[
{
"detectionTime": "2023-02-22T06:00:20Z",
"endpoint": {
"name": "MSEDGEWIN10",
"guid": "fbc58859-5e6b-4912-a6af-4492d6dfdcdc",
"ips": [
"fdb2:2c26:f4e4:0:6cbb:3e63:9509:73f3",
"fdb2:2c26:f4e4:0:c9ef:78d7:da3f:ab80",
"fe80::6cbb:3e63:9509:73f3",
"10.211.55.36"
]
},
"filters": [
{
"id": "F3965",
"unique_id": "4574679d-50ee-4422-ba27-0ff86743c5e9",
"level": "medium",
"name": "Demo - Copying Of NTDS File",
"description": "Copy operation on the ntds.dit Active Directory database file, a possible precursor to credential dumping (OS Credential Dumping: NTDS)",
"tactics": [
"TA0006"
],
"techniques": [
"T1003.003",
"T1003.002"
],
"highlightedObjects": [
{
"field": "objectCmd",
"type": "command_line",
"value": "C:\\Windows\\System32\\cmd.exe /c echo \"copy C:\\Windows\\NTDS\\ntds.dit C:\\trend-micro-test\\ntds.dit\""
}
]
}
],
"entityType": "endpoint",
"entityName": "MSEDGEWIN10",
"detail": {
"endpointHostName": "MSEDGEWIN10",
"endpointIp": [
"10.211.55.36"
],
"logonUser": [
"IEUser"
],
"processFilePath": "C:\\Windows\\System32\\cmd.exe",
"processCmd": "C:\\Windows\\System32\\cmd.exe /c \"\"C:\\test\\T1003_Demo_Script\\T1003_Demo_Script.bat\" \"",
"eventSubId": "TELEMETRY_PROCESS_CREATE",
"objectFilePath": "C:\\Windows\\System32\\cmd.exe",
"objectCmd": "C:\\Windows\\System32\\cmd.exe /c echo \"copy C:\\Windows\\NTDS\\ntds.dit C:\\trend-micro-test\\ntds.dit\"",
"tags": [
"MITREV9.T1003.003",
"MITRE.T1003",
"MITREV9.T1003.002",
"BAS.TMDEMOKIT",
"XSAE.F3965"
],
"endpointGuid": "fbc58859-5e6b-4912-a6af-4492d6dfdcdc",
"authId": 386293,
"endpointMacAddress": [
"00:16:00:00:d3:bd"
],
"eventHashId": 4418125315942032208,
"eventId": "TELEMETRY_PROCESS",
"eventTime": 1677045620000,
"eventTimeDT": "2023-02-22T06:00:20Z",
"filterRiskLevel": "medium",
"firstSeen": "2023-02-22T06:00:20Z",
"integrityLevel": 8192,
"lastSeen": "2023-02-22T06:00:20Z",
"objectAuthId": 386293,
"objectFileCreation": 1536996518122,
"objectFileHashId": 4782316872209302322,
"objectFileHashMd5": "0d088f5bcfa8f086fba163647cd80cab",
"objectFileHashSha1": "08cc2e8dca652bdda1acca9c446560d4bc1bcdf9",
"objectFileHashSha256": "9023f8aaeda4a1da45ac477a81b5bbe4128e413f19a0abfa3715465ad66ed5cd",
"objectFileModifiedTime": 1536996518122,
"objectFileSize": 278528,
"objectHashId": -2146836458858967096,
"objectIntegrityLevel": 8192,
"objectLaunchTime": 1677045620,
"objectName": "C:\\Windows\\System32\\cmd.exe",
"objectPid": 9500,
"objectRunAsLocalAccount": false,
"objectSessionId": 1,
"objectSigner": [
"Microsoft Windows"
],
"objectSignerValid": [
true
],
"objectTrueType": 7,
"objectUser": "IEUser",
"objectUserDomain": "MSEDGEWIN10",
"osDescription": "Windows 10 Enterprise Evaluation (64 bit) build 17763",
"osName": "Windows",
"osType": "0x00000048",
"osVer": "10.0.17763",
"parentAuthId": 386293,
"parentCmd": "C:\\Windows\\Explorer.EXE",
"parentFileCreation": 1553132717182,
"parentFileHashId": 1767110345653159701,
"parentFileHashMd5": "2f62005fcea7430bb871a56f7700f81c",
"parentFileHashSha1": "3eb9d6f8f4448cb1fd6478189edebe3d70477ea7",
"parentFileHashSha256": "b759293373a11d1a972873a902bc64b2c9690ab947ce4a185cd047195521296d",
"parentFileModifiedTime": 1553132717263,
"parentFilePath": "C:\\Windows\\explorer.exe",
"parentFileSize": 4245280,
"parentHashId": -2921754637389220348,
"parentIntegrityLevel": 8192,
"parentLaunchTime": 1677045620,
"parentName": "C:\\Windows\\explorer.exe",
"parentPid": 5368,
"parentSessionId": 1,
"parentSigner": [
"Microsoft Windows"
],
"parentSignerValid": [
true
],
"parentTrueType": 7,
"parentUser": "IEUser",
"parentUserDomain": "MSEDGEWIN10",
"plang": 1,
"pname": "751",
"pplat": 5889,
"processFileCreation": 1536996518122,
"processFileHashId": 4782316872209302322,
"processFileHashMd5": "0d088f5bcfa8f086fba163647cd80cab",
"processFileHashSha1": "08cc2e8dca652bdda1acca9c446560d4bc1bcdf9",
"processFileHashSha256": "9023f8aaeda4a1da45ac477a81b5bbe4128e413f19a0abfa3715465ad66ed5cd",
"processFileModifiedTime": 1536996518122,
"processFileSize": 278528,
"processHashId": -663364825149102003,
"processLaunchTime": 1677045620,
"processName": "C:\\Windows\\System32\\cmd.exe",
"processPid": 3612,
"processSigner": [
"Microsoft Windows"
],
"processSignerValid": [
true
],
"processTrueType": 7,
"processUser": "IEUser",
"processUserDomain": "MSEDGEWIN10",
"productCode": "xes",
"pver": "1.1.0.1762",
"sessionId": 1,
"timezone": "UTC+08:00",
"userDomain": [
"MSEDGEWIN10"
],
"uuid": "76c2fafc-e810-46cd-a7db-dd4169c2d69a"
}
}
]