Closed shahrokhnik closed 2 years ago
Hello everyone
indextime ((sysmon event_id=1) OR (windows-security event_id=4688)) (process_name="CMSTP.exe") | eval mitre_category="Defense_Evasion,Execution" | eval mitre_technique="CMSTP"| eval mitre_technique_id="T1191" | eval hash_sha256= lower(hash_sha256) | process_create_whitelist | eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid parent_user_name mitre_category mitre_technique mitre_technique_id hunting_trigger | collect threathunting_index
indextime
sysmon
windows-security
process_create_whitelist
threathunting_index
| eval mitre_technique="CMSTP"| eval mitre_technique_id="T1191" need to edit please delete \ after "CMSTP"\ before | eval
fixing it now, thanks!
olafhartong
commented
2 years ago olafhartong
commented
2 years ago
Hello everyone
indextime((sysmonevent_id=1) OR (windows-securityevent_id=4688)) (process_name="CMSTP.exe") | eval mitre_category="Defense_Evasion,Execution" | eval mitre_technique="CMSTP"| eval mitre_technique_id="T1191" | eval hash_sha256= lower(hash_sha256) |process_create_whitelist| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid parent_user_name mitre_category mitre_technique mitre_technique_id hunting_trigger | collectthreathunting_index| eval mitre_technique="CMSTP"| eval mitre_technique_id="T1191" need to edit please delete \ after "CMSTP"\ before | eval