Azure-Sentinel/Sample Data/Custom/TaniumThreatResponse_CL.json


[
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 10:37:55.107 AM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"\\\"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\SenseIR.exe\\\" \\\"OfflineSenseIR\\\" \\\"1120\\\" \\\"eyJDb21tYW5kSWQiOiIiLCJEb3dubG9hZEZpbGVBY3Rpb25Db25maWciOm51bGwsIkRvd25sb2FkVHJ1c3RlZENlcnRpZmljYXRlc0NoYWlucyI6bnVsbCwiRW5hYmxlU2xlZXBTdXNwZW5zaW9uIjowLCJNYXhXYWl0Rm9yTmV3QWN0aW9uc0luTXMiOjcyMDAwMCwiT3JnSWQiOiIiLCJSdW5Qc1NjcmlwdEFjdGlvbkNvbmZpZyI6eyJlbmFibGUiOnRydWV9LCJhY2NlcHRTaW11bGF0b3JTaWduaW5nIjowLCJvZmZsaW5lSXJQaXBlSGFuZGxlIjozODYwfQ==\\\"\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\SenseIR.exe\",\n \"md5\": \"7af77c07e0e89d79669e948c420c514a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\SenseIR.exe\",\n \"parent\": {\n \"args\": \"\\\"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\\\"\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\",\n \"md5\": null,\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": 
\"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 3284,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4759971972373353766\",\n \"start_time\": \"2022-08-23T03:17:32Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 7932,\n \"ppid\": 3284,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-7061122794110803972\",\n \"start_time\": \"2022-09-08T10:36:12Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 10:36:51.000 AM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 10:37:14.000 AM", "Timestamp_s": "", "Alert_Id_g": "044e8295-252d-4e6c-839e-73930a3f5792", 
"Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "218", "Intel_Labels_s": "Beta,Discovery,Windows", "Intel_Name_s": "Netsh WLAN Discovery", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1018\",\"T1016\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038413898\",\n \"uniqueProcessId\": \"-7729845711259631054\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038413898\",\n \"uniqueProcessId\": \"-7729845711259631054\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038413898\",\n \"uniqueProcessId\": \"-7729845711259631054\"\n }\n }\n]", "Match_Details_match_hash_d": "3229051902", "Match_Details_match_properties_args_s": "\"C:\\Windows\\system32\\netsh.exe\" wlan show profiles", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\netsh.exe", "Match_Details_match_properties_file_md5_g": "6f1e6dd6-8881-8bc3-d139-1d0cc7d597eb", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\netsh.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat 
Protection\\DataCollection\\8099.7816591.0.7816591-086d6612f6cd55108ad5725a0f11912b841da429\\43757d5a-50e1-49d2-8977-94dbc97b1271.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\8099.7816591.0.7816591-086d6612f6cd55108ad5725a0f11912b841da429\\43757d5a-50e1-49d2-8977-94dbc97b1271.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '3b6f6d9d53d180e0c837c71f7fc645509e8c8924f22ff0d3413958cbfd5acad6')) { exit 323;}; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\8099.7816591.0.7816591-086d6612f6cd55108ad5725a0f11912b841da429\\43757d5a-50e1-49d2-8977-94dbc97b1271.ps1' }\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n \"md5\": \"04029e121a0cfa5991749937dd22a1d9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Match_Details_match_properties_parent_pid_d": "4824", "Match_Details_match_properties_parent_ppid_d": "7932", "Match_Details_match_properties_parent_recorder_unique_id_s": "-2827632719690976276", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "NT AUTHORITY\\SYSTEM", "Match_Details_match_properties_pid_d": "6788", "Match_Details_match_properties_ppid_d": "4824", "Match_Details_match_properties_recorder_unique_id_s": "-7729845711259631054", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "NT AUTHORITY\\SYSTEM", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", 
"Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 10:37:19.000 AM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:01:51.135 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Timestamp_s": "", "Alert_Id_g": "63b3c121-0357-4eef-ba63-9b83b57be03d", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "154", "Intel_Labels_s": "Beta,Defense Evasion,Execution,Windows", "Intel_Name_s": "Indirect Command Execution", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1218\",\"T1218.002\",\"T1059\",\"T1059.003\",\"T1202\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", 
"Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416947\",\n \"uniqueProcessId\": \"-6168473995594187237\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416947\",\n \"uniqueProcessId\": \"-6168473995594187237\"\n }\n }\n]", "Match_Details_match_hash_d": "1995528464", "Match_Details_match_properties_args_s": "FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m\"", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_file_md5_g": "9bb67aea-5e26-cb13-6f23-f29cc48d6b9e", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\cmd.exe /c FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 
0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "9952", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "4247957392575842156", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9964", "Match_Details_match_properties_ppid_d": "9952", "Match_Details_match_properties_recorder_unique_id_s": "-6168473995594187237", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:00:24.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:01:51.135 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Timestamp_s": "", "Alert_Id_g": "506a5e9e-a3a3-4dcd-9787-602808e78d83", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "157", "Intel_Labels_s": "Beta,Defense Evasion,Windows", "Intel_Name_s": "Indirect Command Execution Forfiles", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1218\",\"T1218.002\",\"T1059\",\"T1059.003\",\"T1202\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", 
"Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416947\",\n \"uniqueProcessId\": \"-6168473995594187237\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416947\",\n \"uniqueProcessId\": \"-6168473995594187237\"\n }\n }\n]", "Match_Details_match_hash_d": "1995528464", "Match_Details_match_properties_args_s": "FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m\"", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_file_md5_g": "9bb67aea-5e26-cb13-6f23-f29cc48d6b9e", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\cmd.exe /c FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 
0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "9952", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "4247957392575842156", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9964", "Match_Details_match_properties_ppid_d": "9952", "Match_Details_match_properties_recorder_unique_id_s": "-6168473995594187237", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:00:24.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:01:51.135 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Timestamp_s": "", "Alert_Id_g": "1dca76f1-049d-4bbf-a012-c03798cc2b0c", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "154", "Intel_Labels_s": "Beta,Defense Evasion,Execution,Windows", "Intel_Name_s": "Indirect Command Execution", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1218\",\"T1218.002\",\"T1059\",\"T1059.003\",\"T1202\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", 
"Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416944\",\n \"uniqueProcessId\": \"-6064277336058239044\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416944\",\n \"uniqueProcessId\": \"-6064277336058239044\"\n }\n }\n]", "Match_Details_match_hash_d": "323786512", "Match_Details_match_properties_args_s": "FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m\"", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_file_md5_g": "9bb67aea-5e26-cb13-6f23-f29cc48d6b9e", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\cmd.exe /c FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 
0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "9916", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "6009974082002879543", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9928", "Match_Details_match_properties_ppid_d": "9916", "Match_Details_match_properties_recorder_unique_id_s": "-6064277336058239044", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:00:24.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:01:51.135 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Timestamp_s": "", "Alert_Id_g": "00110a54-6f22-4fe6-a7fc-ed5397296bc6", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "157", "Intel_Labels_s": "Beta,Defense Evasion,Windows", "Intel_Name_s": "Indirect Command Execution Forfiles", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1218\",\"T1218.002\",\"T1059\",\"T1059.003\",\"T1202\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", 
"Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416944\",\n \"uniqueProcessId\": \"-6064277336058239044\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416944\",\n \"uniqueProcessId\": \"-6064277336058239044\"\n }\n }\n]", "Match_Details_match_hash_d": "323786512", "Match_Details_match_properties_args_s": "FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m\"", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_file_md5_g": "9bb67aea-5e26-cb13-6f23-f29cc48d6b9e", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\cmd.exe /c FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 
0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "9916", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "6009974082002879543", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9928", "Match_Details_match_properties_ppid_d": "9916", "Match_Details_match_properties_recorder_unique_id_s": "-6064277336058239044", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:00:25.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:01:51.135 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Timestamp_s": "", "Alert_Id_g": "42a43a9a-1bed-4f12-aa78-a7e8cda8c29d", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "154", "Intel_Labels_s": "Beta,Defense Evasion,Execution,Windows", "Intel_Name_s": "Indirect Command Execution", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1218\",\"T1218.002\",\"T1059\",\"T1059.003\",\"T1202\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", 
"Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416941\",\n \"uniqueProcessId\": \"4821027900246950917\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416941\",\n \"uniqueProcessId\": \"4821027900246950917\"\n }\n }\n]", "Match_Details_match_hash_d": "416392300", "Match_Details_match_properties_args_s": "FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m\"", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_file_md5_g": "9bb67aea-5e26-cb13-6f23-f29cc48d6b9e", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\cmd.exe /c FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 
0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "9880", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "-3375662715724455525", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9892", "Match_Details_match_properties_ppid_d": "9880", "Match_Details_match_properties_recorder_unique_id_s": "4821027900246950917", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:00:25.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:01:51.135 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:24.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:00:24.000 PM", "Timestamp_s": "", "Alert_Id_g": "63aed036-ab87-47c6-bed6-59bfd574dd65", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "154", "Intel_Labels_s": "Beta,Defense Evasion,Execution,Windows", "Intel_Name_s": "Indirect Command Execution", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1218\",\"T1218.002\",\"T1059\",\"T1059.003\",\"T1202\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", 
"Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416970\",\n \"uniqueProcessId\": \"-2243763653117153343\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416970\",\n \"uniqueProcessId\": \"-2243763653117153343\"\n }\n }\n]", "Match_Details_match_hash_d": "4253412236", "Match_Details_match_properties_args_s": "FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m\"", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_file_md5_g": "9bb67aea-5e26-cb13-6f23-f29cc48d6b9e", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\cmd.exe /c FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 
0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "7984", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "9173051427214666583", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9296", "Match_Details_match_properties_ppid_d": "7984", "Match_Details_match_properties_recorder_unique_id_s": "-2243763653117153343", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:00:26.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:01:51.135 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:24.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:00:24.000 PM", "Timestamp_s": "", "Alert_Id_g": "16d5ff30-9390-4c44-bb8d-d647a6c7c4e7", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "157", "Intel_Labels_s": "Beta,Defense Evasion,Windows", "Intel_Name_s": "Indirect Command Execution Forfiles", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1218\",\"T1218.002\",\"T1059\",\"T1059.003\",\"T1202\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", 
"Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416970\",\n \"uniqueProcessId\": \"-2243763653117153343\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416970\",\n \"uniqueProcessId\": \"-2243763653117153343\"\n }\n }\n]", "Match_Details_match_hash_d": "4253412236", "Match_Details_match_properties_args_s": "FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m\"", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_file_md5_g": "9bb67aea-5e26-cb13-6f23-f29cc48d6b9e", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\cmd.exe /c FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 
0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "7984", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "9173051427214666583", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9296", "Match_Details_match_properties_ppid_d": "7984", "Match_Details_match_properties_recorder_unique_id_s": "-2243763653117153343", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:00:26.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:01:51.135 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Timestamp_s": "", "Alert_Id_g": "4dd7f134-a9d5-4461-a4c3-ca63e802bcbb", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "157", "Intel_Labels_s": "Beta,Defense Evasion,Windows", "Intel_Name_s": "Indirect Command Execution Forfiles", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1218\",\"T1218.002\",\"T1059\",\"T1059.003\",\"T1202\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", 
"Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416941\",\n \"uniqueProcessId\": \"4821027900246950917\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416941\",\n \"uniqueProcessId\": \"4821027900246950917\"\n }\n }\n]", "Match_Details_match_hash_d": "416392300", "Match_Details_match_properties_args_s": "FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m\"", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_file_md5_g": "9bb67aea-5e26-cb13-6f23-f29cc48d6b9e", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\cmd.exe /c FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 
0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "9880", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "-3375662715724455525", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9892", "Match_Details_match_properties_ppid_d": "9880", "Match_Details_match_properties_recorder_unique_id_s": "4821027900246950917", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:00:26.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:01:51.135 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Timestamp_s": "", "Alert_Id_g": "16f99a54-8e01-4890-aa69-0235ca840241", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "154", "Intel_Labels_s": "Beta,Defense Evasion,Execution,Windows", "Intel_Name_s": "Indirect Command Execution", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1218\",\"T1218.002\",\"T1059\",\"T1059.003\",\"T1202\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", 
"Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416938\",\n \"uniqueProcessId\": \"7600924362595941111\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416938\",\n \"uniqueProcessId\": \"7600924362595941111\"\n }\n }\n]", "Match_Details_match_hash_d": "1579285868", "Match_Details_match_properties_args_s": "FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m\"", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_file_md5_g": "9bb67aea-5e26-cb13-6f23-f29cc48d6b9e", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\cmd.exe /c FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. 
((((((0x1B[97m\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "9844", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "-6217156919502973517", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9856", "Match_Details_match_properties_ppid_d": "9844", "Match_Details_match_properties_recorder_unique_id_s": "7600924362595941111", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:00:27.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:01:51.135 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:00:22.000 PM", "Timestamp_s": "", "Alert_Id_g": "8c1814b9-7ed6-4295-a1e8-54b8e4c3275f", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "157", "Intel_Labels_s": "Beta,Defense Evasion,Windows", "Intel_Name_s": "Indirect Command Execution Forfiles", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1218\",\"T1218.002\",\"T1059\",\"T1059.003\",\"T1202\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", 
"Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416938\",\n \"uniqueProcessId\": \"7600924362595941111\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038416938\",\n \"uniqueProcessId\": \"7600924362595941111\"\n }\n }\n]", "Match_Details_match_hash_d": "1579285868", "Match_Details_match_properties_args_s": "FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m\"", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_file_md5_g": "9bb67aea-5e26-cb13-6f23-f29cc48d6b9e", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\forfiles.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\cmd.exe /c FORFILES.EXE /P C:\\Users\\sentinel.localuser\\Desktop\\ /M winpeas.bat /C \"CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. 
((((((0x1B[97m\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "9844", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "-6217156919502973517", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9856", "Match_Details_match_properties_ppid_d": "9844", "Match_Details_match_properties_recorder_unique_id_s": "7600924362595941111", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:00:27.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:04:08.363 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", 
"Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:09.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:03:17.000 PM", "Timestamp_s": "", "Alert_Id_g": "95b9925d-a9ea-4a5b-aa38-bb7d34ebba2d", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "290", "Intel_Labels_s": "Beta,Persistence,Windows", "Intel_Name_s": "Reg Security Access", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1003\",\"T1003.002\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038417482\",\n \"uniqueProcessId\": \"5243893397871955056\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038417482\",\n \"uniqueProcessId\": \"5243893397871955056\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038417482\",\n \"uniqueProcessId\": \"5243893397871955056\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": 
\"72057594038417482\",\n \"uniqueProcessId\": \"5243893397871955056\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038417482\",\n \"uniqueProcessId\": \"5243893397871955056\"\n }\n }\n]", "Match_Details_match_hash_d": "82867088", "Match_Details_match_properties_args_s": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential ", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\reg.exe", "Match_Details_match_properties_file_md5_g": "227f63e1-d900-8b36-bdbc-c4b397780be4", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\reg.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\sentinel.localuser\\Desktop\\winpeas.bat", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "8616", "Match_Details_match_properties_parent_ppid_d": "1392", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4938002612994826743", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "6908", "Match_Details_match_properties_ppid_d": "8616", "Match_Details_match_properties_recorder_unique_id_s": "5243893397871955056", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": 
"WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:03:18.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:04:08.363 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", 
"Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:09.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:03:18.000 PM", "Timestamp_s": "", "Alert_Id_g": "c9bfefa7-ba7a-4bea-985e-bb37739932f0", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "395", "Intel_Labels_s": "Beta,Discovery,Windows", "Intel_Name_s": "WMIC Antivirus Discovery", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1518\",\"T1518.001\",\"T1059\",\"T1059.003\",\"T1047\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038417494\",\n \"uniqueProcessId\": \"-2386097515482250603\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038417494\",\n \"uniqueProcessId\": \"-2386097515482250603\"\n }\n }\n]", "Match_Details_match_hash_d": "357200019", "Match_Details_match_properties_args_s": "WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path 
AntiVirusProduct Get displayName /Format:List ", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\wbem\\WMIC.exe", "Match_Details_match_properties_file_md5_g": "c37f2f4f-4b3c-d128-bdab-caeb2266a785", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\wbem\\WMIC.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\sentinel.localuser\\Desktop\\winpeas.bat", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "8616", "Match_Details_match_properties_parent_ppid_d": "1392", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4938002612994826743", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9124", "Match_Details_match_properties_ppid_d": "8616", "Match_Details_match_properties_recorder_unique_id_s": "-2386097515482250603", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:03:22.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:04:08.363 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", 
"Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:09.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:03:18.000 PM", "Timestamp_s": "", "Alert_Id_g": "0f32cbbb-e407-40bf-9148-7eae7765749c", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "378", "Intel_Labels_s": "Beta,Defense Evasion,Execution,Windows", "Intel_Name_s": "Uncommon XSL Script Execution", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1220\",\"T1059\",\"T1059.001\",\"T1059.003\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038417494\",\n \"uniqueProcessId\": \"-2386097515482250603\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038417494\",\n \"uniqueProcessId\": \"-2386097515482250603\"\n }\n }\n]", "Match_Details_match_hash_d": "357200019", "Match_Details_match_properties_args_s": "WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path 
AntiVirusProduct Get displayName /Format:List ", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\wbem\\WMIC.exe", "Match_Details_match_properties_file_md5_g": "c37f2f4f-4b3c-d128-bdab-caeb2266a785", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\wbem\\WMIC.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\sentinel.localuser\\Desktop\\winpeas.bat", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "8616", "Match_Details_match_properties_parent_ppid_d": "1392", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4938002612994826743", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9124", "Match_Details_match_properties_ppid_d": "8616", "Match_Details_match_properties_recorder_unique_id_s": "-2386097515482250603", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:03:26.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:05:18.139 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:04:49.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:04:49.000 PM", "Timestamp_s": "", "Alert_Id_g": "55d4e493-b536-458d-a9a9-a18f3d4903af", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "218", "Intel_Labels_s": "Beta,Discovery,Windows", "Intel_Name_s": "Netsh WLAN Discovery", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1018\",\"T1016\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", 
"Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418017\",\n \"uniqueProcessId\": \"-4425300255829368536\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418017\",\n \"uniqueProcessId\": \"-4425300255829368536\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418017\",\n \"uniqueProcessId\": \"-4425300255829368536\"\n }\n }\n]", "Match_Details_match_hash_d": "2315280482", "Match_Details_match_properties_args_s": "netsh wlan show profiles ", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\netsh.exe", "Match_Details_match_properties_file_md5_g": "6f1e6dd6-8881-8bc3-d139-1d0cc7d597eb", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\netsh.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\cmd.exe /c netsh wlan show profiles | find \"Profile \"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "11488", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "3153282718564674483", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "7648", "Match_Details_match_properties_ppid_d": "11488", "Match_Details_match_properties_recorder_unique_id_s": "-4425300255829368536", 
"Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:04:51.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:06:30.498 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", 
"Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:09.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:04:52.000 PM", "Timestamp_s": "", "Alert_Id_g": "1be2ab35-d4c5-47e9-8cc4-0fe2fc379baf", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "12", "Intel_Labels_s": "Beta,Discovery,Windows", "Intel_Name_s": "Administrator Account Enumeration", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1087\",\"T1087.001\",\"T1087.002\",\"T1087.003\",\"T1069.001\",\"T1069.002\",\"T1069\",\"T1059\",\"T1059.003\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418043\",\n \"uniqueProcessId\": \"4183066693764420215\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418043\",\n \"uniqueProcessId\": \"4183066693764420215\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418043\",\n 
\"uniqueProcessId\": \"4183066693764420215\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418043\",\n \"uniqueProcessId\": \"4183066693764420215\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418043\",\n \"uniqueProcessId\": \"4183066693764420215\"\n }\n }\n]", "Match_Details_match_hash_d": "3230821812", "Match_Details_match_properties_args_s": "net localgroup Administrators ", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\net.exe", "Match_Details_match_properties_file_md5_g": "0bd94a33-8eea-5a4e-1f28-30ae326e6d19", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\net.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\sentinel.localuser\\Desktop\\winpeas.bat", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "8616", "Match_Details_match_properties_parent_ppid_d": "1392", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4938002612994826743", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "7240", "Match_Details_match_properties_ppid_d": "8616", "Match_Details_match_properties_recorder_unique_id_s": "4183066693764420215", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", 
"Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:04:53.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:06:30.498 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\sentinel.localuser\\\\Desktop\\\\winpeas.bat\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": 
\"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 8616,\n \"ppid\": 1392,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4938002612994826743\",\n \"start_time\": \"2022-09-08T13:00:09Z\",\n \"user\": \"WINDOWS10-03\\\\sentinel.localuser\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:04:51.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:04:51.000 PM", "Timestamp_s": "", "Alert_Id_g": "8bef093f-692d-478a-8bad-3afacfbe21aa", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "87", "Intel_Labels_s": "Beta,Discovery,Windows", "Intel_Name_s": "Domain Account Enumeration", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1087\",\"T1087.002\",\"T1069\",\"T1069.002\",\"T1059\",\"T1059.003\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", 
"Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418028\",\n \"uniqueProcessId\": \"4106360192675906684\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418028\",\n \"uniqueProcessId\": \"4106360192675906684\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418028\",\n \"uniqueProcessId\": \"4106360192675906684\"\n }\n }\n]", "Match_Details_match_hash_d": "1949462276", "Match_Details_match_properties_args_s": "C:\\Windows\\system32\\net1 user sentinel.localuser /domain ", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\net1.exe", "Match_Details_match_properties_file_md5_g": "55693df2-bb3c-be28-99df-ddf18b4eb8c9", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\net1.exe", "Match_Details_match_properties_parent_args_s": "net user sentinel.localuser /domain ", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\net.exe\",\n \"md5\": \"0bd94a338eea5a4e1f2830ae326e6d19\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\net.exe", "Match_Details_match_properties_parent_pid_d": "8208", "Match_Details_match_properties_parent_ppid_d": "8616", "Match_Details_match_properties_parent_recorder_unique_id_s": "1905556338809018826", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "5456", "Match_Details_match_properties_ppid_d": "8208", 
"Match_Details_match_properties_recorder_unique_id_s": "4106360192675906684", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:04:53.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:06:30.498 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", 
"Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:09.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:04:51.000 PM", "Timestamp_s": "", "Alert_Id_g": "61799e6b-b0c4-4bc8-9037-69fb57a6bc8d", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "87", "Intel_Labels_s": "Beta,Discovery,Windows", "Intel_Name_s": "Domain Account Enumeration", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1087\",\"T1087.002\",\"T1069\",\"T1069.002\",\"T1059\",\"T1059.003\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418027\",\n \"uniqueProcessId\": \"1905556338809018826\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418027\",\n \"uniqueProcessId\": \"1905556338809018826\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038418027\",\n \"uniqueProcessId\": \"1905556338809018826\"\n }\n }\n]", 
"Match_Details_match_hash_d": "1167360000", "Match_Details_match_properties_args_s": "net user sentinel.localuser /domain ", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\net.exe", "Match_Details_match_properties_file_md5_g": "0bd94a33-8eea-5a4e-1f28-30ae326e6d19", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\net.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\sentinel.localuser\\Desktop\\winpeas.bat", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "8616", "Match_Details_match_properties_parent_ppid_d": "1392", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4938002612994826743", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "8208", "Match_Details_match_properties_ppid_d": "8616", "Match_Details_match_properties_recorder_unique_id_s": "1905556338809018826", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:04:54.000 PM", "fake_b": "", "Type": 
"TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:06:30.498 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", 
"Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:09.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:05:54.000 PM", "Timestamp_s": "", "Alert_Id_g": "7a749c35-ff7e-4d34-8f63-5a783adde394", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "290", "Intel_Labels_s": "Beta,Persistence,Windows", "Intel_Name_s": "Reg Security Access", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1003\",\"T1003.002\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419113\",\n \"uniqueProcessId\": \"-250029935084291532\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419113\",\n \"uniqueProcessId\": \"-250029935084291532\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419113\",\n \"uniqueProcessId\": \"-250029935084291532\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": 
\"72057594038419113\",\n \"uniqueProcessId\": \"-250029935084291532\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419113\",\n \"uniqueProcessId\": \"-250029935084291532\"\n }\n }\n]", "Match_Details_match_hash_d": "2288963161", "Match_Details_match_properties_args_s": "reg restore HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\SecurityHealthService C:\\Users\\SENTIN~1.LOC\\AppData\\Local\\Temp\\reg.hiv ", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\reg.exe", "Match_Details_match_properties_file_md5_g": "227f63e1-d900-8b36-bdbc-c4b397780be4", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\reg.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\sentinel.localuser\\Desktop\\winpeas.bat", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "8616", "Match_Details_match_properties_parent_ppid_d": "1392", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4938002612994826743", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "8292", "Match_Details_match_properties_ppid_d": "8616", "Match_Details_match_properties_recorder_unique_id_s": "-250029935084291532", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", 
"Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:05:55.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:06:30.498 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", 
"Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:09.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:05:54.000 PM", "Timestamp_s": "", "Alert_Id_g": "432c45a7-878f-4eec-a7d7-523edacd2b0a", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "290", "Intel_Labels_s": "Beta,Persistence,Windows", "Intel_Name_s": "Reg Security Access", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1003\",\"T1003.002\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419110\",\n \"uniqueProcessId\": \"-167076374055872087\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419110\",\n \"uniqueProcessId\": \"-167076374055872087\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419110\",\n \"uniqueProcessId\": \"-167076374055872087\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": 
\"72057594038419110\",\n \"uniqueProcessId\": \"-167076374055872087\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419110\",\n \"uniqueProcessId\": \"-167076374055872087\"\n }\n }\n]", "Match_Details_match_hash_d": "3487117153", "Match_Details_match_properties_args_s": "reg save HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\SecurityHealthService C:\\Users\\SENTIN~1.LOC\\AppData\\Local\\Temp\\reg.hiv ", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\reg.exe", "Match_Details_match_properties_file_md5_g": "227f63e1-d900-8b36-bdbc-c4b397780be4", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\reg.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\sentinel.localuser\\Desktop\\winpeas.bat", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "8616", "Match_Details_match_properties_parent_ppid_d": "1392", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4938002612994826743", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "4132", "Match_Details_match_properties_ppid_d": "8616", "Match_Details_match_properties_recorder_unique_id_s": "-167076374055872087", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", 
"Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:05:56.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:06:30.498 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", 
"Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:09.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:05:53.000 PM", "Timestamp_s": "", "Alert_Id_g": "30660ee4-ff3b-415f-b7fa-c3f797bb5c38", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "289", "Intel_Labels_s": "Beta,Persistence,Windows", "Intel_Name_s": "Reg SAM Access", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1003\",\"T1003.002\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419085\",\n \"uniqueProcessId\": \"8120986372056386832\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419085\",\n \"uniqueProcessId\": \"8120986372056386832\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419085\",\n \"uniqueProcessId\": \"8120986372056386832\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": 
\"72057594038419085\",\n \"uniqueProcessId\": \"8120986372056386832\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419085\",\n \"uniqueProcessId\": \"8120986372056386832\"\n }\n }\n]", "Match_Details_match_hash_d": "2575937045", "Match_Details_match_properties_args_s": "reg restore HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\SamSs C:\\Users\\SENTIN~1.LOC\\AppData\\Local\\Temp\\reg.hiv ", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\reg.exe", "Match_Details_match_properties_file_md5_g": "227f63e1-d900-8b36-bdbc-c4b397780be4", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\reg.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\sentinel.localuser\\Desktop\\winpeas.bat", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "8616", "Match_Details_match_properties_parent_ppid_d": "1392", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4938002612994826743", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "8264", "Match_Details_match_properties_ppid_d": "8616", "Match_Details_match_properties_recorder_unique_id_s": "8120986372056386832", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", 
"Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:05:56.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:06:30.498 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", 
"Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:09.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:05:53.000 PM", "Timestamp_s": "", "Alert_Id_g": "e7f1cc5b-affd-49ec-a5a2-8351d368b34f", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "289", "Intel_Labels_s": "Beta,Persistence,Windows", "Intel_Name_s": "Reg SAM Access", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1003\",\"T1003.002\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419084\",\n \"uniqueProcessId\": \"5727620852369973606\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419084\",\n \"uniqueProcessId\": \"5727620852369973606\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419084\",\n \"uniqueProcessId\": \"5727620852369973606\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": 
\"72057594038419084\",\n \"uniqueProcessId\": \"5727620852369973606\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038419084\",\n \"uniqueProcessId\": \"5727620852369973606\"\n }\n }\n]", "Match_Details_match_hash_d": "1824123637", "Match_Details_match_properties_args_s": "reg save HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\SamSs C:\\Users\\SENTIN~1.LOC\\AppData\\Local\\Temp\\reg.hiv ", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\reg.exe", "Match_Details_match_properties_file_md5_g": "227f63e1-d900-8b36-bdbc-c4b397780be4", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\reg.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\sentinel.localuser\\Desktop\\winpeas.bat", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "8616", "Match_Details_match_properties_parent_ppid_d": "1392", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4938002612994826743", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "9268", "Match_Details_match_properties_ppid_d": "8616", "Match_Details_match_properties_recorder_unique_id_s": "5727620852369973606", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": 
"WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:05:56.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:08:40.666 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", 
"Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:09.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:07:08.000 PM", "Timestamp_s": "", "Alert_Id_g": "72018de9-506d-4b91-84fa-1684b86b23c8", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "50", "Intel_Labels_s": "Beta,Credential Access,Windows", "Intel_Name_s": "CmdKey Cached Credential Discovery", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1003\",\"T1059\",\"T1059.003\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038421062\",\n \"uniqueProcessId\": \"2619354398017900858\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038421062\",\n \"uniqueProcessId\": \"2619354398017900858\"\n }\n }\n]", "Match_Details_match_hash_d": "545288718", "Match_Details_match_properties_args_s": "cmdkey /list", "Match_Details_match_properties_cwd_s": "", 
"Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\cmdkey.exe", "Match_Details_match_properties_file_md5_g": "f9c20642-b4cf-ce45-17f4-f26b6305607c", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\cmdkey.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\sentinel.localuser\\Desktop\\winpeas.bat", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "8616", "Match_Details_match_properties_parent_ppid_d": "1392", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4938002612994826743", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "10736", "Match_Details_match_properties_ppid_d": "8616", "Match_Details_match_properties_recorder_unique_id_s": "2619354398017900858", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:07:08.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/8/2022, 1:08:40.666 PM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"md5\": \"b7f884c1b74a263f746ee12a5f7c9f6a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 1392,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"9154239389935249484\",\n \"start_time\": \"2022-08-23T03:17:29Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", 
"Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/8/2022, 1:00:09.000 PM", "Match_Details_match_properties_start_time_t [UTC]": "9/8/2022, 1:07:50.000 PM", "Timestamp_s": "", "Alert_Id_g": "83c3203c-f610-4eb2-a7ea-0eef0d47cc3b", "Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "113", "Intel_Labels_s": "Beta,Credential Access,Windows", "Intel_Name_s": "Findstr Credential Harvesting", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1555\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038421124\",\n \"uniqueProcessId\": \"8546482360695778373\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038421124\",\n \"uniqueProcessId\": \"8546482360695778373\"\n }\n }\n]", "Match_Details_match_hash_d": "495004442", "Match_Details_match_properties_args_s": "findstr /i \"DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName 
AltDefaultPassword LastUsedUsername\"", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\findstr.exe", "Match_Details_match_properties_file_md5_g": "804a6ae2-8e88-689e-0cf1-946a6cb3fee5", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\findstr.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\sentinel.localuser\\Desktop\\winpeas.bat", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"md5\": \"8a2122e8162dbef04694b9c3e0b6cdee\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\cmd.exe", "Match_Details_match_properties_parent_pid_d": "8616", "Match_Details_match_properties_parent_ppid_d": "1392", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4938002612994826743", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_properties_pid_d": "12028", "Match_Details_match_properties_ppid_d": "8616", "Match_Details_match_properties_recorder_unique_id_s": "8546482360695778373", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "WINDOWS10-03\\sentinel.localuser", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", "Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/8/2022, 1:07:51.000 PM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""},
{"TenantId": "71964b18-ce3b-4e88-a541-000000000000", "SourceSystem": "RestAPI", "MG": "", "ManagementGroupName": "", "TimeGenerated [UTC]": "9/9/2022, 10:38:55.044 AM", "Computer": "", "RawData": "", "Impact_Score_s": "", "Match_Details_match_properties_parent_parent_s": "{\n \"args\": \"\\\"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\SenseIR.exe\\\" \\\"OfflineSenseIR\\\" \\\"4744\\\" \\\"eyJDb21tYW5kSWQiOiIiLCJEb3dubG9hZEZpbGVBY3Rpb25Db25maWciOm51bGwsIkRvd25sb2FkVHJ1c3RlZENlcnRpZmljYXRlc0NoYWlucyI6bnVsbCwiRW5hYmxlU2xlZXBTdXNwZW5zaW9uIjowLCJNYXhXYWl0Rm9yTmV3QWN0aW9uc0luTXMiOjcyMDAwMCwiT3JnSWQiOiIiLCJSdW5Qc1NjcmlwdEFjdGlvbkNvbmZpZyI6eyJlbmFibGUiOnRydWV9LCJhY2NlcHRTaW11bGF0b3JTaWduaW5nIjowLCJvZmZsaW5lSXJQaXBlSGFuZGxlIjo0Mzk2fQ==\\\"\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\SenseIR.exe\",\n \"md5\": \"7af77c07e0e89d79669e948c420c514a\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\SenseIR.exe\",\n \"parent\": {\n \"args\": \"\\\"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\\\"\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\",\n \"md5\": null,\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\",\n \"parent\": {\n \"args\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"md5\": \"d8e577bf078c45954f4531885478d5a9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"parent\": {\n \"args\": \"wininit.exe\",\n \"cwd\": null,\n \"file\": {\n \"fullpath\": 
\"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"md5\": \"3588c1ac44dce86a043310b07679c508\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n },\n \"name\": \"C:\\\\Windows\\\\System32\\\\wininit.exe\",\n \"parent\": {\n \"pid\": null\n },\n \"pid\": 576,\n \"ppid\": 496,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7581750616344332456\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 668,\n \"ppid\": 576,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"4485425484471701646\",\n \"start_time\": \"2022-08-23T03:17:25Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 3284,\n \"ppid\": 668,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"-4759971972373353766\",\n \"start_time\": \"2022-08-23T03:17:32Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n },\n \"pid\": 6980,\n \"ppid\": 3284,\n \"recorder_table_id\": null,\n \"recorder_unique_id\": \"7956726007600511581\",\n \"start_time\": \"2022-09-09T10:37:13Z\",\n \"user\": \"NT AUTHORITY\\\\SYSTEM\"\n}", "Match_Details_finding_artifact_artifact_hash_s": "", "Match_Details_finding_artifact_instance_hash_s": "", "Match_Details_finding_artifact_windows_defender_event_event_s": "", "Match_Details_finding_artifact_windows_defender_event_timestamp_ms_s": "", "Match_Details_finding_description_s": "", "Match_Details_finding_first_seen_t [UTC]": "", "Match_Details_finding_hunt_id_s": "", "Match_Details_finding_intel_id_s": "", "Match_Details_finding_last_seen_t [UTC]": "", "Match_Details_finding_source_name_s": "", "Match_Details_finding_threat_id_s": "", "Match_Details_finding_whats_s": "", "Match_Details_match_properties_file_md5_s": "", "Match_Details_match_properties_md5_g": "", "Match_Details_match_properties_parent_start_time_t [UTC]": "9/9/2022, 10:37:25.000 AM", "Match_Details_match_properties_start_time_t [UTC]": "9/9/2022, 10:37:53.000 AM", "Timestamp_s": "", "Alert_Id_g": "b05c5cf6-ca12-42c2-b3ec-fcd76a5b2ba6", 
"Computer_IP_s": "10.0.0.7", "Computer_Name_s": "Windows10-03", "Impact_Score_d": "", "Intel_Id_d": "218", "Intel_Labels_s": "Beta,Discovery,Windows", "Intel_Name_s": "Netsh WLAN Discovery", "Intel_Type_s": "tanium-signal", "MITRE_Techniques_s": "[\"T1018\",\"T1016\"]", "Match_Details_finding_system_info_bits_d": "64", "Match_Details_finding_system_info_build_number_s": "19044", "Match_Details_finding_system_info_os_s": "Microsoft Windows 10 Pro", "Match_Details_finding_system_info_patch_level_s": "10.0.19044.0.0", "Match_Details_finding_system_info_platform_s": "Windows", "Match_Details_hash_d": "", "Match_Details_match_contexts_s": "[\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038447425\",\n \"uniqueProcessId\": \"-6785500880938882005\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038447425\",\n \"uniqueProcessId\": \"-6785500880938882005\"\n }\n },\n {\n \"event\": {},\n \"process\": {\n \"uniqueEventId\": \"72057594038447425\",\n \"uniqueProcessId\": \"-6785500880938882005\"\n }\n }\n]", "Match_Details_match_hash_d": "432794013", "Match_Details_match_properties_args_s": "\"C:\\Windows\\system32\\netsh.exe\" wlan show profiles", "Match_Details_match_properties_cwd_s": "", "Match_Details_match_properties_file_fullpath_s": "C:\\Windows\\System32\\netsh.exe", "Match_Details_match_properties_file_md5_g": "6f1e6dd6-8881-8bc3-d139-1d0cc7d597eb", "Match_Details_match_properties_fullpath_s": "", "Match_Details_match_properties_md5_s": "", "Match_Details_match_properties_name_s": "C:\\Windows\\System32\\netsh.exe", "Match_Details_match_properties_parent_args_s": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat 
Protection\\DataCollection\\8099.7816591.0.7816591-086d6612f6cd55108ad5725a0f11912b841da429\\43757d5a-50e1-49d2-8977-94dbc97b1271.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\8099.7816591.0.7816591-086d6612f6cd55108ad5725a0f11912b841da429\\43757d5a-50e1-49d2-8977-94dbc97b1271.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '3b6f6d9d53d180e0c837c71f7fc645509e8c8924f22ff0d3413958cbfd5acad6')) { exit 323;}; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\8099.7816591.0.7816591-086d6612f6cd55108ad5725a0f11912b841da429\\43757d5a-50e1-49d2-8977-94dbc97b1271.ps1' }\"", "Match_Details_match_properties_parent_file_s": "{\n \"fullpath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n \"md5\": \"04029e121a0cfa5991749937dd22a1d9\",\n \"sha1\": null,\n \"sha256\": null,\n \"size\": null\n}", "Match_Details_match_properties_parent_name_s": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Match_Details_match_properties_parent_pid_d": "7532", "Match_Details_match_properties_parent_ppid_d": "6980", "Match_Details_match_properties_parent_recorder_unique_id_s": "-4257645994146856134", "Match_Details_match_properties_parent_start_time_s": "", "Match_Details_match_properties_parent_user_s": "NT AUTHORITY\\SYSTEM", "Match_Details_match_properties_pid_d": "7484", "Match_Details_match_properties_ppid_d": "7532", "Match_Details_match_properties_recorder_unique_id_s": "-6785500880938882005", "Match_Details_match_properties_sha1_s": "", "Match_Details_match_properties_sha256_s": "", "Match_Details_match_properties_size_d": "", "Match_Details_match_properties_start_time_s": "", "Match_Details_match_properties_user_s": "NT AUTHORITY\\SYSTEM", "Match_Details_match_source_s": "signals", "Match_Details_match_type_s": "process", 
"Match_Details_match_version_d": "1", "Match_Details_service_id_g": "40f73c85-3576-4ed3-b451-37af3f5daa62", "Timestamp_t [UTC]": "9/9/2022, 10:38:01.000 AM", "fake_b": "", "Type": "TaniumThreatResponse_CL", "_ResourceId": ""}
]