tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

adding Trellix EDR (mcafee) #5

Closed mthcht closed 1 year ago

tsale commented 1 year ago

Thank you very much for submitting this proposal @mthcht! Could you please include the below information so we can validate before merging?

  1. Does Trellix EDR align with our definition of telemetry? (definition here)
  2. Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee)
  3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

Thanks again!

mthcht commented 1 year ago

> Thank you very much for submitting this proposal @mthcht! Could you please include the below information so we can validate before merging?
>
>   1. Does Trellix EDR align with our definition of telemetry? (definition here)
>   2. Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee)
>   3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?
>
> Thanks again!

  1. Yes, Trellix EDR does align with your definition of telemetry.
  2. Unfortunately, I wasn't able to obtain EDR documentation from the vendor. However, I did collect the telemetry using Trellix's API, which can be found at https://developer.manage.trellix.com/mvision/apis/searches (where we can find most of the fields).

Here are the EventTypes present in my logs:

  3. If necessary, I can provide logs for the 43 categories, but it will take some time for me to anonymize the content, as almost every field contains sensitive data. Please let me know if you require these logs, and I will get to it.

tsale commented 1 year ago

This is great! Please give me some time to review and I'll reach out if I have any questions 🙂

tsale commented 1 year ago

Hey @mthcht, unfortunately, the API documentation link you provided does not give a definitive answer on the fields we are looking for. It would be great if you could provide some sanitized data to me on a private channel.

I will also try to do some testing myself if I manage to get a trial of the product. I will have to reach out to Trellix for that.

mthcht commented 1 year ago

@tsale here is a raw log extract for each EventType I have:

Account Changed
{"eventType": "Account Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "01eb704f-3b7d-4965-83ec-5c9d725fd0d6", "traceId": "27bbdca8-e76c-4287-8d93-31f9ad0412be", "contextTraceId": "da67763a-854d-412c-a66f-edcca0eeb3d4", "pid": 1076, "it": 1, "time": "2023-04-19T16:08:47.129Z", "uniqueRuleId": 1, "ppid": 1076, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4738, "user": {"adminType": 0, "domain": "HIDDEN22958", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22958$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T16:08:53Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Created
{"eventType": "Account Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4644b033d0", "traceId": "49054632-69cd-4e34-8292-bd6eb30d4003", "contextTraceId": "8480c6d8-c619-4019-9359-fc7a4a9be425", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.515Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4720, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Deleted
{"eventType": "Account Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3d6a84b3-91fb-41f0-93b1-aa482bc531f6", "traceId": "c61cbd7a-62bc-4186-8b80-6eead86a4710", "contextTraceId": "87a2f691-5fbb-49b5-8417-ce551000e23d", "pid": 872, "it": 1, "time": "2023-04-19T08:14:25.865Z", "uniqueRuleId": 1, "ppid": 872, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4726, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_kadvAYTV"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:14:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Disabled
{"eventType": "Account Disabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b08de07d-b15f-441a-b143-78c42cb61a78", "traceId": "9b95b0f5-dee6-487c-aaf6-65af35cf3256", "contextTraceId": "873a8979-6c94-4085-872b-ded4c54ee9a9", "pid": 988, "it": 1, "time": "2023-04-18T08:02:43.593Z", "uniqueRuleId": 1, "ppid": 988, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4725, "user": {"adminType": 0, "domain": "HIDDEN22172", "id": "S-1-5-21-HIDDENSID", "name": "defaultuser0"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22172$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T08:05:18Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Account Enabled
{"eventType": "Account Enabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4645b032d0", "traceId": "859ac34b-348e-44e1-8711-a9c306642202", "contextTraceId": "8480c6d8-c619-4019-9459-fc7a4a9be435", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.530Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4722, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Api
{"eventType": "Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0318c", "traceId": "ea0cf5f2-0adc-4619-8837-4403a69798cd", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747947b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:52.975Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "api": {"name": "FindFirstFile", "data": "HIDDENDATA", "result": "1952366316400", "moduleName": "", "arguments": [], "targetPid": 0}, "uniqueRuleId": 19120, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.APICall"]}

COM Api
{"eventType": "COM Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b62a-7f9bcdd3c4aa", "traceId": "0c46d2d8-f86d-4c7f-88eb-cb977aa78207", "contextTraceId": "4df162be-c064-4b64-b250-41ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.428Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\\Windows\\System32\\cscript.exe", "uniqueRuleId": 4294967295, "comApis": [{"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.RegWrite", "args": "\"HKCU\\Software\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy\",\"Unrestricted\",\"REG_SZ\"", "result": ""}, {"flags": 3, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.ExpandEnvironmentStrings", "args": "\"%LOCALAPPDATA%\\HIDDEN_VPN\\script.ps1\"", "result": "\"C:\\Users\\HIDDENUSER\\AppData\\Local\\HIDDEN_VPN\\script.ps1\""}, {"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.Run", "args": "\"powershell.exe -nologo -command C:\\Users\\HIDDENUSER\\AppData\\Local\\HIDDEN_VPN\\script.ps1\",0", "result": ""}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Code Injected
{"eventType": "Code Injected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-5368-b63a-7f9bcdd3c4aa", "traceId": "52fc84ae-6d72-49fe-bf65-74265c57224d", "contextTraceId": "4df162be-c064-4b64-b850-41ba1493d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\\Windows\\System32\\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "relatedProcess": {"pid": 6620, "cmdLine": "\"cscript.exe\" C:\\Users\\edubois\\AppData\\Local\\HIDDEN_VPN\\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"lastModificationDate": "2021-09-15T10:42:04.643Z", "creationDate": "2021-09-15T10:42:04.640Z", "md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\\Windows\\System32\\cscript.exe", "size": 161280, "fsattrs": 32, "embedFilename": "cscript.exe", "embedFileVersion": "5.812.10240.16384", "embedProductName": "Microsoft \u00ae Windows Script Host", "embedProductVersion": "5.812.10240.16384", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Code Injection
{"eventType": "Code Injection", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd3c4aa", "traceId": "0e5172ff-98a2-47c8-9d94-3488c6df70c0", "contextTraceId": "4df162be-c064-4b64-b850-42ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\\Windows\\System32\\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "injectedProcessTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd2c4aa", "relatedProcess": {"pid": 6620, "cmdLine": "\"cscript.exe\" C:\\Users\\HIDDENUSER\\AppData\\Local\\HIDDEN_VPN\\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENUSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\\Windows\\System32\\cscript.exe", "size": 161280, "embedFilename": "cscript.exe", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Context Changed
{"eventType": "Context Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "0e9c4e60-49af-451d-b807-39da4003af3d", "traceId": "3ce0bbe4-92b4-430b-996e-cc32cfe99837", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e3bf69", "pid": 5164, "it": 1, "time": "2023-04-19T18:46:31.739Z", "pSha2": "5A5C59646969CE0D99B05556CEA793F9F89A019BE4D66D8C9A1AF9EED699AC89", "ppid": 5164, "pFullName": "C:\\Windows\\System32\\spoolsv.exe", "reason": 1, "relatedTraceId": "ba434310-89f5-4749-9cc2-b9df78bc18d3", "relatedProcess": {"pid": 5164, "cmdLine": "C:\\WINDOWS\\System32\\spoolsv.exe", "processName": "spoolsv.exe", "integrity": 4, "user": {"domain": "NT AUTHORITY", "id": "S-1-5-18", "name": "NT AUTHORITY\\SYSTEM"}, "procFileAttrs": {"md5": "3BCB8517038CACDF2F2498E1D0F80544", "sha1": "F8D8AC37C3C194F8C8EF052FF46C19CBB65361D5", "sha256": "5A5C59646969CE0D99B05556CEA793F9F89A019BE5D66D8C9A1AF9EED699AC89", "fileType": "PE", "name": "spoolsv.exe", "path": "C:\\Windows\\System32\\spoolsv.exe", "size": 929792, "embedFilename": "spoolsv.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "tdmRuleIds": [112, 100003, 99999], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:47Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

DNS Query
{"eventType": "DNS Query", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c6fc0e114ff7", "traceId": "e76f265c-cb4a-4ab2-9857-b04bfeb0aebb", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.903Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\\Users\\rtadjer\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "dns": {"name": "HIDDEN.trouter.teams.microsoft.com", "type": 1}, "uniqueRuleId": 19112, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.DNSQuery"]}

Epp File Scan
{"eventType": "Epp File Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "ee75a850-7bf9-44f4-8623-c26aaad762ed", "traceId": "e24fd01c-4eeb-453d-a688-09bbee345095", "contextTraceId": "4df162be-c064-4b64-b850-41ba1495d6d2", "pid": 2256, "it": 1, "time": "2023-04-19T14:22:58.726Z", "pSha2": "20330D3CA71D58F4AEB432676CB6A3D5B97005954E45132FB083E90782EFDD50", "ppid": 2256, "pFullName": "C:\\Windows\\System32\\backgroundTaskHost.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "NativeHostNE.dll", "path": "C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.23022.140.0_x64__8wekyb3d8bbwe\\NativeHostNE.dll", "size": 0}, "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:23:19Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Epp Process Response
{"eventType": "Epp Process Response", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "a65892eb-990a-407c-89d1-7f4a25aab465", "traceId": "c6e24a8f-004b-4f15-b3d6-aa752b3b2812", "contextTraceId": "0a3768eb-d606-4282-8466-201fd8596be1", "pid": 9492, "time": "2023-04-19T18:36:46.512Z", "pSha2": "FC6BA3C701AFBEB082BA25F677FE47A0D3225465AF02C50E2AC2B10728E9D89E", "ppid": 9492, "pFullName": "C:\\Windows\\CCM\\CcmExec.exe", "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 1, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:36:52Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.EPP_Response"]}

Epp Process Scan
{"eventType": "Epp Process Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e74be1a-90b5-466e-aff3-652aa73d0216", "traceId": "46bfe244-cfa7-41ef-99a8-ec354fdc38f7", "contextTraceId": "300409fb-6c49-4bf0-832d-205265b6d9d1", "pid": 12300, "it": 1, "time": "2023-04-19T18:26:16.293Z", "pSha2": "B5DDC370739579D2EE7C8A1284D4C83F15F4CF662893FDA55854D03B99AA2685", "ppid": 12300, "pFullName": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.898_none_6b467c06908d3d29\\TiWorker.exe", "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:26:41Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

File Attribute Changed
{"eventType": "File Attribute Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37434aab53f", "traceId": "337454e9-dbe6-46d6-999d-c6647f406410", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-742957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:40.875Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "uniqueRuleId": 7, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.739Z", "creationDate": "2023-04-19T17:49:40.873Z", "md5": "9D04081293A783441ED1133888E8721C", "sha1": "2F688EFBC6ACEA6B5E6C172EB4AE7A41A2FB3C05", "sha256": "1C3DBA99D46303A00D83DEDDAEEE6988BB9E0E97F8D02925D2270A1B539157D1", "fileType": "PE", "name": "MFC90CHS.DLL", "path": "C:\\$WINDOWS.~BT\\Work\\MachineSpecific\\Working\\agentmgr\\CCSIAgent\\005A53BA\\SxsAsm38\\MFC90CHS.DLL", "size": 35664, "fsattrs": 8224, "fsattrsChanged": 2, "embedFilename": "MFC90CHS.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}

File Created
{"eventType": "File Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-43ec-9659-f37432aab53f", "traceId": "2b98410e-fea4-420d-98da-1220479161fe", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b490d", "pid": 4160, "time": "2023-04-19T17:49:40.861Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.108Z", "creationDate": "2023-04-19T17:49:40.858Z", "md5": "CDBE9690CF2B8409FACAD94FAC9479C9", "sha1": "4BCDFE2C1B354645314A4CE26B55B2B1A0212DB9", "sha256": "8E7FE1A1F3550C479FFD86A77BC9D10686D47F8727025BB891D8F4F0259354C8", "fileType": "PE", "name": "msvcr90.dll", "path": "C:\\$WINDOWS.~BT\\Work\\MachineSpecific\\Working\\agentmgr\\CCSIAgent\\005A54BA\\SxsAsm37\\msvcr90.dll", "size": 653136, "fsattrs": 8224, "embedFilename": "MSVCR90.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}

File Deleted
{"eventType": "File Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "e3c8e545-3d68-4d75-9168-f332c3b72b3e", "traceId": "447205ad-ea41-4ad0-b0ee-a3b1eebd486b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b3c90d", "pid": 3872, "time": "2023-04-19T17:54:22.517Z", "pSha2": "823523E1B4BF1DBFF1CA7E65C67483B2260F13AD4AB61F6131F84D5B8DBE985F", "ppid": 3872, "pFullName": "C:\\Windows\\System32\\drvinst.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-03-11T18:46:14.000Z", "creationDate": "2022-03-11T18:46:14.000Z", "md5": "", "sha1": "", "sha256": "2B7FDFAD42885DD4FFED2BF0EE0FD810FD6D2C3F21567513FB2ACF296CD80016", "fileType": "PE", "name": "igdumdim32.dll", "path": "C:\\Windows\\System32\\DriverStore\\FileRepository\\iigd_dch_d.inf_amd64_07f5935d7ce74872\\igdumdim32.dll", "size": 1569160, "fsattrs": 128}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}

File Executed
{"eventType": "File Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "7eec0405-02a9-4391-a213-3d221308f33e", "traceId": "e89bdf24-e752-487e-a423-a2d55766db0b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c9d", "pid": 4960, "it": 1, "time": "2023-04-19T17:55:18.886Z", "pSha2": "A00790D3844F6A2DC3767945124FECCBBFC15E7654E53C2FD38D660DD1A91733", "ppid": 4960, "pFullName": "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JUNS\\PulseSecureService.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "salib_OSSL.dll", "path": "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JUNS\\salib_OSSL.dll", "size": 0, "fsattrs": 128}, "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 6, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}

File Modified
{"eventType": "File Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "df9f1187-be22-45ba-862e-b678750434af", "traceId": "4974570a-8542-4ef9-b038-850b3503ac7a", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 1388, "time": "2023-04-19T17:50:07.640Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 1388, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T17:42:08.114Z", "creationDate": "2022-08-25T18:56:09.172Z", "md5": "23A09C342E04E45BE828409B39DB0A5D", "sha1": "C1D03FDE664C1EB522EA72BEF31F7DCFC4D20EE0", "sha256": "7846F5D43BBC99701B558E9737E654348855CB7FA6A0403739AEA63908099E7E", "name": "setuperr.log", "path": "C:\\Windows\\setuperr.log", "size": 495, "fsattrs": 32, "mhdr": "efbbbf323032332d"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}

File Moved
{"eventType": "File Moved", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "6efe949e-59ff-4f92-b736-a41e3bfd64c4", "traceId": "d7cf9750-0945-4fa6-99f6-f4ed00988881", "contextTraceId": "c49554af-b28f-4d43-b49a-89b935df02eb", "pid": 14856, "it": 1, "time": "2023-04-19T15:05:54.741Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 14856, "pFullName": "C:\\Users\\HIDDENUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T14:14:48.977Z", "creationDate": "2020-03-17T15:39:36.625Z", "md5": "DFA84FC7A9620554D263AFDE3073753C", "sha1": "BEB95A2255EB67B0A71310156677AAA67926AD7D", "sha256": "B26968E75201C2AE4908ECB3C23CB361B9E08C53780AFAA682F4BDDAD5B4A069", "name": "a55ed4fbb973aefb.customDestinations-ms", "path": "C:\\Users\\HIDDENUSER\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\a54ed4fbb973aefb.customDestinations-ms", "newFilePath": "C:\\Users\\HIDDENUSER\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\a54ed4fbb973aefb.customDestinations-ms~RF6c135fa.TMP", "size": 10512, "fsattrs": 32}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}

File Read
{"eventType": "File Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c20a0218c", "traceId": "ab9be903-4b85-4338-81c0-507c71e1fa7d", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-737957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.548Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "uniqueRuleId": 5, "fileAttributes": {"lastModificationDate": "2023-04-19T17:51:53.544Z", "creationDate": "2023-04-19T17:51:53.543Z", "md5": "D17FE0A3F47BE24A6453E9EF58C94641", "sha1": "6AB83620379FC69F80C0242105DDFFD7D98D5D9D", "sha256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7", "name": "__PSScriptPolicyTest_2yelgbav.p0r.ps1", "path": "C:\\Windows\\Temp\\__PSScriptPolicyTest_2yelgbav.p0r.ps1", "size": 60, "fsattrs": 32, "mhdr": "2320506f77657253"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptCreated"]}

Image Loaded
{"eventType": "Image Loaded", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "722b8348-1566-4315-a160-e37c17b6d06b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-727957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.501Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "uniqueRuleId": 18, "modules": [{"sha256": "0C3793703087C34745609D4DB2683750560FFF7A6BD04D618BC4BD4BC55E5106", "name": "C:\\WINDOWS\\SYSTEM32\\BCRYPT.DLL", "loadTime": "2023-04-19T17:51:53.501Z", "vtpPrivileges": 1, "fsattrs": 32}, {"sha256": "1F996574F38219CDD848375F517F8D86E17542BC84D64CCE63AA0C64CC15F22D", "name": "C:\\WINDOWS\\SYSTEM32\\WS2_32.DLL", "loadTime": "2023-04-19T17:51:53.599Z", "vtpPrivileges": 1, "fsattrs": 32}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoadedDLLs"]}

NamedPipe Connected
{"eventType": "NamedPipe Connected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d7114add-5126-4b2a-893e-20a248182832", "traceId": "35c96280-b766-40b8-9608-74a32387f22e", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b2c90d", "pid": 2104, "it": 1, "time": "2023-04-19T17:55:20.448Z", "pSha2": "27412E8CDEBB7F3E645454ED1BEE0EBB04C976BC8946698EF8CE4C664B63B3C0", "ppid": 2104, "pFullName": "C:\\Program Files\\ForeScout SecureConnector\\SecureConnector.exe", "uniqueRuleId": 4, "pipe": {"name": "\\\\.\\pipe\\_FSA_TMP_6544_643E4C1F_0002PERFORMER_CNTL"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Network Accessed
{"eventType": "Network Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c4fc0e112ff7", "traceId": "24264358-6a18-43ac-ab02-5d5a89c74bbc", "contextTraceId": "5537a2e8-1a88-44f3-9d1f-747957b6c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.935Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\\Users\\HIDDENUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "uniqueRuleId": 19103, "network": {"accessType": "connection_opened", "direction": "outbound", "dstIp": "127.0.0.1", "dstPort": 53574, "srcIp": "127.0.0.1", "srcPort": 53573, "protocol": "tcp", "dnsNames": ["gearssdk.HIDDEN.com"]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NetworkConnection"]}

Password Reset
{"eventType": "Password Reset", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "85056462-75dc-4eb9-935d-e22da7674050", "traceId": "cda5b2be-4636-41f3-988f-f009d2697f6d", "contextTraceId": "252fcdc6-95dc-4437-924c-1e1a740f4d03", "pid": 868, "it": 1, "time": "2023-04-14T15:43:09.634Z", "uniqueRuleId": 1, "ppid": 868, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4724, "user": {"adminType": 0, "domain": "HIDDEN230171", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN230171$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-14T15:43:33Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

Process Accessed
{"eventType": "Process Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "ea0291b7-5854-4235-b710-0a1528849534", "traceId": "2d9ae548-3eda-4e6a-9ae7-829f2a94c55e", "contextTraceId": "c49554af-b28f-4d43-b49a-84b932df02eb", "pid": 18572, "it": 1, "time": "2023-04-19T16:10:31.049Z", "pSha2": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "ppid": 18572, "pFullName": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "uniqueRuleId": 19114, "accessType": 16, "relatedProcess": {"pid": 6448, "cmdLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=fr --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3944 --field-trial-handle=2252,i,15327557186177104925,6464273188186216104,131072 /prefetch:8", "processName": "msedge.exe", "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "BECC2E4F21743168C59876A6BAD0E74A", "sha1": "9EF706CD46650B807255FE7752599520C7E6BEE4", "sha256": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "fileType": "PE", "name": "msedge.exe", "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "size": 4139936, "embedFilename": "msedge.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "integrity": 1}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T16:11:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Process Created
{"eventType": "Process Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f65d9571093", "traceId": "df9f1147-be22-45ba-862e-b678730434af", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 1388, "time": "2023-04-19T17:50:07.579Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4180, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\SetupHost.exe", "cmdLine": "\"C:\\$WINDOWS.~BT\\Sources\\mighost.exe\" {HIDDENSID} /InitDoneEvent:MigHost.{HIDDENSID}.Event /ParentPID:4180", "processName": "mighost.exe", "integrity": 4, "user": {"domain": "AUTORITE NT", "id": "S-1-5-18", "name": "Syst\u00e8me"}, "procFileAttrs": {"creationDate": "2023-04-19T17:31:50.338Z", "md5": "A29006724D36A128C8471BC463ECA83A", "sha1": "6518BFC3B22E82E94F6C404B33AD9BE9B5162FB2", "sha256": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "name": "mighost.exe", "path": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "size": 279896, "embedFilename": "MigHost.exe", "embedFileVersion": "10.0.22621.1 (WinBuild.160101.0800)", "embedProductName": "Microsoft\u00ae Windows\u00ae Operating System", "embedProductVersion": "10.0.22621.1", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "parentsTraceId": ["261c5c80-d583-43b2-a1d9-3f65d9571094", "6bbc10bf-abad-4cf2-ba43-c19f415ffb51", "9d81e708-c5db-4b71-a9ca-2f39d1ed77ba", "cf5e5a2f-5f39-45de-b2fc-c07742e1a724", "d9a8593c-49c5-4698-8ea2-f4d554f21358", "afa7552d-7f45-46a0-a590-d2dd01fa9479", "e4c78c17-8878-4c5b-9b93-10c15fa23986"], "tdmRuleIds": [110, 100000, 100003], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ProcessCreated"]}

Process Hollowed
{"eventType": "Process Hollowed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "37e0d41f-dfec-41c0-a36d-9d7310a77bd3", "traceId": "933ab594-0167-4f88-b858-c6c042bf146c", "contextTraceId": "c49554af-b28f-4d43-b49a-89b934df02eb", "pid": 26384, "it": 1, "time": "2023-04-19T20:25:31.329Z", "pSha2": "5BB79BEEF24F2254DBFA1F53078483AF9DD9D4506508FEE886F21847F7DFF504", "ppid": 26384, "pFullName": "C:\\Users\\HIDDENUSER\\AppData\\Local\\Seclore\\FileSecure\\Desktop Client\\X64\\FSDC64.exe", "hollowInfo": {"targetPid": 2488, "targetTraceId": "b7bf6bc1-9eb4-44e1-8fc6-712142573792", "originalIp": 0, "finalIp": 0, "apis": [10, 2, 14]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T20:25:44Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

Process Reputation Changed
{"eventType": "Process Reputation Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "751c64e7-d243-4757-a7dc-5f113e75aa35", "traceId": "8eb5b562-5f6a-4ded-ae5f-bef61a0bbbf2", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 4228, "it": 1, "time": "2023-04-19T17:54:53.574Z", "pSha2": "2198A7B58BCCB758036B969DDAE6CC2ECE07565E2659A7C541A313A0492231A3", "ppid": 4228, "pFullName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "reputation": {"reputation": 85, "productId": 514, "reason": 2, "data": "{\"module_filepath\":\"C:\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\System\\\\4fb9160b27f2daa1ec55050bde519fcc\\\\System.ni.dll\",\"module_reputation\":85,\"process_previous_reputation\":99}\n"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}

RegKey Created
{"eventType": "RegKey Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "d8fd4b5b-6757-467d-b9ea-634dd2be5424", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.420Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "registry": {"regKeyName": "HKLM\\SYSTEM\\SETUP\\UPGRADE\\PNP\\CURRENTCONTROLSET\\CONTROL\\DEVICEMIGRATION\\DEVICES\\USB\\VID_17E9&PID_6015&MI_02\\7&1D07AD4B&0&0002\\INTERFACES\\{HIDDENSID}#PCM_IN_05_00\\DEVICE\\EP\\0"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

RegKey Deleted
{"eventType": "RegKey Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f34432aab53f", "traceId": "cc3dd5d2-8db2-4822-8032-0948e1f67779", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747457b6c90d", "pid": 4160, "time": "2023-04-19T17:49:34.130Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "registry": {"regKeyName": "HKLM\\SYSTEM\\SETUP\\UPGRADE\\PNP\\TEMP\\NDI\\PARAMS\\UAPSDSUPPORT"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:00Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

RegKey Read
{"eventType": "RegKey Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b7f8e1db-b86e-4a95-9b0f-360d5b9f6244", "traceId": "e27fb183-897e-49e8-be43-c76ba90f8370", "contextTraceId": "10ab02e8-c043-4ea4-9c2c-41a805ac0a7e", "pid": 22064, "it": 1, "time": "2023-02-15T06:31:52.915Z", "pSha2": "9179048992E0FBB51CFA7E42EF65074661295B6B155BDD60DE47AA684D82F4FD", "ppid": 22064, "pFullName": "C:\\Windows\\System32\\mmc.exe", "registry": {"regKeyName": "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\CANARYCERTSTORE\\"}, "response": {"action": 1, "description": "HIDDENDOMAIN\\HIDDENUSERNAME a ex\u00e9cut\u00e9 C:\\Windows\\System32\\mmc.exe, qui tentait d'acc\u00e9der \u00e0 HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\CANARYCERTSTORE\\, d'une mani\u00e8re contraire \u00e0 la r\u00e8gle \u00ab Protection essentielle - Prot\u00e9ger les cl\u00e9s et valeurs de Registre McAfee essentielles \u00bb, et a \u00e9t\u00e9 bloqu\u00e9. Pour obtenir de plus amples informations sur la mani\u00e8re de r\u00e9pondre \u00e0 cet \u00e9v\u00e9nement, voir KB85494.", "ruleId": "PROTECT_MCAFEE_REG_VALUE1", "operation": 3, "productId": 513, "reason": 6}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-02-15T06:32:09Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

RegValue Created
{"eventType": "RegValue Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "5ae2323c-98cc-4020-ad3f-8d0e25de9f95", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.421Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "registry": {"keyName": "HKLM\\SYSTEM\\SETUP\\UPGRADE\\PNP\\CURRENTCONTROLSET\\CONTROL\\DEVICEMIGRATION\\DEVICES\\USB\\VID_17E9&PID_6015&MI_02\\7&1D07AD2B&0&0004\\INTERFACES\\{HIDDENSID}#PCM_IN_05_00\\DEVICE", "keyValueName": "FRIENDLYNAME", "keyValueType": "REG_SZ", "keyValue": "Lenovo USB Audio"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

RegValue Deleted
{"eventType": "RegValue Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "d162fb4b-1c6b-41e5-9458-a0d5be22deae", "contextTraceId": "5537a2e8-1a38-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:38.131Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "registry": {"keyName": "HKLM\\SYSTEM\\SETUP\\UPGRADE\\PNP\\TEMP", "keyValueName": "DISABLESETUPDICHANGESTATE"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:31Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

RegValue Modified
{"eventType": "RegValue Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f45d9571094", "traceId": "efff6774-159e-424c-85b3-cd570e3b6d22", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747958b6c90d", "pid": 4180, "time": "2023-04-19T17:50:07.139Z", "pSha2": "7538940533F3B531D2FF8B57D79C01C475BB457FA5103E5A0D4AFADB728702C6", "ppid": 4180, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\SetupHost.exe", "registry": {"keyName": "HKLM\\SYSTEM\\SETUP\\MOSETUP\\VOLATILE", "keyValueName": "SETUPPROGRESS", "keyValueType": "REG_DWORD", "keyValue": "64", "keyOldValue": "51"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}

ScheduledTask Changed
{"eventType": "ScheduledTask Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d57e9fa6-7967-45b5-a54e-468f5c2be4db", "traceId": "b5a8f55e-3d1b-464c-84c8-ac4791366f22", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e4bf69", "pid": 7392, "time": "2023-04-19T18:46:06.775Z", "pSha2": "949BFB5B4C7D58D92F3F9C5F8EC7CA4CEAFFD10EC5F0020F0A987C472D61C54B", "ppid": 7392, "pFullName": "C:\\Windows\\System32\\svchost.exe", "uniqueRuleId": 30, "action": "deleted", "schedtask": {"name": "Microsoft\\Windows\\MemoryDiagnostic\\DecompressionFailureDetector"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScheduledTaskRegistered"]}

Script Executed
{"eventType": "Script Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "5179615b-3a3f-49e4-8e27-2d1966deed68", "contextTraceId": "5537a2e8-1a88-43f3-8d1f-747957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.536Z", "uniqueRuleId": 28001, "ppid": 23856, "pFullName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "scriptType": "powershell", "scripts": [{"timestamp": "2023-04-19T17:51:53.536Z", "length": 391, "hash": "40D27F34C4D18A9A07D13655FFE2738D3B19975A4FAC8192C6ABAE55319A91B9", "intentions": [{"name": "action:Object/Select", "lines": ["[...]52428800') -or ($_.BytesFromPeers -ne '0') -or (($_.BytesFromCacheServer -ne '0') -and ($_.BytesFromCacheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInforma[...]"]}, {"name": "action:Xml/ConvertTo", "lines": ["[...]cheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInformation"]}, {"name": "observable:network.url.http", "lines": ["Get-DeliveryOptimizationStatus | where-object {($_.Sourceurl -CLike 'http://HIDDEN:8005*') -AND (($_.FileSize -ge '52428800') -or ($_.BytesFromPeers -ne '0') -or (($_.BytesFromCacheServer -ne '0') -and[...]"]}]}], "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:03Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptExecuted"]}

Service Changed
{"eventType": "Service Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "ff683f3a-7433-4122-8478-80560270cf1a", "contextTraceId": "5537a2e8-1a88-43f3-9c1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:12.567Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "uniqueRuleId": 16, "action": "deleted", "service": {"name": "BTHPORT"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:50:56Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ServiceChanged"]}

SysInfo
{"eventType": "SysInfo", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "0a3fc885-44c0-487d-951a-65ac7bdd2ab2", "contextTraceId": "3e1cbf79-f99f-48f8-8db0-6112de4ee587", "time": "2023-04-19T18:55:21.807Z", "os": {"desc": "Windows 11", "major": 10, "minor": 0, "build": 22621, "sp": ""}, "ifaces": [{"name": "Ethernet", "mac": "6c:24:08:HIDDEN", "ip": "169.254.39.215", "type": 6}, {"name": "Connexion au r\u00e9seau local* 1", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.133.182", "type": 71}, {"name": "Wi-Fi", "mac": "54:6c:eb:HIDDEN", "ip": "192.168.1.34", "type": 71}, {"name": "Connexion r\u00e9seau Bluetooth", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.228.207", "type": 6}], "bootTime": "2023-04-19T18:54:53.057Z", "domain": "HIDDENDOMAIN.lan", "cv": 1408, "pv": 0, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:55:54Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "it": 1}

User Login
{"eventType": "User Login", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "8010fadb-6402-4977-9279-db7a61bd8aed", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df02eb", "time": "2023-04-19T15:05:52.023Z", "uniqueRuleId": 1, "eventId": 4624, "success": true, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182954904}, "networkInfo": {"workstationName": "HIDDEN29451", "ipAddress": "127.0.0.1", "ipPort": 0}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}

User Logout
{"eventType": "User Logout", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "91acc5be-d782-4ea9-9181-ada93c91ba45", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df04eb", "time": "2023-04-19T15:05:52.027Z", "uniqueRuleId": 1, "eventId": 4634, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182952904}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}

Username Changed
{"eventType": "Username Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9b0fcb12-5182-4877-98b4-6b0eb9c5d16f", "traceId": "a71c4d2e-1ad5-4d84-bd23-ffe0ff6476fa", "contextTraceId": "cd64419d-1e3d-4576-af0f-32387fce4c71", "pid": 660, "it": 1, "time": "2023-04-18T07:54:28.337Z", "uniqueRuleId": 1, "ppid": 660, "pFullName": "C:\\Windows\\System32\\lsass.exe", "eventId": 4781, "user": {"adminType": 0, "domain": "HIDDEN22703", "id": "S-1-5-21-HIDDEN", "name": "Invit\u00e9", "newName": "HIDDEN_invit\u00e9"}, "userInitiator": {"adminType": 0, "domain": "HIDDEN", "id": "S-1-5-18", "name": "HIDDEN22703$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T07:54:40Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}

WMI Activity
{"eventType": "WMI Activity", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e832285-a165-4126-8d73-fe112095bb60", "traceId": "2611f0a8-8c60-4f94-8f99-6b07b146a45b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c70d", "pid": 15260, "time": "2023-04-19T17:45:09.423Z", "uniqueRuleId": 27000, "wmi": {"type": 1, "operation": "Start IWbemServices::CreateClassEnum - root\\subscription : ", "evid": 11}, "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 15260, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\mighost.exe", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:45:20Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.WMIActivity"]}
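An added example (not from the issue or the EDR-Telemetry project) that flattens records of the shapes posted above into one row per event and groups event types by their `@AC.*` tag, which is what a reviewer would check a category proposal against. The sample lines are constructed and trimmed from the posted records; the per-family target fields (`registry.regKeyName` for RegKey events, `registry.keyName` plus `keyValueName` for RegValue events, `hollowInfo.targetPid` for hollowing) follow what the posted records show, and the lenient loader is an assumption of mine for lines whose backslash escaping was lost when pasted.

```python
import json
import re
from collections import Counter
from typing import Optional

# Constructed, sanitized sample lines shaped like the Trellix EDR records posted in
# this issue (fields trimmed, hashes and hosts replaced). Raw strings keep the API's
# JSON escaping (\\ in paths); the last line deliberately uses the collapsed
# single-backslash form that the second batch of posted samples has.
SAMPLE_LINES = [
    r'{"eventType": "Process Created", "time": "2023-04-19T17:50:07.579Z", "pid": 1388, "ppid": 4180, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\SetupHost.exe", "processName": "mighost.exe", "cmdLine": "\"C:\\$WINDOWS.~BT\\Sources\\mighost.exe\" /ParentPID:4180", "user": {"domain": "AUTORITE NT", "id": "S-1-5-18", "name": "Syst\u00e8me"}, "tags": ["@AC.ProcessCreated"]}',
    r'{"eventType": "RegValue Modified", "time": "2023-04-19T17:50:07.139Z", "pid": 4180, "pFullName": "C:\\$WINDOWS.~BT\\Sources\\SetupHost.exe", "registry": {"keyName": "HKLM\\SYSTEM\\SETUP\\MOSETUP\\VOLATILE", "keyValueName": "SETUPPROGRESS", "keyValueType": "REG_DWORD", "keyValue": "64", "keyOldValue": "51"}, "tags": ["@AC.ASEPCreatedOrModified"]}',
    r'{"eventType": "RegKey Read", "time": "2023-02-15T06:31:52.915Z", "pid": 22064, "pFullName": "C:\\Windows\\System32\\mmc.exe", "registry": {"regKeyName": "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\CANARYCERTSTORE\\"}, "response": {"action": 1, "ruleId": "PROTECT_MCAFEE_REG_VALUE1", "operation": 3, "productId": 513, "reason": 6}, "tags": ["@AC.ASEPCreatedOrModified"]}',
    r'{"eventType": "Process Hollowed", "time": "2023-04-19T20:25:31.329Z", "pid": 26384, "pFullName": "C:\\Users\\HIDDENUSER\\AppData\\Local\\Example\\app.exe", "hollowInfo": {"targetPid": 2488, "targetTraceId": "b7bf6bc1-9eb4-44e1-8fc6-712142573792", "apis": [10, 2, 14]}}',
    r'{"eventType": "Account Created", "time": "2023-04-19T08:07:12.515Z", "pid": 844, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4720, "user": {"domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "tags": ["@AC.UserAccount"]}',
]

# A backslash followed by a valid JSON escape body, or a lone backslash.
_ESCAPE = re.compile(r'\\(["\\/]|u[0-9a-fA-F]{4})?')


def _repair(m):
    # Keep valid escapes; double a lone backslash so C:\Windows parses again.
    return m.group(0) if m.group(1) else "\\\\"


def loads_lenient(line: str) -> dict:
    # Strict parse first; only fall back to repair when escaping is broken. The
    # fallback would also double a genuine \n or \t, which these records never
    # carry inside string values.
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return json.loads(_ESCAPE.sub(_repair, line))


def event_target(ev: dict) -> Optional[str]:
    # The field to pivot on per event family, following the posted record shapes.
    et = ev["eventType"]
    reg = ev.get("registry", {})
    if et.startswith("RegKey"):
        return reg.get("regKeyName")
    if et.startswith("RegValue"):
        return reg.get("keyName", "") + "\\" + reg.get("keyValueName", "")
    if "hollowInfo" in ev:
        return "pid:%d" % ev["hollowInfo"]["targetPid"]
    for key in ("dns", "schedtask", "service"):
        if key in ev:
            return ev[key]["name"]
    if et.startswith(("Account", "User")) and "user" in ev:
        return ev["user"]["domain"] + "\\" + ev["user"]["name"]
    return ev.get("cmdLine") or ev.get("pFullName")


def normalize(line: str) -> dict:
    # One flat row per record; None where the event family lacks the field.
    ev = loads_lenient(line)
    user = ev.get("user")
    resp = ev.get("response")  # present when Endpoint Security (EPP) acted on the event
    return {
        "event_type": ev["eventType"],
        "time": ev.get("time"),
        "pid": ev.get("pid"),
        "process": ev.get("pFullName"),
        "user": user["domain"] + "\\" + user["name"] if user else None,
        "tag": (ev.get("tags") or [None])[0],  # e.g. Process Hollowed carries no @AC tag
        "target": event_target(ev),
        "old_value": ev.get("registry", {}).get("keyOldValue"),
        "epp_rule": resp.get("ruleId") if resp else None,
    }


def coverage(lines):
    # Count event types and group them by @AC tag for checking a category proposal.
    counts = Counter()
    by_tag = {}
    for line in lines:
        row = normalize(line)
        counts[row["event_type"]] += 1
        if row["tag"]:
            by_tag.setdefault(row["tag"], set()).add(row["event_type"])
    return counts, by_tag


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        row = normalize(sample)
        print(f"{row['event_type']:<18} {row['tag'] or '-':<28} {row['target']}")
```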
mthcht commented 1 year ago

@tsale here is an extract for each EventType:

Account Changed
{"eventType": "Account Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "01eb704f-3b7d-4965-83ec-5c9d725fd0d6", "traceId": "27bbdca8-e76c-4287-8d93-31f9ad0412be", "contextTraceId": "da67763a-854d-412c-a66f-edcca0eeb3d4", "pid": 1076, "it": 1, "time": "2023-04-19T16:08:47.129Z", "uniqueRuleId": 1, "ppid": 1076, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4738, "user": {"adminType": 0, "domain": "HIDDEN22958", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22958$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T16:08:53Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Created
{"eventType": "Account Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4644b033d0", "traceId": "49054632-69cd-4e34-8292-bd6eb30d4003", "contextTraceId": "8480c6d8-c619-4019-9359-fc7a4a9be425", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.515Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4720, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Deleted
{"eventType": "Account Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3d6a84b3-91fb-41f0-93b1-aa482bc531f6", "traceId": "c61cbd7a-62bc-4186-8b80-6eead86a4710", "contextTraceId": "87a2f691-5fbb-49b5-8417-ce551000e23d", "pid": 872, "it": 1, "time": "2023-04-19T08:14:25.865Z", "uniqueRuleId": 1, "ppid": 872, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4726, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_kadvAYTV"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:14:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Disabled
{"eventType": "Account Disabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b08de07d-b15f-441a-b143-78c42cb61a78", "traceId": "9b95b0f5-dee6-487c-aaf6-65af35cf3256", "contextTraceId": "873a8979-6c94-4085-872b-ded4c54ee9a9", "pid": 988, "it": 1, "time": "2023-04-18T08:02:43.593Z", "uniqueRuleId": 1, "ppid": 988, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4725, "user": {"adminType": 0, "domain": "HIDDEN22172", "id": "S-1-5-21-HIDDENSID", "name": "defaultuser0"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22172$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T08:05:18Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Enabled
{"eventType": "Account Enabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4645b032d0", "traceId": "859ac34b-348e-44e1-8711-a9c306642202", "contextTraceId": "8480c6d8-c619-4019-9459-fc7a4a9be435", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.530Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4722, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Api
{"eventType": "Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0318c", "traceId": "ea0cf5f2-0adc-4619-8837-4403a69798cd", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747947b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:52.975Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "api": {"name": "FindFirstFile", "data": "HIDDENDATA", "result": "1952366316400", "moduleName": "", "arguments": [], "targetPid": 0}, "uniqueRuleId": 19120, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.APICall"]}


COM Api
{"eventType": "COM Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b62a-7f9bcdd3c4aa", "traceId": "0c46d2d8-f86d-4c7f-88eb-cb977aa78207", "contextTraceId": "4df162be-c064-4b64-b250-41ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.428Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\Windows\System32\cscript.exe", "uniqueRuleId": 4294967295, "comApis": [{"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.RegWrite", "args": "\"HKCU\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy\",\"Unrestricted\",\"REG_SZ\"", "result": ""}, {"flags": 3, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.ExpandEnvironmentStrings", "args": "\"%LOCALAPPDATA%\HIDDEN_VPN\script.ps1\"", "result": "\"C:\Users\HIDDENUSER\AppData\Local\HIDDEN_VPN\script.ps1\""}, {"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.Run", "args": "\"powershell.exe -nologo -command C:\Users\HIDDENUSER\AppData\Local\HIDDEN_VPN\script.ps1\",0", "result": ""}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Code Injected
{"eventType": "Code Injected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-5368-b63a-7f9bcdd3c4aa", "traceId": "52fc84ae-6d72-49fe-bf65-74265c57224d", "contextTraceId": "4df162be-c064-4b64-b850-41ba1493d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\Windows\System32\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "relatedProcess": {"pid": 6620, "cmdLine": "\"cscript.exe\" C:\Users\edubois\AppData\Local\HIDDEN_VPN\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"lastModificationDate": "2021-09-15T10:42:04.643Z", "creationDate": "2021-09-15T10:42:04.640Z", "md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\Windows\System32\cscript.exe", "size": 161280, "fsattrs": 32, "embedFilename": "cscript.exe", "embedFileVersion": "5.812.10240.16384", "embedProductName": "Microsoft \u00ae Windows Script Host", "embedProductVersion": "5.812.10240.16384", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Code Injection
{"eventType": "Code Injection", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd3c4aa", "traceId": "0e5172ff-98a2-47c8-9d94-3488c6df70c0", "contextTraceId": "4df162be-c064-4b64-b850-42ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\Windows\System32\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "injectedProcessTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd2c4aa", "relatedProcess": {"pid": 6620, "cmdLine": "\"cscript.exe\" C:\Users\HIDDENUSER\AppData\Local\HIDDEN_VPN\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENUSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\Windows\System32\cscript.exe", "size": 161280, "embedFilename": "cscript.exe", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Context Changed
{"eventType": "Context Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "0e9c4e60-49af-451d-b807-39da4003af3d", "traceId": "3ce0bbe4-92b4-430b-996e-cc32cfe99837", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e3bf69", "pid": 5164, "it": 1, "time": "2023-04-19T18:46:31.739Z", "pSha2": "5A5C59646969CE0D99B05556CEA793F9F89A019BE4D66D8C9A1AF9EED699AC89", "ppid": 5164, "pFullName": "C:\Windows\System32\spoolsv.exe", "reason": 1, "relatedTraceId": "ba434310-89f5-4749-9cc2-b9df78bc18d3", "relatedProcess": {"pid": 5164, "cmdLine": "C:\WINDOWS\System32\spoolsv.exe", "processName": "spoolsv.exe", "integrity": 4, "user": {"domain": "NT AUTHORITY", "id": "S-1-5-18", "name": "NT AUTHORITY\SYSTEM"}, "procFileAttrs": {"md5": "3BCB8517038CACDF2F2498E1D0F80544", "sha1": "F8D8AC37C3C194F8C8EF052FF46C19CBB65361D5", "sha256": "5A5C59646969CE0D99B05556CEA793F9F89A019BE5D66D8C9A1AF9EED699AC89", "fileType": "PE", "name": "spoolsv.exe", "path": "C:\Windows\System32\spoolsv.exe", "size": 929792, "embedFilename": "spoolsv.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "tdmRuleIds": [112, 100003, 99999], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:47Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


DNS Query
{"eventType": "DNS Query", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c6fc0e114ff7", "traceId": "e76f265c-cb4a-4ab2-9857-b04bfeb0aebb", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.903Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\Users\rtadjer\AppData\Local\Microsoft\Teams\current\Teams.exe", "dns": {"name": "HIDDEN.trouter.teams.microsoft.com", "type": 1}, "uniqueRuleId": 19112, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.DNSQuery"]}


Epp File Scan
{"eventType": "Epp File Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "ee75a850-7bf9-44f4-8623-c26aaad762ed", "traceId": "e24fd01c-4eeb-453d-a688-09bbee345095", "contextTraceId": "4df162be-c064-4b64-b850-41ba1495d6d2", "pid": 2256, "it": 1, "time": "2023-04-19T14:22:58.726Z", "pSha2": "20330D3CA71D58F4AEB432676CB6A3D5B97005954E45132FB083E90782EFDD50", "ppid": 2256, "pFullName": "C:\Windows\System32\backgroundTaskHost.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "NativeHostNE.dll", "path": "C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23022.140.0_x64__8wekyb3d8bbwe\NativeHostNE.dll", "size": 0}, "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:23:19Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Epp Process Response
{"eventType": "Epp Process Response", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "a65892eb-990a-407c-89d1-7f4a25aab465", "traceId": "c6e24a8f-004b-4f15-b3d6-aa752b3b2812", "contextTraceId": "0a3768eb-d606-4282-8466-201fd8596be1", "pid": 9492, "time": "2023-04-19T18:36:46.512Z", "pSha2": "FC6BA3C701AFBEB082BA25F677FE47A0D3225465AF02C50E2AC2B10728E9D89E", "ppid": 9492, "pFullName": "C:\Windows\CCM\CcmExec.exe", "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 1, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:36:52Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.EPP_Response"]}


Epp Process Scan
{"eventType": "Epp Process Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e74be1a-90b5-466e-aff3-652aa73d0216", "traceId": "46bfe244-cfa7-41ef-99a8-ec354fdc38f7", "contextTraceId": "300409fb-6c49-4bf0-832d-205265b6d9d1", "pid": 12300, "it": 1, "time": "2023-04-19T18:26:16.293Z", "pSha2": "B5DDC370739579D2EE7C8A1284D4C83F15F4CF662893FDA55854D03B99AA2685", "ppid": 12300, "pFullName": "C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.898_none_6b467c06908d3d29\TiWorker.exe", "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:26:41Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


File Attribute Changed
{"eventType": "File Attribute Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37434aab53f", "traceId": "337454e9-dbe6-46d6-999d-c6647f406410", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-742957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:40.875Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 7, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.739Z", "creationDate": "2023-04-19T17:49:40.873Z", "md5": "9D04081293A783441ED1133888E8721C", "sha1": "2F688EFBC6ACEA6B5E6C172EB4AE7A41A2FB3C05", "sha256": "1C3DBA99D46303A00D83DEDDAEEE6988BB9E0E97F8D02925D2270A1B539157D1", "fileType": "PE", "name": "MFC90CHS.DLL", "path": "C:\$WINDOWS.~BT\Work\MachineSpecific\Working\agentmgr\CCSIAgent\005A53BA\SxsAsm38\MFC90CHS.DLL", "size": 35664, "fsattrs": 8224, "fsattrsChanged": 2, "embedFilename": "MFC90CHS.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Created
{"eventType": "File Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-43ec-9659-f37432aab53f", "traceId": "2b98410e-fea4-420d-98da-1220479161fe", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b490d", "pid": 4160, "time": "2023-04-19T17:49:40.861Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.108Z", "creationDate": "2023-04-19T17:49:40.858Z", "md5": "CDBE9690CF2B8409FACAD94FAC9479C9", "sha1": "4BCDFE2C1B354645314A4CE26B55B2B1A0212DB9", "sha256": "8E7FE1A1F3550C479FFD86A77BC9D10686D47F8727025BB891D8F4F0259354C8", "fileType": "PE", "name": "msvcr90.dll", "path": "C:\$WINDOWS.~BT\Work\MachineSpecific\Working\agentmgr\CCSIAgent\005A54BA\SxsAsm37\msvcr90.dll", "size": 653136, "fsattrs": 8224, "embedFilename": "MSVCR90.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Deleted {"eventType": "File Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "e3c8e545-3d68-4d75-9168-f332c3b72b3e", "traceId": "447205ad-ea41-4ad0-b0ee-a3b1eebd486b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b3c90d", "pid": 3872, "time": "2023-04-19T17:54:22.517Z", "pSha2": "823523E1B4BF1DBFF1CA7E65C67483B2260F13AD4AB61F6131F84D5B8DBE985F", "ppid": 3872, "pFullName": "C:\Windows\System32\drvinst.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-03-11T18:46:14.000Z", "creationDate": "2022-03-11T18:46:14.000Z", "md5": "", "sha1": "", "sha256": "2B7FDFAD42885DD4FFED2BF0EE0FD810FD6D2C3F21567513FB2ACF296CD80016", "fileType": "PE", "name": "igdumdim32.dll", "path": "C:\Windows\System32\DriverStore\FileRepository\iigd_dch_d.inf_amd64_07f5935d7ce74872\igdumdim32.dll", "size": 1569160, "fsattrs": 128}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Executed {"eventType": "File Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "7eec0405-02a9-4391-a213-3d221308f33e", "traceId": "e89bdf24-e752-487e-a423-a2d55766db0b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c9d", "pid": 4960, "it": 1, "time": "2023-04-19T17:55:18.886Z", "pSha2": "A00790D3844F6A2DC3767945124FECCBBFC15E7654E53C2FD38D660DD1A91733", "ppid": 4960, "pFullName": "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "salib_OSSL.dll", "path": "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\salib_OSSL.dll", "size": 0, "fsattrs": 128}, "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 6, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Modified {"eventType": "File Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "df9f1187-be22-45ba-862e-b678750434af", "traceId": "4974570a-8542-4ef9-b038-850b3503ac7a", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 1388, "time": "2023-04-19T17:50:07.640Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 1388, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T17:42:08.114Z", "creationDate": "2022-08-25T18:56:09.172Z", "md5": "23A09C342E04E45BE828409B39DB0A5D", "sha1": "C1D03FDE664C1EB522EA72BEF31F7DCFC4D20EE0", "sha256": "7846F5D43BBC99701B558E9737E654348855CB7FA6A0403739AEA63908099E7E", "name": "setuperr.log", "path": "C:\Windows\setuperr.log", "size": 495, "fsattrs": 32, "mhdr": "efbbbf323032332d"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}


File Moved {"eventType": "File Moved", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "6efe949e-59ff-4f92-b736-a41e3bfd64c4", "traceId": "d7cf9750-0945-4fa6-99f6-f4ed00988881", "contextTraceId": "c49554af-b28f-4d43-b49a-89b935df02eb", "pid": 14856, "it": 1, "time": "2023-04-19T15:05:54.741Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 14856, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Microsoft\Teams\current\Teams.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T14:14:48.977Z", "creationDate": "2020-03-17T15:39:36.625Z", "md5": "DFA84FC7A9620554D263AFDE3073753C", "sha1": "BEB95A2255EB67B0A71310156677AAA67926AD7D", "sha256": "B26968E75201C2AE4908ECB3C23CB361B9E08C53780AFAA682F4BDDAD5B4A069", "name": "a55ed4fbb973aefb.customDestinations-ms", "path": "C:\Users\HIDDENUSER\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a54ed4fbb973aefb.customDestinations-ms", "newFilePath": "C:\Users\HIDDENUSER\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a54ed4fbb973aefb.customDestinations-ms~RF6c135fa.TMP", "size": 10512, "fsattrs": 32}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}


File Read {"eventType": "File Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c20a0218c", "traceId": "ab9be903-4b85-4338-81c0-507c71e1fa7d", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-737957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.548Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "uniqueRuleId": 5, "fileAttributes": {"lastModificationDate": "2023-04-19T17:51:53.544Z", "creationDate": "2023-04-19T17:51:53.543Z", "md5": "D17FE0A3F47BE24A6453E9EF58C94641", "sha1": "6AB83620379FC69F80C0242105DDFFD7D98D5D9D", "sha256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7", "name": "__PSScriptPolicyTest_2yelgbav.p0r.ps1", "path": "C:\Windows\Temp\__PSScriptPolicyTest_2yelgbav.p0r.ps1", "size": 60, "fsattrs": 32, "mhdr": "2320506f77657253"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptCreated"]}


Image Loaded {"eventType": "Image Loaded", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "722b8348-1566-4315-a160-e37c17b6d06b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-727957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.501Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "uniqueRuleId": 18, "modules": [{"sha256": "0C3793703087C34745609D4DB2683750560FFF7A6BD04D618BC4BD4BC55E5106", "name": "C:\WINDOWS\SYSTEM32\BCRYPT.DLL", "loadTime": "2023-04-19T17:51:53.501Z", "vtpPrivileges": 1, "fsattrs": 32}, {"sha256": "1F996574F38219CDD848375F517F8D86E17542BC84D64CCE63AA0C64CC15F22D", "name": "C:\WINDOWS\SYSTEM32\WS2_32.DLL", "loadTime": "2023-04-19T17:51:53.599Z", "vtpPrivileges": 1, "fsattrs": 32}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoadedDLLs"]}


NamedPipe Connected {"eventType": "NamedPipe Connected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d7114add-5126-4b2a-893e-20a248182832", "traceId": "35c96280-b766-40b8-9608-74a32387f22e", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b2c90d", "pid": 2104, "it": 1, "time": "2023-04-19T17:55:20.448Z", "pSha2": "27412E8CDEBB7F3E645454ED1BEE0EBB04C976BC8946698EF8CE4C664B63B3C0", "ppid": 2104, "pFullName": "C:\Program Files\ForeScout SecureConnector\SecureConnector.exe", "uniqueRuleId": 4, "pipe": {"name": "\\.\pipe\_FSA_TMP_6544_643E4C1F_0002PERFORMER_CNTL"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Network Accessed {"eventType": "Network Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c4fc0e112ff7", "traceId": "24264358-6a18-43ac-ab02-5d5a89c74bbc", "contextTraceId": "5537a2e8-1a88-44f3-9d1f-747957b6c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.935Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Microsoft\Teams\current\Teams.exe", "uniqueRuleId": 19103, "network": {"accessType": "connection_opened", "direction": "outbound", "dstIp": "127.0.0.1", "dstPort": 53574, "srcIp": "127.0.0.1", "srcPort": 53573, "protocol": "tcp", "dnsNames": ["gearssdk.HIDDEN.com"]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NetworkConnection"]}


Password Reset {"eventType": "Password Reset", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "85056462-75dc-4eb9-935d-e22da7674050", "traceId": "cda5b2be-4636-41f3-988f-f009d2697f6d", "contextTraceId": "252fcdc6-95dc-4437-924c-1e1a740f4d03", "pid": 868, "it": 1, "time": "2023-04-14T15:43:09.634Z", "uniqueRuleId": 1, "ppid": 868, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4724, "user": {"adminType": 0, "domain": "HIDDEN230171", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN230171$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-14T15:43:33Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Process Accessed {"eventType": "Process Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "ea0291b7-5854-4235-b710-0a1528849534", "traceId": "2d9ae548-3eda-4e6a-9ae7-829f2a94c55e", "contextTraceId": "c49554af-b28f-4d43-b49a-84b932df02eb", "pid": 18572, "it": 1, "time": "2023-04-19T16:10:31.049Z", "pSha2": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "ppid": 18572, "pFullName": "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "uniqueRuleId": 19114, "accessType": 16, "relatedProcess": {"pid": 6448, "cmdLine": "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=fr --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3944 --field-trial-handle=2252,i,15327557186177104925,6464273188186216104,131072 /prefetch:8", "processName": "msedge.exe", "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "BECC2E4F21743168C59876A6BAD0E74A", "sha1": "9EF706CD46650B807255FE7752599520C7E6BEE4", "sha256": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "fileType": "PE", "name": "msedge.exe", "path": "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "size": 4139936, "embedFilename": "msedge.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "integrity": 1}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T16:11:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Process Created {"eventType": "Process Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f65d9571093", "traceId": "df9f1147-be22-45ba-862e-b678730434af", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 1388, "time": "2023-04-19T17:50:07.579Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4180, "pFullName": "C:\$WINDOWS.~BT\Sources\SetupHost.exe", "cmdLine": "\"C:\$WINDOWS.~BT\Sources\mighost.exe\" {HIDDENSID} /InitDoneEvent:MigHost.{HIDDENSID}.Event /ParentPID:4180", "processName": "mighost.exe", "integrity": 4, "user": {"domain": "AUTORITE NT", "id": "S-1-5-18", "name": "Syst\u00e8me"}, "procFileAttrs": {"creationDate": "2023-04-19T17:31:50.338Z", "md5": "A29006724D36A128C8471BC463ECA83A", "sha1": "6518BFC3B22E82E94F6C404B33AD9BE9B5162FB2", "sha256": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "name": "mighost.exe", "path": "C:\$WINDOWS.~BT\Sources\mighost.exe", "size": 279896, "embedFilename": "MigHost.exe", "embedFileVersion": "10.0.22621.1 (WinBuild.160101.0800)", "embedProductName": "Microsoft\u00ae Windows\u00ae Operating System", "embedProductVersion": "10.0.22621.1", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "parentsTraceId": ["261c5c80-d583-43b2-a1d9-3f65d9571094", "6bbc10bf-abad-4cf2-ba43-c19f415ffb51", "9d81e708-c5db-4b71-a9ca-2f39d1ed77ba", "cf5e5a2f-5f39-45de-b2fc-c07742e1a724", "d9a8593c-49c5-4698-8ea2-f4d554f21358", "afa7552d-7f45-46a0-a590-d2dd01fa9479", "e4c78c17-8878-4c5b-9b93-10c15fa23986"], "tdmRuleIds": [110, 100000, 100003], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ProcessCreated"]}


Process Hollowed {"eventType": "Process Hollowed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "37e0d41f-dfec-41c0-a36d-9d7310a77bd3", "traceId": "933ab594-0167-4f88-b858-c6c042bf146c", "contextTraceId": "c49554af-b28f-4d43-b49a-89b934df02eb", "pid": 26384, "it": 1, "time": "2023-04-19T20:25:31.329Z", "pSha2": "5BB79BEEF24F2254DBFA1F53078483AF9DD9D4506508FEE886F21847F7DFF504", "ppid": 26384, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Seclore\FileSecure\Desktop Client\X64\FSDC64.exe", "hollowInfo": {"targetPid": 2488, "targetTraceId": "b7bf6bc1-9eb4-44e1-8fc6-712142573792", "originalIp": 0, "finalIp": 0, "apis": [10, 2, 14]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T20:25:44Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Process Reputation Changed {"eventType": "Process Reputation Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "751c64e7-d243-4757-a7dc-5f113e75aa35", "traceId": "8eb5b562-5f6a-4ded-ae5f-bef61a0bbbf2", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 4228, "it": 1, "time": "2023-04-19T17:54:53.574Z", "pSha2": "2198A7B58BCCB758036B969DDAE6CC2ECE07565E2659A7C541A313A0492231A3", "ppid": 4228, "pFullName": "C:\Windows\System32\wbem\WmiPrvSE.exe", "reputation": {"reputation": 85, "productId": 514, "reason": 2, "data": "{\"module_filepath\":\"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\4fb9160b27f2daa1ec55050bde519fcc\\System.ni.dll\",\"module_reputation\":85,\"process_previous_reputation\":99}\n"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


RegKey Created {"eventType": "RegKey Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "d8fd4b5b-6757-467d-b9ea-634dd2be5424", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.420Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"regKeyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\CURRENTCONTROLSET\CONTROL\DEVICEMIGRATION\DEVICES\USB\VID_17E9&PID_6015&MI_02\7&1D07AD4B&0&0002\INTERFACES\{HIDDENSID}#PCM_IN_05_00\DEVICE\EP\0"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegKey Deleted {"eventType": "RegKey Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f34432aab53f", "traceId": "cc3dd5d2-8db2-4822-8032-0948e1f67779", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747457b6c90d", "pid": 4160, "time": "2023-04-19T17:49:34.130Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"regKeyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\TEMP\NDI\PARAMS\UAPSDSUPPORT"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:00Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegKey Read {"eventType": "RegKey Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b7f8e1db-b86e-4a95-9b0f-360d5b9f6244", "traceId": "e27fb183-897e-49e8-be43-c76ba90f8370", "contextTraceId": "10ab02e8-c043-4ea4-9c2c-41a805ac0a7e", "pid": 22064, "it": 1, "time": "2023-02-15T06:31:52.915Z", "pSha2": "9179048992E0FBB51CFA7E42EF65074661295B6B155BDD60DE47AA684D82F4FD", "ppid": 22064, "pFullName": "C:\Windows\System32\mmc.exe", "registry": {"regKeyName": "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CANARYCERTSTORE\"}, "response": {"action": 1, "description": "HIDDENDOMAIN\HIDDENUSERNAME a ex\u00e9cut\u00e9 C:\Windows\System32\mmc.exe, qui tentait d'acc\u00e9der \u00e0 HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CANARYCERTSTORE\, d'une mani\u00e8re contraire \u00e0 la r\u00e8gle \u00ab Protection essentielle - Prot\u00e9ger les cl\u00e9s et valeurs de Registre McAfee essentielles \u00bb, et a \u00e9t\u00e9 bloqu\u00e9. Pour obtenir de plus amples informations sur la mani\u00e8re de r\u00e9pondre \u00e0 cet \u00e9v\u00e9nement, voir KB85494.", "ruleId": "PROTECT_MCAFEE_REG_VALUE1", "operation": 3, "productId": 513, "reason": 6}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-02-15T06:32:09Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Created {"eventType": "RegValue Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "5ae2323c-98cc-4020-ad3f-8d0e25de9f95", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.421Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\CURRENTCONTROLSET\CONTROL\DEVICEMIGRATION\DEVICES\USB\VID_17E9&PID_6015&MI_02\7&1D07AD2B&0&0004\INTERFACES\{HIDDENSID}#PCM_IN_05_00\DEVICE", "keyValueName": "FRIENDLYNAME", "keyValueType": "REG_SZ", "keyValue": "Lenovo USB Audio"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Deleted {"eventType": "RegValue Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "d162fb4b-1c6b-41e5-9458-a0d5be22deae", "contextTraceId": "5537a2e8-1a38-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:38.131Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\TEMP", "keyValueName": "DISABLESETUPDICHANGESTATE"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:31Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Modified {"eventType": "RegValue Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f45d9571094", "traceId": "efff6774-159e-424c-85b3-cd570e3b6d22", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747958b6c90d", "pid": 4180, "time": "2023-04-19T17:50:07.139Z", "pSha2": "7538940533F3B531D2FF8B57D79C01C475BB457FA5103E5A0D4AFADB728702C6", "ppid": 4180, "pFullName": "C:\$WINDOWS.~BT\Sources\SetupHost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\MOSETUP\VOLATILE", "keyValueName": "SETUPPROGRESS", "keyValueType": "REG_DWORD", "keyValue": "64", "keyOldValue": "51"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


ScheduledTask Changed {"eventType": "ScheduledTask Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d57e9fa6-7967-45b5-a54e-468f5c2be4db", "traceId": "b5a8f55e-3d1b-464c-84c8-ac4791366f22", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e4bf69", "pid": 7392, "time": "2023-04-19T18:46:06.775Z", "pSha2": "949BFB5B4C7D58D92F3F9C5F8EC7CA4CEAFFD10EC5F0020F0A987C472D61C54B", "ppid": 7392, "pFullName": "C:\Windows\System32\svchost.exe", "uniqueRuleId": 30, "action": "deleted", "schedtask": {"name": "Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScheduledTaskRegistered"]}


Script Executed {"eventType": "Script Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "5179615b-3a3f-49e4-8e27-2d1966deed68", "contextTraceId": "5537a2e8-1a88-43f3-8d1f-747957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.536Z", "uniqueRuleId": 28001, "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "scriptType": "powershell", "scripts": [{"timestamp": "2023-04-19T17:51:53.536Z", "length": 391, "hash": "40D27F34C4D18A9A07D13655FFE2738D3B19975A4FAC8192C6ABAE55319A91B9", "intentions": [{"name": "action:Object/Select", "lines": ["[...]52428800') -or ($.BytesFromPeers -ne '0') -or (($.BytesFromCacheServer -ne '0') -and ($.BytesFromCacheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInforma[...]"]}, {"name": "action:Xml/ConvertTo", "lines": ["[...]cheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInformation"]}, {"name": "observable:network.url.http", "lines": ["Get-DeliveryOptimizationStatus | where-object {($.Sourceurl -CLike 'http://HIDDEN:8005*') -AND (($.FileSize -ge '52428800') -or ($.BytesFromPeers -ne '0') -or (($_.BytesFromCacheServer -ne '0') -and[...]"]}]}], "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:03Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptExecuted"]}


Service Changed {"eventType": "Service Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "ff683f3a-7433-4122-8478-80560270cf1a", "contextTraceId": "5537a2e8-1a88-43f3-9c1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:12.567Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 16, "action": "deleted", "service": {"name": "BTHPORT"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:50:56Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ServiceChanged"]}


SysInfo {"eventType": "SysInfo", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "0a3fc885-44c0-487d-951a-65ac7bdd2ab2", "contextTraceId": "3e1cbf79-f99f-48f8-8db0-6112de4ee587", "time": "2023-04-19T18:55:21.807Z", "os": {"desc": "Windows 11", "major": 10, "minor": 0, "build": 22621, "sp": ""}, "ifaces": [{"name": "Ethernet", "mac": "6c:24:08:HIDDEN", "ip": "169.254.39.215", "type": 6}, {"name": "Connexion au r\u00e9seau local* 1", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.133.182", "type": 71}, {"name": "Wi-Fi", "mac": "54:6c:eb:HIDDEN", "ip": "192.168.1.34", "type": 71}, {"name": "Connexion r\u00e9seau Bluetooth", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.228.207", "type": 6}], "bootTime": "2023-04-19T18:54:53.057Z", "domain": "HIDDENDOMAIN.lan", "cv": 1408, "pv": 0, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:55:54Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "it": 1}


User Login {"eventType": "User Login", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "8010fadb-6402-4977-9279-db7a61bd8aed", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df02eb", "time": "2023-04-19T15:05:52.023Z", "uniqueRuleId": 1, "eventId": 4624, "success": true, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182954904}, "networkInfo": {"workstationName": "HIDDEN29451", "ipAddress": "127.0.0.1", "ipPort": 0}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}


User Logout {"eventType": "User Logout", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "91acc5be-d782-4ea9-9181-ada93c91ba45", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df04eb", "time": "2023-04-19T15:05:52.027Z", "uniqueRuleId": 1, "eventId": 4634, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182952904}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}


Username Changed {"eventType": "Username Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9b0fcb12-5182-4877-98b4-6b0eb9c5d16f", "traceId": "a71c4d2e-1ad5-4d84-bd23-ffe0ff6476fa", "contextTraceId": "cd64419d-1e3d-4576-af0f-32387fce4c71", "pid": 660, "it": 1, "time": "2023-04-18T07:54:28.337Z", "uniqueRuleId": 1, "ppid": 660, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4781, "user": {"adminType": 0, "domain": "HIDDEN22703", "id": "S-1-5-21-HIDDEN", "name": "Invit\u00e9", "newName": "HIDDEN_invit\u00e9"}, "userInitiator": {"adminType": 0, "domain": "HIDDEN", "id": "S-1-5-18", "name": "HIDDEN22703$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T07:54:40Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


WMI Activity {"eventType": "WMI Activity", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e832285-a165-4126-8d73-fe112095bb60", "traceId": "2611f0a8-8c60-4f94-8f99-6b07b146a45b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c70d", "pid": 15260, "time": "2023-04-19T17:45:09.423Z", "uniqueRuleId": 27000, "wmi": {"type": 1, "operation": "Start IWbemServices::CreateClassEnum - root\subscription : ", "evid": 11}, "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 15260, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:45:20Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.WMIActivity"]}


Account Changed {"eventType": "Account Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "01eb704f-3b7d-4965-83ec-5c9d725fd0d6", "traceId": "27bbdca8-e76c-4287-8d93-31f9ad0412be", "contextTraceId": "da67763a-854d-412c-a66f-edcca0eeb3d4", "pid": 1076, "it": 1, "time": "2023-04-19T16:08:47.129Z", "uniqueRuleId": 1, "ppid": 1076, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4738, "user": {"adminType": 0, "domain": "HIDDEN22958", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22958$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T16:08:53Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Created {"eventType": "Account Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4644b033d0", "traceId": "49054632-69cd-4e34-8292-bd6eb30d4003", "contextTraceId": "8480c6d8-c619-4019-9359-fc7a4a9be425", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.515Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4720, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "accountInfo": {}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Deleted {"eventType": "Account Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3d6a84b3-91fb-41f0-93b1-aa482bc531f6", "traceId": "c61cbd7a-62bc-4186-8b80-6eead86a4710", "contextTraceId": "87a2f691-5fbb-49b5-8417-ce551000e23d", "pid": 872, "it": 1, "time": "2023-04-19T08:14:25.865Z", "uniqueRuleId": 1, "ppid": 872, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4726, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_kadvAYTV"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:14:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Disabled {"eventType": "Account Disabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b08de07d-b15f-441a-b143-78c42cb61a78", "traceId": "9b95b0f5-dee6-487c-aaf6-65af35cf3256", "contextTraceId": "873a8979-6c94-4085-872b-ded4c54ee9a9", "pid": 988, "it": 1, "time": "2023-04-18T08:02:43.593Z", "uniqueRuleId": 1, "ppid": 988, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4725, "user": {"adminType": 0, "domain": "HIDDEN22172", "id": "S-1-5-21-HIDDENSID", "name": "defaultuser0"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22172$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T08:05:18Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Account Enabled {"eventType": "Account Enabled", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f147f604-e869-460d-be55-8f4645b032d0", "traceId": "859ac34b-348e-44e1-8711-a9c306642202", "contextTraceId": "8480c6d8-c619-4019-9459-fc7a4a9be435", "pid": 844, "it": 1, "time": "2023-04-19T08:07:12.530Z", "uniqueRuleId": 1, "ppid": 844, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4722, "user": {"adminType": 0, "domain": "HIDDEN22126", "id": "S-1-5-21-HIDDENSID", "name": "lenovo_tmp_wblgJLFO"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN22126$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T08:07:25Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Api {"eventType": "Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0318c", "traceId": "ea0cf5f2-0adc-4619-8837-4403a69798cd", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747947b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:52.975Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "api": {"name": "FindFirstFile", "data": "HIDDENDATA", "result": "1952366316400", "moduleName": "", "arguments": [], "targetPid": 0}, "uniqueRuleId": 19120, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.APICall"]}


COM Api {"eventType": "COM Api", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b62a-7f9bcdd3c4aa", "traceId": "0c46d2d8-f86d-4c7f-88eb-cb977aa78207", "contextTraceId": "4df162be-c064-4b64-b250-41ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.428Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\Windows\System32\cscript.exe", "uniqueRuleId": 4294967295, "comApis": [{"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.RegWrite", "args": "\"HKCU\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy\",\"Unrestricted\",\"REG_SZ\"", "result": ""}, {"flags": 3, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.ExpandEnvironmentStrings", "args": "\"%LOCALAPPDATA%\HIDDEN_VPN\script.ps1\"", "result": "\"C:\Users\HIDDENUSER\AppData\Local\HIDDEN_VPN\script.ps1\""}, {"flags": 1, "origin": "progid:WScript.Shell.1", "method": "IWshShell3.Run", "args": "\"powershell.exe -nologo -command C:\Users\HIDDENUSER\AppData\Local\HIDDEN_VPN\script.ps1\",0", "result": ""}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Code Injected {"eventType": "Code Injected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-5368-b63a-7f9bcdd3c4aa", "traceId": "52fc84ae-6d72-49fe-bf65-74265c57224d", "contextTraceId": "4df162be-c064-4b64-b850-41ba1493d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\Windows\System32\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "relatedProcess": {"pid": 6620, "cmdLine": "\"cscript.exe\" C:\Users\edubois\AppData\Local\HIDDEN_VPN\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"lastModificationDate": "2021-09-15T10:42:04.643Z", "creationDate": "2021-09-15T10:42:04.640Z", "md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\Windows\System32\cscript.exe", "size": 161280, "fsattrs": 32, "embedFilename": "cscript.exe", "embedFileVersion": "5.812.10240.16384", "embedProductName": "Microsoft \u00ae Windows Script Host", "embedProductVersion": "5.812.10240.16384", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Code Injection {"eventType": "Code Injection", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd3c4aa", "traceId": "0e5172ff-98a2-47c8-9d94-3488c6df70c0", "contextTraceId": "4df162be-c064-4b64-b850-42ba1495d6d2", "pid": 6620, "it": 1, "time": "2023-04-19T14:50:01.097Z", "pSha2": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "ppid": 6620, "pFullName": "C:\Windows\System32\cscript.exe", "relatedApis": [1, 3, 4], "injectionType": 4, "injectedProcessTraceId": "88893b41-3cb2-4368-b63a-7f9bcdd2c4aa", "relatedProcess": {"pid": 6620, "cmdLine": "\"cscript.exe\" C:\Users\HIDDENUSER\AppData\Local\HIDDEN_VPN\HIDDENNAME.vbs", "processName": "cscript.exe", "integrity": 2, "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENUSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "24590BF74BBBBFD7D7AC070F4E3C44FD", "sha1": "CDFE517D07F18623778829AA98D6BBADD3F294CD", "sha256": "AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03", "fileType": "PE", "name": "cscript.exe", "path": "C:\Windows\System32\cscript.exe", "size": 161280, "embedFilename": "cscript.exe", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:50:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Context Changed {"eventType": "Context Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "0e9c4e60-49af-451d-b807-39da4003af3d", "traceId": "3ce0bbe4-92b4-430b-996e-cc32cfe99837", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e3bf69", "pid": 5164, "it": 1, "time": "2023-04-19T18:46:31.739Z", "pSha2": "5A5C59646969CE0D99B05556CEA793F9F89A019BE4D66D8C9A1AF9EED699AC89", "ppid": 5164, "pFullName": "C:\Windows\System32\spoolsv.exe", "reason": 1, "relatedTraceId": "ba434310-89f5-4749-9cc2-b9df78bc18d3", "relatedProcess": {"pid": 5164, "cmdLine": "C:\WINDOWS\System32\spoolsv.exe", "processName": "spoolsv.exe", "integrity": 4, "user": {"domain": "NT AUTHORITY", "id": "S-1-5-18", "name": "NT AUTHORITY\SYSTEM"}, "procFileAttrs": {"md5": "3BCB8517038CACDF2F2498E1D0F80544", "sha1": "F8D8AC37C3C194F8C8EF052FF46C19CBB65361D5", "sha256": "5A5C59646969CE0D99B05556CEA793F9F89A019BE5D66D8C9A1AF9EED699AC89", "fileType": "PE", "name": "spoolsv.exe", "path": "C:\Windows\System32\spoolsv.exe", "size": 929792, "embedFilename": "spoolsv.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}}, "tdmRuleIds": [112, 100003, 99999], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:47Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


DNS Query {"eventType": "DNS Query", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c6fc0e114ff7", "traceId": "e76f265c-cb4a-4ab2-9857-b04bfeb0aebb", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.903Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\Users\rtadjer\AppData\Local\Microsoft\Teams\current\Teams.exe", "dns": {"name": "HIDDEN.trouter.teams.microsoft.com", "type": 1}, "uniqueRuleId": 19112, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.DNSQuery"]}


Epp File Scan {"eventType": "Epp File Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "ee75a850-7bf9-44f4-8623-c26aaad762ed", "traceId": "e24fd01c-4eeb-453d-a688-09bbee345095", "contextTraceId": "4df162be-c064-4b64-b850-41ba1495d6d2", "pid": 2256, "it": 1, "time": "2023-04-19T14:22:58.726Z", "pSha2": "20330D3CA71D58F4AEB432676CB6A3D5B97005954E45132FB083E90782EFDD50", "ppid": 2256, "pFullName": "C:\Windows\System32\backgroundTaskHost.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "NativeHostNE.dll", "path": "C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23022.140.0_x64__8wekyb3d8bbwe\NativeHostNE.dll", "size": 0}, "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T14:23:19Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Epp Process Response {"eventType": "Epp Process Response", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "a65892eb-990a-407c-89d1-7f4a25aab465", "traceId": "c6e24a8f-004b-4f15-b3d6-aa752b3b2812", "contextTraceId": "0a3768eb-d606-4282-8466-201fd8596be1", "pid": 9492, "time": "2023-04-19T18:36:46.512Z", "pSha2": "FC6BA3C701AFBEB082BA25F677FE47A0D3225465AF02C50E2AC2B10728E9D89E", "ppid": 9492, "pFullName": "C:\Windows\CCM\CcmExec.exe", "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 1, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:36:52Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.EPP_Response"]}


Epp Process Scan {"eventType": "Epp Process Scan", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e74be1a-90b5-466e-aff3-652aa73d0216", "traceId": "46bfe244-cfa7-41ef-99a8-ec354fdc38f7", "contextTraceId": "300409fb-6c49-4bf0-832d-205265b6d9d1", "pid": 12300, "it": 1, "time": "2023-04-19T18:26:16.293Z", "pSha2": "B5DDC370739579D2EE7C8A1284D4C83F15F4CF662893FDA55854D03B99AA2685", "ppid": 12300, "pFullName": "C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.898_none_6b467c06908d3d29\TiWorker.exe", "detection": {"detectionName": "", "productId": 514, "scannerId": 4113}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:26:41Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


File Attribute Changed {"eventType": "File Attribute Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37434aab53f", "traceId": "337454e9-dbe6-46d6-999d-c6647f406410", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-742957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:40.875Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 7, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.739Z", "creationDate": "2023-04-19T17:49:40.873Z", "md5": "9D04081293A783441ED1133888E8721C", "sha1": "2F688EFBC6ACEA6B5E6C172EB4AE7A41A2FB3C05", "sha256": "1C3DBA99D46303A00D83DEDDAEEE6988BB9E0E97F8D02925D2270A1B539157D1", "fileType": "PE", "name": "MFC90CHS.DLL", "path": "C:\$WINDOWS.~BT\Work\MachineSpecific\Working\agentmgr\CCSIAgent\005A53BA\SxsAsm38\MFC90CHS.DLL", "size": 35664, "fsattrs": 8224, "fsattrsChanged": 2, "embedFilename": "MFC90CHS.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Created {"eventType": "File Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-43ec-9659-f37432aab53f", "traceId": "2b98410e-fea4-420d-98da-1220479161fe", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b490d", "pid": 4160, "time": "2023-04-19T17:49:40.861Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-08-19T10:10:39.108Z", "creationDate": "2023-04-19T17:49:40.858Z", "md5": "CDBE9690CF2B8409FACAD94FAC9479C9", "sha1": "4BCDFE2C1B354645314A4CE26B55B2B1A0212DB9", "sha256": "8E7FE1A1F3550C479FFD86A77BC9D10686D47F8727025BB891D8F4F0259354C8", "fileType": "PE", "name": "msvcr90.dll", "path": "C:\$WINDOWS.~BT\Work\MachineSpecific\Working\agentmgr\CCSIAgent\005A54BA\SxsAsm37\msvcr90.dll", "size": 653136, "fsattrs": 8224, "embedFilename": "MSVCR90.DLL", "embedFileVersion": "9.00.30729.6161", "embedProductName": "Microsoft\u00ae Visual Studio\u00ae 2008", "embedProductVersion": "9.00.30729.6161", "embedVendorName": "Microsoft Corporation"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Deleted {"eventType": "File Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "e3c8e545-3d68-4d75-9168-f332c3b72b3e", "traceId": "447205ad-ea41-4ad0-b0ee-a3b1eebd486b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b3c90d", "pid": 3872, "time": "2023-04-19T17:54:22.517Z", "pSha2": "823523E1B4BF1DBFF1CA7E65C67483B2260F13AD4AB61F6131F84D5B8DBE985F", "ppid": 3872, "pFullName": "C:\Windows\System32\drvinst.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2022-03-11T18:46:14.000Z", "creationDate": "2022-03-11T18:46:14.000Z", "md5": "", "sha1": "", "sha256": "2B7FDFAD42885DD4FFED2BF0EE0FD810FD6D2C3F21567513FB2ACF296CD80016", "fileType": "PE", "name": "igdumdim32.dll", "path": "C:\Windows\System32\DriverStore\FileRepository\iigd_dch_d.inf_amd64_07f5935d7ce74872\igdumdim32.dll", "size": 1569160, "fsattrs": 128}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Executed {"eventType": "File Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "7eec0405-02a9-4391-a213-3d221308f33e", "traceId": "e89bdf24-e752-487e-a423-a2d55766db0b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c9d", "pid": 4960, "it": 1, "time": "2023-04-19T17:55:18.886Z", "pSha2": "A00790D3844F6A2DC3767945124FECCBBFC15E7654E53C2FD38D660DD1A91733", "ppid": 4960, "pFullName": "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe", "fileAttributes": {"md5": "", "sha1": "", "sha256": "", "name": "salib_OSSL.dll", "path": "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\salib_OSSL.dll", "size": 0, "fsattrs": 128}, "response": {"action": 268435464, "description": "Protection adaptative contre les menaces", "operation": 6, "productId": 514, "reason": 3}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.PECreated"]}


File Modified {"eventType": "File Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "df9f1187-be22-45ba-862e-b678750434af", "traceId": "4974570a-8542-4ef9-b038-850b3503ac7a", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b4c90d", "pid": 1388, "time": "2023-04-19T17:50:07.640Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 1388, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T17:42:08.114Z", "creationDate": "2022-08-25T18:56:09.172Z", "md5": "23A09C342E04E45BE828409B39DB0A5D", "sha1": "C1D03FDE664C1EB522EA72BEF31F7DCFC4D20EE0", "sha256": "7846F5D43BBC99701B558E9737E654348855CB7FA6A0403739AEA63908099E7E", "name": "setuperr.log", "path": "C:\Windows\setuperr.log", "size": 495, "fsattrs": 32, "mhdr": "efbbbf323032332d"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}


File Moved {"eventType": "File Moved", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "6efe949e-59ff-4f92-b736-a41e3bfd64c4", "traceId": "d7cf9750-0945-4fa6-99f6-f4ed00988881", "contextTraceId": "c49554af-b28f-4d43-b49a-89b935df02eb", "pid": 14856, "it": 1, "time": "2023-04-19T15:05:54.741Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 14856, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Microsoft\Teams\current\Teams.exe", "uniqueRuleId": 21, "fileAttributes": {"lastModificationDate": "2023-04-19T14:14:48.977Z", "creationDate": "2020-03-17T15:39:36.625Z", "md5": "DFA84FC7A9620554D263AFDE3073753C", "sha1": "BEB95A2255EB67B0A71310156677AAA67926AD7D", "sha256": "B26968E75201C2AE4908ECB3C23CB361B9E08C53780AFAA682F4BDDAD5B4A069", "name": "a55ed4fbb973aefb.customDestinations-ms", "path": "C:\Users\HIDDENUSER\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a54ed4fbb973aefb.customDestinations-ms", "newFilePath": "C:\Users\HIDDENUSER\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a54ed4fbb973aefb.customDestinations-ms~RF6c135fa.TMP", "size": 10512, "fsattrs": 32}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NonPECreated"]}


File Read {"eventType": "File Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c20a0218c", "traceId": "ab9be903-4b85-4338-81c0-507c71e1fa7d", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-737957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.548Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "uniqueRuleId": 5, "fileAttributes": {"lastModificationDate": "2023-04-19T17:51:53.544Z", "creationDate": "2023-04-19T17:51:53.543Z", "md5": "D17FE0A3F47BE24A6453E9EF58C94641", "sha1": "6AB83620379FC69F80C0242105DDFFD7D98D5D9D", "sha256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7", "name": "__PSScriptPolicyTest_2yelgbav.p0r.ps1", "path": "C:\Windows\Temp\__PSScriptPolicyTest_2yelgbav.p0r.ps1", "size": 60, "fsattrs": 32, "mhdr": "2320506f77657253"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptCreated"]}


Image Loaded {"eventType": "Image Loaded", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "722b8348-1566-4315-a160-e37c17b6d06b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-727957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.501Z", "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "uniqueRuleId": 18, "modules": [{"sha256": "0C3793703087C34745609D4DB2683750560FFF7A6BD04D618BC4BD4BC55E5106", "name": "C:\WINDOWS\SYSTEM32\BCRYPT.DLL", "loadTime": "2023-04-19T17:51:53.501Z", "vtpPrivileges": 1, "fsattrs": 32}, {"sha256": "1F996574F38219CDD848375F517F8D86E17542BC84D64CCE63AA0C64CC15F22D", "name": "C:\WINDOWS\SYSTEM32\WS2_32.DLL", "loadTime": "2023-04-19T17:51:53.599Z", "vtpPrivileges": 1, "fsattrs": 32}], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoadedDLLs"]}


NamedPipe Connected {"eventType": "NamedPipe Connected", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d7114add-5126-4b2a-893e-20a248182832", "traceId": "35c96280-b766-40b8-9608-74a32387f22e", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b2c90d", "pid": 2104, "it": 1, "time": "2023-04-19T17:55:20.448Z", "pSha2": "27412E8CDEBB7F3E645454ED1BEE0EBB04C976BC8946698EF8CE4C664B63B3C0", "ppid": 2104, "pFullName": "C:\Program Files\ForeScout SecureConnector\SecureConnector.exe", "uniqueRuleId": 4, "pipe": {"name": "\\.\pipe\_FSA_TMP_6544_643E4C1F_0002PERFORMER_CNTL"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Network Accessed {"eventType": "Network Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9d456fe6-c507-4313-8dee-c4fc0e112ff7", "traceId": "24264358-6a18-43ac-ab02-5d5a89c74bbc", "contextTraceId": "5537a2e8-1a88-44f3-9d1f-747957b6c90d", "pid": 12776, "it": 1, "time": "2023-04-19T17:54:09.935Z", "pSha2": "50795485371640D3673663122E82E1A5A08F2B0C56846C29BD65CAAAACE4499C", "ppid": 12776, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Microsoft\Teams\current\Teams.exe", "uniqueRuleId": 19103, "network": {"accessType": "connection_opened", "direction": "outbound", "dstIp": "127.0.0.1", "dstPort": 53574, "srcIp": "127.0.0.1", "srcPort": 53573, "protocol": "tcp", "dnsNames": ["gearssdk.HIDDEN.com"]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:34Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NetworkConnection"]}


Password Reset {"eventType": "Password Reset", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "85056462-75dc-4eb9-935d-e22da7674050", "traceId": "cda5b2be-4636-41f3-988f-f009d2697f6d", "contextTraceId": "252fcdc6-95dc-4437-924c-1e1a740f4d03", "pid": 868, "it": 1, "time": "2023-04-14T15:43:09.634Z", "uniqueRuleId": 1, "ppid": 868, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4724, "user": {"adminType": 0, "domain": "HIDDEN230171", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "userInitiator": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-18", "name": "HIDDEN230171$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-14T15:43:33Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


Process Accessed {"eventType": "Process Accessed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "ea0291b7-5854-4235-b710-0a1528849534", "traceId": "2d9ae548-3eda-4e6a-9ae7-829f2a94c55e", "contextTraceId": "c49554af-b28f-4d43-b49a-84b932df02eb", "pid": 18572, "it": 1, "time": "2023-04-19T16:10:31.049Z", "pSha2": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "ppid": 18572, "pFullName": "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "uniqueRuleId": 19114, "accessType": 16, "relatedProcess": {"pid": 6448, "cmdLine": "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=fr --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3944 --field-trial-handle=2252,i,15327557186177104925,6464273188186216104,131072 /prefetch:8", "processName": "msedge.exe", "user": {"domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDENSID", "name": "HIDDENUSER"}, "procFileAttrs": {"md5": "BECC2E4F21743168C59876A6BAD0E74A", "sha1": "9EF706CD46650B807255FE7752599520C7E6BEE4", "sha256": "5A429208BBAE000EEEBF4BE9E50597D9CE4C077282D55ACAA79E8ADFB1A73D5F", "fileType": "PE", "name": "msedge.exe", "path": "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "size": 4139936, "embedFilename": "msedge.exe", "subsystem": 2, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "integrity": 1}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T16:11:02Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Process Created {"eventType": "Process Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f65d9571093", "traceId": "df9f1147-be22-45ba-862e-b678730434af", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 1388, "time": "2023-04-19T17:50:07.579Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4180, "pFullName": "C:\$WINDOWS.~BT\Sources\SetupHost.exe", "cmdLine": "\"C:\$WINDOWS.~BT\Sources\mighost.exe\" {HIDDENSID} /InitDoneEvent:MigHost.{HIDDENSID}.Event /ParentPID:4180", "processName": "mighost.exe", "integrity": 4, "user": {"domain": "AUTORITE NT", "id": "S-1-5-18", "name": "Syst\u00e8me"}, "procFileAttrs": {"creationDate": "2023-04-19T17:31:50.338Z", "md5": "A29006724D36A128C8471BC463ECA83A", "sha1": "6518BFC3B22E82E94F6C404B33AD9BE9B5162FB2", "sha256": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "name": "mighost.exe", "path": "C:\$WINDOWS.~BT\Sources\mighost.exe", "size": 279896, "embedFilename": "MigHost.exe", "embedFileVersion": "10.0.22621.1 (WinBuild.160101.0800)", "embedProductName": "Microsoft\u00ae Windows\u00ae Operating System", "embedProductVersion": "10.0.22621.1", "embedVendorName": "Microsoft Corporation", "subsystem": 3, "reputation": {"reputation": 99, "vtpPrivileges": 1}}, "parentsTraceId": ["261c5c80-d583-43b2-a1d9-3f65d9571094", "6bbc10bf-abad-4cf2-ba43-c19f415ffb51", "9d81e708-c5db-4b71-a9ca-2f39d1ed77ba", "cf5e5a2f-5f39-45de-b2fc-c07742e1a724", "d9a8593c-49c5-4698-8ea2-f4d554f21358", "afa7552d-7f45-46a0-a590-d2dd01fa9479", "e4c78c17-8878-4c5b-9b93-10c15fa23986"], "tdmRuleIds": [110, 100000, 100003], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ProcessCreated"]}


Process Hollowed {"eventType": "Process Hollowed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "37e0d41f-dfec-41c0-a36d-9d7310a77bd3", "traceId": "933ab594-0167-4f88-b858-c6c042bf146c", "contextTraceId": "c49554af-b28f-4d43-b49a-89b934df02eb", "pid": 26384, "it": 1, "time": "2023-04-19T20:25:31.329Z", "pSha2": "5BB79BEEF24F2254DBFA1F53078483AF9DD9D4506508FEE886F21847F7DFF504", "ppid": 26384, "pFullName": "C:\Users\HIDDENUSER\AppData\Local\Seclore\FileSecure\Desktop Client\X64\FSDC64.exe", "hollowInfo": {"targetPid": 2488, "targetTraceId": "b7bf6bc1-9eb4-44e1-8fc6-712142573792", "originalIp": 0, "finalIp": 0, "apis": [10, 2, 14]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T20:25:44Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


Process Reputation Changed {"eventType": "Process Reputation Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "751c64e7-d243-4757-a7dc-5f113e75aa35", "traceId": "8eb5b562-5f6a-4ded-ae5f-bef61a0bbbf2", "contextTraceId": "5537a2e8-1a88-45f3-9d1f-747957b6c90d", "pid": 4228, "it": 1, "time": "2023-04-19T17:54:53.574Z", "pSha2": "2198A7B58BCCB758036B969DDAE6CC2ECE07565E2659A7C541A313A0492231A3", "ppid": 4228, "pFullName": "C:\Windows\System32\wbem\WmiPrvSE.exe", "reputation": {"reputation": 85, "productId": 514, "reason": 2, "data": "{\"module_filepath\":\"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\4fb9160b27f2daa1ec55050bde519fcc\\System.ni.dll\",\"module_reputation\":85,\"process_previous_reputation\":99}\n"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:01:35Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all"}


RegKey Created {"eventType": "RegKey Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "d8fd4b5b-6757-467d-b9ea-634dd2be5424", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.420Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"regKeyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\CURRENTCONTROLSET\CONTROL\DEVICEMIGRATION\DEVICES\USB\VID_17E9&PID_6015&MI_02\7&1D07AD4B&0&0002\INTERFACES\{HIDDENSID}#PCM_IN_05_00\DEVICE\EP\0"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegKey Deleted {"eventType": "RegKey Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f34432aab53f", "traceId": "cc3dd5d2-8db2-4822-8032-0948e1f67779", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747457b6c90d", "pid": 4160, "time": "2023-04-19T17:49:34.130Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"regKeyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\TEMP\NDI\PARAMS\UAPSDSUPPORT"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:00Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegKey Read {"eventType": "RegKey Read", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "b7f8e1db-b86e-4a95-9b0f-360d5b9f6244", "traceId": "e27fb183-897e-49e8-be43-c76ba90f8370", "contextTraceId": "10ab02e8-c043-4ea4-9c2c-41a805ac0a7e", "pid": 22064, "it": 1, "time": "2023-02-15T06:31:52.915Z", "pSha2": "9179048992E0FBB51CFA7E42EF65074661295B6B155BDD60DE47AA684D82F4FD", "ppid": 22064, "pFullName": "C:\Windows\System32\mmc.exe", "registry": {"regKeyName": "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CANARYCERTSTORE\"}, "response": {"action": 1, "description": "HIDDENDOMAIN\HIDDENUSERNAME a ex\u00e9cut\u00e9 C:\Windows\System32\mmc.exe, qui tentait d'acc\u00e9der \u00e0 HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CANARYCERTSTORE\, d'une mani\u00e8re contraire \u00e0 la r\u00e8gle \u00ab Protection essentielle - Prot\u00e9ger les cl\u00e9s et valeurs de Registre McAfee essentielles \u00bb, et a \u00e9t\u00e9 bloqu\u00e9. Pour obtenir de plus amples informations sur la mani\u00e8re de r\u00e9pondre \u00e0 cet \u00e9v\u00e9nement, voir KB85494.", "ruleId": "PROTECT_MCAFEE_REG_VALUE1", "operation": 3, "productId": 513, "reason": 6}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-02-15T06:32:09Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Created {"eventType": "RegValue Created", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab53f", "traceId": "5ae2323c-98cc-4020-ad3f-8d0e25de9f95", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:31.421Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\CURRENTCONTROLSET\CONTROL\DEVICEMIGRATION\DEVICES\USB\VID_17E9&PID_6015&MI_02\7&1D07AD2B&0&0004\INTERFACES\{HIDDENSID}#PCM_IN_05_00\DEVICE", "keyValueName": "FRIENDLYNAME", "keyValueType": "REG_SZ", "keyValue": "Lenovo USB Audio"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:56:59Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Deleted {"eventType": "RegValue Deleted", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "d162fb4b-1c6b-41e5-9458-a0d5be22deae", "contextTraceId": "5537a2e8-1a38-43f3-9d1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:38.131Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\UPGRADE\PNP\TEMP", "keyValueName": "DISABLESETUPDICHANGESTATE"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:58:31Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


RegValue Modified {"eventType": "RegValue Modified", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "261c5c80-d483-43b2-a1d9-3f45d9571094", "traceId": "efff6774-159e-424c-85b3-cd570e3b6d22", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747958b6c90d", "pid": 4180, "time": "2023-04-19T17:50:07.139Z", "pSha2": "7538940533F3B531D2FF8B57D79C01C475BB457FA5103E5A0D4AFADB728702C6", "ppid": 4180, "pFullName": "C:\$WINDOWS.~BT\Sources\SetupHost.exe", "registry": {"keyName": "HKLM\SYSTEM\SETUP\MOSETUP\VOLATILE", "keyValueName": "SETUPPROGRESS", "keyValueType": "REG_DWORD", "keyValue": "64", "keyOldValue": "51"}, "uniqueRuleId": 9, "ruleTags": ["aseps"], "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:59:32Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ASEPCreatedOrModified"]}


ScheduledTask Changed {"eventType": "ScheduledTask Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "d57e9fa6-7967-45b5-a54e-468f5c2be4db", "traceId": "b5a8f55e-3d1b-464c-84c8-ac4791366f22", "contextTraceId": "f3b8b749-472d-48ab-b23b-20a502e4bf69", "pid": 7392, "time": "2023-04-19T18:46:06.775Z", "pSha2": "949BFB5B4C7D58D92F3F9C5F8EC7CA4CEAFFD10EC5F0020F0A987C472D61C54B", "ppid": 7392, "pFullName": "C:\Windows\System32\svchost.exe", "uniqueRuleId": 30, "action": "deleted", "schedtask": {"name": "Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:46:16Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScheduledTaskRegistered"]}


Script Executed {"eventType": "Script Executed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "943d47ae-52ec-4e25-9c65-8d5c10a0248c", "traceId": "5179615b-3a3f-49e4-8e27-2d1966deed68", "contextTraceId": "5537a2e8-1a88-43f3-8d1f-747957b6c90d", "pid": 23856, "it": 1, "time": "2023-04-19T17:51:53.536Z", "uniqueRuleId": 28001, "ppid": 23856, "pFullName": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "scriptType": "powershell", "scripts": [{"timestamp": "2023-04-19T17:51:53.536Z", "length": 391, "hash": "40D27F34C4D18A9A07D13655FFE2738D3B19975A4FAC8192C6ABAE55319A91B9", "intentions": [{"name": "action:Object/Select", "lines": ["[...]52428800') -or ($.BytesFromPeers -ne '0') -or (($.BytesFromCacheServer -ne '0') -and ($.BytesFromCacheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInforma[...]"]}, {"name": "action:Xml/ConvertTo", "lines": ["[...]cheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string -NoTypeInformation"]}, {"name": "observable:network.url.http", "lines": ["Get-DeliveryOptimizationStatus | where-object {($.Sourceurl -CLike 'http://HIDDEN:8005*') -AND (($.FileSize -ge '52428800') -or ($.BytesFromPeers -ne '0') -or (($_.BytesFromCacheServer -ne '0') -and[...]"]}]}], "pSha2": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:00:03Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ScriptExecuted"]}


Service Changed {"eventType": "Service Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "f8e3dc72-fb66-47ec-9659-f37432aab43f", "traceId": "ff683f3a-7433-4122-8478-80560270cf1a", "contextTraceId": "5537a2e8-1a88-43f3-9c1f-747957b6c90d", "pid": 4160, "time": "2023-04-19T17:49:12.567Z", "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 4160, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "uniqueRuleId": 16, "action": "deleted", "service": {"name": "BTHPORT"}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:50:56Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.ServiceChanged"]}


SysInfo {"eventType": "SysInfo", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "0a3fc885-44c0-487d-951a-65ac7bdd2ab2", "contextTraceId": "3e1cbf79-f99f-48f8-8db0-6112de4ee587", "time": "2023-04-19T18:55:21.807Z", "os": {"desc": "Windows 11", "major": 10, "minor": 0, "build": 22621, "sp": ""}, "ifaces": [{"name": "Ethernet", "mac": "6c:24:08:HIDDEN", "ip": "169.254.39.215", "type": 6}, {"name": "Connexion au r\u00e9seau local* 1", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.133.182", "type": 71}, {"name": "Wi-Fi", "mac": "54:6c:eb:HIDDEN", "ip": "192.168.1.34", "type": 71}, {"name": "Connexion r\u00e9seau Bluetooth", "mac": "54:6c:eb:HIDDEN", "ip": "169.254.228.207", "type": 6}], "bootTime": "2023-04-19T18:54:53.057Z", "domain": "HIDDENDOMAIN.lan", "cv": 1408, "pv": 0, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T18:55:54Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "it": 1}


User Login {"eventType": "User Login", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "8010fadb-6402-4977-9279-db7a61bd8aed", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df02eb", "time": "2023-04-19T15:05:52.023Z", "uniqueRuleId": 1, "eventId": 4624, "success": true, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182954904}, "networkInfo": {"workstationName": "HIDDEN29451", "ipAddress": "127.0.0.1", "ipPort": 0}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}


User Logout {"eventType": "User Logout", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "91acc5be-d782-4ea9-9181-ada93c91ba45", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df04eb", "time": "2023-04-19T15:05:52.027Z", "uniqueRuleId": 1, "eventId": 4634, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182952904}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}


Username Changed {"eventType": "Username Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "9b0fcb12-5182-4877-98b4-6b0eb9c5d16f", "traceId": "a71c4d2e-1ad5-4d84-bd23-ffe0ff6476fa", "contextTraceId": "cd64419d-1e3d-4576-af0f-32387fce4c71", "pid": 660, "it": 1, "time": "2023-04-18T07:54:28.337Z", "uniqueRuleId": 1, "ppid": 660, "pFullName": "C:\Windows\System32\lsass.exe", "eventId": 4781, "user": {"adminType": 0, "domain": "HIDDEN22703", "id": "S-1-5-21-HIDDEN", "name": "Invit\u00e9", "newName": "HIDDEN_invit\u00e9"}, "userInitiator": {"adminType": 0, "domain": "HIDDEN", "id": "S-1-5-18", "name": "HIDDEN22703$", "logonId": 999}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-18T07:54:40Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.UserAccount"]}


WMI Activity {"eventType": "WMI Activity", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "3e832285-a165-4126-8d73-fe112095bb60", "traceId": "2611f0a8-8c60-4f94-8f99-6b07b146a45b", "contextTraceId": "5537a2e8-1a88-43f3-9d1f-747957b6c70d", "pid": 15260, "time": "2023-04-19T17:45:09.423Z", "uniqueRuleId": 27000, "wmi": {"type": 1, "operation": "Start IWbemServices::CreateClassEnum - root\subscription : ", "evid": 11}, "pSha2": "09C1C1C485622E42AF3A3360D164247A847B1FC14CDC82D1DBB0FF663E30B353", "ppid": 15260, "pFullName": "C:\$WINDOWS.~BT\Sources\mighost.exe", "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-19T17:45:20Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.WMIActivity"]}

inodee commented 1 year ago

Hey @mthcht,

Thanks for that!

Are you also considering the value 'Via Windows Eventlogs' (WEL) besides the Yes/No? For example:

User Login {"eventType": "User Login", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1104, "parentTraceId": "00000000-0000-0000-0000-000000000000", "traceId": "8010fadb-6402-4977-9279-db7a61bd8aed", "contextTraceId": "c49554af-b28f-4d43-b49a-89b932df02eb", "time": "2023-04-19T15:05:52.023Z", "uniqueRuleId": 1, "eventId": 4624, "success": true, "user": {"adminType": 0, "domain": "HIDDENDOMAIN", "id": "S-1-5-21-HIDDEN", "logonType": "Unlock", "name": "HIDDENUSERNAME", "logonId": 182954904}, "networkInfo": {"workstationName": "HIDDEN29451", "ipAddress": "127.0.0.1", "ipPort": 0}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-19T15:06:24Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.LoginLogout"]}

If that relies on WEL, is the agent automatically taking care of necessary audit policy changes?

mthcht commented 1 year ago

@inodee I was thinking of this category 'Via Windows Eventlogs' as a log we can add with the EDR capabilities... for example, CrowdStrike has the ability to add any event log we want to the collection (like a Splunk input) that is not collected by default.

I hadn't considered this category as the method through which the EDR generates the log, using the Windows event logs behind the scenes by default, so it could fall into this category for logs displaying "eventid".

I believe that there might be other EDR solutions generating numerous logs via Windows Event Logs by default without clearly indicating it in the log like Trellix does. It can be difficult to know without examining the EDR internals.

As for the policy on the agent, it is done automatically, nothing to configure on our end.

tsale commented 1 year ago

That is awesome @mthcht, thank you very much for all the info, much appreciated!

It will take me some time to go through and validate. I will reach out with any questions, if any.

tsale commented 1 year ago

@mthcht, I reviewed the submission and I have some questions regarding some of the sub-categories. See below:

  1. I cannot see evidence for the UDP Connection, URL, Driver Loaded and Group Policy Modification. Could you please provide some info on those?
  2. Under EDR SysOps, are you waiting for confirmation from the vendor?
  3. As @inodee mentioned above, we will have to change the values that are depending on the Windows Event Logs to reflect that. Just giving you a heads up on that.

Looking forward to the info, thanks again!

We will soon be releasing a tool that will make telemetry generation easy 🙂.

mthcht commented 1 year ago

> @mthcht, I reviewed the submission and I have some questions regarding some of the sub-categories. See below:
>
>   1. I cannot see evidence for the UDP Connection, URL, Driver Loaded and Group Policy Modification. Could you please provide some info on those?
>   2. Under EDR SysOps, are you waiting for confirmation from the vendor?
>   3. As @inodee mentioned above, we will have to change the values that are depending on the Windows Event Logs to reflect that. Just giving you a heads up on that.
>
> Looking forward to the info, thanks again!
>
> We will soon be releasing a tool that will make telemetry generation easy 🙂.

The URL requests from processes are logged in the Network Accessed eventType.

Here is a sample:

{"eventType": "Network Accessed", "maGuid": "648926D2-ADEC-11ED-1387-3C18A016CD51", "host": "HIDDENHOST2428", "rv": 1408, "parentTraceId": "9fd5c9e7-7fab-4917-9f69-7da865155df2", "traceId": "006c5067-fd34-4b8e-9c98-55158b504fde", "contextTraceId": "bcb714a9-3df6-40ac-b1e7-911e84869cac", "pid": 3116, "it": 1, "time": "2023-04-26T13:21:09.366Z", "pSha2": "45A66726915893E4B0BD56ABA177C244B13DA3344949377140A29DF8E7C9BA13", "ppid": 3116, "pFullName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "uniqueRuleId": 29000, "network": {"accessType": "connection_opened", "direction": "outbound", "dstIp": "52.111.231.17", "dstPort": 443, "srcIp": "127.0.0.1", "srcPort": 65129, "protocol": "https", "bRec": 68, "layer7": {"url": "https://statics.teams.microsoft.com/evergreen-assets/emails/email_tracker_hidden.png", "httpRequestHeaders": "GET /evergreen-assets/emails/email_tracker_hidden.png HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nConnection: Keep-Alive\r\nHost: statics.teams.microsoft.com\r\n\r\n", "httpResponseHeaders": "HTTP/1.1 200 \r\ncache-control: public, max-age=604800\r\ncontent-length: 68\r\ncontent-type: image/png\r\ncontent-md5: l4wb7knXrV/BpNgBmbE+GA==\r\nlast-modified: Tue, 09 May 2017 17:24:03 GMT\r\naccept-ranges: bytes\r\netag: \"0x8D495003054D68E\"\r\nx-cache: TCP_HIT\r\nx-ms-request-id: 36ce57e8-801e-0073-22bb-757bea000000\r\nx-ms-version: 2014-02-14\r\nx-ms-lease-status: unlocked\r\nx-ms-lease-state: available\r\nx-ms-blob-type: BlockBlob\r\naccess-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-lease-state,x-ms-blob-type,Accept-Ranges,Content-Length,Date,Transfer-Encoding\r\naccess-control-allow-origin: *\r\nx-azure-ref-originshield: Ref A: 50B5A73AD3B545F8969D80D9055F75B1 Ref B: AMS221021014023 Ref C: 2023-04-26T00:36:20Z\r\nnel: {\"report_to\":\"NelMSTeams\",\"max_age\":604800,\"failure_fraction\":0.2,\"success_fraction\":0.001}\r\nreport-to: {\"group\":\"NelMSTeams\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://teams.nel.measure.office.net/api/report?cat=teams\"}]}\r\nx-msedge-ref: Ref A: 35D4F161A45E431391F961C3DFE08B04 Ref B: PRAEDGE2018 Ref C: 2023-04-26T13:21:04Z\r\ndate: Wed, 26 Apr 2023 13:21:03 GMT\r\n\r\n"}}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_4.0.0.1408", "detectionDate": "2023-04-26T13:21:36Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NetworkConnection"]}

Same for UDP requests; another sample:

{"eventType": "Network Accessed", "maGuid": "B6DB8120-86FE-11EB-1676-482AE3A1B8E2", "host": "HIDDENHOST0234", "rv": 1104, "parentTraceId": "2bcb5dbe-86c5-4430-8e63-ed086d431532", "traceId": "9de74698-400b-4e56-aa26-531e1e94a3c3", "contextTraceId": "da8033c2-af45-4d5b-8d90-0cca58aec00b", "pid": 4656, "time": "2023-04-26T16:18:39.251Z", "pSha2": "ADD683A6910ABBBF0E28B557FAD0BA998166394932AE2ACA069D9AA19EA8FE88", "ppid": 4656, "pFullName": "C:\\Windows\\System32\\svchost.exe", "uniqueRuleId": 19000, "network": {"accessType": "connection_opened", "direction": "inbound", "dstIp": "192.168.1.1", "dstPort": 1900, "srcIp": "192.168.1.155", "srcPort": 59811, "protocol": "udp", "dnsNames": [""]}, "dtsType": "all", "h_version": "3.0", "h_tp": "mar_3.5.2.1100", "detectionDate": "2023-04-26T16:18:52Z", "dtsId": "EDR", "h_os": "windows", "version": "3.0", "h_traceType": "all", "tags": ["@AC.NetworkConnection"]}

Driver Loaded is not logged, my mistake. And it appears I do not collect Group Policy Modifications; it seems to be categorized under a different API endpoint that I do not use. I updated the commit to set these to 'false'.

For the EDR SysOps logs, it seems that some events are logged locally on each machine, but I did not find them with the EDR events API endpoint. There are a lot of API endpoints, so I am not sure if it is also available with another API endpoint.
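The two heuristics discussed in this thread, applied in code: an event that carries a Windows `eventId` is marked 'Via Windows Eventlogs' rather than a plain 'Yes', and a `Network Accessed` event is attributed to the TCP/UDP/URL sub-categories from its `network` fields. This is an added example, not code from the EDR-Telemetry project or from the Trellix API; the sample events are constructed, trimmed copies of the sanitized samples above, and the sub-category names are assumptions.

```python
"""Classify Trellix EDR API events into EDR-Telemetry sub-categories.

Added example, not part of tsale/EDR-Telemetry. Applies the thread's two
heuristics: an "eventId" field means the agent sourced the event from the
Windows Event Log ("Via Windows Eventlogs"), and "Network Accessed" events
are split into TCP / UDP / URL. Category names below are assumptions.
"""
import json

# Constructed, trimmed copies of the sanitized samples posted in this thread.
SAMPLE_EVENTS = [
    json.dumps({"eventType": "User Login", "eventId": 4624, "success": True,
                "user": {"name": "HIDDENUSERNAME", "logonType": "Unlock"}}),
    json.dumps({"eventType": "Username Changed", "eventId": 4781,
                "pFullName": "C:\\Windows\\System32\\lsass.exe"}),
    json.dumps({"eventType": "RegValue Modified",
                "registry": {"keyName": "HKLM\\SYSTEM\\SETUP\\MOSETUP\\VOLATILE",
                             "keyValueName": "SETUPPROGRESS"}}),
    json.dumps({"eventType": "Network Accessed",
                "network": {"protocol": "https", "dstPort": 443,
                            "layer7": {"url": "https://statics.teams.microsoft.com/x.png"}}}),
    json.dumps({"eventType": "Network Accessed",
                "network": {"protocol": "udp", "dstPort": 1900}}),
]

# Assumed mapping from Trellix eventType to an EDR-Telemetry sub-category.
EVENT_TYPE_TO_CATEGORY = {
    "User Login": "User Account: Login",
    "User Logout": "User Account: Logout",
    "Username Changed": "User Account: Modified",
    "RegValue Modified": "Registry: Value Modified",
}

def network_sub_categories(network: dict) -> list:
    """Return the network sub-categories one 'Network Accessed' event proves."""
    cats = []
    proto = network.get("protocol", "").lower()
    if proto == "udp":
        cats.append("Network: UDP Connection")
    else:
        cats.append("Network: TCP Connection")  # tcp, http(s) and others ride on TCP
    if network.get("layer7", {}).get("url"):    # layer7.url only present on HTTP(S)
        cats.append("Network: URL")
    return cats

def classify(raw_event: str) -> list:
    """Map one raw JSON event to (sub-category, value) pairs."""
    ev = json.loads(raw_event)
    etype = ev.get("eventType")
    # Thread heuristic: an eventId shows the agent read it from WEL. Other EDRs
    # may not expose this field, so absence is not proof of native telemetry.
    value = "Via Windows Eventlogs" if "eventId" in ev else "Yes"
    if etype == "Network Accessed":
        return [(c, value) for c in network_sub_categories(ev.get("network", {}))]
    cat = EVENT_TYPE_TO_CATEGORY.get(etype)
    return [(cat, value)] if cat else []

def build_matrix(raw_events) -> dict:
    """Aggregate evidence from many events into one sub-category -> value table."""
    matrix = {}
    for raw in raw_events:
        for cat, value in classify(raw):
            matrix[cat] = value
    return matrix
```

Running `build_matrix(SAMPLE_EVENTS)` yields one row per sub-category; unmapped event types such as `SysInfo` contribute nothing and stay 'No' in the table.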

tsale commented 1 year ago

Thanks for the info @mthcht! For the EDR SysOps, logged locally is acceptable as well. You could edit the commit to include what you see in regards to it and I’ll approve it.

mthcht commented 1 year ago

> Thanks for the info @mthcht! For the EDR SysOps, logged locally is acceptable as well. You could edit the commit to include what you see in regards to it and I’ll approve it.

OK, I added what I saw; I will make another PR if I find a way to collect more with the API.

bolzy1 commented 1 year ago

A few things I would like to add/correct around the Trellix EDR solution: the correct link to the user/product guide is located here https://docs.trellix.com/en/bundle/mvision-endpoint-detection-and-response-landing/page/GUID-571E9972-9D54-49D3-BAC8-6197FFFB02C9.html. With regards to agent monitoring, the agent is monitored via ePO (separate management plane).

mthcht commented 1 year ago

> A few things I would like to add/correct around the Trellix EDR solution: the correct link to the user/product guide is located here https://docs.trellix.com/en/bundle/mvision-endpoint-detection-and-response-landing/page/GUID-571E9972-9D54-49D3-BAC8-6197FFFB02C9.html. With regards to agent monitoring, the agent is monitored via ePO (separate management plane).

Thank you. I am also collecting McAfee ePO syslogs and have not come across any events related to EDR agent monitoring. Could you confirm if you have seen such events on your end and provide some samples for reference?

bolzy1 commented 1 year ago

> > A few things I would like to add/correct around the Trellix EDR solution: the correct link to the user/product guide is located here https://docs.trellix.com/en/bundle/mvision-endpoint-detection-and-response-landing/page/GUID-571E9972-9D54-49D3-BAC8-6197FFFB02C9.html. With regards to agent monitoring, the agent is monitored via ePO (separate management plane).
>
> Thank you. I am also collecting McAfee ePO syslogs and have not come across any events related to EDR agent monitoring. Could you confirm if you have seen such events on your end and provide some samples for reference?

ePO won't have logs of this; it's reflected in the dashboard. Filtering the system tree view to show the last agent communication is one way; the other way is to build a report with the data out of the SQL database to show last agent communications. Hope this helps.