diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml index cbb9b311a..000b90405 100644 --- a/Fortinet/fortigate/ingest/parser.yml +++ b/Fortinet/fortigate/ingest/parser.yml @@ -52,31 +52,31 @@ pipeline: timezone: "UTC" - name: parsed_date - filter: '{{parsed_event.message.get("eventtime") != None}}' + filter: '{{parsed_event.message.get("timestamp") != None}}' external: name: date.parse properties: - input_field: "{{parsed_event.message.eventtime }}" + input_field: "{{parsed_event.message.timestamp }}" output_field: date - timezone: "UTC" + timezone: "{{parsed_event.message.tz}}" - name: parsed_date - filter: '{{parsed_event.message.get("timestamp") != None}}' + filter: '{{parsed_event.message.get("start") != None}}' external: name: date.parse properties: - input_field: "{{parsed_event.message.timestamp }}" + input_field: "{{parsed_event.message.start }}" output_field: date - timezone: "UTC" + timezone: "{{parsed_event.message.tz}}" - name: parsed_date - filter: '{{parsed_event.message.get("start") != None}}' + filter: '{{parsed_event.message.get("eventtime") != None}}' external: name: date.parse properties: - input_field: "{{parsed_event.message.start }}" + input_field: "{{parsed_event.message.eventtime }}" output_field: date - timezone: "{{parsed_event.message.tz}}" + timezone: "UTC" - name: field_extraction - name: set_event_dataset diff --git a/Fortinet/fortigate/tests/test_ips.STANDARD.json b/Fortinet/fortigate/tests/test_ips.STANDARD.json index 2ba1de9cc..6ba631e5e 100644 --- a/Fortinet/fortigate/tests/test_ips.STANDARD.json +++ b/Fortinet/fortigate/tests/test_ips.STANDARD.json @@ -12,7 +12,7 @@ "reason": "tools: Qualys.Vulnerability.Scanner", "timezone": "-0700" }, - "@timestamp": "2023-10-23T07:40:49Z", + "@timestamp": "2023-10-23T07:40:49.852013Z", "action": { "name": "detected", "outcome": "success", 
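Review bot: The `timestamp` and `start` steps now pass `timezone: "{{parsed_event.message.tz}}"` to `date.parse`, but nothing covers a log that carries no `tz` key (before this change only `start` depended on it and `timestamp` was parsed as `"UTC"`); the template then renders an empty timezone and how `date.parse` treats that is not visible here, so a fallback such as `timezone: '{{parsed_event.message.get("tz", "UTC")}}'` (the file already relies on `.get()` in its filters) would keep the previous behaviour for such logs. The three steps all write `output_field: date` and differ only in order, so the reorder appears to make `eventtime` (nanosecond precision, UTC) take precedence by being the last writer; a comment above the first of them, e.g. `# all three steps write "date"; the last matching step wins, so eventtime overrides timestamp/start`, would record that intent, which the updated sub-second `@timestamp` expectations otherwise only imply.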
diff --git a/Fortinet/fortigate/tests/traffic_nat_1.STANDARD.json b/Fortinet/fortigate/tests/traffic_nat_1.STANDARD.json index 0ff2301d4..3779fa7ab 100644 --- a/Fortinet/fortigate/tests/traffic_nat_1.STANDARD.json +++ b/Fortinet/fortigate/tests/traffic_nat_1.STANDARD.json @@ -12,7 +12,7 @@ "outcome": "success", "timezone": "+0000" }, - "@timestamp": "2024-03-06T22:06:03Z", + "@timestamp": "2024-03-06T22:06:04.028578Z", "action": { "name": "accept", "outcome": "success", diff --git a/Fortinet/fortigate/tests/traffic_nat_2.STANDARD.json b/Fortinet/fortigate/tests/traffic_nat_2.STANDARD.json new file mode 100644 index 000000000..64b51ace1 --- /dev/null +++ b/Fortinet/fortigate/tests/traffic_nat_2.STANDARD.json 
@@ -0,0 +1,97 @@ +{ + "input": { + "message": "timestamp=1732640381 devname=\"12_LE_XXXXX-60F\" devid=\"xxxxxxxxxxxxxxxxxxx\" vd=\"root\" date=2024-11-26 time=16:59:41 eventtime=1732633180924621531 tz=\"+0200\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" srcip=1.2.3.4 srcname=\"xxxxxxx.test.info\" srcport=56745 srcintf=\"internal\" srcintfrole=\"undefined\" dstip=1.2.4.5 dstport=80 dstintf=\"wan1\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Egypt\" sessionid=157131884 proto=6 action=\"close\" policyid=12 policytype=\"policy\" poluuid=\"c1353c04-b6ee-51ea-9664-c8541f024774\" policyname=\"LAN to Internet\" service=\"HTTP\" trandisp=\"snat\" transip=45.245.209.162 transport=56745 appid=15893 app=\"HTTP.BROWSER\" appcat=\"Web.Client\" apprisk=\"medium\" applist=\"block-high-risk\" duration=1 sentbyte=483 rcvdbyte=399 sentpkt=7 rcvdpkt=5 wanin=187 wanout=111 lanin=111 lanout=187 utmaction=\"allow\" countweb=1 osname=\"Windows\" srcswversion=\"10\" mastersrcmac=\"00:e0:4c:68:00:0a\" srcmac=\"00:e0:4c:68:00:0a\" srcserver=0" + }, + "expected": { + "message": "timestamp=1732640381 devname=\"12_LE_XXXXX-60F\" devid=\"xxxxxxxxxxxxxxxxxxx\" vd=\"root\" date=2024-11-26 time=16:59:41 eventtime=1732633180924621531 tz=\"+0200\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" srcip=1.2.3.4 srcname=\"xxxxxxx.test.info\" srcport=56745 srcintf=\"internal\" srcintfrole=\"undefined\" dstip=1.2.4.5 dstport=80 dstintf=\"wan1\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Egypt\" sessionid=157131884 proto=6 action=\"close\" policyid=12 policytype=\"policy\" poluuid=\"c1353c04-b6ee-51ea-9664-c8541f024774\" policyname=\"LAN to Internet\" service=\"HTTP\" trandisp=\"snat\" transip=45.245.209.162 transport=56745 appid=15893 app=\"HTTP.BROWSER\" appcat=\"Web.Client\" apprisk=\"medium\" applist=\"block-high-risk\" duration=1 sentbyte=483 rcvdbyte=399 sentpkt=7 rcvdpkt=5 wanin=187 wanout=111 lanin=111 
lanout=187 utmaction=\"allow\" countweb=1 osname=\"Windows\" srcswversion=\"10\" mastersrcmac=\"00:e0:4c:68:00:0a\" srcmac=\"00:e0:4c:68:00:0a\" srcserver=0", + "event": { + "action": "close", + "category": "traffic", + "code": "0000000013", + "dataset": "traffic:forward", + "outcome": "success", + "timezone": "+0200" + }, + "@timestamp": "2024-11-26T14:59:40.924622Z", + "action": { + "name": "close", + "outcome": "success", + "target": "network-traffic", + "type": "forward" + }, + "destination": { + "address": "1.2.4.5", + "bytes": 399, + "ip": "1.2.4.5", + "packets": 5, + "port": 80 + }, + "fortinet": { + "fortigate": { + "apprisk": "medium", + "event": { + "type": "traffic" + }, + "policyid": "12", + "poluuid": "c1353c04-b6ee-51ea-9664-c8541f024774", + "virtual_domain": "root" + } + }, + "host": { + "name": "xxxxxxx.test.info", + "os": { + "family": "Windows" + } + }, + "log": { + "hostname": "12_LE_XXXXX-60F", + "level": "notice" + }, + "network": { + "application": "HTTP.BROWSER", + "bytes": 882, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "wan1" + } + }, + "hostname": "12_LE_XXXXX-60F", + "ingress": { + "interface": { + "name": "internal" + } + }, + "serial_number": "xxxxxxxxxxxxxxxxxxx" + }, + "related": { + "hosts": [ + "12_LE_XXXXX-60F" + ], + "ip": [ + "1.2.3.4", + "1.2.4.5", + "45.245.209.162" + ] + }, + "rule": { + "apprisk": "medium", + "category": "Web.Client", + "ruleset": "block-high-risk" + }, + "source": { + "address": "1.2.3.4", + "bytes": 483, + "ip": "1.2.3.4", + "mac": "00:e0:4c:68:00:0a", + "nat": { + "ip": "45.245.209.162" + }, + "packets": 7, + "port": 56745 + } + } +} \ No newline at end of file diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index 1ad5ffb1e..d9fcdaa24 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml 
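Review bot: The fixture redacts `srcip`/`dstip` to `1.2.3.4`/`1.2.4.5` and masks `devid`/`devname`, but `transip=45.245.209.162`, which the expectation also carries in `source.nat.ip` and `related.ip`, looks like a routable public address rather than a documentation range; swapping it for an RFC 5737 address (e.g. `203.0.113.10`) in `input.message` and in both `expected` locations keeps the sample free of what may be a real NAT address. The rest of the expected mapping lines up with the input (`source.nat.ip` from `transip`, `network.bytes` 882 = sentbyte 483 + rcvdbyte 399).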
@@ -998,11 +998,6 @@ harfanglab.grandparent.process.ancestors: name: harfanglab.grandparent.process.ancestors type: keyword -harfanglab.grandparent.process.command_line: - description: Command line that started the grandparent process - name: harfanglab.grandparent.process.command_line - type: keyword - harfanglab.grandparent.process.executable: description: Absolute path to the grandparent process executable name: harfanglab.grandparent.process.executable diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 2b8fb9c96..9a07a2fe4 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -207,7 +207,6 @@ stages: process.working_directory: "{{json_event.message.current_directory}}" process.pe.imphash: "{{json_event.message.pe_imphash}}" harfanglab.grandparent.process.executable: "{{json_event.message.grandparent_image}}" - harfanglab.grandparent.process.command_line: "{{json_event.message.parent_commandline}}" harfanglab.grandparent.process.ancestors: "{{json_event.message.ancestors.split('|')}}" user.name: > diff --git a/HarfangLab/harfanglab/tests/process-event.json b/HarfangLab/harfanglab/tests/process-event.json index 9f1f078f3..3428ebe94 100644 --- a/HarfangLab/harfanglab/tests/process-event.json +++ b/HarfangLab/harfanglab/tests/process-event.json @@ -28,7 +28,6 @@ "harfanglab": { "grandparent": { "process": { - "command_line": "C:\\ProgramData\\CentraStage\\AEMAgent\\AEMAge.exe", "executable": "C:\\Program Files (x86)\\Centra\\CagServ.exe" } }, diff --git a/HarfangLab/harfanglab/tests/process.json b/HarfangLab/harfanglab/tests/process.json index 024f674a3..0f1dd018c 100644 --- a/HarfangLab/harfanglab/tests/process.json +++ b/HarfangLab/harfanglab/tests/process.json 
@@ -25,13 +25,6 @@ "sha256": "100af46c952e58105dbc51eb92510f6990377a3ffc57e82074a8bfb64c56c529" } }, - "harfanglab": { - "grandparent": { - "process": { - "command_line": "E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\Microsoft.Exchange.Diagnostics.Service.exe" - } - } - }, "host": { "domain": "NIVURA", "hostname": "EXCHANGE", diff --git a/HarfangLab/harfanglab/tests/process3.json b/HarfangLab/harfanglab/tests/process3.json index 3e464ccab..94dc5cd95 100644 --- a/HarfangLab/harfanglab/tests/process3.json +++ b/HarfangLab/harfanglab/tests/process3.json @@ -25,13 +25,6 @@ "sha256": "b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15" } }, - "harfanglab": { - "grandparent": { - "process": { - "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p" - } - } - }, "host": { "domain": "WORKGROUP", "hostname": "REDACTED", diff --git a/HarfangLab/harfanglab/tests/process4.json b/HarfangLab/harfanglab/tests/process4.json index 3f32333c2..81c856502 100644 --- a/HarfangLab/harfanglab/tests/process4.json +++ b/HarfangLab/harfanglab/tests/process4.json @@ -34,7 +34,6 @@ "C:\\Windows\\test2.exe", "C:\\Windows\\test3.exe" ], - "command_line": "test.exe -p -e test_script.py | find test", "executable": "C:\\Windows\\grandparent_image.exe" } }, diff --git a/Trend Micro/trend-micro-vision-one-oat/CHANGELOG.md b/Trend Micro/trend-micro-vision-one-oat/CHANGELOG.md new file mode 100644 index 000000000..11bddf32c --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-oat/CHANGELOG.md @@ -0,0 +1,8 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml new file mode 100644 index 000000000..abdf1aea4 
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
@@ -0,0 +1,59 @@
+action.properties.ScriptBlockText:
+ description: ''
+ name: action.properties.ScriptBlockText
+ type: keyword
+
+process.parent.parent.command_line:
+ description: ''
+ name: process.parent.parent.command_line
+ type: keyword
+
+process.parent.parent.executable:
+ description: ''
+ name: process.parent.parent.executable
+ type: keyword
+
+process.parent.parent.hash.md5:
+ description: ''
+ name: process.parent.parent.hash.md5
+ type: keyword
+
+process.parent.parent.hash.sha1:
+ description: ''
+ name: process.parent.parent.hash.sha1
+ type: keyword
+
+process.parent.parent.hash.sha256:
+ description: ''
+ name: process.parent.parent.hash.sha256
+ type: keyword
+
+process.parent.parent.name:
+ description: ''
+ name: process.parent.parent.name
+ type: keyword
+
+process.parent.parent.pid:
+ description: ''
+ name: process.parent.parent.pid
+ type: keyword
+
+process.parent.parent.start:
+ description: ''
+ name: process.parent.parent.start
+ type: datetime
+
+process.parent.parent.user.domain:
+ description: ''
+ name: process.parent.parent.user.domain
+ type: keyword
+
+process.parent.parent.user.name:
+ description: ''
+ name: process.parent.parent.user.name
+ type: keyword
+
+process.parent.user.domain:
+ description: ''
+ name: process.parent.user.domain
+ type: keyword
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/logo.png b/Trend Micro/trend-micro-vision-one-oat/_meta/logo.png
new file mode 100644
index 000000000..e51bb3eb7
Binary files /dev/null and b/Trend Micro/trend-micro-vision-one-oat/_meta/logo.png differ
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml
new file mode 100644
index 000000000..221cd1be1
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml
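Review bot: All twelve field definitions carry `description: ''`, so the custom schema ships undocumented; each description should name the source attribute the parser reads, e.g. for `process.parent.parent.command_line`: `description: Command line of the grandparent process (Vision One detail.parentCmd)`. `process.parent.parent.pid` is declared `type: keyword` even though the parser fills it from the numeric `parentPid` and the sibling ECS field `process.parent.pid` is emitted as an integer in the test expectations, so pid queries would behave differently one level up; an integer type, if the schema offers one, would be consistent.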
@@ -0,0 +1,12 @@
+uuid: 2345b987-a94a-4363-b7bc-a6e4a9efd98a
+automation_connector_uuid: 3b5a417e-e86f-4fce-ac10-4c1d76d91b46
+automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6
+name: Trend Micro Vision One OAT [BETA]
+slug: trend-micro-vision-one-oat
+
+description: >-
+ Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation.
+ This intake format will ingest Observed Attack Techniques from Trend Micro Vision One.
+
+data_sources:
+ Network intrusion detection system:
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json
new file mode 100644
index 000000000..11011507c
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json
@@ -0,0 +1,27 @@
+[
+ {
+ "value": "Observed {threat.tactic.id} tactic(s) and {threat.technique.id}({threat.technique.subtechnique.id}) technique(s) on {host.ip}",
+ "conditions": [
+ { "field": "threat.tactic.id" },
+ { "field": "threat.technique.id" },
+ { "field": "threat.technique.subtechnique.id" },
+ { "field": "host.ip" }
+ ]
+ },
+ {
+ "value": "Observed {threat.tactic.id} tactic(s) and {threat.technique.id} technique(s) on {host.ip}",
+ "conditions": [
+ { "field": "threat.tactic.id" },
+ { "field": "threat.technique.id" },
+ { "field": "host.ip" }
+ ]
+ },
+ {
+ "value": "Observed {threat.tactic.id} tactic(s) and {threat.technique.subtechnique.id} technique(s) on {host.ip}",
+ "conditions": [
+ { "field": "threat.tactic.id" },
+ { "field": "threat.technique.subtechnique.id" },
+ { "field": "host.ip" }
+ ]
+ }
+]
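Review bot: Under `data_sources`, `Network intrusion detection system:` has no value, so a YAML loader yields `null` for it; if the manifest schema expects a description string per data source, add one (`Network intrusion detection system: Observed Attack Techniques reported by Trend Micro Vision One`). The label itself is worth a second look, since the events in the added fixtures come from endpoint agents (`"source": "endpointActivityData"`, `"entityType": "endpoint"`) rather than a network sensor — if the project's data-source taxonomy has an endpoint category it may fit better. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags.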
diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
new file mode 100644
index 000000000..d10eac119
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
@@ -0,0 +1,84 @@
+name: trend-micro-vision-one-oat
+ignored_values: []
+pipeline:
+ - name: parsed_event
+ external:
+ name: json.parse-json
+ properties:
+ input_field: "{{original.message}}"
+ output_field: message
+
+ - name: set_ecs_fields
+
+stages:
+ set_ecs_fields:
+ actions:
+ - set:
+ event.category: ["intrusion_detection"]
+ event.type: ["info"]
+ observer.vendor: "TrendMicro"
+ observer.product: "Vision One"
+
+ - set:
+ "@timestamp": "{{parsed_event.message.detectedDateTime | to_rfc3339}}"
+
+ host.name: "{{parsed_event.message.endpoint.endpointName}}"
+ host.ip: "{{parsed_event.message.endpoint.ips}}"
+
+ agent.id: "{{parsed_event.message.endpoint.agentGuid}}"
+ event.start: "{{parsed_event.message.detail.firstSeen | to_rfc3339}}"
+ event.end: "{{parsed_event.message.detail.lastSeen | to_rfc3339}}"
+
+ host.id: "{{parsed_event.message.detail.endpointGuid}}"
+ host.os.name: "{{parsed_event.message.detail.osName}}"
+ host.os.version: "{{parsed_event.message.detail.osVer}}"
+ host.os.full: "{{parsed_event.message.detail.osDescription}}"
+
+ process.name: "{{parsed_event.message.detail.processName | basename or parsed_event.message.detail.ObjectName | basename}}"
+ process.parent.pid: "{{parsed_event.message.detail.processPid}}"
+ process.parent.user.name: "{{parsed_event.message.detail.processUser}}"
+ process.parent.user.domain: "{{parsed_event.message.detail.processUserDomain}}"
+ process.parent.start: "{{parsed_event.message.detail.processLaunchTime | to_rfc3339}}"
+ process.parent.command_line: "{{parsed_event.message.detail.processCmd}}"
+ process.parent.executable: "{{parsed_event.message.detail.processFilePath}}"
+ process.parent.hash.sha1: "{{parsed_event.message.detail.processFileHashSha1}}"
+ process.parent.hash.sha256: "{{parsed_event.message.detail.processFileHashSha256}}"
+ process.parent.hash.md5: "{{parsed_event.message.detail.processFileHashMd5}}"
+ process.parent.parent.name: "{{parsed_event.message.detail.parentName | basename}}"
+ process.parent.parent.executable: "{{parsed_event.message.detail.parentFilePath}}"
+ process.parent.parent.command_line: "{{parsed_event.message.detail.parentCmd}}"
+ process.parent.parent.pid: "{{parsed_event.message.detail.parentPid}}"
+ process.parent.parent.start: "{{parsed_event.message.detail.parentLaunchTime | to_rfc3339}}"
+ process.parent.parent.hash.sha1: "{{parsed_event.message.detail.parentFileHashSha1}}"
+ process.parent.parent.hash.sha256: "{{parsed_event.message.detail.parentFileHashSha256}}"
+ process.parent.parent.hash.md5: "{{parsed_event.message.detail.parentFileHashMd5}}"
+ process.parent.parent.user.name: "{{parsed_event.message.detail.parentUser}}"
+ process.parent.parent.user.domain: "{{parsed_event.message.detail.parentUserDomain}}"
+
+ group.id: "{{parsed_event.message.detail.groupId}}"
+ action.properties.ScriptBlockText: "{{parsed_event.message.detail.objectRawDataStr}}"
+
+ user.name: "{{parsed_event.message.detail.objectUser}}"
+ user.domain: "{{parsed_event.message.detail.objectUserDomain}}"
+
+ process.pid: "{{parsed_event.message.detail.objectPid}}"
+ process.command_line: "{{parsed_event.message.detail.objectCmd}}"
+ process.executable: "{{parsed_event.message.detail.ObjectFilePath}}"
+ process.hash.md5: "{{parsed_event.message.detail.ObjectFileHashMd5}}"
+ process.hash.sha1: "{{parsed_event.message.detail.ObjectFileHashSha1}}"
+ process.hash.sha256: "{{parsed_event.message.detail.ObjectFileHashSha256}}"
+
+ threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"
+ threat.technique.id: >
+ {%- set ids = [] -%}
+ {%- for item in parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = []) -%}
+ {%- if "." not in item -%}{%- set ids = ids.append(item) -%}{%- endif -%}
+ {%- endfor -%}
+ {%- if ids | length > 0 -%}{{ ids | tojson }}{%- endif -%}
+
+ threat.technique.subtechnique.id: >
+ {%- set ids = [] -%}
+ {%- for item in parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = []) -%}
+ {%- if "." in item -%}{%- set ids = ids.append(item) -%}{%- endif -%}
+ {%- endfor -%}
+ {%- if ids | length > 0 -%}{{ ids | tojson }}{%- endif -%}
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json
new file mode 100644
index 000000000..d5d205d40
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json
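Review bot: `process.executable` and the three `process.hash.*` keys read `detail.ObjectFilePath` / `detail.ObjectFileHash*` with a capital O, and the `ObjectName` fallback in `process.name` does the same, while the payloads in both added fixtures carry these attributes as `objectFilePath`, `objectFileHashMd5`, `objectFileHashSha1`, `objectFileHashSha256` and `objectName`, so those ECS fields are never populated (the expectation in test_observed_attack_technique_1.json has no `process.executable` or `process.hash`, and `related.hash` lists only the parent's hashes); lower-casing the five keys, e.g. `process.executable: "{{parsed_event.message.detail.objectFilePath}}"`, fixes it. `process.name` is also derived from `processName`, which every other mapping treats as the parent (`processPid` → `process.parent.pid`, `processCmd` → `process.parent.command_line`), so the expectation ends up with `process.name: services.exe` beside `process.command_line: C:\Windows\system32\sppsvc.exe`; `process.name: "{{parsed_event.message.detail.objectName | basename}}"` keeps the child/parent split consistent. Finally, `threat.technique.id` only collects ids without a dot, so an event whose filters list only sub-techniques (`T1560.002` in test 1) gets `threat.technique.subtechnique.id` but no `threat.technique.id`, which also means the first two smart-description templates never match for it; deriving the parent technique from each id, as below, fills `threat.technique.id` in both cases (test 1's expectation would then gain `"technique": {"id": ["T1560"]}`).
```yaml
        threat.technique.id: >
          {%- set ids = [] -%}
          {%- for item in parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = []) -%}
            {%- set technique = item.split(".")[0] -%}
            {%- if technique not in ids -%}{%- set ids = ids.append(technique) -%}{%- endif -%}
          {%- endfor -%}
          {%- if ids | length > 0 -%}{{ ids | tojson }}{%- endif -%}
        # … unchanged: threat.technique.subtechnique.id …
```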
@@ -0,0 +1,91 @@ +{ + "input": { + "message": "{\"source\": \"endpointActivityData\", \"uuid\": \"2d4af1a4-d784-4a91-9634-b0166f9118ef\", \"filters\": [{\"id\": \"F4231\", \"name\": \"Service Execution via Service Control Manager\", \"description\": \"Service Control Manager (services.exe) has executed a process\", \"mitreTacticIds\": [\"TA0002\"], \"mitreTechniqueIds\": [\"T1560.002\"], \"highlightedObjects\": [{\"type\": \"port\", \"field\": \"objectPort\", \"value\": 443}], \"riskLevel\": \"info\", \"type\": \"custom\"}], \"endpoint\": {\"endpointName\": \"LAB-Luwak-1048\", \"agentGuid\": \"b1cde761-16ad-4067-9a57-cbea882915df\", \"ips\": [\"150.183.13.135\", \"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e\"]}, \"entityType\": \"endpoint\", \"entityName\": \"desktop 1 (110.205.134.245) or 110.205.134.245 | xxxx@gmail.com | arn:aws:lambda:*:%s:function:%s | k8s_container-8c55678bd-8r7zt_default_c1e0cf9a-47bb-41e7-ad41-bac976462a81_6411 | 6d7d30d2148a | -\", \"detectedDateTime\": \"2020-06-01T02:12:56Z\", \"ingestedDateTime\": \"2020-06-01T02:12:56Z\", \"detail\": {\"eventTime\": \"1649806995000\", \"tags\": [\"MITREV9.T1569.002\", \"XSAE.F4231\"], \"uuid\": \"2d4af1a4-d784-4a91-9634-b0166f9118ef\", \"productCode\": \"xes\", \"filterRiskLevel\": \"info\", \"bitwiseFilterRiskLevel\": 1, \"eventId\": \"1\", \"eventSubId\": 2, \"eventHashId\": \"-7817927890991207527\", \"firstSeen\": \"1649806995000\", \"lastSeen\": \"1649806995000\", \"endpointGuid\": \"b1cde761-16ad-4067-9a57-cbea882915df\", \"endpointHostName\": \"LAB-Luwak-1048\", \"endpointIp\": [\"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e\", \"150.183.13.135\"], \"endpointMacAddress\": [\"00:50:56:89:09:9b\"], \"timezone\": \"UTC+08:00\", \"pname\": \"751\", \"pver\": \"1.2.0.2454\", \"plang\": 1, \"pplat\": 5889, \"osName\": \"Windows\", \"osVer\": \"10.0.19044\", \"osDescription\": \"Windows 10 Enterprise (64 bit) build 19044\", \"osType\": \"0x00000004\", \"processHashId\": \"8149551095598764453\", \"processName\": 
\"C:\\\\Windows\\\\System32\\\\services.exe\", \"processPid\": 672, \"sessionId\": 0, \"processUser\": \"SYSTEM\", \"processUserDomain\": \"NT AUTHORITY\", \"processLaunchTime\": \"1646826182237\", \"processCmd\": \"C:\\\\Windows\\\\system32\\\\services.exe\", \"authId\": \"999\", \"integrityLevel\": 16384, \"processFileHashId\": \"-4092577940452904134\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"processFileHashSha1\": \"a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e\", \"processFileHashSha256\": \"ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08\", \"processFileHashMd5\": \"dac02fbf9bebb39e34afe11bfddf2f83\", \"processSigner\": [\"Microsoft Windows Publisher\"], \"processSignerValid\": [true], \"processFileSize\": \"714856\", \"processFileCreation\": \"1618396713939\", \"processFileModifiedTime\": \"1618396713971\", \"processTrueType\": 7, \"objectHashId\": \"499492567380524547\", \"objectUser\": \"NETWORK SERVICE\", \"objectUserDomain\": \"NT AUTHORITY\", \"objectSessionId\": \"0\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\sppsvc.exe\", \"objectFileHashSha1\": \"42aeb6f7261c3c0521d19a77d2ea1956d122921f\", \"objectFileHashSha256\": \"be86edb76a659ddb715dbe985013683bf7831736a779178b28240ee74e393c21\", \"objectFileHashMd5\": \"e47a33a58764cd5cb567000035876e1a\", \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectFileSize\": \"4629328\", \"objectFileCreation\": \"1646822883174\", \"objectFileModifiedTime\": \"1646822883393\", \"objectTrueType\": 7, \"objectName\": \"C:\\\\Windows\\\\System32\\\\sppsvc.exe\", \"objectPid\": 3832, \"objectLaunchTime\": \"1649806995010\", \"objectCmd\": \"C:\\\\Windows\\\\system32\\\\sppsvc.exe\", \"objectAuthId\": \"996\", \"objectIntegrityLevel\": 16384, \"objectFileHashId\": \"-4729198244400997661\", \"objectRunAsLocalAccount\": false}}" + }, + "expected": { + "message": "{\"source\": \"endpointActivityData\", \"uuid\": 
\"2d4af1a4-d784-4a91-9634-b0166f9118ef\", \"filters\": [{\"id\": \"F4231\", \"name\": \"Service Execution via Service Control Manager\", \"description\": \"Service Control Manager (services.exe) has executed a process\", \"mitreTacticIds\": [\"TA0002\"], \"mitreTechniqueIds\": [\"T1560.002\"], \"highlightedObjects\": [{\"type\": \"port\", \"field\": \"objectPort\", \"value\": 443}], \"riskLevel\": \"info\", \"type\": \"custom\"}], \"endpoint\": {\"endpointName\": \"LAB-Luwak-1048\", \"agentGuid\": \"b1cde761-16ad-4067-9a57-cbea882915df\", \"ips\": [\"150.183.13.135\", \"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e\"]}, \"entityType\": \"endpoint\", \"entityName\": \"desktop 1 (110.205.134.245) or 110.205.134.245 | xxxx@gmail.com | arn:aws:lambda:*:%s:function:%s | k8s_container-8c55678bd-8r7zt_default_c1e0cf9a-47bb-41e7-ad41-bac976462a81_6411 | 6d7d30d2148a | -\", \"detectedDateTime\": \"2020-06-01T02:12:56Z\", \"ingestedDateTime\": \"2020-06-01T02:12:56Z\", \"detail\": {\"eventTime\": \"1649806995000\", \"tags\": [\"MITREV9.T1569.002\", \"XSAE.F4231\"], \"uuid\": \"2d4af1a4-d784-4a91-9634-b0166f9118ef\", \"productCode\": \"xes\", \"filterRiskLevel\": \"info\", \"bitwiseFilterRiskLevel\": 1, \"eventId\": \"1\", \"eventSubId\": 2, \"eventHashId\": \"-7817927890991207527\", \"firstSeen\": \"1649806995000\", \"lastSeen\": \"1649806995000\", \"endpointGuid\": \"b1cde761-16ad-4067-9a57-cbea882915df\", \"endpointHostName\": \"LAB-Luwak-1048\", \"endpointIp\": [\"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e\", \"150.183.13.135\"], \"endpointMacAddress\": [\"00:50:56:89:09:9b\"], \"timezone\": \"UTC+08:00\", \"pname\": \"751\", \"pver\": \"1.2.0.2454\", \"plang\": 1, \"pplat\": 5889, \"osName\": \"Windows\", \"osVer\": \"10.0.19044\", \"osDescription\": \"Windows 10 Enterprise (64 bit) build 19044\", \"osType\": \"0x00000004\", \"processHashId\": \"8149551095598764453\", \"processName\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"processPid\": 672, \"sessionId\": 0, 
\"processUser\": \"SYSTEM\", \"processUserDomain\": \"NT AUTHORITY\", \"processLaunchTime\": \"1646826182237\", \"processCmd\": \"C:\\\\Windows\\\\system32\\\\services.exe\", \"authId\": \"999\", \"integrityLevel\": 16384, \"processFileHashId\": \"-4092577940452904134\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"processFileHashSha1\": \"a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e\", \"processFileHashSha256\": \"ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08\", \"processFileHashMd5\": \"dac02fbf9bebb39e34afe11bfddf2f83\", \"processSigner\": [\"Microsoft Windows Publisher\"], \"processSignerValid\": [true], \"processFileSize\": \"714856\", \"processFileCreation\": \"1618396713939\", \"processFileModifiedTime\": \"1618396713971\", \"processTrueType\": 7, \"objectHashId\": \"499492567380524547\", \"objectUser\": \"NETWORK SERVICE\", \"objectUserDomain\": \"NT AUTHORITY\", \"objectSessionId\": \"0\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\sppsvc.exe\", \"objectFileHashSha1\": \"42aeb6f7261c3c0521d19a77d2ea1956d122921f\", \"objectFileHashSha256\": \"be86edb76a659ddb715dbe985013683bf7831736a779178b28240ee74e393c21\", \"objectFileHashMd5\": \"e47a33a58764cd5cb567000035876e1a\", \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectFileSize\": \"4629328\", \"objectFileCreation\": \"1646822883174\", \"objectFileModifiedTime\": \"1646822883393\", \"objectTrueType\": 7, \"objectName\": \"C:\\\\Windows\\\\System32\\\\sppsvc.exe\", \"objectPid\": 3832, \"objectLaunchTime\": \"1649806995010\", \"objectCmd\": \"C:\\\\Windows\\\\system32\\\\sppsvc.exe\", \"objectAuthId\": \"996\", \"objectIntegrityLevel\": 16384, \"objectFileHashId\": \"-4729198244400997661\", \"objectRunAsLocalAccount\": false}}", + "event": { + "category": [ + "intrusion_detection" + ], + "end": "2022-04-12T23:43:15Z", + "start": "2022-04-12T23:43:15Z", + "type": [ + "info" + ] + }, + "@timestamp": "2020-06-01T02:12:56Z", + 
"agent": { + "id": "b1cde761-16ad-4067-9a57-cbea882915df" + }, + "host": { + "id": "b1cde761-16ad-4067-9a57-cbea882915df", + "ip": [ + "150.183.13.135", + "433e:5c7b:50b0:d145:2c61:9d1d:f317:627e" + ], + "name": "LAB-Luwak-1048", + "os": { + "full": "Windows 10 Enterprise (64 bit) build 19044", + "name": "Windows", + "version": "10.0.19044" + } + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "C:\\Windows\\system32\\sppsvc.exe", + "name": "services.exe", + "parent": { + "command_line": "C:\\Windows\\system32\\services.exe", + "executable": "C:\\Windows\\System32\\services.exe", + "hash": { + "md5": "dac02fbf9bebb39e34afe11bfddf2f83", + "sha1": "a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e", + "sha256": "ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08" + }, + "pid": 672, + "start": "2022-03-09T11:43:02.237000Z", + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM" + } + }, + "pid": 3832 + }, + "related": { + "hash": [ + "a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e", + "ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08", + "dac02fbf9bebb39e34afe11bfddf2f83" + ], + "ip": [ + "150.183.13.135", + "433e:5c7b:50b0:d145:2c61:9d1d:f317:627e" + ], + "user": [ + "NETWORK SERVICE" + ] + }, + "threat": { + "tactic": { + "id": [ + "TA0002" + ] + }, + "technique": { + "subtechnique": { + "id": [ + "T1560.002" + ] + } + } + }, + "user": { + "domain": "NT AUTHORITY", + "name": "NETWORK SERVICE" + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json new file mode 100644 index 000000000..75fff3679 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json 
@@ -0,0 +1,108 @@ +{ + "input": { + "message": "{\"source\": \"endpointActivityData\", \"uuid\": \"541ec898-a229-49ae-831a-04f0a8fdb256\", \"detectedDateTime\": \"2024-11-26T16:45:02Z\", \"filters\": [{\"id\": \"F3457\", \"name\": \"Execution of System Discovery Tools\", \"description\": \"Detects the execution of system discovery tools\", \"highlightedObjects\": [{\"field\": \"objectCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\klist.exe\\\"\"}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0007\"], \"mitreTechniqueIds\": [\"T1082\"], \"riskLevel\": \"low\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"239.144.71.57\"], \"eventId\": \"1\", \"eventSubId\": 2, \"eventTime\": \"1732639502571\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639502571\", \"groupId\": \"3927f750-c536-480a-ae9f-d9ede20f4a9e\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639502571\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\klist.exe\\\"\", \"objectFileHashMd5\": \"c0ab059977511f3da83329c7562224e0\", \"objectFileHashSha1\": \"a4c1830c1e00779c50626a5ea93b8a54e2e3960b\", \"objectFileHashSha256\": \"f4c3734b96965947a3f42c6509538774bd0ecea110edfcb9f7463c83c90f32a7\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\klist.exe\", \"objectHashId\": \"-4153650555873691306\", \"objectIntegrityLevel\": 12288, \"objectName\": \"C:\\\\Windows\\\\System32\\\\klist.exe\", \"objectPid\": 3464, \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectTrueType\": 7, 
\"objectUser\": \"jdoe\", \"objectUserDomain\": \"Windows10\", \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"a377274ae8e84c7e8ff5fd1b3bb9d080\", \"parentFileHashSha1\": \"b1db7fd8ea0d2fb6ca854609c9ff7de5a822b316\", \"parentFileHashSha256\": \"4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": \"fe6a3a98112b13aaad196444afcc041c\", \"processFileHashSha1\": \"0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b\", \"processFileHashSha256\": \"09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F3457\", \"MITRE.T1082\"], \"uuid\": \"775a187e-723d-4889-a532-0835e28ab109\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"-1446580424195895092\", \"processFileSize\": 
\"212992\", \"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"parentSignerFlagsLibValid\": [false], \"objectFileCreation\": \"1728117145131\", \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"objectFileSize\": \"76288\", \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectFileModifiedTime\": \"1728117145131\", \"objectSignerFlagsRuntime\": [false], \"objectSessionId\": \"2\", \"objectRunAsLocalAccount\": false, \"objectSignerFlagsLibValid\": [false], \"objectLaunchTime\": \"1732639502565\", \"objectSignerFlagsAdhoc\": [false], \"objectAuthId\": \"1494147\", \"objectFileHashId\": \"-8054087497998296081\", \"processUserGroupSids\": [\"S-1-1-0\", \"S-1-5-114\"], \"objectUserGroupSids\": [\"S-1-1-0\", \"S-1-5-114\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,239.144.71.57)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"239.144.71.57\"], \"agentGuid\": \"9f6b89c4-c3b2-4b9f-9401-dae324506ceb\", \"endpointName\": \"Windows10\"}}" + }, + "expected": { + "message": "{\"source\": \"endpointActivityData\", \"uuid\": \"541ec898-a229-49ae-831a-04f0a8fdb256\", \"detectedDateTime\": \"2024-11-26T16:45:02Z\", \"filters\": [{\"id\": \"F3457\", \"name\": \"Execution of System Discovery Tools\", \"description\": \"Detects the execution of system discovery tools\", \"highlightedObjects\": [{\"field\": 
\"objectCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\klist.exe\\\"\"}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0007\"], \"mitreTechniqueIds\": [\"T1082\"], \"riskLevel\": \"low\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"239.144.71.57\"], \"eventId\": \"1\", \"eventSubId\": 2, \"eventTime\": \"1732639502571\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639502571\", \"groupId\": \"3927f750-c536-480a-ae9f-d9ede20f4a9e\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639502571\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\klist.exe\\\"\", \"objectFileHashMd5\": \"c0ab059977511f3da83329c7562224e0\", \"objectFileHashSha1\": \"a4c1830c1e00779c50626a5ea93b8a54e2e3960b\", \"objectFileHashSha256\": \"f4c3734b96965947a3f42c6509538774bd0ecea110edfcb9f7463c83c90f32a7\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\klist.exe\", \"objectHashId\": \"-4153650555873691306\", \"objectIntegrityLevel\": 12288, \"objectName\": \"C:\\\\Windows\\\\System32\\\\klist.exe\", \"objectPid\": 3464, \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectTrueType\": 7, \"objectUser\": \"jdoe\", \"objectUserDomain\": \"Windows10\", \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"a377274ae8e84c7e8ff5fd1b3bb9d080\", \"parentFileHashSha1\": \"b1db7fd8ea0d2fb6ca854609c9ff7de5a822b316\", \"parentFileHashSha256\": 
\"4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": \"fe6a3a98112b13aaad196444afcc041c\", \"processFileHashSha1\": \"0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b\", \"processFileHashSha256\": \"09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F3457\", \"MITRE.T1082\"], \"uuid\": \"775a187e-723d-4889-a532-0835e28ab109\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"-1446580424195895092\", \"processFileSize\": \"212992\", \"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": 
\"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"parentSignerFlagsLibValid\": [false], \"objectFileCreation\": \"1728117145131\", \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"objectFileSize\": \"76288\", \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectFileModifiedTime\": \"1728117145131\", \"objectSignerFlagsRuntime\": [false], \"objectSessionId\": \"2\", \"objectRunAsLocalAccount\": false, \"objectSignerFlagsLibValid\": [false], \"objectLaunchTime\": \"1732639502565\", \"objectSignerFlagsAdhoc\": [false], \"objectAuthId\": \"1494147\", \"objectFileHashId\": \"-8054087497998296081\", \"processUserGroupSids\": [\"S-1-1-0\", \"S-1-5-114\"], \"objectUserGroupSids\": [\"S-1-1-0\", \"S-1-5-114\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,239.144.71.57)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"239.144.71.57\"], \"agentGuid\": \"9f6b89c4-c3b2-4b9f-9401-dae324506ceb\", \"endpointName\": \"Windows10\"}}", + "event": { + "category": [ + "intrusion_detection" + ], + "end": "2024-11-26T16:45:02.571000Z", + "start": "2024-11-26T16:45:02.571000Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-26T16:45:02Z", + "agent": { + "id": "9f6b89c4-c3b2-4b9f-9401-dae324506ceb" + }, + "group": { + "id": "3927f750-c536-480a-ae9f-d9ede20f4a9e" + }, + "host": { + "id": "1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1", + "ip": [ + "1802:d896:65fe:b84:742d:615:f69b:6600", + "239.144.71.57" + ], + "name": "Windows10", + "os": { + "full": "Windows 10 Pro (64 bit) build 19045", + "name": "Windows", + "version": "10.0.19045" + } + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": 
"\"C:\\Windows\\system32\\klist.exe\"", + "name": "powershell_ise.exe", + "parent": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "md5": "fe6a3a98112b13aaad196444afcc041c", + "sha1": "0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b", + "sha256": "09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "md5": "a377274ae8e84c7e8ff5fd1b3bb9d080", + "sha1": "b1db7fd8ea0d2fb6ca854609c9ff7de5a822b316", + "sha256": "4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac" + }, + "name": "explorer.exe", + "pid": "9920", + "start": "2024-11-26T16:35:53.785000Z", + "user": { + "domain": "Windows10", + "name": "jdoe" + } + }, + "pid": 5040, + "start": "2024-11-26T16:37:55.967000Z", + "user": { + "domain": "Windows10", + "name": "jdoe" + } + }, + "pid": 3464 + }, + "related": { + "hash": [ + "09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed", + "0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b", + "fe6a3a98112b13aaad196444afcc041c" + ], + "ip": [ + "1802:d896:65fe:b84:742d:615:f69b:6600", + "239.144.71.57" + ], + "user": [ + "jdoe" + ] + }, + "threat": { + "tactic": { + "id": [ + "TA0007" + ] + }, + "technique": { + "id": [ + "T1082" + ] + } + }, + "user": { + "domain": "Windows10", + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json new file mode 100644 index 000000000..a93027304 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json 
@@ -0,0 +1,126 @@ +{ + "input": { + "message": "{\"source\": \"endpointActivityData\", \"uuid\": \"43483725-969b-4fb8-a453-c2353a9a5e12\", \"detectedDateTime\": \"2024-11-26T16:45:01Z\", \"filters\": [{\"id\": \"F3367\", \"name\": \"Sensitive File Locating via Powershell\", \"description\": \"Locate files deemed sensitive via Powershell\", \"highlightedObjects\": [{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { 
Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0009\"], \"mitreTechniqueIds\": [\"T1005\"], \"riskLevel\": \"low\", \"type\": \"preset\"}, {\"id\": \"F1971\", \"name\": \"Modify File Last Modified Timestamp With PowerShell\", \"description\": \"An attempt to modify file's last modified timestamp using Powershell was detected on an endpoint.\", \"highlightedObjects\": [{\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, 
{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ 
CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0005\"], \"mitreTechniqueIds\": [\"T1070\", \"T1070.006\"], \"riskLevel\": \"info\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"9567d4bc-ce0b-45cf-b259-138beb4c80c3\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"eventId\": \"11\", \"eventSubId\": 901, \"eventTime\": \"1732639501774\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639501774\", \"groupId\": \"a1c0d757-0961-40a4-8a00-bf9b2922d5de\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639503446\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectAppName\": \"PowerShell_C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe_10.0.19041.1\", \"objectHashId\": 
\"-1780503710981816722\", \"objectRawDataStr\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + 
$_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"], \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"f8ad78f2ad64799786242d69ef77edd7\", \"parentFileHashSha1\": \"f021ca2dca81ee77aa80467096a804a26cd11364\", \"parentFileHashSha256\": \"f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": 
\"bd5cf4568d83088240e3b33f9f9838b1\", \"processFileHashSha1\": \"b1692a60d67dc55538f9a25ad3874a6a8f6bb089\", \"processFileHashSha256\": \"4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F1971\", \"XSAE.F3367\", \"MITRE.T1005\", \"MITRE.T1070.006\", \"MITRE.T1070\"], \"uuid\": \"b2ece961-6eed-43f1-8890-a8d926840049\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"7588760429245659303\", \"processFileSize\": \"212992\", \"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"objectFirstSeen\": \"1732639501774\", \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"objectLastSeen\": \"1732639503446\", \"parentSignerFlagsLibValid\": [false], \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectSessionId\": \"19746\", \"objectRawDataSize\": [\"2995\", \"3802\", \"50\", \"55\", \"44\", \"32\", \"169\", \"169\", \"170\", \"56\", \"107\", \"1848\", 
\"1719\", \"411\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,193.103.164.106)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"agentGuid\": \"8e53268d-8348-4fd4-a314-b742448960c9\", \"endpointName\": \"Windows10\"}}" + }, + "expected": { + "message": "{\"source\": \"endpointActivityData\", \"uuid\": \"43483725-969b-4fb8-a453-c2353a9a5e12\", \"detectedDateTime\": \"2024-11-26T16:45:01Z\", \"filters\": [{\"id\": \"F3367\", \"name\": \"Sensitive File Locating via Powershell\", \"description\": \"Locate files deemed sensitive via Powershell\", \"highlightedObjects\": [{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n 
else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0009\"], \"mitreTechniqueIds\": [\"T1005\"], \"riskLevel\": \"low\", \"type\": \"preset\"}, {\"id\": \"F1971\", \"name\": \"Modify File Last Modified Timestamp With PowerShell\", \"description\": \"An attempt to modify file's last modified timestamp using Powershell was detected on an endpoint.\", \"highlightedObjects\": [{\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, 
{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ 
CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0005\"], \"mitreTechniqueIds\": [\"T1070\", \"T1070.006\"], \"riskLevel\": \"info\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"9567d4bc-ce0b-45cf-b259-138beb4c80c3\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"eventId\": \"11\", \"eventSubId\": 901, \"eventTime\": \"1732639501774\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639501774\", \"groupId\": \"a1c0d757-0961-40a4-8a00-bf9b2922d5de\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639503446\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectAppName\": \"PowerShell_C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe_10.0.19041.1\", \"objectHashId\": 
\"-1780503710981816722\", \"objectRawDataStr\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + 
$_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"], \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"f8ad78f2ad64799786242d69ef77edd7\", \"parentFileHashSha1\": \"f021ca2dca81ee77aa80467096a804a26cd11364\", \"parentFileHashSha256\": \"f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": 
\"bd5cf4568d83088240e3b33f9f9838b1\", \"processFileHashSha1\": \"b1692a60d67dc55538f9a25ad3874a6a8f6bb089\", \"processFileHashSha256\": \"4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F1971\", \"XSAE.F3367\", \"MITRE.T1005\", \"MITRE.T1070.006\", \"MITRE.T1070\"], \"uuid\": \"b2ece961-6eed-43f1-8890-a8d926840049\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"7588760429245659303\", \"processFileSize\": \"212992\", \"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"objectFirstSeen\": \"1732639501774\", \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"objectLastSeen\": \"1732639503446\", \"parentSignerFlagsLibValid\": [false], \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectSessionId\": \"19746\", \"objectRawDataSize\": [\"2995\", \"3802\", \"50\", \"55\", \"44\", \"32\", \"169\", \"169\", \"170\", \"56\", \"107\", \"1848\", 
\"1719\", \"411\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,193.103.164.106)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"agentGuid\": \"8e53268d-8348-4fd4-a314-b742448960c9\", \"endpointName\": \"Windows10\"}}", + "event": { + "category": [ + "intrusion_detection" + ], + "end": "2024-11-26T16:45:03.446000Z", + "start": "2024-11-26T16:45:01.774000Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-26T16:45:01Z", + "action": { + "properties": { + "ScriptBlockText": [ + "\r\n $_.PSParentPath.Replace(\"Microsoft.PowerShell.Core\\FileSystem::\", \"\")\r\n ", + "\r\n [String]::Format(\"{0,10} {1,8}\", $_.LastWriteTime.ToString(\"d\"), $_.LastWriteTime.ToString(\"t\"))\r\n ", + "\r\n if ($_.FullyQualifiedErrorId -ne \"NativeCommandErrorMessage\" -and $ErrorView -ne \"CategoryView\")\r\n {\r\n $myinv = $_.InvocationInfo\r\n if ($myinv -and $myinv.MyCommand)\r\n {\r\n switch -regex ( $myinv.MyCommand.CommandType )\r\n {\r\n ([System.Management.Automation.CommandTypes]::ExternalScript)\r\n {\r\n if ($myinv.MyCommand.Path)\r\n {\r\n $myinv.MyCommand.Path + \" : \"\r\n }\r\n break\r\n }\r\n ([System.Management.Automation.CommandTypes]::Script)\r\n {\r\n if ($myinv.MyCommand.ScriptBlock)\r\n {\r\n $myinv.MyCommand.ScriptBlock.ToString() + \" : \"\r\n }\r\n break\r\n }\r\n default\r\n {\r\n if ($myinv.InvocationName -match '^[&\\.]?$')\r\n {\r\n if ($myinv.MyCommand.Name)\r\n {\r\n $myinv.MyCommand.Name + \" : \"\r\n }\r\n }\r\n else\r\n {\r\n $myinv.InvocationName + \" : \"\r\n }\r\n break\r\n }\r\n }\r\n }\r\n elseif ($myinv -and $myinv.InvocationName)\r\n {\r\n $myinv.InvocationName + \" : \"\r\n }\r\n }\r\n ", + "\r\n if ($_.FullyQualifiedErrorId -eq \"NativeCommandErrorMessage\") {\r\n $_.Exception.Message \r\n }\r\n else\r\n {\r\n $myinv = $_.InvocationInfo\r\n if ($myinv -and ($myinv.MyCommand -or 
($_.CategoryInfo.Category -ne 'ParserError'))) {\r\n $posmsg = $myinv.PositionMessage\r\n } else {\r\n $posmsg = \"\"\r\n }\r\n \r\n if ($posmsg -ne \"\")\r\n {\r\n $posmsg = \"`n\" + $posmsg\r\n }\r\n \t\t\t\t \r\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\r\n $posmsg = \" : \" + $_.PSMessageDetails + $posmsg \r\n }\r\n\r\n $indent = 4\r\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\r\n\r\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\r\n if ($errorCategoryMsg -ne $null)\r\n {\r\n $indentString = \"+ CategoryInfo : \" + $_.ErrorCategory_Message\r\n }\r\n else\r\n {\r\n $indentString = \"+ CategoryInfo : \" + $_.CategoryInfo\r\n }\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n\r\n $indentString = \"+ FullyQualifiedErrorId : \" + $_.FullyQualifiedErrorId\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n\r\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\r\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\r\n {\r\n $indentString = \"+ PSComputerName : \" + $originInfo.PSComputerName\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n }\r\n\r\n if ($ErrorView -eq \"CategoryView\") {\r\n $_.CategoryInfo.GetMessage()\r\n }\r\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\r\n $_.Exception.Message + $posmsg + \"`n \"\r\n } else {\r\n $_.ErrorDetails.Message + $posmsg\r\n }\r\n }\r\n ", + "if ($_ -is [System.IO.DirectoryInfo]) { return '' }\r\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\r\n{\r\n return '({0})' -f $_.Length\r\n}\r\nreturn $_.Length", + "{\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }", + "{\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction 
SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }", + "{\n Write-Host $_.FullName\n }", + "{\n $Drive = $_\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host 
-ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }\n}", + "{\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\n Write-Host \"$_ Found!\" -ForegroundColor red\n }\n}", + "{\n if (Test-Path $_) {\n Write-Host \"$_ found.\"\n }\n}", + "{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }", + "{ Set-StrictMode -Version 1; $_.OriginInfo }", + "{ Set-StrictMode -Version 1; $_.PSMessageDetails }" + ] + } + }, + "agent": { + "id": "8e53268d-8348-4fd4-a314-b742448960c9" + }, + "group": { + "id": "a1c0d757-0961-40a4-8a00-bf9b2922d5de" + }, + "host": { + "id": "9567d4bc-ce0b-45cf-b259-138beb4c80c3", + "ip": [ + "1802:d896:65fe:b84:742d:615:f69b:6600", + "193.103.164.106" + ], + "name": "Windows10", + "os": { + "full": "Windows 10 Pro (64 bit) build 19045", + "name": "Windows", + "version": "10.0.19045" + } + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "name": "powershell_ise.exe", + "parent": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "md5": "bd5cf4568d83088240e3b33f9f9838b1", + "sha1": "b1692a60d67dc55538f9a25ad3874a6a8f6bb089", + "sha256": "4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "md5": "f8ad78f2ad64799786242d69ef77edd7", + "sha1": "f021ca2dca81ee77aa80467096a804a26cd11364", + "sha256": "f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f" + }, + "name": "explorer.exe", + "pid": "9920", + "start": "2024-11-26T16:35:53.785000Z", + "user": { + "domain": "Windows10", + "name": "jdoe" + } + }, + "pid": 5040, + "start": "2024-11-26T16:37:55.967000Z", + "user": { + "domain": "Windows10", + "name": "jdoe" + } + } + }, + "related": { + "hash": [ + 
"4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2", + "b1692a60d67dc55538f9a25ad3874a6a8f6bb089", + "bd5cf4568d83088240e3b33f9f9838b1" + ], + "ip": [ + "1802:d896:65fe:b84:742d:615:f69b:6600", + "193.103.164.106" + ] + }, + "threat": { + "tactic": { + "id": [ + "TA0005", + "TA0009" + ] + }, + "technique": { + "id": [ + "T1005", + "T1070" + ], + "subtechnique": { + "id": [ + "T1070.006" + ] + } + } + } + } +} \ No newline at end of file