| TimeGenerated [UTC] | DeviceVendor | DeviceProduct | DeviceEventClassID | LogSeverity | Message | SourceIP | DeviceVersion | Activity | FileHash | FileName | SourceHostName | SourceUserName | AdditionalExtensions | Type | Start | AttackedModule | MorphisecVersion | AttackName | AttackCategory |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 12/3/2020, 1:34:42.544 PM | Morphisec | EPTP | MORPHISEC_ATTACK | 8 | Morphisec attack was detected and stopped on application lsass, https://127.0.0.1/threats/morphisecThreat/a3870626-76eb-4dad-8211 | 10.0.0.5 | 4.5.4 | Attack was detected and stopped by Morphisec | 52910ce2fdae6354b74397c2dc35c26bf323f60387bdb3f9891d52a59ca45d65 | C:/Users/Admin/AppData/Local/Microsoft/Windows/INetCache/Low/IE/9VVK36Y8/he-il[1].htm | DESKTOP-9DDBB2L | NT AUTHORITY/SYSTEM | start=Nov 02 2020 20:06:56 UTC;AttackedModule=kernel32.dll;MorphisecVersion=4.1.0;AttackName=ATOM BOMBING CODE;AttackCategory=FILELESS;Severity=8;Attackdescription=Atom Bombing is a code injection technique based on Windows identifiers that associate a string with a 16-bit integer. The Dridex malware family, among others, is known to use Atom Bombing. The Atoms can be accessed across processes when added to the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accesses it via an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. | CommonSecurityLog | Nov 02 2020 20:06:56 UTC | kernel32.dll | 4.5.4 | ATOM BOMBING CODE | FILELESS |
| 12/3/2020, 1:34:43.545 PM | Morphisec | EPTP | MORPHISEC_ATTACK | 8 | Morphisec attack was detected and stopped on application lsass, https://127.0.0.1/threats/morphisecThreat/a3870626-76eb-4dad-8211 | 10.0.0.5 | 4.5.4 | Attack was detected and stopped by Morphisec | 52910ce2fdae6354b74397c2dc35c26bf323f60387bdb3f9891d52a59ca45d65 | C:/Users/Admin/AppData/Local/Microsoft/Windows/INetCache/Low/IE/9VVK36Y8/he-il[1].htm | DESKTOP-9DDBB2L | NT AUTHORITY/SYSTEM | start=Nov 02 2020 20:06:56 UTC;AttackedModule=kernel32.dll;MorphisecVersion=4.1.0;AttackName=ATOM BOMBING CODE;AttackCategory=FILELESS;Severity=8;Attackdescription=Atom Bombing is a code injection technique based on Windows identifiers that associate a string with a 16-bit integer. The Dridex malware family, among others, is known to use Atom Bombing. The Atoms can be accessed across processes when added to the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accesses it via an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. | CommonSecurityLog | Nov 02 2020 20:06:56 UTC | kernel32.dll | 4.5.4 | ATOM BOMBING CODE | FILELESS |
| 12/3/2020, 1:40:15.018 PM | Morphisec | EPTP | MORPHISEC_ATTACK | 9 | Morphisec attack was detected and stopped on application lsass, https://127.0.0.1/threats/morphisecThreat/a3870626-76eb-4dad-8212 | 10.0.0.9 | 4.5.2 | Attack was detected and stopped by Morphisec | 391725186354b74397c2dc35c26bf323f60387bdb3f9891d52a59ca45d65 | C:\Users\Admin\Desktop\mimikatz\mimikatz.exe | DESKTOP-9CC234L | NT AUTHORITY/SYSTEM | start=Nov 03 2020 14:05:56 UTC;AttackedModule=kernel32.dll;MorphisecVersion=4.5.2;AttackName=HACKTOOL:WIN64/Mikatz;AttackCategory=TOOL;Severity=9 | CommonSecurityLog | Nov 03 2020 14:05:56 UTC | kernel32.dll | 4.5.2 | HACKTOOL:WIN64/Mikatz | TOOL |
| 12/3/2020, 1:40:15.790 PM | Morphisec | EPTP | MORPHISEC_ATTACK | 9 | Morphisec attack was detected and stopped on application lsass, https://127.0.0.1/threats/morphisecThreat/a3870626-76eb-4dad-8213 | 10.0.0.9 | 4.5.2 | Attack was detected and stopped by Morphisec | 391725186354b74397c2dc35c26bf323f60387bdb3f9891d52a59ca45d65 | C:\Users\Admin\Desktop\mimikatz\mimikatz.exe | DESKTOP-9CC234L | NT AUTHORITY/SYSTEM | start=Nov 03 2020 14:05:56 UTC;AttackedModule=kernel32.dll;MorphisecVersion=4.5.2;AttackName=HACKTOOL:WIN64/Mikatz;AttackCategory=TOOL;Severity=9 | CommonSecurityLog | Nov 03 2020 14:05:56 UTC | kernel32.dll | 4.5.2 | HACKTOOL:WIN64/Mikatz | TOOL |
| 12/3/2020, 9:57:37.520 AM | Morphisec | EPTP | MORPHISEC_ATTACK | 10 | Morphisec attack was detected and stopped on application lsass, https://127.0.0.1/threats/morphisecThreat/a3870626-76eb-4dad-8214 | 10.0.0.3 | 4.5.3 | Attack was detected and stopped by Morphisec | 52910ce2fdae6354b74397c2dc35c26bf323f60387bdb3f9891d52a59ca45d65 | C:/Users/Admin/AppData/Local/Microsoft/Windows/INetCache/Low/IE/9VVK36Y8/he-il[1].htm | DESKTOP-98DBB2L | NT AUTHORITY/SYSTEM | start=Nov 02 2020 20:06:56 UTC;AttackedModule=kernel32.dll;MorphisecVersion=4.1.0;AttackName=Easy Anti-Cheat Software Code Injection;AttackCategory=Hacking Tool;Severity=4;Attackdescription=The following Anti-Cheat software injects into the most critical Windows process. | CommonSecurityLog | Nov 02 2020 20:06:56 UTC | kernel32.dll | 4.5.3 | Easy Anti-Cheat Software Code Injection | Hacking Tool |
| 12/3/2020, 9:57:38.032 AM | Morphisec | EPTP | MORPHISEC_ATTACK | 10 | Morphisec attack was detected and stopped on application lsass, https://127.0.0.1/threats/morphisecThreat/a3870626-76eb-4dad-8215 | 10.0.0.3 | 4.5.3 | Attack was detected and stopped by Morphisec | 52910ce2fdae6354b74397c2dc35c26bf323f60387bdb3f9891d52a59ca45d65 | C:/Users/Admin/AppData/Local/Microsoft/Windows/INetCache/Low/IE/9VVK36Y8/he-il[1].htm | DESKTOP-98DBB2L | NT AUTHORITY/SYSTEM | start=Nov 02 2020 20:06:56 UTC;AttackedModule=kernel32.dll;MorphisecVersion=4.1.0;AttackName=Easy Anti-Cheat Software Code Injection;AttackCategory=Hacking Tool;Severity=4;Attackdescription=The following Anti-Cheat software injects into the most critical Windows process. | CommonSecurityLog | Nov 02 2020 20:06:56 UTC | kernel32.dll | 4.5.3 | Easy Anti-Cheat Software Code Injection | Hacking Tool |
| 12/3/2020, 1:41:49.391 PM | Morphisec | EPTP | MORPHISEC_ATTACK | 4 | Morphisec attack was detected and stopped on application lsass, https://127.0.0.1/threats/morphisecThreat/a3870626-76eb-4dad-8216 | 10.0.0.1 | 4.5.0 | Attack was detected and stopped by Morphisec | e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3 | C:/Program Files (x86)/Internet Explorer/iexplore.exe | DESKTOP-8VC234L | NT AUTHORITY/SYSTEM | start=Nov 01 2020 15:35:56 UTC;AttackedModule=kernel32.dll;MorphisecVersion=4.5.0;AttackName=VB SCRIPT BLOCKING;AttackCategory=SUSPICIOUS ACTIVITY;Severity=4 | CommonSecurityLog | Nov 01 2020 15:35:56 UTC | kernel32.dll | 4.5.0 | VB SCRIPT BLOCKING | SUSPICIOUS ACTIVITY |
| 12/3/2020, 1:41:50.064 PM | Morphisec | EPTP | MORPHISEC_ATTACK | 4 | Morphisec attack was detected and stopped on application lsass, https://127.0.0.1/threats/morphisecThreat/a3870626-76eb-4dad-8217 | 10.0.0.1 | 4.5.0 | Attack was detected and stopped by Morphisec | e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3 | C:/Program Files (x86)/Internet Explorer/iexplore.exe | DESKTOP-8VC234L | NT AUTHORITY/SYSTEM | start=Nov 01 2020 15:35:56 UTC;AttackedModule=kernel32.dll;MorphisecVersion=4.5.0;AttackName=VB SCRIPT BLOCKING;AttackCategory=SUSPICIOUS ACTIVITY;Severity=4 | CommonSecurityLog | Nov 01 2020 15:35:56 UTC | kernel32.dll | 4.5.0 | VB SCRIPT BLOCKING | SUSPICIOUS ACTIVITY |