From 6994bd47155aa517c513b62fa5898efe979e4a1f Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Thu, 9 Jan 2025 16:40:07 +0400 Subject: [PATCH 01/10] Feature: Trend Micro vision one oat --- .../_meta/fields.yml | 40 +++++++++++ .../_meta/manifest.yml | 2 +- .../_meta/smart-descriptions.json | 2 +- .../ingest/parser.yml | 21 +++++- .../test_observed_attack_technique_4.json | 31 +++++++++ .../test_observed_attack_technique_5.json | 43 ++++++++++++ .../test_observed_attack_technique_6.json | 69 +++++++++++++++++++ 7 files changed, 205 insertions(+), 3 deletions(-) create mode 100644 Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json create mode 100644 Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json create mode 100644 Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml index abdf1aea4..30f7b23aa 100644 --- a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml +++ b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml @@ -3,6 +3,46 @@ action.properties.ScriptBlockText: name: action.properties.ScriptBlockText type: keyword +email.attachments: + description: A list of objects describing the attachment files sent along with an + email message + name: email.attachments + type: array + +email.delivery_timestamp: + description: The date and time when the email message was received by the service + or client + name: email.delivery_timestamp + type: date + +email.from.address: + description: 'The email address of the sender, typically from the RFC 5322 
From: + header field' + name: email.from.address + type: keyword + +email.local_id: + description: Unique identifier given to the email by the source that created the + event + name: email.local_id + type: keyword + +email.message_id: + description: 'Identifier from the RFC 5322 Message-ID: email header that refers + to a particular email message' + name: email.message_id + type: keyword + +email.subject: + description: A brief summary of the topic of the message + name: email.subject + type: keyword + +email.to.address: + description: The email address of recipient + name: email.to.address + type: keyword + process.parent.parent.command_line: description: '' name: process.parent.parent.command_line diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml index 221cd1be1..fac477cf6 100644 --- a/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml +++ b/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml @@ -9,4 +9,4 @@ description: >- This intake format will ingest Observed Attack Techniques from Trend Micro Vision One. data_sources: - Network intrusion detection system: \ No newline at end of file + Network intrusion detection system: diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json index 11011507c..656e4f9c7 100644 --- a/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json +++ b/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json @@ -1,5 +1,5 @@ [ - { + { "value": "Observed {threat.tactic.id} tactic(s) and {threat.technique.id}({threat.technique.subtechnique.id}) technique(s) on {host.ip}", "conditions": [ { "field": "threat.tactic.id" }, diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml index d10eac119..71356949d 100644 
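Review bot: The description for `email.to.address` reads `The email address of recipient`, which drops the article that the sibling `email.from.address` entry uses; `description: The email address of the recipient` keeps the two parallel. The `email.attachments` entry is typed `array` with the description "a list of objects", but nothing in this file declares what keys those objects carry, so whatever the parser places inside them is undocumented for readers of the field list; a sentence naming the element keys (or a pointer to the ECS `file.*` sub-fields if that is the intent) would close the gap. The hunk's trailing context shows the `process.parent.parent.command_line` entry continuing past the hunk.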
--- a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml @@ -9,6 +9,8 @@ pipeline: output_field: message - name: set_ecs_fields + - name: set_email_fields + filter: "{{parsed_event.message.scanType in ['exchange_mailbox_realtime_detection_logs', 'realtime_mailmeta-exchange']}}" stages: set_ecs_fields: @@ -68,7 +70,6 @@ stages: process.hash.sha1: "{{parsed_event.message.detail.ObjectFileHashSha1}}" process.hash.sha256: "{{parsed_event.message.detail.ObjectFileHashSha256}}" - threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}" threat.technique.id: > {%- set ids = [] -%} {%- for item in parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = []) -%} @@ -82,3 +83,21 @@ stages: {%- if "." in item -%}{%- set ids = ids.append(item) -%}{%- endif -%} {%- endfor -%} {%- if ids | length > 0 -%}{{ ids | tojson }}{%- endif -%} + + - set: + threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}" + filter: "{{parsed_event.message.filters | length > 0 }}" + + set_email_fields: + actions: + - set: + event.category: ["email"] + event.type: ["info"] + + email.from.address: "{{ parsed_event.message.suser }}" + email.to.address: "{{ parsed_event.message.duser }}" + email.subject: "{{ parsed_event.message.mailMsgSubject }}" + email.local_id: "{{ parsed_event.message.uuid }}" + email.delivery_timestamp: "{{ parsed_event.message.rt_utc }}" + email.message_id: "{{ parsed_event.message.msgId }}" + email.attachments: "{{ parsed_event.message.attachment }}" diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json new file mode 100644 index 000000000..e1caa7923 --- /dev/null 
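Review bot: `email.attachments: "{{ parsed_event.message.attachment }}"` at the end of the new set_email_fields stage copies the vendor array through unchanged, so the event carries the source's own keys (`attachmentFileHash`, `attachmentFileName`, `attachmentFileSize`, `attachmentFileTlsh`) under a field whose declared meaning is a list of ECS attachment objects, and `attachmentFileSize` keeps the string sentinel `"-1"` seen in the fixtures; a consumer looking for the ECS `file.name` / `file.size` / `file.hash.*` sub-fields will not find them, and the 40-hex-character hash is not labelled with its algorithm (it looks like SHA-1, which should be confirmed against the vendor documentation before mapping it). In the same stage `email.from.address: "{{ parsed_event.message.suser }}"` is copied verbatim, and the fixtures show `suser` arriving both as a plain string (test 5) and as a one-element list (tests 4 and 6), so the shape of `email.from.address` changes per event; `email.from.address: "{{ [parsed_event.message.suser] if parsed_event.message.suser is string else parsed_event.message.suser }}"` would give downstream matching one shape to rely on (the `email.to.address` line from `duser` deserves the same treatment if `duser` can also be a scalar). The first two hunks only move `threat.tactic.id` under a `filters | length > 0` guard and add the stage filter; the set_ecs_fields stage continues outside the hunks.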
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json 
@@ -0,0 +1,31 @@ +{ + "input": { + "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@grandreims.fr\",\"suser\":[\"XXXXXX@u-psud.fr\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@u-psud.fr\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@u-psud.fr\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@grandreims.fr\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@grandreims.fr\",\"riskLevel\":\"RISK_DANGEROUS\"}" + }, + "expected": { + "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail 
Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@grandreims.fr\",\"suser\":[\"XXXXXX@u-psud.fr\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@u-psud.fr\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@u-psud.fr\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@grandreims.fr\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@grandreims.fr\",\"riskLevel\":\"RISK_DANGEROUS\"}", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "delivery_timestamp": "2024-12-11T23:47:10.0000000Z", + "from": { + "address": [ + "XXXXXX@u-psud.fr" + ] + }, + "local_id": "05c522d1-e2d8-42da-a06d-1b2a0535b4cf", + "message_id": "XXXXX@u-psud.fr", + "subject": "XXXXXXXXXXX." 
+ }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json new file mode 100644 index 000000000..c844f9164 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json 
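Review bot: The fixture keeps real-looking identifiers next to the masked mailbox local parts: the organisation domains (`grandreims.fr`, `u-psud.fr`), the tenant `orgId`/`groupId` UUID, the Exchange item ids in `msgUuid`/`mailUniqueId`, the `logKey` hash and the shortener URL in `request` are copied verbatim, while only the user part of each address is replaced with `XXXX`. test_observed_attack_technique_5.json (`ubikasec.com`) and test_observed_attack_technique_6.json (`reims.fr`, a partially masked personal name in `samUser`, and the `requests` URLs) have the same pattern. A parser test needs only structurally valid values, so synthetic ones (an `example.org` domain, a constant UUID, a placeholder hash) exercise the same template without committing customer-identifying data to the repository. The file also ends without a trailing newline, as do the two sibling fixtures.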
@@ -0,0 +1,43 @@ +{ + "input": { + "message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@grandreims.fr\",\"duser\":[\"XXXX@ubikasec.com\",\"XXXXX@grandreims.fr\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@grandreims.fr\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@grandreims.fr\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}" + }, + "expected": { + "message": 
"{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@grandreims.fr\",\"duser\":[\"XXXX@ubikasec.com\",\"XXXXX@grandreims.fr\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@grandreims.fr\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@grandreims.fr\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [ + { + "attachmentFileHash": "cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2", + "attachmentFileName": "PVI_06-12-2024.pdf", + "attachmentFileSize": "-1", + 
"attachmentFileTlsh": "" + } + ], + "delivery_timestamp": "2024-12-11T13:52:57.0150000Z", + "from": { + "address": "XXXXX@grandreims.fr" + }, + "local_id": "ba4e0d21-e780-4087-b06d-d26262fa46e9", + "message_id": "[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)", + "subject": "RE: PVI", + "to": { + "address": [ + "XXXX@ubikasec.com", + "XXXXX@grandreims.fr" + ] + } + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json new file mode 100644 index 000000000..9b44177d1 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json 
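Review bot: The `msgId` value in the input, and therefore the expected `email.message_id`, is `[<id>](mailto:<id>)` — an RFC 5322 Message-ID wrapped in a markdown link — which suggests the sample was copied from a rendered view rather than from the raw log; the parser then passes the wrapper straight through. The fixture should carry the bare `<id>` so that `email.message_id` holds the value the product actually emits and can be joined with message-id fields from other sources. In the same file `suser` is a plain string whereas the other two fixtures give it as a list, so this is also the case that pins `email.from.address` to a scalar shape. The `attachmentFileSize` entries are the string `"-1"`, which the expectation preserves as-is rather than treating as "unknown".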
@@ -0,0 +1,69 @@ +{ + "input": { + "message": "{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@reims.fr\"],\"duser\":[\"XXXXt@reims.fr\",\"XXX@reims.fr\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"highlightedRequest\":[\"https://dpc.fr/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"dpc.fr/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@reims.fr\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.reims.fr/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://dpc.fr/\",\"http://www.bm-reims.fr/\",\"http://www.dpc.fr/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}" + }, + "expected": { + "message": 
"{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@reims.fr\"],\"duser\":[\"XXXXt@reims.fr\",\"XXX@reims.fr\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"highlightedRequest\":[\"https://dpc.fr/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"dpc.fr/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@reims.fr\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.reims.fr/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://dpc.fr/\",\"http://www.bm-reims.fr/\",\"http://www.dpc.fr/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [ + { + "attachmentFileHash": "8acffca6144b332362ea706a9e30bb56538b359c", + "attachmentFileName": "image001.png", + "attachmentFileSize": "-1", + "attachmentFileTlsh": "" + }, + { + 
"attachmentFileHash": "c04c157f903f1beb0beb83138909b42633541218", + "attachmentFileName": "image003.jpg", + "attachmentFileSize": "-1", + "attachmentFileTlsh": "" + }, + { + "attachmentFileHash": "e16cc3996443713902366cefc201fe47d6700b34", + "attachmentFileName": "CE7B0279.jpg", + "attachmentFileSize": "-1", + "attachmentFileTlsh": "" + }, + { + "attachmentFileHash": "52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84", + "attachmentFileName": "BD0C5626.jpg", + "attachmentFileSize": "-1", + "attachmentFileTlsh": "" + }, + { + "attachmentFileHash": "134c22a75f082d8db78acb2b0a72dcf910e44f52", + "attachmentFileName": "image002.jpg", + "attachmentFileSize": "-1", + "attachmentFileTlsh": "" + } + ], + "delivery_timestamp": "2024-12-11T07:51:23.4600000Z", + "from": { + "address": [ + "XXXXX@reims.fr" + ] + }, + "local_id": "5fbbe268-adf5-404b-af37-afe194d80cd0", + "message_id": "MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM", + "subject": "RE: Meubles DVD , ce serait le fournisseur DPC??", + "to": { + "address": [ + "XXX@reims.fr", + "XXXXt@reims.fr" + ] + } + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + } + } +} \ No newline at end of file From 67356d9250362665a2b7647e91e49747588adae4 Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Thu, 9 Jan 2025 16:44:29 +0400 Subject: [PATCH 02/10] Fix --- Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml | 4 ++-- .../tests/test_observed_attack_technique_4.json | 2 +- .../tests/test_observed_attack_technique_5.json | 2 +- .../tests/test_observed_attack_technique_6.json | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml index 71356949d..177c656f6 100644 --- a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml 
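Review bot: The expected `email.to.address` lists `"XXX@reims.fr"` before `"XXXXt@reims.fr"`, whereas the input `duser` array has them in the opposite order, and the parser template copies `duser` verbatim. If the test harness compares arrays order-insensitively this is harmless, but if it compares them positionally the expectation will not match; keeping the expected list in input order (`["XXXXt@reims.fr", "XXX@reims.fr"]`) removes the dependency on harness behaviour either way. The five attachment objects again carry the vendor's `attachmentFile*` keys rather than ECS sub-fields, so this fixture will need updating together with the parser if that mapping is normalized.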
@@ -97,7 +97,7 @@ stages:
 email.from.address: "{{ parsed_event.message.suser }}"
 email.to.address: "{{ parsed_event.message.duser }}"
 email.subject: "{{ parsed_event.message.mailMsgSubject }}"
- email.local_id: "{{ parsed_event.message.uuid }}"
- email.delivery_timestamp: "{{ parsed_event.message.rt_utc }}"
+ email.local_id: "{{ parsed_event.message.msgUuid }}"
 email.message_id: "{{ parsed_event.message.msgId }}"
+ email.delivery_timestamp: "{{ parsed_event.message.rt_utc }}"
 email.attachments: "{{ parsed_event.message.attachment }}"
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
index e1caa7923..d434c7aae 100644
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
@@ -19,7 +19,7 @@
 "XXXXXX@u-psud.fr"
 ]
 },
- "local_id": "05c522d1-e2d8-42da-a06d-1b2a0535b4cf",
+ "local_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA",
 "message_id": "XXXXX@u-psud.fr",
 "subject": "XXXXXXXXXXX."
 },
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
index c844f9164..31a5653a6 100644
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
@@ -25,7 +25,7 @@
 "from": {
 "address": "XXXXX@grandreims.fr"
 },
- "local_id": "ba4e0d21-e780-4087-b06d-d26262fa46e9",
+ "local_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA",
 "message_id": "[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)",
 "subject": "RE: PVI",
 "to": {
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json index 9b44177d1..40cebf0ac 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json @@ -51,7 +51,7 @@ "XXXXX@reims.fr" ] }, - "local_id": "5fbbe268-adf5-404b-af37-afe194d80cd0", + "local_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA", "message_id": "MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM", "subject": "RE: Meubles DVD , ce serait le fournisseur DPC??", "to": { From 93e9e8d9b9565dd8e64d13643b908f6cb87d808f Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Thu, 9 Jan 2025 18:01:52 +0400 Subject: [PATCH 03/10] Add smart-descriptions.json --- .../_meta/smart-descriptions.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json index 656e4f9c7..233994a0d 100644 --- a/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json +++ b/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json @@ -23,5 +23,20 @@ { "field": "threat.technique.subtechnique.id" }, { "field": "host.ip" } ] + }, + { + "value": "Email with subject {email.subject} sent from {email.from.address} to {email.to.address}", + "conditions": [ + { "field": "email.subject" }, + { "field": "email.from.address" }, + { "field": "email.to.address" } + ] + }, + { + "value": "Email with subject {email.subject} sent from {email.from.address}", + "conditions": [ + { "field": "email.subject" }, + { "field": "email.from.address" } + ] } ] From 07bff905bd766c9970ad4db56ee243b827635e18 Mon Sep 17 00:00:00 2001 
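Review bot: Both new smart-description entries interpolate `{email.to.address}` and `{email.from.address}`, which the fixtures in this series show as lists for most events (`duser` is always an array, `suser` sometimes), so the rendered summary will presumably contain the list's own formatting rather than a single address; if the renderer does not join lists, a template that names only scalar fields, or a join in the parser, gives a cleaner line. The ordering — the three-condition entry before the two-condition fallback — is correct only if entries are evaluated in order with first match winning, which this file does not state; a short note at the top of the array saying so would keep a later contributor from appending a broader entry above a narrower one.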
From: vg-svitla Date: Mon, 13 Jan 2025 16:43:28 +0400 Subject: [PATCH 04/10] Replace urls --- .../tests/test_observed_attack_technique_3.json | 8 ++++---- .../tests/test_observed_attack_technique_4.json | 8 ++++---- .../tests/test_observed_attack_technique_5.json | 10 +++++----- .../tests/test_observed_attack_technique_6.json | 10 +++++----- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json index a93027304..fb5a2d23f 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"source\": \"endpointActivityData\", \"uuid\": \"43483725-969b-4fb8-a453-c2353a9a5e12\", \"detectedDateTime\": \"2024-11-26T16:45:01Z\", \"filters\": [{\"id\": \"F3367\", \"name\": \"Sensitive File Locating via Powershell\", \"description\": \"Locate files deemed sensitive via Powershell\", \"highlightedObjects\": [{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode 
-Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0009\"], \"mitreTechniqueIds\": [\"T1005\"], \"riskLevel\": \"low\", \"type\": \"preset\"}, {\"id\": \"F1971\", \"name\": \"Modify File Last Modified Timestamp With PowerShell\", \"description\": \"An attempt to modify file's last modified timestamp using Powershell was detected on an endpoint.\", \"highlightedObjects\": [{\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, 
{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ 
CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0005\"], \"mitreTechniqueIds\": [\"T1070\", \"T1070.006\"], \"riskLevel\": \"info\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"9567d4bc-ce0b-45cf-b259-138beb4c80c3\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"eventId\": \"11\", \"eventSubId\": 901, \"eventTime\": \"1732639501774\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639501774\", \"groupId\": \"a1c0d757-0961-40a4-8a00-bf9b2922d5de\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639503446\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectAppName\": \"PowerShell_C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe_10.0.19041.1\", \"objectHashId\": 
\"-1780503710981816722\", \"objectRawDataStr\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + 
$_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"], \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"f8ad78f2ad64799786242d69ef77edd7\", \"parentFileHashSha1\": \"f021ca2dca81ee77aa80467096a804a26cd11364\", \"parentFileHashSha256\": \"f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": 
\"bd5cf4568d83088240e3b33f9f9838b1\", \"processFileHashSha1\": \"b1692a60d67dc55538f9a25ad3874a6a8f6bb089\", \"processFileHashSha256\": \"4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F1971\", \"XSAE.F3367\", \"MITRE.T1005\", \"MITRE.T1070.006\", \"MITRE.T1070\"], \"uuid\": \"b2ece961-6eed-43f1-8890-a8d926840049\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"7588760429245659303\", \"processFileSize\": \"212992\", \"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"objectFirstSeen\": \"1732639501774\", \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"objectLastSeen\": \"1732639503446\", \"parentSignerFlagsLibValid\": [false], \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectSessionId\": \"19746\", \"objectRawDataSize\": [\"2995\", \"3802\", \"50\", \"55\", \"44\", \"32\", \"169\", \"169\", \"170\", \"56\", \"107\", \"1848\", 
\"1719\", \"411\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,193.103.164.106)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"agentGuid\": \"8e53268d-8348-4fd4-a314-b742448960c9\", \"endpointName\": \"Windows10\"}}" + "message": "{\"source\": \"endpointActivityData\", \"uuid\": \"43483725-969b-4fb8-a453-c2353a9a5e12\", \"detectedDateTime\": \"2024-11-26T16:45:01Z\", \"filters\": [{\"id\": \"F3367\", \"name\": \"Sensitive File Locating via Powershell\", \"description\": \"Locate files deemed sensitive via Powershell\", \"highlightedObjects\": [{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv 
= $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible 
MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0009\"], \"mitreTechniqueIds\": [\"T1005\"], \"riskLevel\": \"low\", \"type\": \"preset\"}, {\"id\": \"F1971\", \"name\": \"Modify File Last Modified Timestamp With PowerShell\", \"description\": \"An attempt to modify file's last modified timestamp using Powershell was detected on an endpoint.\", \"highlightedObjects\": [{\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, {\"field\": 
\"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : 
\\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible 
MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0005\"], \"mitreTechniqueIds\": [\"T1070\", \"T1070.006\"], \"riskLevel\": \"info\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"9567d4bc-ce0b-45cf-b259-138beb4c80c3\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"eventId\": \"11\", \"eventSubId\": 901, \"eventTime\": \"1732639501774\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639501774\", \"groupId\": \"a1c0d757-0961-40a4-8a00-bf9b2922d5de\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639503446\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectAppName\": \"PowerShell_C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe_10.0.19041.1\", \"objectHashId\": \"-1780503710981816722\", 
\"objectRawDataStr\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n 
}\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible 
MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"], \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"f8ad78f2ad64799786242d69ef77edd7\", \"parentFileHashSha1\": \"f021ca2dca81ee77aa80467096a804a26cd11364\", \"parentFileHashSha256\": \"f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": 
\"bd5cf4568d83088240e3b33f9f9838b1\", \"processFileHashSha1\": \"b1692a60d67dc55538f9a25ad3874a6a8f6bb089\", \"processFileHashSha256\": \"4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F1971\", \"XSAE.F3367\", \"MITRE.T1005\", \"MITRE.T1070.006\", \"MITRE.T1070\"], \"uuid\": \"b2ece961-6eed-43f1-8890-a8d926840049\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"7588760429245659303\", \"processFileSize\": \"212992\", \"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"objectFirstSeen\": \"1732639501774\", \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"objectLastSeen\": \"1732639503446\", \"parentSignerFlagsLibValid\": [false], \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectSessionId\": \"19746\", \"objectRawDataSize\": [\"2995\", \"3802\", \"50\", \"55\", \"44\", \"32\", \"169\", \"169\", \"170\", \"56\", \"107\", \"1848\", 
\"1719\", \"411\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,193.103.164.106)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"agentGuid\": \"8e53268d-8348-4fd4-a314-b742448960c9\", \"endpointName\": \"Windows10\"}}" }, "expected": { - "message": "{\"source\": \"endpointActivityData\", \"uuid\": \"43483725-969b-4fb8-a453-c2353a9a5e12\", \"detectedDateTime\": \"2024-11-26T16:45:01Z\", \"filters\": [{\"id\": \"F3367\", \"name\": \"Sensitive File Locating via Powershell\", \"description\": \"Locate files deemed sensitive via Powershell\", \"highlightedObjects\": [{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n 
else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0009\"], \"mitreTechniqueIds\": [\"T1005\"], \"riskLevel\": \"low\", \"type\": \"preset\"}, {\"id\": \"F1971\", \"name\": \"Modify File Last Modified Timestamp With PowerShell\", \"description\": \"An attempt to modify file's last modified timestamp using Powershell was detected on an endpoint.\", \"highlightedObjects\": [{\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, 
{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ 
CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0005\"], \"mitreTechniqueIds\": [\"T1070\", \"T1070.006\"], \"riskLevel\": \"info\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"9567d4bc-ce0b-45cf-b259-138beb4c80c3\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"eventId\": \"11\", \"eventSubId\": 901, \"eventTime\": \"1732639501774\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639501774\", \"groupId\": \"a1c0d757-0961-40a4-8a00-bf9b2922d5de\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639503446\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectAppName\": \"PowerShell_C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe_10.0.19041.1\", \"objectHashId\": 
\"-1780503710981816722\", \"objectRawDataStr\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + 
$_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"], \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"f8ad78f2ad64799786242d69ef77edd7\", \"parentFileHashSha1\": \"f021ca2dca81ee77aa80467096a804a26cd11364\", \"parentFileHashSha256\": \"f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": 
\"bd5cf4568d83088240e3b33f9f9838b1\", \"processFileHashSha1\": \"b1692a60d67dc55538f9a25ad3874a6a8f6bb089\", \"processFileHashSha256\": \"4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F1971\", \"XSAE.F3367\", \"MITRE.T1005\", \"MITRE.T1070.006\", \"MITRE.T1070\"], \"uuid\": \"b2ece961-6eed-43f1-8890-a8d926840049\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"7588760429245659303\", \"processFileSize\": \"212992\", \"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"objectFirstSeen\": \"1732639501774\", \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"objectLastSeen\": \"1732639503446\", \"parentSignerFlagsLibValid\": [false], \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectSessionId\": \"19746\", \"objectRawDataSize\": [\"2995\", \"3802\", \"50\", \"55\", \"44\", \"32\", \"169\", \"169\", \"170\", \"56\", \"107\", \"1848\", 
\"1719\", \"411\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,193.103.164.106)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"agentGuid\": \"8e53268d-8348-4fd4-a314-b742448960c9\", \"endpointName\": \"Windows10\"}}", + "message": "{\"source\": \"endpointActivityData\", \"uuid\": \"43483725-969b-4fb8-a453-c2353a9a5e12\", \"detectedDateTime\": \"2024-11-26T16:45:01Z\", \"filters\": [{\"id\": \"F3367\", \"name\": \"Sensitive File Locating via Powershell\", \"description\": \"Locate files deemed sensitive via Powershell\", \"highlightedObjects\": [{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n 
$myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible 
MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0009\"], \"mitreTechniqueIds\": [\"T1005\"], \"riskLevel\": \"low\", \"type\": \"preset\"}, {\"id\": \"F1971\", \"name\": \"Modify File Last Modified Timestamp With PowerShell\", \"description\": \"An attempt to modify file's last modified timestamp using Powershell was detected on an endpoint.\", \"highlightedObjects\": [{\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, {\"field\": 
\"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : 
\\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible 
MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0005\"], \"mitreTechniqueIds\": [\"T1070\", \"T1070.006\"], \"riskLevel\": \"info\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"9567d4bc-ce0b-45cf-b259-138beb4c80c3\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"eventId\": \"11\", \"eventSubId\": 901, \"eventTime\": \"1732639501774\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639501774\", \"groupId\": \"a1c0d757-0961-40a4-8a00-bf9b2922d5de\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639503446\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectAppName\": \"PowerShell_C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe_10.0.19041.1\", \"objectHashId\": \"-1780503710981816722\", 
\"objectRawDataStr\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n 
}\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible 
MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"], \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"f8ad78f2ad64799786242d69ef77edd7\", \"parentFileHashSha1\": \"f021ca2dca81ee77aa80467096a804a26cd11364\", \"parentFileHashSha256\": \"f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": 
\"bd5cf4568d83088240e3b33f9f9838b1\", \"processFileHashSha1\": \"b1692a60d67dc55538f9a25ad3874a6a8f6bb089\", \"processFileHashSha256\": \"4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F1971\", \"XSAE.F3367\", \"MITRE.T1005\", \"MITRE.T1070.006\", \"MITRE.T1070\"], \"uuid\": \"b2ece961-6eed-43f1-8890-a8d926840049\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"7588760429245659303\", \"processFileSize\": \"212992\", \"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"objectFirstSeen\": \"1732639501774\", \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"objectLastSeen\": \"1732639503446\", \"parentSignerFlagsLibValid\": [false], \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectSessionId\": \"19746\", \"objectRawDataSize\": [\"2995\", \"3802\", \"50\", \"55\", \"44\", \"32\", \"169\", \"169\", \"170\", \"56\", \"107\", \"1848\", 
\"1719\", \"411\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,193.103.164.106)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"agentGuid\": \"8e53268d-8348-4fd4-a314-b742448960c9\", \"endpointName\": \"Windows10\"}}", "event": { "category": [ "intrusion_detection" 
@@ -24,9 +24,9 @@
 "\r\n if ($_.FullyQualifiedErrorId -eq \"NativeCommandErrorMessage\") {\r\n $_.Exception.Message \r\n }\r\n else\r\n {\r\n $myinv = $_.InvocationInfo\r\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\r\n $posmsg = $myinv.PositionMessage\r\n } else {\r\n $posmsg = \"\"\r\n }\r\n \r\n if ($posmsg -ne \"\")\r\n {\r\n $posmsg = \"`n\" + $posmsg\r\n }\r\n \t\t\t\t \r\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\r\n $posmsg = \" : \" + $_.PSMessageDetails + $posmsg \r\n }\r\n\r\n $indent = 4\r\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\r\n\r\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\r\n if ($errorCategoryMsg -ne $null)\r\n {\r\n $indentString = \"+ CategoryInfo : \" + $_.ErrorCategory_Message\r\n }\r\n else\r\n {\r\n $indentString = \"+ CategoryInfo : \" + $_.CategoryInfo\r\n }\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n\r\n $indentString = \"+ FullyQualifiedErrorId : \" + $_.FullyQualifiedErrorId\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n\r\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\r\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\r\n {\r\n $indentString = \"+ PSComputerName : \" + $originInfo.PSComputerName\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n }\r\n\r\n if ($ErrorView -eq \"CategoryView\") {\r\n $_.CategoryInfo.GetMessage()\r\n }\r\n elseif (! $_.ErrorDetails -or ! $_.ErrorDetails.Message) {\r\n $_.Exception.Message + $posmsg + \"`n \"\r\n } else {\r\n $_.ErrorDetails.Message + $posmsg\r\n }\r\n }\r\n ",
 "if ($_ -is [System.IO.DirectoryInfo]) { return '' }\r\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\r\n{\r\n return '({0})' -f $_.Length\r\n}\r\nreturn $_.Length",
 "{\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }",
- "{\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }",
+ "{\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }",
 "{\n Write-Host $_.FullName\n }",
- "{\n $Drive = $_\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }\n}",
+ "{\n $Drive = $_\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://test.com/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }\n}",
 "{\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\n Write-Host \"$_ Found!\" -ForegroundColor red\n }\n}",
 "{\n if (Test-Path $_) {\n Write-Host \"$_ found.\"\n }\n}",
 "{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }",
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
index d434c7aae..63c0b40d6 100644
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
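Review bot: The two `+` lines swap the fixture's decryption-tool link for `https://test.com/mcafee-sitelist-pwd-decryption`, but `test.com` is an ordinary registrable domain rather than an RFC 2606 reserved name, so the scrubbed sample data still points at a real third party. Prefer `https://example.com/mcafee-sitelist-pwd-decryption` (or `example.net`/`example.org`) for anonymised fixture values, and apply the same choice to the `@test.com` mailbox addresses introduced in the test_observed_attack_technique_4 hunk that follows. This hunk appears to be the `expected` side of a parser test, so the `input` message earlier in the file (outside this hunk) presumably received the identical substitution; the two must stay byte-identical or the test breaks. In that later hunk the `request` URL is left untouched while neighbouring identifiers were replaced, which looks like an inconsistent scrub worth a second look.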
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@grandreims.fr\",\"suser\":[\"XXXXXX@u-psud.fr\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@u-psud.fr\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@u-psud.fr\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@grandreims.fr\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@grandreims.fr\",\"riskLevel\":\"RISK_DANGEROUS\"}" + "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail 
Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}" }, "expected": { - "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail 
Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@grandreims.fr\",\"suser\":[\"XXXXXX@u-psud.fr\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@u-psud.fr\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@u-psud.fr\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@grandreims.fr\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@grandreims.fr\",\"riskLevel\":\"RISK_DANGEROUS\"}", + "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail 
Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}", "event": { "category": [ "email" @@ -16,11 +16,11 @@ "delivery_timestamp": "2024-12-11T23:47:10.0000000Z", "from": { "address": [ - "XXXXXX@u-psud.fr" + "XXXXXX@test.com" ] }, "local_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA", - "message_id": "XXXXX@u-psud.fr", + "message_id": "XXXXX@test.com", "subject": "XXXXXXXXXXX." }, "observer": { 
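Review bot: `test.com` is a real, registrable domain rather than one of the RFC 2606 reserved names, so the replacement addresses and URLs in this fixture still point at a third party; `example.com`/`example.net` (or a `.test` name) would make the anonymisation unambiguous. The same replacement is made in tests 5 and 6 below. The pass also leaves `orgId`/`groupId`, `msgUuid`, `mailUniqueId`, `logKey` and `policyName` as they were here, and `samUser: "Virginie.BBBB"` in test 6; if those are real tenant or user identifiers from the source environment they deserve the same treatment, since committed fixture values are easy to correlate later.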
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
index 31a5653a6..ab5632b7d 100644
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@grandreims.fr\",\"duser\":[\"XXXX@ubikasec.com\",\"XXXXX@grandreims.fr\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@grandreims.fr\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@grandreims.fr\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}" + "message": 
"{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@test.com\",\"duser\":[\"XXXX@test.com\",\"XXXXX@test.com\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@test.com\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}" }, "expected": { - "message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@grandreims.fr\",\"duser\":[\"XXXX@ubikasec.com\",\"XXXXX@grandreims.fr\"],\"mailMsgSubject\":\"RE: 
PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@grandreims.fr\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@grandreims.fr\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}", + "message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@test.com\",\"duser\":[\"XXXX@test.com\",\"XXXXX@test.com\"],\"mailMsgSubject\":\"RE: 
PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@test.com\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}", "event": { "category": [ "email" 
@@ -23,15 +23,15 @@
 ],
 "delivery_timestamp": "2024-12-11T13:52:57.0150000Z",
 "from": {
- "address": "XXXXX@grandreims.fr"
+ "address": "XXXXX@test.com"
 },
 "local_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA",
 "message_id": "[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)",
 "subject": "RE: PVI",
 "to": {
 "address": [
- "XXXX@ubikasec.com",
- "XXXXX@grandreims.fr"
+ "XXXX@test.com",
+ "XXXXX@test.com"
 ]
 }
 },
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
index 40cebf0ac..a42e90b09 100644
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
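Review bot: `email.from.address` is expected as a bare string here (`"address": "XXXXX@test.com"`) while the same field is an array in test 4 and test 6, so the fixtures pin a type that varies per event; the cause is presumably the parser line `email.from.address: "{{ parsed_event.message.suser }}"` (visible in the later parser hunk on this page, not in this one), which passes `suser` through in whatever shape the product sent it. A keyword field that is sometimes a scalar and sometimes a list is awkward for rules and aggregations downstream. Normalising in the parser, e.g. `email.from.address: "{{ [parsed_event.message.suser] if parsed_event.message.suser is string else parsed_event.message.suser }}"`, and changing this expected value to `["XXXXX@test.com"]` gives the field one shape; `email.to.address`/`duser` is worth checking the same way.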
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@reims.fr\"],\"duser\":[\"XXXXt@reims.fr\",\"XXX@reims.fr\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"highlightedRequest\":[\"https://dpc.fr/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"dpc.fr/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@reims.fr\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.reims.fr/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://dpc.fr/\",\"http://www.bm-reims.fr/\",\"http://www.dpc.fr/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}" + "message": 
"{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@test.com\"],\"duser\":[\"XXXXt@test.com\",\"XXX@test.com\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"highlightedRequest\":[\"https://test.com/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"test.com/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.test.com/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://test.com/\",\"http://www.bm-test.com/\",\"http://www.test.com/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}" }, "expected": { - "message": 
"{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@reims.fr\"],\"duser\":[\"XXXXt@reims.fr\",\"XXX@reims.fr\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"highlightedRequest\":[\"https://dpc.fr/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"dpc.fr/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@reims.fr\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.reims.fr/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://dpc.fr/\",\"http://www.bm-reims.fr/\",\"http://www.dpc.fr/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}", + "message": 
"{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@test.com\"],\"duser\":[\"XXXXt@test.com\",\"XXX@test.com\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"highlightedRequest\":[\"https://test.com/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"test.com/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.test.com/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://test.com/\",\"http://www.bm-test.com/\",\"http://www.test.com/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}", "event": { "category": [ "email" @@ -48,7 +48,7 @@ "delivery_timestamp": "2024-12-11T07:51:23.4600000Z", "from": { "address": [ - "XXXXX@reims.fr" + "XXXXX@test.com" ] }, "local_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA", 
@@ -56,8 +56,8 @@ "subject": "RE: Meubles DVD , ce serait le fournisseur DPC??", "to": { "address": [ - "XXX@reims.fr", - "XXXXt@reims.fr" + "XXX@test.com", + "XXXXt@test.com" ] } }, From eed7373c4a9bf0c736141410fd69a99e42138789 Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Wed, 15 Jan 2025 18:36:04 +0400 Subject: [PATCH 05/10] Fix comments --- .../_meta/fields.yml | 40 ------------------- .../ingest/parser.yml | 26 ++++++++---- .../test_observed_attack_technique_4.json | 2 +- .../test_observed_attack_technique_5.json | 2 +- .../test_observed_attack_technique_6.json | 2 +- 5 files changed, 21 insertions(+), 51 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml index 30f7b23aa..abdf1aea4 100644 --- a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml +++ b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml @@ -3,46 +3,6 @@ action.properties.ScriptBlockText: name: action.properties.ScriptBlockText type: keyword -email.attachments: - description: A list of objects describing the attachment files sent along with an - email message - name: email.attachments - type: array - -email.delivery_timestamp: - description: The date and time when the email message was received by the service - or client - name: email.delivery_timestamp - type: date - -email.from.address: - description: 'The email address of the sender, typically from the RFC 5322 
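Review bot: Replacing both the mailbox domain (`reims.fr`) and the spoofed brand domain (`dpc.fr`) with `test.com` erases the mismatch this `forge_brand` sample documents: `highlightedRequest`, `groupIdCorrValues` and the `requests` list now carry the recipient's own domain, and `requests` lists `http://www.test.com/` twice. Two distinct reserved placeholders (say `example.com` for the mailbox side and `example.net` for the brand URLs) keep the sample meaningful for anyone who writes or tests a rule on this event. The parser does not appear to compare the two, so this is about fixture fidelity rather than parser output.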
From: - header field' - name: email.from.address - type: keyword - -email.local_id: - description: Unique identifier given to the email by the source that created the - event - name: email.local_id - type: keyword - -email.message_id: - description: 'Identifier from the RFC 5322 Message-ID: email header that refers - to a particular email message' - name: email.message_id - type: keyword - -email.subject: - description: A brief summary of the topic of the message - name: email.subject - type: keyword - -email.to.address: - description: The email address of recipient - name: email.to.address - type: keyword - process.parent.parent.command_line: description: '' name: process.parent.parent.command_line diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml index 177c656f6..d53b6c859 100644 --- a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml @@ -1,5 +1,5 @@ name: trend-micro-vision-one-oat -ignored_values: [] +ignored_values: [ ] pipeline: - name: parsed_event external: @@ -9,6 +9,15 @@ pipeline: output_field: message - name: set_ecs_fields + + - name: parse_email_date + external: + name: date.parse + properties: + input_field: "{{parsed_event.message.rt_utc}}" + output_field: datetime + filter: "{{parsed_event.message.scanType in ['exchange_mailbox_realtime_detection_logs', 'realtime_mailmeta-exchange']}}" + - name: set_email_fields filter: "{{parsed_event.message.scanType in ['exchange_mailbox_realtime_detection_logs', 'realtime_mailmeta-exchange']}}" @@ -16,8 +25,8 @@ stages: set_ecs_fields: actions: - set: - event.category: ["intrusion_detection"] - event.type: ["info"] + event.category: [ "intrusion_detection" ] + event.type: [ "info" ] observer.vendor: "TrendMicro" observer.product: "Vision One" 
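Review bot: The `filter` on the new `parse_email_date` stage is a verbatim copy of the one on `set_email_fields`, and `set_email_fields` consumes `parse_email_date.datetime` (hunk `@@ -84,20 +96,18 @@` below), so editing one scanType list without the other would leave `email.delivery_timestamp` silently empty rather than failing. A one-line comment above the stage, `# keep this filter identical to set_email_fields, which reads parse_email_date.datetime`, makes the coupling visible; if the loader honours YAML anchors, declaring the expression once and referencing it from both stages removes the duplication. It is also not visible from the hunk what `date.parse` yields when `rt_utc` is absent from the message, so a fixture without that key would be a useful addition.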
@@ -70,6 +79,9 @@ stages: process.hash.sha1: "{{parsed_event.message.detail.ObjectFileHashSha1}}" process.hash.sha256: "{{parsed_event.message.detail.ObjectFileHashSha256}}" + - set: + threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}" + threat.technique.id: > {%- set ids = [] -%} {%- for item in parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = []) -%} @@ -84,20 +96,18 @@ stages: {%- endfor -%} {%- if ids | length > 0 -%}{{ ids | tojson }}{%- endif -%} - - set: - threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}" filter: "{{parsed_event.message.filters | length > 0 }}" set_email_fields: actions: - set: - event.category: ["email"] - event.type: ["info"] + event.category: [ "email" ] + event.type: [ "info" ] email.from.address: "{{ parsed_event.message.suser }}" email.to.address: "{{ parsed_event.message.duser }}" email.subject: "{{ parsed_event.message.mailMsgSubject }}" email.local_id: "{{ parsed_event.message.msgUuid }}" email.message_id: "{{ parsed_event.message.msgId }}" - email.delivery_timestamp: "{{ parsed_event.message.rt_utc }}" + email.delivery_timestamp: "{{ parse_email_date.datetime }}" email.attachments: "{{ parsed_event.message.attachment }}" diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json index 63c0b40d6..320ec1dd5 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json @@ -13,7 +13,7 @@ ] }, "email": { - "delivery_timestamp": "2024-12-11T23:47:10.0000000Z", + "delivery_timestamp": "2024-12-11T23:47:10Z", "from": { "address": [ "XXXXXX@test.com" 
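Review bot: `email.from.address: "{{ parsed_event.message.suser }}"` copies `suser` through unchanged, and the fixtures show `suser` arriving both as a plain string (test 5, whose expectation reads `"address": "XXXXX@test.com"`) and as a one-element list (tests 4 and 6, expectation `"address": ["XXXXX@test.com"]`), so the same ECS field changes type from event to event; `duser` on the `email.to.address` line has the same exposure. A keyword that is sometimes a scalar and sometimes an array is hard to index and filter on consistently, so normalise before assignment, e.g. `email.from.address: "{{ [parsed_event.message.suser] if parsed_event.message.suser is string else parsed_event.message.suser }}"` with the equivalent for `email.to.address`, and change the test 5 expectation to a list. Whether the template engine used here supports the Jinja `string` test is not visible in this diff.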
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
index ab5632b7d..65cb6cc51 100644
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
@@ -21,7 +21,7 @@
 "attachmentFileTlsh": ""
 }
 ],
- "delivery_timestamp": "2024-12-11T13:52:57.0150000Z",
+ "delivery_timestamp": "2024-12-11T13:52:57.015000Z",
 "from": {
 "address": "XXXXX@test.com"
 },
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
index a42e90b09..19cb32fc7 100644
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
@@ -45,7 +45,7 @@
 "attachmentFileTlsh": ""
 }
 ],
- "delivery_timestamp": "2024-12-11T07:51:23.4600000Z",
+ "delivery_timestamp": "2024-12-11T07:51:23.460000Z",
 "from": {
 "address": [
 "XXXXX@test.com"
From c63989e71a039cccf60ad810ae6f88c8ad64b2eb Mon Sep 17 00:00:00 2001
From: vg-svitla
Date: Wed, 15 Jan 2025 18:39:06 +0400
Subject: [PATCH 06/10] Apply linter

---
 .../trend-micro-vision-one-oat/ingest/parser.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
index d53b6c859..34b739583 100644
--- a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
@@ -1,5 +1,5 @@
 name: trend-micro-vision-one-oat
-ignored_values: [ ]
+ignored_values: []
 pipeline:
 - name: parsed_event
 external:
@@ -25,8 +25,8 @@ stages:
 set_ecs_fields:
 actions:
 - set:
- event.category: [ "intrusion_detection" ]
- event.type: [ "info" ]
+ event.category: ["intrusion_detection"]
+ event.type: ["info"]
 observer.vendor: "TrendMicro"
 observer.product: "Vision One"
@@ -101,8 +101,8 @@ stages:
 set_email_fields:
 actions:
 - set:
- event.category: [ "email" ]
- event.type: [ "info" ]
+ event.category: ["email"]
+ event.type: ["info"]
 email.from.address: "{{ parsed_event.message.suser }}"
 email.to.address: "{{ parsed_event.message.duser }}"
From 32efe8d6721773d7156fd46a43f5e370175015e5 Mon Sep 17 00:00:00 2001
From: vg-svitla
Date: Tue, 21 Jan 2025 19:14:58 +0400
Subject: [PATCH 07/10] Fix comments

---
 .../_meta/fields.yml | 25 ++++++++++++
 .../ingest/parser.yml | 18 +++++++++
 .../test_observed_attack_technique_4.json | 39 ++++++++++++++++++-
 .../test_observed_attack_technique_5.json | 20 +++++++++-
 .../test_observed_attack_technique_6.json | 20 +++++++++-
 5 files changed, 116 insertions(+), 6 deletions(-)

diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
index abdf1aea4..0466921aa 100644
--- a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
+++ b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
@@ -57,3 +57,28 @@ process.parent.user.domain:
 description: ''
 name: process.parent.user.domain
 type: keyword
+
+trendmicro.visionone.oat.detectionType:
+ description: ''
+ name: trendmicro.visionone.oat.detectionType
+ type: keyword
+
+trendmicro.visionone.oat.eventId:
+ description: ''
+ name: trendmicro.visionone.oat.eventId
+ type: keyword
+
+trendmicro.visionone.oat.eventName:
+ description: ''
+ name: trendmicro.visionone.oat.eventName
+ type: keyword
+
+trendmicro.visionone.oat.eventSubName:
+ description: ''
+ name: trendmicro.visionone.oat.eventSubName
+ type: keyword
+
+trendmicro.visionone.oat.riskLevel:
+ description: ''
+ name: trendmicro.visionone.oat.riskLevel
+ type: keyword
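Review bot: All five new `trendmicro.visionone.oat.*` entries leave `description: ''`, so the custom namespace this commit introduces is undocumented for anyone reading the intake's field list. The fixtures give enough for one line each, e.g. `description: Vision One event type name (e.g. WEB_THREAT_DETECTION, MESSAGE_SUSPICIOUS_DETECTION)` for `eventName`, `description: Vision One event type identifier, a numeric string (e.g. 100101)` for `eventId`, `description: Detection engine reported by Vision One (e.g. Web Reputation)` for `detectionType`, and `description: Risk level Vision One assigns to the event (e.g. RISK_DANGEROUS)` for `riskLevel`. The raw event also carries `filterRiskLevel` (`medium` in the fixtures), which is not mapped; the `riskLevel` description should say which of the two it holds so they are not confused later.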
diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml index 34b739583..e6be2d040 100644 --- a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml @@ -39,6 +39,9 @@ stages: agent.id: "{{parsed_event.message.endpoint.agentGuid}}" event.start: "{{parsed_event.message.detail.firstSeen | to_rfc3339}}" event.end: "{{parsed_event.message.detail.lastSeen | to_rfc3339}}" + event.action: "{{parsed_event.message.act}}" + event.provider: "{{parsed_event.message.pname}}" + event.reason: "{{parsed_event.message.description}}" host.id: "{{parsed_event.message.detail.endpointGuid}}" host.os.name: "{{parsed_event.message.detail.osName}}" @@ -79,6 +82,21 @@ stages: process.hash.sha1: "{{parsed_event.message.detail.ObjectFileHashSha1}}" process.hash.sha256: "{{parsed_event.message.detail.ObjectFileHashSha256}}" + url.original: "{{ parsed_event.message.request }}" + + organization.id: "{{parsed_event.message.orgId}}" + + rule.ruleset: "{{parsed_event.message.policyName}}" + rule.name: "{{parsed_event.message.ruleName}}" + + cloud.service.name: "{{parsed_event.message.cloudAppName}}" + + trendmicro.visionone.oat.eventId: "{{parsed_event.message.eventId}}" + trendmicro.visionone.oat.eventName: "{{parsed_event.message.eventName}}" + trendmicro.visionone.oat.eventSubName: "{{parsed_event.message.eventSubName}}" + trendmicro.visionone.oat.detectionType: "{{parsed_event.message.detectionType}}" + trendmicro.visionone.oat.riskLevel: "{{parsed_event.message.riskLevel}}" + - set: threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}" diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json index 320ec1dd5..4c5d91040 100644 
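Review bot: `event.action: "{{parsed_event.message.act}}"` copies `act` through as-is, and the test 4 fixture shows `act` as a list (`["Quarantine"]`) with the expectation `"action": ["Quarantine"]`, whereas ECS `event.action` is a single keyword. If `act` is always a list, `event.action: "{{ parsed_event.message.act | first }}"` keeps the field scalar, but whether a scalar `act` can also occur is not visible here, so confirm against more samples before choosing. In the second hunk `url.original: "{{ parsed_event.message.request }}"` pads the braces while every neighbouring line uses `{{parsed_event...}}`; keep one spacing. The `- set:` block these lines extend starts and ends outside the hunk.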
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json 
@@ -1,17 +1,26 @@ { "input": { - "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}" + "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail 
Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"groupId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}" }, "expected": { - "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail 
Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}", + "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail 
Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"groupId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}", "event": { + "action": [ + "Quarantine" + ], "category": [ "email" ], + "provider": "Cloud Email and Collaboration Protection", "type": [ "info" ] }, + "cloud": { + "service": { + "name": "exchange" + } + }, "email": { "delivery_timestamp": "2024-12-11T23:47:10Z", "from": { 
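Review bot: The anonymisation in this fixture is incomplete: `orgId`/`groupId` become placeholders, but the message still carries a live-looking shortened link `https://urlshorter.net/wjhHjf` that the parser now surfaces as `url.original` (and the next hunk decomposes into `url.domain`, `url.path` and so on), together with the `msgUuid`, `mailMsgId` and `logKey` values of what looks like a real detection. A committed phishing sample should not point at something a reader can resolve; replace the link with an RFC 2606 reserved name (for example an `example.net` URL) and adjust the `url.*` expectations to match. The same applies to tests 5 and 6, where `msgId` still holds an `outlook.com` Message-ID and `samUser` is only half-masked (`Virginie.BBBB`).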
@@ -26,6 +35,32 @@ "observer": { "product": "Vision One", "vendor": "TrendMicro" + }, + "organization": { + "id": "XXXXXX-xxxxx-XXXXXX-Xx" + }, + "rule": { + "ruleset": "CUGR-politique_principale" + }, + "trendmicro": { + "visionone": { + "oat": { + "detectionType": "Web Reputation", + "eventId": "100101", + "eventName": "WEB_THREAT_DETECTION", + "eventSubName": "Web Security Violation", + "riskLevel": "RISK_DANGEROUS" + } + } + }, + "url": { + "domain": "urlshorter.net", + "original": "https://urlshorter.net/wjhHjf", + "path": "/wjhHjf", + "port": 443, + "registered_domain": "urlshorter.net", + "scheme": "https", + "top_level_domain": "net" } } } \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json index 65cb6cc51..9dc17d330 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json 
@@ -1,13 +1,15 @@ { "input": { - "message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@test.com\",\"duser\":[\"XXXX@test.com\",\"XXXXX@test.com\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@test.com\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}" + "message": 
"{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@test.com\",\"duser\":[\"XXXX@test.com\",\"XXXXX@test.com\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"123-123-123-123\",\"groupId\":\"123-123-123-123\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@test.com\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}" }, "expected": { - "message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@test.com\",\"duser\":[\"XXXX@test.com\",\"XXXXX@test.com\"],\"mailMsgSubject\":\"RE: 
PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@test.com\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}", + "message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"XXXXX@test.com\",\"duser\":[\"XXXX@test.com\",\"XXXXX@test.com\"],\"mailMsgSubject\":\"RE: 
PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"123-123-123-123\",\"groupId\":\"123-123-123-123\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"XXXX@test.com\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}", "event": { "category": [ "email" ], + "provider": "Email Sensor", + "reason": "The writing style is different from the past his/her sent emails", "type": [ "info" ] @@ -38,6 +40,20 @@ "observer": { "product": "Vision One", "vendor": "TrendMicro" + }, + "organization": { + "id": "123-123-123-123" + }, + "rule": { + "name": "MA-01-009" + }, + "trendmicro": { + "visionone": { + "oat": { + "eventId": "100139", + "eventName": "MESSAGE_SUSPICIOUS_DETECTION" + } + } } } } \ No newline at end of file 
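Review bot: The `msgId` in this fixture is `[PR0P…@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:…)`, a Message-ID wrapped in Markdown link syntax, which is how a rendered mail client copies it rather than how it appears in an event. Since the parser maps `msgId` to `email.message_id`, the expectation for this file presumably carries the bracketed form too, so the test pins a value the real source never sends. Use the bare identifier in both `input` and `expected`, with the same placeholder treatment for its host name that the commit gives `orgId`.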
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json index 19cb32fc7..c6c935c52 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json 
@@ -1,13 +1,15 @@ { "input": { - "message": "{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@test.com\"],\"duser\":[\"XXXXt@test.com\",\"XXX@test.com\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"highlightedRequest\":[\"https://test.com/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"test.com/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.test.com/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://test.com/\",\"http://www.bm-test.com/\",\"http://www.test.com/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}" + "message": 
"{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@test.com\"],\"duser\":[\"XXXXt@test.com\",\"XXX@test.com\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"123-123-123-123-123-123\",\"groupId\":\"123-123-123-123-123-123\",\"highlightedRequest\":[\"https://test.com/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"test.com/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.test.com/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://test.com/\",\"http://www.bm-test.com/\",\"http://www.test.com/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}" }, "expected": { - "message": 
"{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@test.com\"],\"duser\":[\"XXXXt@test.com\",\"XXX@test.com\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"highlightedRequest\":[\"https://test.com/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"test.com/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.test.com/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://test.com/\",\"http://www.bm-test.com/\",\"http://www.test.com/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}", + "message": 
"{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@test.com\"],\"duser\":[\"XXXXt@test.com\",\"XXX@test.com\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"123-123-123-123-123-123\",\"groupId\":\"123-123-123-123-123-123\",\"highlightedRequest\":[\"https://test.com/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"test.com/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.test.com/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://test.com/\",\"http://www.bm-test.com/\",\"http://www.test.com/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}", "event": { "category": [ "email" ], + "provider": "Email Sensor", + "reason": "Found Forge Brand Pattern in URL", "type": [ "info" ] 
@@ -64,6 +66,20 @@ "observer": { "product": "Vision One", "vendor": "TrendMicro" + }, + "organization": { + "id": "123-123-123-123-123-123" + }, + "rule": { + "name": "MA-01-010" + }, + "trendmicro": { + "visionone": { + "oat": { + "eventId": "100139", + "eventName": "MESSAGE_SUSPICIOUS_DETECTION" + } + } } } } \ No newline at end of file From 65e9ad217beb6670109c06cf008052d4e5715cec Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 21 Jan 2025 17:52:34 +0100 Subject: [PATCH 08/10] fix(TrendMicro): fix event.action --- Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml | 5 ++++- .../tests/test_observed_attack_technique_4.json | 4 +--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml index e6be2d040..20e6e7552 100644 --- a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml @@ -39,7 +39,6 @@ stages: agent.id: "{{parsed_event.message.endpoint.agentGuid}}" event.start: "{{parsed_event.message.detail.firstSeen | to_rfc3339}}" event.end: "{{parsed_event.message.detail.lastSeen | to_rfc3339}}" - event.action: "{{parsed_event.message.act}}" event.provider: "{{parsed_event.message.pname}}" event.reason: "{{parsed_event.message.description}}" @@ -97,6 +96,10 @@ stages: trendmicro.visionone.oat.detectionType: "{{parsed_event.message.detectionType}}" trendmicro.visionone.oat.riskLevel: "{{parsed_event.message.riskLevel}}" + - set: + event.action: "{{parsed_event.message.act[0]}}" + filter: "{{parsed_event.message.act | length > 0 }}" + - set: threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}" diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json index 4c5d91040..c6dbb6e9d 100644 
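Review bot: In the `@@ -97,6 +96,10 @@` hunk of parser.yml, `event.action` is taken from `parsed_event.message.act[0]`, so an event that reports several actions keeps only the first and silently drops the rest, and the `act | length > 0` filter also passes when `act` arrives as a plain string, in which case `act[0]` would be its first character. If the vendor schema only ever sends a list this is harmless, but the guard is cheap: `filter: "{{parsed_event.message.act is iterable and parsed_event.message.act is not string and parsed_event.message.act | length > 0}}"`. A one-line comment stating the assumption, such as `# act is a list of remediation actions; only the first is mapped to event.action`, would also help the next maintainer. The `stages:` list this `set` entry belongs to continues outside the hunk.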
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
@@ -5,9 +5,7 @@ "expected": { "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"groupId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}", "event": { - "action": [ - "Quarantine" - ], + "action": "Quarantine", "category": [ "email" ], From 3ee60a9cdc420c4c16e51bbdeb8ab81c9ced1ca6 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Tue, 21 Jan 2025 17:53:22 +0100 Subject: [PATCH 09/10] feat(TrendMicro): extract event.dataset --- Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml | 1 + .../tests/test_observed_attack_technique_1.json | 1 + .../tests/test_observed_attack_technique_2.json | 1 + .../tests/test_observed_attack_technique_3.json | 1 + 4 files changed, 4 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml index 20e6e7552..4df78b029 100644 --- a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml @@ -41,6 +41,7 @@ stages: event.end: "{{parsed_event.message.detail.lastSeen | to_rfc3339}}" event.provider: "{{parsed_event.message.pname}}" event.reason: "{{parsed_event.message.description}}" + event.dataset: "{{parsed_event.message.source}}" host.id: "{{parsed_event.message.detail.endpointGuid}}" host.os.name: "{{parsed_event.message.detail.osName}}" diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json index d5d205d40..9edfd67c2 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json @@ -8,6 +8,7 @@ "category": [ "intrusion_detection" ], + "dataset": "endpointActivityData", "end": "2022-04-12T23:43:15Z", "start": "2022-04-12T23:43:15Z", "type": [ diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json index 75fff3679..72fd5d18c 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json 
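Review bot: `event.dataset` in the `@@ -41,6 +41,7 @@` hunk is read from `parsed_event.message.source`, a key the email-sensor samples elsewhere in this series (test_observed_attack_technique_4 and _6) do not carry; only the three endpoint fixtures were updated with `"dataset": "endpointActivityData"`. Presumably an undefined `source` renders empty and the field is simply absent from those events, but that is worth stating next to the line, e.g. `# "source" is present on endpoint activity OAT events only; email sensor events leave event.dataset unset`. If a dataset is wanted for every event, `productCode` (present in the email samples) could serve as a fallback. The `stages:` mapping this line sits in continues outside the hunk.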
@@ -8,6 +8,7 @@ "category": [ "intrusion_detection" ], + "dataset": "endpointActivityData", "end": "2024-11-26T16:45:02.571000Z", "start": "2024-11-26T16:45:02.571000Z", "type": [ diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json index fb5a2d23f..346af1c39 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json @@ -8,6 +8,7 @@ "category": [ "intrusion_detection" ], + "dataset": "endpointActivityData", "end": "2024-11-26T16:45:03.446000Z", "start": "2024-11-26T16:45:01.774000Z", "type": [ From 19a5ab91646635d6ccd2b303678ba546d6082b68 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 21 Jan 2025 17:56:27 +0100 Subject: [PATCH 10/10] fix(TrendMicro): fix tests --- .../tests/test_observed_attack_technique_4.json | 6 +++--- .../tests/test_observed_attack_technique_6.json | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json index c6dbb6e9d..27b4018d5 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"groupId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}" + "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail 
Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"groupId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"urlCat\":[\"Phishing\"],\"policyName\":\"MyPolicy\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}" }, "expected": { - "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail 
Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"groupId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}", + "message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail 
Body\"],\"objectType\":\"url\",\"suid\":\"XXXX@test.com\",\"suser\":[\"XXXXXX@test.com\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"XXXXX@test.com\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"groupId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"urlCat\":[\"Phishing\"],\"policyName\":\"MyPolicy\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"048ffc9460a48e85a609802bf6dfb5bfe6cb37b1@test.com\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"XXXX@test.com\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"XXXX@test.com\",\"riskLevel\":\"RISK_DANGEROUS\"}", "event": { "action": "Quarantine", "category": [ @@ -38,7 +38,7 @@ "id": "XXXXXX-xxxxx-XXXXXX-Xx" }, "rule": { - "ruleset": "CUGR-politique_principale" + "ruleset": "MyPolicy" }, "trendmicro": { "visionone": { diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json index c6c935c52..8cfcf6e77 100644 
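Review bot: The scrub in the `@@ -1,9 +1,9 @@` hunk replaces `policyName` with `MyPolicy` but leaves other potentially real values in the committed fixture: `request` still points at a real-looking URL-shortener link that the same record classifies as Phishing, and `logKey` / `msgUuid` look like genuine tenant identifiers rather than constructed ones. The same applies to the test_observed_attack_technique_6.json hunk that follows, where `samUser` (`Virginie.BBBB`) and the Outlook host in `msgId` survive the subject rewrite. Unless these are known to be synthetic, replace them with placeholders such as `https://example.com/path` and `user.name`, keeping the expected side and `rule.ruleset` in the `@@ -38,7 +38,7 @@` hunk in sync as this commit already does.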
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@test.com\"],\"duser\":[\"XXXXt@test.com\",\"XXX@test.com\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"123-123-123-123-123-123\",\"groupId\":\"123-123-123-123-123-123\",\"highlightedRequest\":[\"https://test.com/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"test.com/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.test.com/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://test.com/\",\"http://www.bm-test.com/\",\"http://www.test.com/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}" + "message": 
"{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@test.com\"],\"duser\":[\"XXXXt@test.com\",\"XXX@test.com\"],\"mailMsgSubject\":\"MySubject\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"123-123-123-123-123-123\",\"groupId\":\"123-123-123-123-123-123\",\"highlightedRequest\":[\"https://test.com/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"test.com/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.test.com/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://test.com/\",\"http://www.bm-test.com/\",\"http://www.test.com/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}" }, "expected": { - "message": 
"{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@test.com\"],\"duser\":[\"XXXXt@test.com\",\"XXX@test.com\"],\"mailMsgSubject\":\"RE: Meubles DVD , ce serait le fournisseur DPC??\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"123-123-123-123-123-123\",\"groupId\":\"123-123-123-123-123-123\",\"highlightedRequest\":[\"https://test.com/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"test.com/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.test.com/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://test.com/\",\"http://www.bm-test.com/\",\"http://www.test.com/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}", + "message": 
"{\"uuid\":\"5fbbe268-adf5-404b-af37-afe194d80cd0\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"image001.png\",\"image003.jpg\",\"CE7B0279.jpg\",\"BD0C5626.jpg\",\"image002.jpg\"],\"suser\":[\"XXXXX@test.com\"],\"duser\":[\"XXXXt@test.com\",\"XXX@test.com\"],\"mailMsgSubject\":\"MySubject\",\"msgId\":\"MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM\",\"tags\":[\"XSJG.MA-01-010.01\",\"mitre.t1566.002\",\"MITRE.T1566.002\",\"XSAE.F1938\"],\"ruleName\":\"MA-01-010\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"subRuleName\":\"forge_brand\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA\",\"orgId\":\"123-123-123-123-123-123\",\"groupId\":\"123-123-123-123-123-123\",\"highlightedRequest\":[\"https://test.com/wp-includes/images/DPC.jpg\"],\"eventTime\":\"1733903461000\",\"logReceivedTime\":\"1733903483549\",\"attachmentFileSizes\":[\"-1\",\"-1\",\"-1\",\"-1\",\"-1\"],\"groupIdCorrValues\":[\"test.com/wp-includes/images/dpc.jpg\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"XXXX@test.com\",\"rt_utc\":\"2024-12-11T07:51:23.4600000Z\",\"attachmentFileTlshes\":[\"\",\"\",\"\",\"\",\"\"],\"rt\":\"1733903461000\",\"description\":\"Found Forge Brand Pattern in 
URL\",\"ruleVer\":\"\",\"requests\":[\"http://www.test.com/\",\"http://cdn3.iconfinder.com/data/icons/free-social-icons/67/youtube_square_gray-24.png\",\"https://test.com/\",\"http://www.bm-test.com/\",\"http://www.test.com/\"],\"samUser\":\"Virginie.BBBB\",\"attachmentFileHashs\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image001.png\",\"attachmentFileHash\":\"8acffca6144b332362ea706a9e30bb56538b359c\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image003.jpg\",\"attachmentFileHash\":\"c04c157f903f1beb0beb83138909b42633541218\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"CE7B0279.jpg\",\"attachmentFileHash\":\"e16cc3996443713902366cefc201fe47d6700b34\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"BD0C5626.jpg\",\"attachmentFileHash\":\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"attachmentFileSize\":\"-1\"},{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"image002.jpg\",\"attachmentFileHash\":\"134c22a75f082d8db78acb2b0a72dcf910e44f52\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"URL\",\"attachmentFileHashes\":[\"8acffca6144b332362ea706a9e30bb56538b359c\",\"c04c157f903f1beb0beb83138909b42633541218\",\"e16cc3996443713902366cefc201fe47d6700b34\",\"52495a6ce0b3de34a5a4d8dff10c9465aa1b7b84\",\"134c22a75f082d8db78acb2b0a72dcf910e44f52\"],\"attachmentFileTlshs\":[\"\",\"\",\"\",\"\",\"\"]}", "event": { "category": [ "email" 
@@ -55,7 +55,7 @@ }, "local_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0APQjoWguLYUioEoMFJLcp2QABmzS7DwAA", "message_id": "MRZP264MB2315CAD850058D02706E80D9853E2@MRZP264MB2315.FRAP264.PROD.OUTLOOK.COM", - "subject": "RE: Meubles DVD , ce serait le fournisseur DPC??", + "subject": "MySubject", "to": { "address": [ "XXX@test.com",