test_observed_attack_technique_2.json
{
"input": {
"message": "{\"source\": \"endpointActivityData\", \"uuid\": \"541ec898-a229-49ae-831a-04f0a8fdb256\", \"detectedDateTime\": \"2024-11-26T16:45:02Z\", \"filters\": [{\"id\": \"F3457\", \"name\": \"Execution of System Discovery Tools\", \"description\": \"Detects the execution of system discovery tools\", \"highlightedObjects\": [{\"field\": \"objectCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\klist.exe\\\"\"}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0007\"], \"mitreTechniqueIds\": [\"T1082\"], \"riskLevel\": \"low\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"239.144.71.57\"], \"eventId\": \"1\", \"eventSubId\": 2, \"eventTime\": \"1732639502571\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639502571\", \"groupId\": \"3927f750-c536-480a-ae9f-d9ede20f4a9e\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639502571\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\klist.exe\\\"\", \"objectFileHashMd5\": \"c0ab059977511f3da83329c7562224e0\", \"objectFileHashSha1\": \"a4c1830c1e00779c50626a5ea93b8a54e2e3960b\", \"objectFileHashSha256\": \"f4c3734b96965947a3f42c6509538774bd0ecea110edfcb9f7463c83c90f32a7\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\klist.exe\", \"objectHashId\": \"-4153650555873691306\", \"objectIntegrityLevel\": 12288, \"objectName\": \"C:\\\\Windows\\\\System32\\\\klist.exe\", \"objectPid\": 3464, \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectTrueType\": 7, \"objectUser\": \"jdoe\", 
\"objectUserDomain\": \"Windows10\", \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"a377274ae8e84c7e8ff5fd1b3bb9d080\", \"parentFileHashSha1\": \"b1db7fd8ea0d2fb6ca854609c9ff7de5a822b316\", \"parentFileHashSha256\": \"4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": \"fe6a3a98112b13aaad196444afcc041c\", \"processFileHashSha1\": \"0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b\", \"processFileHashSha256\": \"09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F3457\", \"MITRE.T1082\"], \"uuid\": \"775a187e-723d-4889-a532-0835e28ab109\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"-1446580424195895092\", \"processFileSize\": \"212992\", 
\"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"parentSignerFlagsLibValid\": [false], \"objectFileCreation\": \"1728117145131\", \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"objectFileSize\": \"76288\", \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectFileModifiedTime\": \"1728117145131\", \"objectSignerFlagsRuntime\": [false], \"objectSessionId\": \"2\", \"objectRunAsLocalAccount\": false, \"objectSignerFlagsLibValid\": [false], \"objectLaunchTime\": \"1732639502565\", \"objectSignerFlagsAdhoc\": [false], \"objectAuthId\": \"1494147\", \"objectFileHashId\": \"-8054087497998296081\", \"processUserGroupSids\": [\"S-1-1-0\", \"S-1-5-114\"], \"objectUserGroupSids\": [\"S-1-1-0\", \"S-1-5-114\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,239.144.71.57)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"239.144.71.57\"], \"agentGuid\": \"9f6b89c4-c3b2-4b9f-9401-dae324506ceb\", \"endpointName\": \"Windows10\"}}"
},
"expected": {
"message": "{\"source\": \"endpointActivityData\", \"uuid\": \"541ec898-a229-49ae-831a-04f0a8fdb256\", \"detectedDateTime\": \"2024-11-26T16:45:02Z\", \"filters\": [{\"id\": \"F3457\", \"name\": \"Execution of System Discovery Tools\", \"description\": \"Detects the execution of system discovery tools\", \"highlightedObjects\": [{\"field\": \"objectCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\klist.exe\\\"\"}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0007\"], \"mitreTechniqueIds\": [\"T1082\"], \"riskLevel\": \"low\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"239.144.71.57\"], \"eventId\": \"1\", \"eventSubId\": 2, \"eventTime\": \"1732639502571\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639502571\", \"groupId\": \"3927f750-c536-480a-ae9f-d9ede20f4a9e\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639502571\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\klist.exe\\\"\", \"objectFileHashMd5\": \"c0ab059977511f3da83329c7562224e0\", \"objectFileHashSha1\": \"a4c1830c1e00779c50626a5ea93b8a54e2e3960b\", \"objectFileHashSha256\": \"f4c3734b96965947a3f42c6509538774bd0ecea110edfcb9f7463c83c90f32a7\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\klist.exe\", \"objectHashId\": \"-4153650555873691306\", \"objectIntegrityLevel\": 12288, \"objectName\": \"C:\\\\Windows\\\\System32\\\\klist.exe\", \"objectPid\": 3464, \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectTrueType\": 7, \"objectUser\": \"jdoe\", 
\"objectUserDomain\": \"Windows10\", \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"a377274ae8e84c7e8ff5fd1b3bb9d080\", \"parentFileHashSha1\": \"b1db7fd8ea0d2fb6ca854609c9ff7de5a822b316\", \"parentFileHashSha256\": \"4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": \"fe6a3a98112b13aaad196444afcc041c\", \"processFileHashSha1\": \"0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b\", \"processFileHashSha256\": \"09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F3457\", \"MITRE.T1082\"], \"uuid\": \"775a187e-723d-4889-a532-0835e28ab109\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"-1446580424195895092\", \"processFileSize\": \"212992\", 
\"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"parentSignerFlagsLibValid\": [false], \"objectFileCreation\": \"1728117145131\", \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"objectFileSize\": \"76288\", \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectFileModifiedTime\": \"1728117145131\", \"objectSignerFlagsRuntime\": [false], \"objectSessionId\": \"2\", \"objectRunAsLocalAccount\": false, \"objectSignerFlagsLibValid\": [false], \"objectLaunchTime\": \"1732639502565\", \"objectSignerFlagsAdhoc\": [false], \"objectAuthId\": \"1494147\", \"objectFileHashId\": \"-8054087497998296081\", \"processUserGroupSids\": [\"S-1-1-0\", \"S-1-5-114\"], \"objectUserGroupSids\": [\"S-1-1-0\", \"S-1-5-114\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,239.144.71.57)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"239.144.71.57\"], \"agentGuid\": \"9f6b89c4-c3b2-4b9f-9401-dae324506ceb\", \"endpointName\": \"Windows10\"}}",
"event": {
"category": [
"intrusion_detection"
],
"dataset": "endpointActivityData",
"end": "2024-11-26T16:45:02.571000Z",
"start": "2024-11-26T16:45:02.571000Z",
"type": [
"info"
]
},
"@timestamp": "2024-11-26T16:45:02Z",
"agent": {
"id": "9f6b89c4-c3b2-4b9f-9401-dae324506ceb"
},
"group": {
"id": "3927f750-c536-480a-ae9f-d9ede20f4a9e"
},
"host": {
"id": "1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1",
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"239.144.71.57"
],
"name": "Windows10",
"os": {
"full": "Windows 10 Pro (64 bit) build 19045",
"name": "Windows",
"version": "10.0.19045"
}
},
"observer": {
"product": "Vision One",
"vendor": "TrendMicro"
},
"process": {
"command_line": "\"C:\\Windows\\system32\\klist.exe\"",
"name": "powershell_ise.exe",
"parent": {
"command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ",
"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
"hash": {
"md5": "fe6a3a98112b13aaad196444afcc041c",
"sha1": "0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b",
"sha256": "09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed"
},
"parent": {
"command_line": "C:\\Windows\\Explorer.EXE",
"executable": "C:\\Windows\\explorer.exe",
"hash": {
"md5": "a377274ae8e84c7e8ff5fd1b3bb9d080",
"sha1": "b1db7fd8ea0d2fb6ca854609c9ff7de5a822b316",
"sha256": "4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac"
},
"name": "explorer.exe",
"pid": "9920",
"start": "2024-11-26T16:35:53.785000Z",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
},
"pid": 5040,
"start": "2024-11-26T16:37:55.967000Z",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
},
"pid": 3464
},
"related": {
"hash": [
"09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed",
"0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b",
"fe6a3a98112b13aaad196444afcc041c"
],
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"239.144.71.57"
],
"user": [
"jdoe"
]
},
"threat": {
"tactic": {
"id": [
"TA0007"
]
},
"technique": {
"id": [
"T1082"
]
}
},
"user": {
"domain": "Windows10",
"name": "jdoe"
}
}
}