sagbeyemi / DLL-Hijacking


rundll32.exe elevated privilege #1

Open sagbeyemi opened 2 years ago

sagbeyemi commented 2 years ago

Sysmon Event ID 1 (process create) for rundll32.exe spawned by C:\Windows\System32\msdtc.exe, tagged T1218.002. Note the execution context: the child runs as NT AUTHORITY\NETWORK SERVICE in session 0 with IntegrityLevel "System" — the MSDTC service account, not SYSTEM or an administrator — and its command line is a bare `rundll32.exe` with no DLL/export argument, which is itself anomalous and a useful detection signal. This event only shows the parent/child chain, not which DLL was loaded; a Sysmon Event ID 7 (ImageLoad) for the msdtc.exe / rundll32.exe process would be needed to confirm the hijacked DLL path and its signature status.


{
  "_index": "wazuh-archives-4.x-2022.07.14",
  "_type": "_doc",
  "_id": "NnDT-4EByFMBBPzyxS-s",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "192.168.77.154",
      "name": "DESKTOP-UAUGUD7",
      "id": "008"
    },
    "manager": {
      "name": "wazuh-server"
    },
    "data": {
      "win": {
        "eventdata": {
          "originalFileName": "RUNDLL32.EXE",
          "image": "C:\\\\Windows\\\\System32\\\\rundll32.exe",
          "product": "Microsoft® Windows® Operating System",
          "parentProcessGuid": "{8782dc1f-d3e3-62cf-0d01-000000001700}",
          "description": "Windows host process (Rundll32)",
          "logonGuid": "{8782dc1f-d212-62cf-e403-000000000000}",
          "parentCommandLine": "C:\\\\Windows\\\\System32\\\\msdtc.exe",
          "processGuid": "{8782dc1f-d3e3-62cf-0e01-000000001700}",
          "logonId": "0x3e4",
          "parentProcessId": "7660",
          "processId": "7456",
          "currentDirectory": "C:\\\\Windows\\\\system32\\\\",
          "utcTime": "2022-07-14 08:29:23.481",
          "hashes": "SHA1=DD399AE46303343F9F0DA189AEE11C67BD868222,MD5=EF3179D498793BF4234F708D3BE28633,SHA256=B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA,IMPHASH=4DB27267734D1576D75C991DC70F68AC",
          "parentImage": "C:\\\\Windows\\\\System32\\\\msdtc.exe",
          "ruleName": "technique_id=T1218.002,technique_name=rundll32.exe",
          "company": "Microsoft Corporation",
          "commandLine": "rundll32.exe",
          "integrityLevel": "System",
          "fileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
          "user": "NT AUTHORITY\\\\NETWORK SERVICE",
          "terminalSessionId": "0",
          "parentUser": "NT AUTHORITY\\\\NETWORK SERVICE"
        },
        "system": {
          "eventID": "1",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Process Create:\r\nRuleName: technique_id=T1218.002,technique_name=rundll32.exe\r\nUtcTime: 2022-07-14 08:29:23.481\r\nProcessGuid: {8782dc1f-d3e3-62cf-0e01-000000001700}\r\nProcessId: 7456\r\nImage: C:\\Windows\\System32\\rundll32.exe\r\nFileVersion: 10.0.19041.746 (WinBuild.160101.0800)\r\nDescription: Windows host process (Rundll32)\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: RUNDLL32.EXE\r\nCommandLine: rundll32.exe\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: NT AUTHORITY\\NETWORK SERVICE\r\nLogonGuid: {8782dc1f-d212-62cf-e403-000000000000}\r\nLogonId: 0x3E4\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: SHA1=DD399AE46303343F9F0DA189AEE11C67BD868222,MD5=EF3179D498793BF4234F708D3BE28633,SHA256=B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA,IMPHASH=4DB27267734D1576D75C991DC70F68AC\r\nParentProcessGuid: {8782dc1f-d3e3-62cf-0d01-000000001700}\r\nParentProcessId: 7660\r\nParentImage: C:\\Windows\\System32\\msdtc.exe\r\nParentCommandLine: C:\\Windows\\System32\\msdtc.exe\r\nParentUser: NT AUTHORITY\\NETWORK SERVICE\"",
          "version": "5",
          "systemTime": "2022-07-14T08:29:23.4833843Z",
          "eventRecordID": "15442",
          "threadID": "4840",
          "computer": "DESKTOP-UAUGUD7",
          "task": "1",
          "processID": "1480",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-07-14T08:29:23.4833843Z\",\"eventRecordID\":\"15442\",\"processID\":\"1480\",\"threadID\":\"4840\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-UAUGUD7\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1218.002,technique_name=rundll32.exe\\r\\nUtcTime: 2022-07-14 08:29:23.481\\r\\nProcessGuid: {8782dc1f-d3e3-62cf-0e01-000000001700}\\r\\nProcessId: 7456\\r\\nImage: C:\\\\Windows\\\\System32\\\\rundll32.exe\\r\\nFileVersion: 10.0.19041.746 (WinBuild.160101.0800)\\r\\nDescription: Windows host process (Rundll32)\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: RUNDLL32.EXE\\r\\nCommandLine: rundll32.exe\\r\\nCurrentDirectory: C:\\\\Windows\\\\system32\\\\\\r\\nUser: NT AUTHORITY\\\\NETWORK SERVICE\\r\\nLogonGuid: {8782dc1f-d212-62cf-e403-000000000000}\\r\\nLogonId: 0x3E4\\r\\nTerminalSessionId: 0\\r\\nIntegrityLevel: System\\r\\nHashes: SHA1=DD399AE46303343F9F0DA189AEE11C67BD868222,MD5=EF3179D498793BF4234F708D3BE28633,SHA256=B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA,IMPHASH=4DB27267734D1576D75C991DC70F68AC\\r\\nParentProcessGuid: {8782dc1f-d3e3-62cf-0d01-000000001700}\\r\\nParentProcessId: 7660\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\msdtc.exe\\r\\nParentCommandLine: C:\\\\Windows\\\\System32\\\\msdtc.exe\\r\\nParentUser: NT AUTHORITY\\\\NETWORK SERVICE\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1218.002,technique_name=rundll32.exe\",\"utcTime\":\"2022-07-14 
08:29:23.481\",\"processGuid\":\"{8782dc1f-d3e3-62cf-0e01-000000001700}\",\"processId\":\"7456\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe\",\"fileVersion\":\"10.0.19041.746 (WinBuild.160101.0800)\",\"description\":\"Windows host process (Rundll32)\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"RUNDLL32.EXE\",\"commandLine\":\"rundll32.exe\",\"currentDirectory\":\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\\",\"user\":\"NT AUTHORITY\\\\\\\\NETWORK SERVICE\",\"logonGuid\":\"{8782dc1f-d212-62cf-e403-000000000000}\",\"logonId\":\"0x3e4\",\"terminalSessionId\":\"0\",\"integrityLevel\":\"System\",\"hashes\":\"SHA1=DD399AE46303343F9F0DA189AEE11C67BD868222,MD5=EF3179D498793BF4234F708D3BE28633,SHA256=B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA,IMPHASH=4DB27267734D1576D75C991DC70F68AC\",\"parentProcessGuid\":\"{8782dc1f-d3e3-62cf-0d01-000000001700}\",\"parentProcessId\":\"7660\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msdtc.exe\",\"parentCommandLine\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msdtc.exe\",\"parentUser\":\"NT AUTHORITY\\\\\\\\NETWORK SERVICE\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-07-14T08:29:24.035Z",
    "location": "EventChannel",
    "id": "1657787364.1442774",
    "timestamp": "2022-07-14T08:29:24.035+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-07-14T08:29:24.035Z"
    ],
    "timestamp": [
      "2022-07-14T08:29:24.035Z"
    ]
  },
  "highlight": {
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@DESKTOP-UAUGUD7@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1657787364035
  ]
}
sagbeyemi commented 2 years ago

`msdtc -install` executed from cmd.exe on the victim (Sysmon Event ID 1, tagged T1059). The parent cmd.exe already runs at IntegrityLevel High as DESKTOP-UAUGUD7\ASUS PC in session 1, i.e. an elevated prompt. Registering the MSDTC service this way needs administrative rights, so this step is service-based persistence using privileges that were already held, not a privilege escalation from a standard user.


{
"_index": "wazuh-archives-4.x-2022.07.14",
"_type": "_doc",
"_id": "W3DV-4EByFMBBPzyKS9H",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "192.168.77.154",
"name": "DESKTOP-UAUGUD7",
"id": "008"
},
"manager": {
"name": "wazuh-server"
},
"data": {
"win": {
"eventdata": {
"originalFileName": "MSDTC.EXE",
"image": "C:\\Windows\\System32\\msdtc.exe",
"product": "Microsoft® Windows® Operating System",
"parentProcessGuid": "{8782dc1f-d43a-62cf-1101-000000001700}",
"description": "Microsoft Distributed Transaction Coordinator Service",
"logonGuid": "{8782dc1f-d43a-62cf-f360-330000000000}",
"parentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"",
"processGuid": "{8782dc1f-d441-62cf-1301-000000001700}",
"logonId": "0x3360f3",
"parentProcessId": "7072",
"processId": "8440",
"currentDirectory": "C:\\Windows\\system32\\",
"utcTime": "2022-07-14 08:30:57.737",
"hashes": "SHA1=8B4786EB9D864FC78BD99432AE0C78F887049461,MD5=2EF846AC66E181BE820B513DBC15B5D2,SHA256=EDFE71025C352D0DABEC7B9506C5945BB0EC11F8DB540DB8CB1116C2EA1648A8,IMPHASH=51BA43624008AF885335F88516CA2AD3",
"parentImage": "C:\\Windows\\System32\\cmd.exe",
"ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
"company": "Microsoft Corporation",
"commandLine": "msdtc -install",
"integrityLevel": "High",
"fileVersion": "2001.12.10941.16384 (WinBuild.160101.0800)",
"user": "DESKTOP-UAUGUD7\\ASUS PC",
"terminalSessionId": "1",
"parentUser": "DESKTOP-UAUGUD7\\ASUS PC"
},
"system": {
"eventID": "1",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": ""Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-07-14 08:30:57.737\r\nProcessGuid: {8782dc1f-d441-62cf-1301-000000001700}\r\nProcessId: 8440\r\nImage: C:\Windows\System32\msdtc.exe\r\nFileVersion: 2001.12.10941.16384 (WinBuild.160101.0800)\r\nDescription: Microsoft Distributed Transaction Coordinator Service\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: MSDTC.EXE\r\nCommandLine: msdtc -install\r\nCurrentDirectory: C:\Windows\system32\\r\nUser: DESKTOP-UAUGUD7\ASUS PC\r\nLogonGuid: {8782dc1f-d43a-62cf-f360-330000000000}\r\nLogonId: 0x3360F3\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=8B4786EB9D864FC78BD99432AE0C78F887049461,MD5=2EF846AC66E181BE820B513DBC15B5D2,SHA256=EDFE71025C352D0DABEC7B9506C5945BB0EC11F8DB540DB8CB1116C2EA1648A8,IMPHASH=51BA43624008AF885335F88516CA2AD3\r\nParentProcessGuid: {8782dc1f-d43a-62cf-1101-000000001700}\r\nParentProcessId: 7072\r\nParentImage: C:\Windows\System32\cmd.exe\r\nParentCommandLine: "C:\Windows\system32\cmd.exe" \r\nParentUser: DESKTOP-UAUGUD7\ASUS PC"",
"version": "5",
"systemTime": "2022-07-14T08:30:57.7397596Z",
"eventRecordID": "15454",
"threadID": "4840",
"computer": "DESKTOP-UAUGUD7",
"task": "1",
"processID": "1480",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-14T08:30:57.7397596Z","eventRecordID":"15454","processID":"1480","threadID":"4840","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-UAUGUD7","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-07-14 08:30:57.737\r\nProcessGuid: {8782dc1f-d441-62cf-1301-000000001700}\r\nProcessId: 8440\r\nImage: C:\\Windows\\System32\\msdtc.exe\r\nFileVersion: 2001.12.10941.16384 (WinBuild.160101.0800)\r\nDescription: Microsoft Distributed Transaction Coordinator Service\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: MSDTC.EXE\r\nCommandLine: msdtc -install\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-UAUGUD7\\ASUS PC\r\nLogonGuid: {8782dc1f-d43a-62cf-f360-330000000000}\r\nLogonId: 0x3360F3\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=8B4786EB9D864FC78BD99432AE0C78F887049461,MD5=2EF846AC66E181BE820B513DBC15B5D2,SHA256=EDFE71025C352D0DABEC7B9506C5945BB0EC11F8DB540DB8CB1116C2EA1648A8,IMPHASH=51BA43624008AF885335F88516CA2AD3\r\nParentProcessGuid: {8782dc1f-d43a-62cf-1101-000000001700}\r\nParentProcessId: 7072\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-UAUGUD7\\ASUS PC\""},"eventdata":{"ruleName":"technique_id=T1059,technique_name=Command-Line Interface","utcTime":"2022-07-14 08:30:57.737","processGuid":"{8782dc1f-d441-62cf-1301-000000001700}","processId":"8440","image":"C:\\\\Windows\\\\System32\\\\msdtc.exe","fileVersion":"2001.12.10941.16384 (WinBuild.160101.0800)","description":"Microsoft Distributed Transaction Coordinator Service","product":"Microsoft® 
Windows® Operating System","company":"Microsoft Corporation","originalFileName":"MSDTC.EXE","commandLine":"msdtc -install","currentDirectory":"C:\\\\Windows\\\\system32\\\\","user":"DESKTOP-UAUGUD7\\\\ASUS PC","logonGuid":"{8782dc1f-d43a-62cf-f360-330000000000}","logonId":"0x3360f3","terminalSessionId":"1","integrityLevel":"High","hashes":"SHA1=8B4786EB9D864FC78BD99432AE0C78F887049461,MD5=2EF846AC66E181BE820B513DBC15B5D2,SHA256=EDFE71025C352D0DABEC7B9506C5945BB0EC11F8DB540DB8CB1116C2EA1648A8,IMPHASH=51BA43624008AF885335F88516CA2AD3","parentProcessGuid":"{8782dc1f-d43a-62cf-1101-000000001700}","parentProcessId":"7072","parentImage":"C:\\\\Windows\\\\System32\\\\cmd.exe","parentCommandLine":"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"","parentUser":"DESKTOP-UAUGUD7\\\\ASUS PC"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-07-14T08:30:58.314Z",
"location": "EventChannel",
"id": "1657787458.1472134",
"timestamp": "2022-07-14T08:30:58.314+0000"
},
"fields": {
"@timestamp": [
"2022-07-14T08:30:58.314Z"
],
"timestamp": [
"2022-07-14T08:30:58.314Z"
]
},
"highlight": {
"agent.name": [
"@opensearch-dashboards-highlighted-field@DESKTOP-UAUGUD7@/opensearch-dashboards-highlighted-field@"
]
},
"sort": [
1657787458314
]
}
sagbeyemi commented 2 years ago

`msdtc -install` (PID 8440) in turn spawned rundll32.exe, again with an empty command line. This child inherits the High integrity level of the elevated cmd.exe and runs as the interactive user in session 1, unlike the first event, where the rundll32.exe child of the running MSDTC service executed as NT AUTHORITY\NETWORK SERVICE in session 0. Taken together the two events give a simple detection pattern: rundll32.exe with ParentImage msdtc.exe and no arguments, regardless of the account it runs under.


{
"_index": "wazuh-archives-4.x-2022.07.14",
"_type": "_doc",
"_id": "aXDV-4EByFMBBPzyKS9H",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "192.168.77.154",
"name": "DESKTOP-UAUGUD7",
"id": "008"
},
"manager": {
"name": "wazuh-server"
},
"data": {
"win": {
"eventdata": {
"originalFileName": "RUNDLL32.EXE",
"image": "C:\\Windows\\System32\\rundll32.exe",
"product": "Microsoft® Windows® Operating System",
"parentProcessGuid": "{8782dc1f-d441-62cf-1301-000000001700}",
"description": "Windows host process (Rundll32)",
"logonGuid": "{8782dc1f-d43a-62cf-f360-330000000000}",
"parentCommandLine": "msdtc -install",
"processGuid": "{8782dc1f-d441-62cf-1401-000000001700}",
"logonId": "0x3360f3",
"parentProcessId": "8440",
"processId": "3004",
"currentDirectory": "C:\\Windows\\system32\\",
"utcTime": "2022-07-14 08:30:57.869",
"hashes": "SHA1=DD399AE46303343F9F0DA189AEE11C67BD868222,MD5=EF3179D498793BF4234F708D3BE28633,SHA256=B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA,IMPHASH=4DB27267734D1576D75C991DC70F68AC",
"parentImage": "C:\\Windows\\System32\\msdtc.exe",
"ruleName": "technique_id=T1218.002,technique_name=rundll32.exe",
"company": "Microsoft Corporation",
"commandLine": "rundll32.exe",
"integrityLevel": "High",
"fileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"user": "DESKTOP-UAUGUD7\\ASUS PC",
"terminalSessionId": "1",
"parentUser": "DESKTOP-UAUGUD7\\ASUS PC"
},
"system": {
"eventID": "1",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": ""Process Create:\r\nRuleName: technique_id=T1218.002,technique_name=rundll32.exe\r\nUtcTime: 2022-07-14 08:30:57.869\r\nProcessGuid: {8782dc1f-d441-62cf-1401-000000001700}\r\nProcessId: 3004\r\nImage: C:\Windows\System32\rundll32.exe\r\nFileVersion: 10.0.19041.746 (WinBuild.160101.0800)\r\nDescription: Windows host process (Rundll32)\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: RUNDLL32.EXE\r\nCommandLine: rundll32.exe\r\nCurrentDirectory: C:\Windows\system32\\r\nUser: DESKTOP-UAUGUD7\ASUS PC\r\nLogonGuid: {8782dc1f-d43a-62cf-f360-330000000000}\r\nLogonId: 0x3360F3\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=DD399AE46303343F9F0DA189AEE11C67BD868222,MD5=EF3179D498793BF4234F708D3BE28633,SHA256=B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA,IMPHASH=4DB27267734D1576D75C991DC70F68AC\r\nParentProcessGuid: {8782dc1f-d441-62cf-1301-000000001700}\r\nParentProcessId: 8440\r\nParentImage: C:\Windows\System32\msdtc.exe\r\nParentCommandLine: msdtc -install\r\nParentUser: DESKTOP-UAUGUD7\ASUS PC"",
"version": "5",
"systemTime": "2022-07-14T08:30:57.8710404Z",
"eventRecordID": "15468",
"threadID": "4840",
"computer": "DESKTOP-UAUGUD7",
"task": "1",
"processID": "1480",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-14T08:30:57.8710404Z","eventRecordID":"15468","processID":"1480","threadID":"4840","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-UAUGUD7","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: technique_id=T1218.002,technique_name=rundll32.exe\r\nUtcTime: 2022-07-14 08:30:57.869\r\nProcessGuid: {8782dc1f-d441-62cf-1401-000000001700}\r\nProcessId: 3004\r\nImage: C:\\Windows\\System32\\rundll32.exe\r\nFileVersion: 10.0.19041.746 (WinBuild.160101.0800)\r\nDescription: Windows host process (Rundll32)\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: RUNDLL32.EXE\r\nCommandLine: rundll32.exe\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-UAUGUD7\\ASUS PC\r\nLogonGuid: {8782dc1f-d43a-62cf-f360-330000000000}\r\nLogonId: 0x3360F3\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=DD399AE46303343F9F0DA189AEE11C67BD868222,MD5=EF3179D498793BF4234F708D3BE28633,SHA256=B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA,IMPHASH=4DB27267734D1576D75C991DC70F68AC\r\nParentProcessGuid: {8782dc1f-d441-62cf-1301-000000001700}\r\nParentProcessId: 8440\r\nParentImage: C:\\Windows\\System32\\msdtc.exe\r\nParentCommandLine: msdtc -install\r\nParentUser: DESKTOP-UAUGUD7\\ASUS PC\""},"eventdata":{"ruleName":"technique_id=T1218.002,technique_name=rundll32.exe","utcTime":"2022-07-14 08:30:57.869","processGuid":"{8782dc1f-d441-62cf-1401-000000001700}","processId":"3004","image":"C:\\\\Windows\\\\System32\\\\rundll32.exe","fileVersion":"10.0.19041.746 (WinBuild.160101.0800)","description":"Windows host process (Rundll32)","product":"Microsoft® Windows® Operating System","company":"Microsoft 
Corporation","originalFileName":"RUNDLL32.EXE","commandLine":"rundll32.exe","currentDirectory":"C:\\\\Windows\\\\system32\\\\","user":"DESKTOP-UAUGUD7\\\\ASUS PC","logonGuid":"{8782dc1f-d43a-62cf-f360-330000000000}","logonId":"0x3360f3","terminalSessionId":"1","integrityLevel":"High","hashes":"SHA1=DD399AE46303343F9F0DA189AEE11C67BD868222,MD5=EF3179D498793BF4234F708D3BE28633,SHA256=B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA,IMPHASH=4DB27267734D1576D75C991DC70F68AC","parentProcessGuid":"{8782dc1f-d441-62cf-1301-000000001700}","parentProcessId":"8440","parentImage":"C:\\\\Windows\\\\System32\\\\msdtc.exe","parentCommandLine":"msdtc -install","parentUser":"DESKTOP-UAUGUD7\\\\ASUS PC"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-07-14T08:30:58.592Z",
"location": "EventChannel",
"id": "1657787458.1472134",
"timestamp": "2022-07-14T08:30:58.592+0000"
},
"fields": {
"@timestamp": [
"2022-07-14T08:30:58.592Z"
],
"timestamp": [
"2022-07-14T08:30:58.592Z"
]
},
"highlight": {
"agent.name": [
"@opensearch-dashboards-highlighted-field@DESKTOP-UAUGUD7@/opensearch-dashboards-highlighted-field@"
]
},
"sort": [
1657787458592
]
}
sagbeyemi commented 2 years ago

Sysmon Event ID 11 (FileCreate): cmd.exe (PID 7372, ProcessGuid {8782dc1f-d45f-62cf-1501-000000001700}) created C:\Users\ASUS PC\Downloads\d.txt as DESKTOP-UAUGUD7\ASUS PC. This event carries no integrity level, parent image or command line, and its ProcessGuid does not match the cmd.exe seen in the earlier events ({8782dc1f-d43a-...}), so on its own it does not prove the file was written through the msdtc.exe / rundll32.exe chain; the matching Event ID 1 for that ProcessGuid should be pulled to establish the parent chain before treating this as post-exploitation activity.


{
"_index": "wazuh-archives-4.x-2022.07.14",
"_type": "_doc",
"_id": "gHDW-4EByFMBBPzyty_D",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "192.168.77.154",
"name": "DESKTOP-UAUGUD7",
"id": "008"
},
"manager": {
"name": "wazuh-server"
},
"data": {
"win": {
"eventdata": {
"image": "C:\\Windows\\system32\\cmd.exe",
"processGuid": "{8782dc1f-d45f-62cf-1501-000000001700}",
"processId": "7372",
"utcTime": "2022-07-14 08:32:36.479",
"targetFilename": "C:\\Users\\ASUS PC\\Downloads\\d.txt",
"creationUtcTime": "2022-07-14 08:32:36.479",
"user": "DESKTOP-UAUGUD7\\ASUS PC"
},
"system": {
"eventID": "11",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": ""File created:\r\nRuleName: -\r\nUtcTime: 2022-07-14 08:32:36.479\r\nProcessGuid: {8782dc1f-d45f-62cf-1501-000000001700}\r\nProcessId: 7372\r\nImage: C:\Windows\system32\cmd.exe\r\nTargetFilename: C:\Users\ASUS PC\Downloads\d.txt\r\nCreationUtcTime: 2022-07-14 08:32:36.479\r\nUser: DESKTOP-UAUGUD7\ASUS PC"",
"version": "2",
"systemTime": "2022-07-14T08:32:36.4824337Z",
"eventRecordID": "15476",
"threadID": "4840",
"computer": "DESKTOP-UAUGUD7",
"task": "11",
"processID": "1480",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"11","version":"2","level":"4","task":"11","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-14T08:32:36.4824337Z","eventRecordID":"15476","processID":"1480","threadID":"4840","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-UAUGUD7","severityValue":"INFORMATION","message":"\"File created:\r\nRuleName: -\r\nUtcTime: 2022-07-14 08:32:36.479\r\nProcessGuid: {8782dc1f-d45f-62cf-1501-000000001700}\r\nProcessId: 7372\r\nImage: C:\\Windows\\system32\\cmd.exe\r\nTargetFilename: C:\\Users\\ASUS PC\\Downloads\\d.txt\r\nCreationUtcTime: 2022-07-14 08:32:36.479\r\nUser: DESKTOP-UAUGUD7\\ASUS PC\""},"eventdata":{"utcTime":"2022-07-14 08:32:36.479","processGuid":"{8782dc1f-d45f-62cf-1501-000000001700}","processId":"7372","image":"C:\\\\Windows\\\\system32\\\\cmd.exe","targetFilename":"C:\\\\Users\\\\ASUS PC\\\\Downloads\\\\d.txt","creationUtcTime":"2022-07-14 08:32:36.479","user":"DESKTOP-UAUGUD7\\\\ASUS PC"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-07-14T08:32:37.052Z",
"location": "EventChannel",
"id": "1657787557.1479711",
"timestamp": "2022-07-14T08:32:37.052+0000"
},
"fields": {
"@timestamp": [
"2022-07-14T08:32:37.052Z"
],
"timestamp": [
"2022-07-14T08:32:37.052Z"
]
},
"highlight": {
"agent.name": [
"@opensearch-dashboards-highlighted-field@DESKTOP-UAUGUD7@/opensearch-dashboards-highlighted-field@"
],
"full_log": [
"{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"11","version":"2","level":"4","task":"11","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-14T08:32:36.4824337Z","eventRecordID":"15476","processID":"1480","threadID":"4840","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-UAUGUD7","severityValue":"INFORMATION","message":"\"File created:\r\nRuleName: -\r\nUtcTime: 2022-07-14 08:32:36.479\r\nProcessGuid: {8782dc1f-d45f-62cf-1501-000000001700}\r\nProcessId: 7372\r\nImage: C:\\Windows\\system32\\cmd.exe\r\nTargetFilename: C:\\Users\\ASUS PC\\Downloads\\@opensearch-dashboards-highlighted-field@d.txt@/opensearch-dashboards-highlighted-field@\r\nCreationUtcTime: 2022-07-14 08:32:36.479\r\nUser: DESKTOP-UAUGUD7\\ASUS PC\""},"eventdata":{"utcTime":"2022-07-14 08:32:36.479","processGuid":"{8782dc1f-d45f-62cf-1501-000000001700}","processId":"7372","image":"C:\\\\Windows\\\\system32\\\\cmd.exe","targetFilename":"C:\\\\Users\\\\ASUS PC\\\\Downloads\\\\@opensearch-dashboards-highlighted-field@d.txt@/opensearch-dashboards-highlighted-field@","creationUtcTime":"2022-07-14 08:32:36.479","user":"DESKTOP-UAUGUD7\\\\ASUS PC"}}}"
]
},
"sort": [
1657787557052
]
}