test_observed_attack_technique_1.json
{
"input": {
"message": "{\"source\": \"endpointActivityData\", \"uuid\": \"2d4af1a4-d784-4a91-9634-b0166f9118ef\", \"filters\": [{\"id\": \"F4231\", \"name\": \"Service Execution via Service Control Manager\", \"description\": \"Service Control Manager (services.exe) has executed a process\", \"mitreTacticIds\": [\"TA0002\"], \"mitreTechniqueIds\": [\"T1560.002\"], \"highlightedObjects\": [{\"type\": \"port\", \"field\": \"objectPort\", \"value\": 443}], \"riskLevel\": \"info\", \"type\": \"custom\"}], \"endpoint\": {\"endpointName\": \"LAB-Luwak-1048\", \"agentGuid\": \"b1cde761-16ad-4067-9a57-cbea882915df\", \"ips\": [\"150.183.13.135\", \"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e\"]}, \"entityType\": \"endpoint\", \"entityName\": \"desktop 1 (110.205.134.245) or 110.205.134.245 | xxxx@gmail.com | arn:aws:lambda:*:%s:function:%s | k8s_container-8c55678bd-8r7zt_default_c1e0cf9a-47bb-41e7-ad41-bac976462a81_6411 | 6d7d30d2148a | -\", \"detectedDateTime\": \"2020-06-01T02:12:56Z\", \"ingestedDateTime\": \"2020-06-01T02:12:56Z\", \"detail\": {\"eventTime\": \"1649806995000\", \"tags\": [\"MITREV9.T1569.002\", \"XSAE.F4231\"], \"uuid\": \"2d4af1a4-d784-4a91-9634-b0166f9118ef\", \"productCode\": \"xes\", \"filterRiskLevel\": \"info\", \"bitwiseFilterRiskLevel\": 1, \"eventId\": \"1\", \"eventSubId\": 2, \"eventHashId\": \"-7817927890991207527\", \"firstSeen\": \"1649806995000\", \"lastSeen\": \"1649806995000\", \"endpointGuid\": \"b1cde761-16ad-4067-9a57-cbea882915df\", \"endpointHostName\": \"LAB-Luwak-1048\", \"endpointIp\": [\"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e\", \"150.183.13.135\"], \"endpointMacAddress\": [\"00:50:56:89:09:9b\"], \"timezone\": \"UTC+08:00\", \"pname\": \"751\", \"pver\": \"1.2.0.2454\", \"plang\": 1, \"pplat\": 5889, \"osName\": \"Windows\", \"osVer\": \"10.0.19044\", \"osDescription\": \"Windows 10 Enterprise (64 bit) build 19044\", \"osType\": \"0x00000004\", \"processHashId\": \"8149551095598764453\", \"processName\": 
\"C:\\\\Windows\\\\System32\\\\services.exe\", \"processPid\": 672, \"sessionId\": 0, \"processUser\": \"SYSTEM\", \"processUserDomain\": \"NT AUTHORITY\", \"processLaunchTime\": \"1646826182237\", \"processCmd\": \"C:\\\\Windows\\\\system32\\\\services.exe\", \"authId\": \"999\", \"integrityLevel\": 16384, \"processFileHashId\": \"-4092577940452904134\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"processFileHashSha1\": \"a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e\", \"processFileHashSha256\": \"ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08\", \"processFileHashMd5\": \"dac02fbf9bebb39e34afe11bfddf2f83\", \"processSigner\": [\"Microsoft Windows Publisher\"], \"processSignerValid\": [true], \"processFileSize\": \"714856\", \"processFileCreation\": \"1618396713939\", \"processFileModifiedTime\": \"1618396713971\", \"processTrueType\": 7, \"objectHashId\": \"499492567380524547\", \"objectUser\": \"NETWORK SERVICE\", \"objectUserDomain\": \"NT AUTHORITY\", \"objectSessionId\": \"0\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\sppsvc.exe\", \"objectFileHashSha1\": \"42aeb6f7261c3c0521d19a77d2ea1956d122921f\", \"objectFileHashSha256\": \"be86edb76a659ddb715dbe985013683bf7831736a779178b28240ee74e393c21\", \"objectFileHashMd5\": \"e47a33a58764cd5cb567000035876e1a\", \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectFileSize\": \"4629328\", \"objectFileCreation\": \"1646822883174\", \"objectFileModifiedTime\": \"1646822883393\", \"objectTrueType\": 7, \"objectName\": \"C:\\\\Windows\\\\System32\\\\sppsvc.exe\", \"objectPid\": 3832, \"objectLaunchTime\": \"1649806995010\", \"objectCmd\": \"C:\\\\Windows\\\\system32\\\\sppsvc.exe\", \"objectAuthId\": \"996\", \"objectIntegrityLevel\": 16384, \"objectFileHashId\": \"-4729198244400997661\", \"objectRunAsLocalAccount\": false}}"
},
"expected": {
"message": "{\"source\": \"endpointActivityData\", \"uuid\": \"2d4af1a4-d784-4a91-9634-b0166f9118ef\", \"filters\": [{\"id\": \"F4231\", \"name\": \"Service Execution via Service Control Manager\", \"description\": \"Service Control Manager (services.exe) has executed a process\", \"mitreTacticIds\": [\"TA0002\"], \"mitreTechniqueIds\": [\"T1560.002\"], \"highlightedObjects\": [{\"type\": \"port\", \"field\": \"objectPort\", \"value\": 443}], \"riskLevel\": \"info\", \"type\": \"custom\"}], \"endpoint\": {\"endpointName\": \"LAB-Luwak-1048\", \"agentGuid\": \"b1cde761-16ad-4067-9a57-cbea882915df\", \"ips\": [\"150.183.13.135\", \"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e\"]}, \"entityType\": \"endpoint\", \"entityName\": \"desktop 1 (110.205.134.245) or 110.205.134.245 | xxxx@gmail.com | arn:aws:lambda:*:%s:function:%s | k8s_container-8c55678bd-8r7zt_default_c1e0cf9a-47bb-41e7-ad41-bac976462a81_6411 | 6d7d30d2148a | -\", \"detectedDateTime\": \"2020-06-01T02:12:56Z\", \"ingestedDateTime\": \"2020-06-01T02:12:56Z\", \"detail\": {\"eventTime\": \"1649806995000\", \"tags\": [\"MITREV9.T1569.002\", \"XSAE.F4231\"], \"uuid\": \"2d4af1a4-d784-4a91-9634-b0166f9118ef\", \"productCode\": \"xes\", \"filterRiskLevel\": \"info\", \"bitwiseFilterRiskLevel\": 1, \"eventId\": \"1\", \"eventSubId\": 2, \"eventHashId\": \"-7817927890991207527\", \"firstSeen\": \"1649806995000\", \"lastSeen\": \"1649806995000\", \"endpointGuid\": \"b1cde761-16ad-4067-9a57-cbea882915df\", \"endpointHostName\": \"LAB-Luwak-1048\", \"endpointIp\": [\"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e\", \"150.183.13.135\"], \"endpointMacAddress\": [\"00:50:56:89:09:9b\"], \"timezone\": \"UTC+08:00\", \"pname\": \"751\", \"pver\": \"1.2.0.2454\", \"plang\": 1, \"pplat\": 5889, \"osName\": \"Windows\", \"osVer\": \"10.0.19044\", \"osDescription\": \"Windows 10 Enterprise (64 bit) build 19044\", \"osType\": \"0x00000004\", \"processHashId\": \"8149551095598764453\", \"processName\": 
\"C:\\\\Windows\\\\System32\\\\services.exe\", \"processPid\": 672, \"sessionId\": 0, \"processUser\": \"SYSTEM\", \"processUserDomain\": \"NT AUTHORITY\", \"processLaunchTime\": \"1646826182237\", \"processCmd\": \"C:\\\\Windows\\\\system32\\\\services.exe\", \"authId\": \"999\", \"integrityLevel\": 16384, \"processFileHashId\": \"-4092577940452904134\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"processFileHashSha1\": \"a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e\", \"processFileHashSha256\": \"ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08\", \"processFileHashMd5\": \"dac02fbf9bebb39e34afe11bfddf2f83\", \"processSigner\": [\"Microsoft Windows Publisher\"], \"processSignerValid\": [true], \"processFileSize\": \"714856\", \"processFileCreation\": \"1618396713939\", \"processFileModifiedTime\": \"1618396713971\", \"processTrueType\": 7, \"objectHashId\": \"499492567380524547\", \"objectUser\": \"NETWORK SERVICE\", \"objectUserDomain\": \"NT AUTHORITY\", \"objectSessionId\": \"0\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\sppsvc.exe\", \"objectFileHashSha1\": \"42aeb6f7261c3c0521d19a77d2ea1956d122921f\", \"objectFileHashSha256\": \"be86edb76a659ddb715dbe985013683bf7831736a779178b28240ee74e393c21\", \"objectFileHashMd5\": \"e47a33a58764cd5cb567000035876e1a\", \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectFileSize\": \"4629328\", \"objectFileCreation\": \"1646822883174\", \"objectFileModifiedTime\": \"1646822883393\", \"objectTrueType\": 7, \"objectName\": \"C:\\\\Windows\\\\System32\\\\sppsvc.exe\", \"objectPid\": 3832, \"objectLaunchTime\": \"1649806995010\", \"objectCmd\": \"C:\\\\Windows\\\\system32\\\\sppsvc.exe\", \"objectAuthId\": \"996\", \"objectIntegrityLevel\": 16384, \"objectFileHashId\": \"-4729198244400997661\", \"objectRunAsLocalAccount\": false}}",
"event": {
"category": [
"intrusion_detection"
],
"dataset": "endpointActivityData",
"end": "2022-04-12T23:43:15Z",
"start": "2022-04-12T23:43:15Z",
"type": [
"info"
]
},
"@timestamp": "2020-06-01T02:12:56Z",
"agent": {
"id": "b1cde761-16ad-4067-9a57-cbea882915df"
},
"host": {
"id": "b1cde761-16ad-4067-9a57-cbea882915df",
"ip": [
"150.183.13.135",
"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e"
],
"name": "LAB-Luwak-1048",
"os": {
"full": "Windows 10 Enterprise (64 bit) build 19044",
"name": "Windows",
"version": "10.0.19044"
}
},
"observer": {
"product": "Vision One",
"vendor": "TrendMicro"
},
"process": {
"command_line": "C:\\Windows\\system32\\sppsvc.exe",
"name": "services.exe",
"parent": {
"command_line": "C:\\Windows\\system32\\services.exe",
"executable": "C:\\Windows\\System32\\services.exe",
"hash": {
"md5": "dac02fbf9bebb39e34afe11bfddf2f83",
"sha1": "a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e",
"sha256": "ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08"
},
"pid": 672,
"start": "2022-03-09T11:43:02.237000Z",
"user": {
"domain": "NT AUTHORITY",
"name": "SYSTEM"
}
},
"pid": 3832
},
"related": {
"hash": [
"a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e",
"ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08",
"dac02fbf9bebb39e34afe11bfddf2f83"
],
"ip": [
"150.183.13.135",
"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e"
],
"user": [
"NETWORK SERVICE"
]
},
"threat": {
"tactic": {
"id": [
"TA0002"
]
},
"technique": {
"subtechnique": {
"id": [
"T1560.002"
]
}
}
},
"user": {
"domain": "NT AUTHORITY",
"name": "NETWORK SERVICE"
}
}
}