve it.


mthcht commented Apr 26, 2023

Thanks for the info @mthcht! For the EDR SysOps, logged locally is acceptable as well. You could edit the commit to include what you see in regards to it and I’ll approve it.

OK, I added what I saw; I will make another PR if I find a way to collect more with the API.

@tsale tsale left a comment


Thank you so much @mthcht for this contribution!

@tsale tsale merged commit 8eecba6 into tsale:main Apr 26, 2023
tsale pushed a commit that referenced this pull request Apr 26, 2023
* adding Trellix EDR (mcafee) to EDR_telem.json
---------

Fixing typo as a result of the last commit.

bolzy1 commented May 2, 2023

A few things I would like to add/correct around the Trellix EDR solution: the correct link to the user/product guide is located here https://docs.trellix.com/en/bundle/mvision-endpoint-detection-and-response-landing/page/GUID-571E9972-9D54-49D3-BAC8-6197FFFB02C9.html. With regards to agent monitoring, the agent is monitored via ePO (separate management plane).


mthcht commented May 9, 2023

A few things I would like to add/correct around the Trellix EDR solution: the correct link to the user/product guide is located here https://docs.trellix.com/en/bundle/mvision-endpoint-detection-and-response-landing/page/GUID-571E9972-9D54-49D3-BAC8-6197FFFB02C9.html. With regards to agent monitoring, the agent is monitored via ePO (separate management plane).

Thank you. I am also collecting McAfee ePO syslogs and have not come across any events related to EDR agent monitoring. Could you confirm if you have seen such events on your end and provide some samples for reference?


bolzy1 commented May 9, 2023

A few things I would like to add/correct around the Trellix EDR solution: the correct link to the user/product guide is located here https://docs.trellix.com/en/bundle/mvision-endpoint-detection-and-response-landing/page/GUID-571E9972-9D54-49D3-BAC8-6197FFFB02C9.html. With regards to agent monitoring, the agent is monitored via ePO (separate management plane).

Thank you. I am also collecting McAfee ePO syslogs and have not come across any events related to EDR agent monitoring. Could you confirm if you have seen such events on your end and provide some samples for reference?

ePO won't have logs of this; it's reflected in the dashboard. Filtering the system tree view to show the last agent communication is one way; the other way is to build a report with the data out of the SQL database to show last agent communications. Hope this helps.
