Closed CHRISTENLYNN closed 4 months ago
4.B.2 - powershell.exe downloads smrs.exe from 192.168.0.4
Just file creation event. No correlation to tell that the file might have been downloaded from elsewhere
{"_index":"wazuh-archives-4.x-2021.09.14","_type":"_doc","_id":"7X_f5XsBp_s9Frc2FhG6","_version":1,"_score":null,"_source":{"agent":{"ip":"192.168.0.121","name":"hrmanager","id":"013"},"manager":{"name":"localhost2.localdomain"},"data":{"win":{"eventdata":{"image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","processGuid":"{4dc16835-fc27-6140-8277-6d0000000000}","processId":"6760","utcTime":"2021-09-14 19:53:24.762","targetFilename":"C:\\\\Users\\\\AtomicRed\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\smrs.exe","creationUtcTime":"2021-09-14 19:53:24.762"},"system":{"eventID":"11","keywords":"0x8000000000000000","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","level":"4","channel":"Microsoft-Windows-Sysmon/Operational","opcode":"0","message":"\"File created:\r\nRuleName: -\r\nUtcTime: 2021-09-14 19:53:24.762\r\nProcessGuid: {4dc16835-fc27-6140-8277-6d0000000000}\r\nProcessId: 6760\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nTargetFilename: C:\\Users\\AtomicRed\\AppData\\Roaming\\TransbaseOdbcDriver\\smrs.exe\r\nCreationUtcTime: 2021-09-14 19:53:24.762\"","version":"2","systemTime":"2021-09-14T19:53:24.7669962Z","eventRecordID":"359844","threadID":"3756","computer":"hrmanager.ExchangeTest.com","task":"11","processID":"2664","severityValue":"INFORMATION","providerName":"Microsoft-Windows-Sysmon"}}},"decoder":{"name":"windows_eventchannel"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"11\",\"version\":\"2\",\"level\":\"4\",\"task\":\"11\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-09-14T19:53:24.7669962Z\",\"eventRecordID\":\"359844\",\"processID\":\"2664\",\"threadID\":\"3756\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"hrmanager.ExchangeTest.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"File created:\\r\\nRuleName: -\\r\\nUtcTime: 2021-09-14 19:53:24.762\\r\\nProcessGuid: {4dc16835-fc27-6140-8277-6d0000000000}\\r\\nProcessId: 6760\\r\\nImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nTargetFilename: C:\\\\Users\\\\AtomicRed\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\smrs.exe\\r\\nCreationUtcTime: 2021-09-14 19:53:24.762\\\"\"},\"eventdata\":{\"utcTime\":\"2021-09-14 19:53:24.762\",\"processGuid\":\"{4dc16835-fc27-6140-8277-6d0000000000}\",\"processId\":\"6760\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\",\"targetFilename\":\"C:\\\\\\\\Users\\\\\\\\AtomicRed\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\TransbaseOdbcDriver\\\\\\\\smrs.exe\",\"creationUtcTime\":\"2021-09-14 19:53:24.762\"}}}","input":{"type":"log"},"@timestamp":"2021-09-14T19:53:25.428Z","location":"EventChannel","id":"1631649205.584696","timestamp":"2021-09-14T16:53:25.428-0300"},"fields":{"@timestamp":["2021-09-14T19:53:25.428Z"],"timestamp":["2021-09-14T19:53:25.428Z"]},"highlight":{"data.win.eventdata.processId":["@kibana-highlighted-field@6760@/kibana-highlighted-field@"]},"sort":[1631649205428]}
Originally posted by @fabamatic in https://github.com/wazuh/wazuh/issues/9064#issuecomment-919469012
4.B.2 - powershell.exe downloads smrs.exe from 192.168.0.4
Just file creation event. No correlation to tell that the file might have been downloaded from elsewhere
Originally posted by @fabamatic in https://github.com/wazuh/wazuh/issues/9064#issuecomment-919469012