firecat53 / urlscan

Mutt and terminal url selector (similar to urlview)

4.B.3 - powershell.exe executes rad353F7.ps1 #150

Closed CHRISTENLYNN closed 2 months ago

CHRISTENLYNN commented 2 months ago

4.B.3 - powershell.exe executes rad353F7.ps1

{"_index":"wazuh-archives-4.x-2021.09.14","_type":"_doc","_id":"RH_s5XsBp_s9Frc2gSMj","_version":1,"_score":null,"_source":{"agent":{"ip":"192.168.0.121","name":"hrmanager","id":"013"},"manager":{"name":"localhost2.localdomain"},"data":{"win":{"eventdata":{"originalFileName":"PowerShell.EXE","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","product":"Microsoft® Windows® Operating System","parentProcessGuid":"{4dc16835-fc27-6140-8277-6d0000000000}","description":"Windows PowerShell","logonGuid":"{4dc16835-face-6140-b05f-3d0000000000}","parentCommandLine":"powershell  -ExecutionPolicy Bypass -NoExit .\\\\meta.ps1","processGuid":"{4dc16835-0124-6141-07ac-de0000000000}","logonId":"0x3d5fb0","parentProcessId":"6760","processId":"7152","currentDirectory":"C:\\\\Users\\\\AtomicRed\\\\Downloads\\\\","utcTime":"2021-09-14 20:08:04.834","hashes":"SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7","parentImage":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","ruleName":"technique_id=T1086,technique_name=PowerShell","company":"Microsoft Corporation","commandLine":"powershell.exe -c C:\\\\Users\\\\AtomicRed\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\rad353F7.ps1","integrityLevel":"High","fileVersion":"10.0.19041.546 (WinBuild.160101.0800)","user":"EXCHANGETEST\\\\AtomicRed","terminalSessionId":"2"},"system":{"eventID":"1","keywords":"0x8000000000000000","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","level":"4","channel":"Microsoft-Windows-Sysmon/Operational","opcode":"0","message":"\"Process Create:\r\nRuleName: technique_id=T1086,technique_name=PowerShell\r\nUtcTime: 2021-09-14 20:08:04.834\r\nProcessGuid: {4dc16835-0124-6141-07ac-de0000000000}\r\nProcessId: 7152\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nFileVersion: 
10.0.19041.546 (WinBuild.160101.0800)\r\nDescription: Windows PowerShell\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: PowerShell.EXE\r\nCommandLine: powershell.exe -c C:\\Users\\AtomicRed\\AppData\\Roaming\\TransbaseOdbcDriver\\rad353F7.ps1\r\nCurrentDirectory: C:\\Users\\AtomicRed\\Downloads\\\r\nUser: EXCHANGETEST\\AtomicRed\r\nLogonGuid: {4dc16835-face-6140-b05f-3d0000000000}\r\nLogonId: 0x3D5FB0\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7\r\nParentProcessGuid: {4dc16835-fc27-6140-8277-6d0000000000}\r\nParentProcessId: 6760\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: powershell  -ExecutionPolicy Bypass -NoExit .\\meta.ps1\"","version":"5","systemTime":"2021-09-14T20:08:04.8361828Z","eventRecordID":"360340","threadID":"3756","computer":"hrmanager.ExchangeTest.com","task":"1","processID":"2664","severityValue":"INFORMATION","providerName":"Microsoft-Windows-Sysmon"}}},"decoder":{"name":"windows_eventchannel"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-09-14T20:08:04.8361828Z\",\"eventRecordID\":\"360340\",\"processID\":\"2664\",\"threadID\":\"3756\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"hrmanager.ExchangeTest.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1086,technique_name=PowerShell\\r\\nUtcTime: 2021-09-14 20:08:04.834\\r\\nProcessGuid: {4dc16835-0124-6141-07ac-de0000000000}\\r\\nProcessId: 7152\\r\\nImage: 
C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nFileVersion: 10.0.19041.546 (WinBuild.160101.0800)\\r\\nDescription: Windows PowerShell\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: PowerShell.EXE\\r\\nCommandLine: powershell.exe -c C:\\\\Users\\\\AtomicRed\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\rad353F7.ps1\\r\\nCurrentDirectory: C:\\\\Users\\\\AtomicRed\\\\Downloads\\\\\\r\\nUser: EXCHANGETEST\\\\AtomicRed\\r\\nLogonGuid: {4dc16835-face-6140-b05f-3d0000000000}\\r\\nLogonId: 0x3D5FB0\\r\\nTerminalSessionId: 2\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7\\r\\nParentProcessGuid: {4dc16835-fc27-6140-8277-6d0000000000}\\r\\nParentProcessId: 6760\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nParentCommandLine: powershell  -ExecutionPolicy Bypass -NoExit .\\\\meta.ps1\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1086,technique_name=PowerShell\",\"utcTime\":\"2021-09-14 20:08:04.834\",\"processGuid\":\"{4dc16835-0124-6141-07ac-de0000000000}\",\"processId\":\"7152\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\",\"fileVersion\":\"10.0.19041.546 (WinBuild.160101.0800)\",\"description\":\"Windows PowerShell\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"PowerShell.EXE\",\"commandLine\":\"powershell.exe -c 
C:\\\\\\\\Users\\\\\\\\AtomicRed\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\TransbaseOdbcDriver\\\\\\\\rad353F7.ps1\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\AtomicRed\\\\\\\\Downloads\\\\\\\\\",\"user\":\"EXCHANGETEST\\\\\\\\AtomicRed\",\"logonGuid\":\"{4dc16835-face-6140-b05f-3d0000000000}\",\"logonId\":\"0x3d5fb0\",\"terminalSessionId\":\"2\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7\",\"parentProcessGuid\":\"{4dc16835-fc27-6140-8277-6d0000000000}\",\"parentProcessId\":\"6760\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\",\"parentCommandLine\":\"powershell  -ExecutionPolicy Bypass -NoExit .\\\\\\\\meta.ps1\"}}}","input":{"type":"log"},"@timestamp":"2021-09-14T20:08:05.509Z","location":"EventChannel","id":"1631650085.1001471","timestamp":"2021-09-14T17:08:05.509-0300"},"fields":{"@timestamp":["2021-09-14T20:08:05.509Z"],"timestamp":["2021-09-14T20:08:05.509Z"]},"highlight":{"full_log":["{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-09-14T20:08:04.8361828Z\",\"eventRecordID\":\"360340\",\"processID\":\"2664\",\"threadID\":\"3756\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"hrmanager.ExchangeTest.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1086,technique_name=PowerShell\\r\\nUtcTime: 2021-09-14 20:08:04.834\\r\\nProcessGuid: {4dc16835-0124-6141-07ac-de0000000000}\\r\\nProcessId: 7152\\r\\nImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nFileVersion: 10.0.19041.546 
(WinBuild.160101.0800)\\r\\nDescription: Windows PowerShell\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: PowerShell.EXE\\r\\nCommandLine: powershell.exe -c C:\\\\Users\\\\AtomicRed\\\\AppData\\\\Roaming\\\\TransbaseOdbcDriver\\\\@kibana-highlighted-field@rad353F7@/kibana-highlighted-field@.ps1\\r\\nCurrentDirectory: C:\\\\Users\\\\AtomicRed\\\\Downloads\\\\\\r\\nUser: EXCHANGETEST\\\\AtomicRed\\r\\nLogonGuid: {4dc16835-face-6140-b05f-3d0000000000}\\r\\nLogonId: 0x3D5FB0\\r\\nTerminalSessionId: 2\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7\\r\\nParentProcessGuid: {4dc16835-fc27-6140-8277-6d0000000000}\\r\\nParentProcessId: 6760\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nParentCommandLine: powershell  -ExecutionPolicy Bypass -NoExit .\\\\meta.ps1\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1086,technique_name=PowerShell\",\"utcTime\":\"2021-09-14 20:08:04.834\",\"processGuid\":\"{4dc16835-0124-6141-07ac-de0000000000}\",\"processId\":\"7152\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\",\"fileVersion\":\"10.0.19041.546 (WinBuild.160101.0800)\",\"description\":\"Windows PowerShell\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"PowerShell.EXE\",\"commandLine\":\"powershell.exe -c 
C:\\\\\\\\Users\\\\\\\\AtomicRed\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\TransbaseOdbcDriver\\\\\\\\@kibana-highlighted-field@rad353F7@/kibana-highlighted-field@.ps1\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\AtomicRed\\\\\\\\Downloads\\\\\\\\\",\"user\":\"EXCHANGETEST\\\\\\\\AtomicRed\",\"logonGuid\":\"{4dc16835-face-6140-b05f-3d0000000000}\",\"logonId\":\"0x3d5fb0\",\"terminalSessionId\":\"2\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7\",\"parentProcessGuid\":\"{4dc16835-fc27-6140-8277-6d0000000000}\",\"parentProcessId\":\"6760\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\",\"parentCommandLine\":\"powershell  -ExecutionPolicy Bypass -NoExit .\\\\\\\\meta.ps1\"}}}"]},"sort":[1631650085509]}

Originally posted by @fabamatic in https://github.com/wazuh/wazuh/issues/9064#issuecomment-919478349