firecat53 / urlscan

Mutt and terminal url selector (similar to urlview)
GNU General Public License v2.0

4.B.5 - fodhelper.exe spawns cmd.exe as a high-integrity process #148

Closed CHRISTENLYNN closed 4 months ago

CHRISTENLYNN commented 4 months ago

4.B.5 - fodhelper.exe spawns cmd.exe as a high-integrity process

{"_index":"wazuh-archives-4.x-2021.09.14","_type":"_doc","_id":"Yn_s5XsBp_s9Frc2iSPB","_version":1,"_score":null,"_source":{"agent":{"ip":"192.168.0.121","name":"hrmanager","id":"013"},"manager":{"name":"localhost2.localdomain"},"data":{"win":{"eventdata":{"originalFileName":"Cmd.Exe","image":"C:\\\\Windows\\\\System32\\\\cmd.exe","product":"Microsoft® Windows® Operating System","parentProcessGuid":"{4dc16835-0127-6141-4fd9-de0000000000}","description":"Windows Command Processor","logonGuid":"{4dc16835-face-6140-b05f-3d0000000000}","parentCommandLine":"\\\"C:\\\\Windows\\\\system32\\\\fodhelper.exe\\\"","processGuid":"{4dc16835-0127-6141-68f0-de0000000000}","logonId":"0x3d5fb0","parentProcessId":"6072","processId":"5336","currentDirectory":"C:\\\\Users\\\\AtomicRed\\\\Downloads\\\\","utcTime":"2021-09-14 20:08:07.789","hashes":"SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18","parentImage":"C:\\\\Windows\\\\System32\\\\fodhelper.exe","ruleName":"technique_id=T1548.002,technique_name=Bypass User Access Control","company":"Microsoft Corporation","commandLine":"\\\"cmd.exe\\\" /C C:\\\\Users\\\\kmitnick.FINANCIAL\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\smrs.exe > C:\\\\Users\\\\kmitnick.financial\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\MGsCOxPSNK.txt","integrityLevel":"High","fileVersion":"10.0.19041.746 (WinBuild.160101.0800)","user":"EXCHANGETEST\\\\AtomicRed","terminalSessionId":"2"},"system":{"eventID":"1","keywords":"0x8000000000000000","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","level":"4","channel":"Microsoft-Windows-Sysmon/Operational","opcode":"0","message":"\"Process Create:\r\nRuleName: technique_id=T1548.002,technique_name=Bypass User Access Control\r\nUtcTime: 2021-09-14 20:08:07.789\r\nProcessGuid: {4dc16835-0127-6141-68f0-de0000000000}\r\nProcessId: 5336\r\nImage: 
C:\\Windows\\System32\\cmd.exe\r\nFileVersion: 10.0.19041.746 (WinBuild.160101.0800)\r\nDescription: Windows Command Processor\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: Cmd.Exe\r\nCommandLine: \"cmd.exe\" /C C:\\Users\\kmitnick.FINANCIAL\\AppData\\Roaming\\TransbaseOdbcDriver\\smrs.exe > C:\\Users\\kmitnick.financial\\AppData\\Roaming\\TransbaseOdbcDriver\\MGsCOxPSNK.txt\r\nCurrentDirectory: C:\\Users\\AtomicRed\\Downloads\\\r\nUser: EXCHANGETEST\\AtomicRed\r\nLogonGuid: {4dc16835-face-6140-b05f-3d0000000000}\r\nLogonId: 0x3D5FB0\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18\r\nParentProcessGuid: {4dc16835-0127-6141-4fd9-de0000000000}\r\nParentProcessId: 6072\r\nParentImage: C:\\Windows\\System32\\fodhelper.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\fodhelper.exe\" \"","version":"5","systemTime":"2021-09-14T20:08:07.7990760Z","eventRecordID":"360362","threadID":"3756","computer":"hrmanager.ExchangeTest.com","task":"1","processID":"2664","severityValue":"INFORMATION","providerName":"Microsoft-Windows-Sysmon"}}},"decoder":{"name":"windows_eventchannel"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-09-14T20:08:07.7990760Z\",\"eventRecordID\":\"360362\",\"processID\":\"2664\",\"threadID\":\"3756\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"hrmanager.ExchangeTest.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1548.002,technique_name=Bypass User Access Control\\r\\nUtcTime: 2021-09-14 
20:08:07.789\\r\\nProcessGuid: {4dc16835-0127-6141-68f0-de0000000000}\\r\\nProcessId: 5336\\r\\nImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nFileVersion: 10.0.19041.746 (WinBuild.160101.0800)\\r\\nDescription: Windows Command Processor\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: Cmd.Exe\\r\\nCommandLine: \\\"cmd.exe\\\" /C C:\\\\Users\\\\kmitnick.FINANCIAL\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\smrs.exe > C:\\\\Users\\\\kmitnick.financial\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\MGsCOxPSNK.txt\\r\\nCurrentDirectory: C:\\\\Users\\\\AtomicRed\\\\Downloads\\\\\\r\\nUser: EXCHANGETEST\\\\AtomicRed\\r\\nLogonGuid: {4dc16835-face-6140-b05f-3d0000000000}\\r\\nLogonId: 0x3D5FB0\\r\\nTerminalSessionId: 2\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18\\r\\nParentProcessGuid: {4dc16835-0127-6141-4fd9-de0000000000}\\r\\nParentProcessId: 6072\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\fodhelper.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\fodhelper.exe\\\" \\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1548.002,technique_name=Bypass User Access Control\",\"utcTime\":\"2021-09-14 20:08:07.789\",\"processGuid\":\"{4dc16835-0127-6141-68f0-de0000000000}\",\"processId\":\"5336\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"fileVersion\":\"10.0.19041.746 (WinBuild.160101.0800)\",\"description\":\"Windows Command Processor\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"Cmd.Exe\",\"commandLine\":\"\\\\\\\"cmd.exe\\\\\\\" /C C:\\\\\\\\Users\\\\\\\\kmitnick.FINANCIAL\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\TransbaseOdbcDriver\\\\\\\\smrs.exe > 
C:\\\\\\\\Users\\\\\\\\kmitnick.financial\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\TransbaseOdbcDriver\\\\\\\\MGsCOxPSNK.txt\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\AtomicRed\\\\\\\\Downloads\\\\\\\\\",\"user\":\"EXCHANGETEST\\\\\\\\AtomicRed\",\"logonGuid\":\"{4dc16835-face-6140-b05f-3d0000000000}\",\"logonId\":\"0x3d5fb0\",\"terminalSessionId\":\"2\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18\",\"parentProcessGuid\":\"{4dc16835-0127-6141-4fd9-de0000000000}\",\"parentProcessId\":\"6072\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\fodhelper.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\fodhelper.exe\\\\\\\"\"}}}","input":{"type":"log"},"@timestamp":"2021-09-14T20:08:07.696Z","location":"EventChannel","id":"1631650087.1001913","timestamp":"2021-09-14T17:08:07.696-0300"},"fields":{"@timestamp":["2021-09-14T20:08:07.696Z"],"timestamp":["2021-09-14T20:08:07.696Z"]},"highlight":{"full_log":["{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-09-14T20:08:07.7990760Z\",\"eventRecordID\":\"360362\",\"processID\":\"2664\",\"threadID\":\"3756\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"hrmanager.ExchangeTest.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1548.002,technique_name=Bypass User Access Control\\r\\nUtcTime: 2021-09-14 20:08:07.789\\r\\nProcessGuid: {4dc16835-0127-6141-68f0-de0000000000}\\r\\nProcessId: 5336\\r\\nImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nFileVersion: 10.0.19041.746 
(WinBuild.160101.0800)\\r\\nDescription: Windows Command Processor\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: Cmd.Exe\\r\\nCommandLine: \\\"cmd.exe\\\" /C C:\\\\Users\\\\kmitnick.FINANCIAL\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\smrs.exe > C:\\\\Users\\\\kmitnick.financial\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\MGsCOxPSNK.txt\\r\\nCurrentDirectory: C:\\\\Users\\\\AtomicRed\\\\Downloads\\\\\\r\\nUser: EXCHANGETEST\\\\AtomicRed\\r\\nLogonGuid: {4dc16835-face-6140-b05f-3d0000000000}\\r\\nLogonId: 0x3D5FB0\\r\\nTerminalSessionId: 2\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18\\r\\nParentProcessGuid: {4dc16835-0127-6141-4fd9-de0000000000}\\r\\nParentProcessId: 6072\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\@kibana-highlighted-field@fodhelper.exe@/kibana-highlighted-field@\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\@kibana-highlighted-field@fodhelper.exe@/kibana-highlighted-field@\\\" \\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1548.002,technique_name=Bypass User Access Control\",\"utcTime\":\"2021-09-14 20:08:07.789\",\"processGuid\":\"{4dc16835-0127-6141-68f0-de0000000000}\",\"processId\":\"5336\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"fileVersion\":\"10.0.19041.746 (WinBuild.160101.0800)\",\"description\":\"Windows Command Processor\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"Cmd.Exe\",\"commandLine\":\"\\\\\\\"cmd.exe\\\\\\\" /C C:\\\\\\\\Users\\\\\\\\kmitnick.FINANCIAL\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\TransbaseOdbcDriver\\\\\\\\smrs.exe > 
C:\\\\\\\\Users\\\\\\\\kmitnick.financial\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\TransbaseOdbcDriver\\\\\\\\MGsCOxPSNK.txt\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\AtomicRed\\\\\\\\Downloads\\\\\\\\\",\"user\":\"EXCHANGETEST\\\\\\\\AtomicRed\",\"logonGuid\":\"{4dc16835-face-6140-b05f-3d0000000000}\",\"logonId\":\"0x3d5fb0\",\"terminalSessionId\":\"2\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18\",\"parentProcessGuid\":\"{4dc16835-0127-6141-4fd9-de0000000000}\",\"parentProcessId\":\"6072\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\@kibana-highlighted-field@fodhelper.exe@/kibana-highlighted-field@\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\@kibana-highlighted-field@fodhelper.exe@/kibana-highlighted-field@\\\\\\\"\"}}}"]},"sort":[1631650087696]}

Originally posted by @fabamatic in https://github.com/wazuh/wazuh/issues/9064#issuecomment-919485566