xrisbarney / Detecting-Cobalt-strike-beaconing


Collect cobaltstrike logs #1

Open xrisbarney opened 2 years ago

xrisbarney commented 2 years ago

MSSE-1337-server — Sysmon Event ID 17 (Pipe Created). `MSSE-<number>-server` is one of the documented default named-pipe patterns used by Cobalt Strike beacons. Note the pipe here was created by the simulator binary `C:\TMP\CreateNamedPipe.exe`, not by a real beacon, so the detection rule should match on `data.win.eventdata.pipeName`, never on the image path.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "XF3TRoABWZBNLY4mxbwe",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\\\TMP\\\\CreateNamedPipe.exe",
          "processGuid": "{c64152da-f48d-625f-9705-000000000c00}",
          "processId": "7416",
          "utcTime": "2022-04-20 11:54:53.571",
          "eventType": "CreatePipe",
          "pipeName": "\\\\MSSE-1337-server",
          "user": "DESKTOP-VAEP8K1\\\\vagrant"
        },
        "system": {
          "eventID": "17",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2022-04-20 11:54:53.571\r\nProcessGuid: {c64152da-f48d-625f-9705-000000000c00}\r\nProcessId: 7416\r\nPipeName: \\MSSE-1337-server\r\nImage: C:\\TMP\\CreateNamedPipe.exe\r\nUser: DESKTOP-VAEP8K1\\vagrant\"",
          "version": "1",
          "systemTime": "2022-04-20T11:54:53.5717370Z",
          "eventRecordID": "5584",
          "threadID": "5384",
          "computer": "DESKTOP-VAEP8K1",
          "task": "17",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"17\",\"version\":\"1\",\"level\":\"4\",\"task\":\"17\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:54:53.5717370Z\",\"eventRecordID\":\"5584\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Pipe Created:\\r\\nRuleName: -\\r\\nEventType: CreatePipe\\r\\nUtcTime: 2022-04-20 11:54:53.571\\r\\nProcessGuid: {c64152da-f48d-625f-9705-000000000c00}\\r\\nProcessId: 7416\\r\\nPipeName: \\\\MSSE-1337-server\\r\\nImage: C:\\\\TMP\\\\CreateNamedPipe.exe\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"eventType\":\"CreatePipe\",\"utcTime\":\"2022-04-20 11:54:53.571\",\"processGuid\":\"{c64152da-f48d-625f-9705-000000000c00}\",\"processId\":\"7416\",\"pipeName\":\"\\\\\\\\MSSE-1337-server\",\"image\":\"C:\\\\\\\\TMP\\\\\\\\CreateNamedPipe.exe\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T11:55:23.042Z",
    "location": "EventChannel",
    "id": "1650455723.942410",
    "timestamp": "2022-04-20T11:55:23.042+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T11:55:23.042Z"
    ],
    "timestamp": [
      "2022-04-20T11:55:23.042Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ],
    "data.win.system.eventID": [
      "@kibana-highlighted-field@17@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650455723042
  ]
}

Rules written.

xrisbarney commented 2 years ago

msagent_fedac123 — Sysmon Event ID 17 (Pipe Created). `msagent_<hex>` is the default pipe-name pattern of the Cobalt Strike SMB beacon. As above, the pipe was produced by `CreateNamedPipe.exe`, so match on the `msagent_` prefix of `pipeName` rather than the creating process.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "dF3TRoABWZBNLY4m4Lx9",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\\\TMP\\\\CreateNamedPipe.exe",
          "processGuid": "{c64152da-f492-625f-9c05-000000000c00}",
          "processId": "9092",
          "utcTime": "2022-04-20 11:54:58.579",
          "eventType": "CreatePipe",
          "pipeName": "\\\\msagent_fedac123",
          "user": "DESKTOP-VAEP8K1\\\\vagrant"
        },
        "system": {
          "eventID": "17",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2022-04-20 11:54:58.579\r\nProcessGuid: {c64152da-f492-625f-9c05-000000000c00}\r\nProcessId: 9092\r\nPipeName: \\msagent_fedac123\r\nImage: C:\\TMP\\CreateNamedPipe.exe\r\nUser: DESKTOP-VAEP8K1\\vagrant\"",
          "version": "1",
          "systemTime": "2022-04-20T11:54:58.5799078Z",
          "eventRecordID": "5599",
          "threadID": "5384",
          "computer": "DESKTOP-VAEP8K1",
          "task": "17",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"17\",\"version\":\"1\",\"level\":\"4\",\"task\":\"17\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:54:58.5799078Z\",\"eventRecordID\":\"5599\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Pipe Created:\\r\\nRuleName: -\\r\\nEventType: CreatePipe\\r\\nUtcTime: 2022-04-20 11:54:58.579\\r\\nProcessGuid: {c64152da-f492-625f-9c05-000000000c00}\\r\\nProcessId: 9092\\r\\nPipeName: \\\\msagent_fedac123\\r\\nImage: C:\\\\TMP\\\\CreateNamedPipe.exe\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"eventType\":\"CreatePipe\",\"utcTime\":\"2022-04-20 11:54:58.579\",\"processGuid\":\"{c64152da-f492-625f-9c05-000000000c00}\",\"processId\":\"9092\",\"pipeName\":\"\\\\\\\\msagent_fedac123\",\"image\":\"C:\\\\\\\\TMP\\\\\\\\CreateNamedPipe.exe\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T11:55:28.592Z",
    "location": "EventChannel",
    "id": "1650455728.942410",
    "timestamp": "2022-04-20T11:55:28.592+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T11:55:28.592Z"
    ],
    "timestamp": [
      "2022-04-20T11:55:28.592Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ],
    "data.win.system.eventID": [
      "@kibana-highlighted-field@17@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650455728592
  ]
}

Rules written.

xrisbarney commented 2 years ago

postex_ssh_fedac123 — Sysmon Event ID 17 (Pipe Created). `postex_<hex>` and `postex_ssh_<hex>` are the default pipe-name patterns for Cobalt Strike post-exploitation jobs. Again created by the simulator binary, so key the rule on the `postex_` prefix of `pipeName`.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "hl3TRoABWZBNLY4m7Lxf",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\\\TMP\\\\CreateNamedPipe.exe",
          "processGuid": "{c64152da-f497-625f-a005-000000000c00}",
          "processId": "8548",
          "utcTime": "2022-04-20 11:55:03.377",
          "eventType": "CreatePipe",
          "pipeName": "\\\\postex_ssh_fedac123",
          "user": "DESKTOP-VAEP8K1\\\\vagrant"
        },
        "system": {
          "eventID": "17",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2022-04-20 11:55:03.377\r\nProcessGuid: {c64152da-f497-625f-a005-000000000c00}\r\nProcessId: 8548\r\nPipeName: \\postex_ssh_fedac123\r\nImage: C:\\TMP\\CreateNamedPipe.exe\r\nUser: DESKTOP-VAEP8K1\\vagrant\"",
          "version": "1",
          "systemTime": "2022-04-20T11:55:03.3780002Z",
          "eventRecordID": "5609",
          "threadID": "5384",
          "computer": "DESKTOP-VAEP8K1",
          "task": "17",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"17\",\"version\":\"1\",\"level\":\"4\",\"task\":\"17\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:03.3780002Z\",\"eventRecordID\":\"5609\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Pipe Created:\\r\\nRuleName: -\\r\\nEventType: CreatePipe\\r\\nUtcTime: 2022-04-20 11:55:03.377\\r\\nProcessGuid: {c64152da-f497-625f-a005-000000000c00}\\r\\nProcessId: 8548\\r\\nPipeName: \\\\postex_ssh_fedac123\\r\\nImage: C:\\\\TMP\\\\CreateNamedPipe.exe\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"eventType\":\"CreatePipe\",\"utcTime\":\"2022-04-20 11:55:03.377\",\"processGuid\":\"{c64152da-f497-625f-a005-000000000c00}\",\"processId\":\"8548\",\"pipeName\":\"\\\\\\\\postex_ssh_fedac123\",\"image\":\"C:\\\\\\\\TMP\\\\\\\\CreateNamedPipe.exe\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T11:55:33.214Z",
    "location": "EventChannel",
    "id": "1650455733.942410",
    "timestamp": "2022-04-20T11:55:33.214+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T11:55:33.214Z"
    ],
    "timestamp": [
      "2022-04-20T11:55:33.214Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ],
    "data.win.system.eventID": [
      "@kibana-highlighted-field@17@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650455733214
  ]
}

Rules written.

xrisbarney commented 2 years ago

Suspicious executable created — Sysmon Event ID 11 (File created): `C:\Windows\b6a1458f396.exe` written by the `System` process (PID 4) as `NT AUTHORITY\SYSTEM`. Two things worth noting in the event: `CreationUtcTime` (2022-04-19 10:30:46) is a day earlier than `UtcTime` (2022-04-20 11:55:16), i.e. the file carries a pre-existing creation timestamp rather than the write time, and the same name `b6a1458f396` reappears in the `sc create` command below.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "vV3URoABWZBNLY4mF7zD",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "System",
          "processGuid": "{c64152da-7f8d-625e-eb03-000000000000}",
          "processId": "4",
          "utcTime": "2022-04-20 11:55:16.307",
          "targetFilename": "C:\\\\Windows\\\\b6a1458f396.exe",
          "creationUtcTime": "2022-04-19 10:30:46.233",
          "user": "NT AUTHORITY\\\\SYSTEM"
        },
        "system": {
          "eventID": "11",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"File created:\r\nRuleName: -\r\nUtcTime: 2022-04-20 11:55:16.307\r\nProcessGuid: {c64152da-7f8d-625e-eb03-000000000000}\r\nProcessId: 4\r\nImage: System\r\nTargetFilename: C:\\Windows\\b6a1458f396.exe\r\nCreationUtcTime: 2022-04-19 10:30:46.233\r\nUser: NT AUTHORITY\\SYSTEM\"",
          "version": "2",
          "systemTime": "2022-04-20T11:55:16.3224043Z",
          "eventRecordID": "5648",
          "threadID": "5384",
          "computer": "DESKTOP-VAEP8K1",
          "task": "11",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"11\",\"version\":\"2\",\"level\":\"4\",\"task\":\"11\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:16.3224043Z\",\"eventRecordID\":\"5648\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"File created:\\r\\nRuleName: -\\r\\nUtcTime: 2022-04-20 11:55:16.307\\r\\nProcessGuid: {c64152da-7f8d-625e-eb03-000000000000}\\r\\nProcessId: 4\\r\\nImage: System\\r\\nTargetFilename: C:\\\\Windows\\\\b6a1458f396.exe\\r\\nCreationUtcTime: 2022-04-19 10:30:46.233\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\\"\"},\"eventdata\":{\"utcTime\":\"2022-04-20 11:55:16.307\",\"processGuid\":\"{c64152da-7f8d-625e-eb03-000000000000}\",\"processId\":\"4\",\"image\":\"System\",\"targetFilename\":\"C:\\\\\\\\Windows\\\\\\\\b6a1458f396.exe\",\"creationUtcTime\":\"2022-04-19 10:30:46.233\",\"user\":\"NT AUTHORITY\\\\\\\\SYSTEM\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T11:55:45.307Z",
    "location": "EventChannel",
    "id": "1650455745.942410",
    "timestamp": "2022-04-20T11:55:45.307+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T11:55:45.307Z"
    ],
    "timestamp": [
      "2022-04-20T11:55:45.307Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650455745307
  ]
}
xrisbarney commented 2 years ago

pipe 334485 — Sysmon Event ID 17 (Pipe Created). A purely numeric pipe name, `\334485`, created by `CreateNamedPipe.exe`; this is the pipe that the `sc create tbbd05` service command below redirects its output into.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "rF3URoABWZBNLY4mE7y7",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\\\TMP\\\\CreateNamedPipe.exe",
          "processGuid": "{c64152da-f4a2-625f-a905-000000000c00}",
          "processId": "8852",
          "utcTime": "2022-04-20 11:55:14.666",
          "eventType": "CreatePipe",
          "pipeName": "\\\\334485",
          "user": "DESKTOP-VAEP8K1\\\\vagrant"
        },
        "system": {
          "eventID": "17",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2022-04-20 11:55:14.666\r\nProcessGuid: {c64152da-f4a2-625f-a905-000000000c00}\r\nProcessId: 8852\r\nPipeName: \\334485\r\nImage: C:\\TMP\\CreateNamedPipe.exe\r\nUser: DESKTOP-VAEP8K1\\vagrant\"",
          "version": "1",
          "systemTime": "2022-04-20T11:55:14.6665619Z",
          "eventRecordID": "5631",
          "threadID": "5384",
          "computer": "DESKTOP-VAEP8K1",
          "task": "17",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"17\",\"version\":\"1\",\"level\":\"4\",\"task\":\"17\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:14.6665619Z\",\"eventRecordID\":\"5631\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Pipe Created:\\r\\nRuleName: -\\r\\nEventType: CreatePipe\\r\\nUtcTime: 2022-04-20 11:55:14.666\\r\\nProcessGuid: {c64152da-f4a2-625f-a905-000000000c00}\\r\\nProcessId: 8852\\r\\nPipeName: \\\\334485\\r\\nImage: C:\\\\TMP\\\\CreateNamedPipe.exe\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"eventType\":\"CreatePipe\",\"utcTime\":\"2022-04-20 11:55:14.666\",\"processGuid\":\"{c64152da-f4a2-625f-a905-000000000c00}\",\"processId\":\"8852\",\"pipeName\":\"\\\\\\\\334485\",\"image\":\"C:\\\\\\\\TMP\\\\\\\\CreateNamedPipe.exe\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T11:55:43.440Z",
    "location": "EventChannel",
    "id": "1650455743.942410",
    "timestamp": "2022-04-20T11:55:43.440+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T11:55:43.440Z"
    ],
    "timestamp": [
      "2022-04-20T11:55:43.440Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650455743440
  ]
}
xrisbarney commented 2 years ago

Service creation — Sysmon Event ID 1 (Process Create): `sc create tbbd05 binpath= "%COMSPEC% /c echo b6a1458f396 > \\.\pipe\334485" DisplayName= "tbbd05" start= demand`, launched from `cmd.exe` (PID 8976) at High integrity from the APTSimulator directory. A service whose binpath is a `cmd.exe` one-liner that echoes into a named pipe is consistent with the named-pipe impersonation technique used by Cobalt Strike's getsystem-style privilege escalation (the service runs as SYSTEM and connects to the attacker-owned pipe). A rule for this should look at `data.win.eventdata.commandLine` for `sc create` together with `binpath=`, `%COMSPEC%`, `echo` and `\\.\pipe\`, not at the service name, which is random.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "vl3URoABWZBNLY4mF7zD",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "originalFileName": "sc.exe",
          "image": "C:\\\\Windows\\\\System32\\\\sc.exe",
          "product": "Microsoft® Windows® Operating System",
          "parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
          "description": "Service Control Manager Configuration Tool",
          "logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
          "parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
          "processGuid": "{c64152da-f4a4-625f-ac05-000000000c00}",
          "logonId": "0x5b1ac",
          "parentProcessId": "8976",
          "processId": "3204",
          "currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
          "utcTime": "2022-04-20 11:55:16.338",
          "hashes": "SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD",
          "parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
          "ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
          "company": "Microsoft Corporation",
          "commandLine": "sc  create tbbd05 binpath= \\\"%%COMSPEC%% /c echo b6a1458f396 > \\\\\\\\.\\\\pipe\\\\334485\\\" DisplayName= \\\"tbbd05\\\" start= demand",
          "integrityLevel": "High",
          "fileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
          "user": "DESKTOP-VAEP8K1\\\\vagrant",
          "terminalSessionId": "1",
          "parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
        },
        "system": {
          "eventID": "1",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 11:55:16.338\r\nProcessGuid: {c64152da-f4a4-625f-ac05-000000000c00}\r\nProcessId: 3204\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: sc  create tbbd05 binpath= \"%%COMSPEC%% /c echo b6a1458f396 > \\\\.\\pipe\\334485\" DisplayName= \"tbbd05\" start= demand\r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
          "version": "5",
          "systemTime": "2022-04-20T11:55:16.3433080Z",
          "eventRecordID": "5649",
          "threadID": "5384",
          "computer": "DESKTOP-VAEP8K1",
          "task": "1",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:16.3433080Z\",\"eventRecordID\":\"5649\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 11:55:16.338\\r\\nProcessGuid: {c64152da-f4a4-625f-ac05-000000000c00}\\r\\nProcessId: 3204\\r\\nImage: C:\\\\Windows\\\\System32\\\\sc.exe\\r\\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\\r\\nDescription: Service Control Manager Configuration Tool\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: sc.exe\\r\\nCommandLine: sc  create tbbd05 binpath= \\\"%%COMSPEC%% /c echo b6a1458f396 > \\\\\\\\.\\\\pipe\\\\334485\\\" DisplayName= \\\"tbbd05\\\" start= demand\\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\\r\\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 
11:55:16.338\",\"processGuid\":\"{c64152da-f4a4-625f-ac05-000000000c00}\",\"processId\":\"3204\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sc.exe\",\"fileVersion\":\"10.0.19041.1 (WinBuild.160101.0800)\",\"description\":\"Service Control Manager Configuration Tool\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"sc.exe\",\"commandLine\":\"sc  create tbbd05 binpath= \\\\\\\"%%COMSPEC%% /c echo b6a1458f396 > \\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\334485\\\\\\\" DisplayName= \\\\\\\"tbbd05\\\\\\\" start= demand\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T11:55:45.332Z",
    "location": "EventChannel",
    "id": "1650455745.942410",
    "timestamp": "2022-04-20T11:55:45.332+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T11:55:45.332Z"
    ],
    "timestamp": [
      "2022-04-20T11:55:45.332Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650455745332
  ]
}
xrisbarney commented 2 years ago

Service started — Sysmon Event ID 1 (Process Create): `sc start tbbd05`, from the same `cmd.exe` parent (PID 8976) about 20 ms after the create command (11:55:16.338 → 11:55:16.359 UTC). The create/start pair within the same second from one parent is the sequence a correlation rule can chain on.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "x13URoABWZBNLY4mG7yu",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "originalFileName": "sc.exe",
          "image": "C:\\\\Windows\\\\System32\\\\sc.exe",
          "product": "Microsoft® Windows® Operating System",
          "parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
          "description": "Service Control Manager Configuration Tool",
          "logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
          "parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
          "processGuid": "{c64152da-f4a4-625f-ad05-000000000c00}",
          "logonId": "0x5b1ac",
          "parentProcessId": "8976",
          "processId": "5760",
          "currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
          "utcTime": "2022-04-20 11:55:16.359",
          "hashes": "SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD",
          "parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
          "ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
          "company": "Microsoft Corporation",
          "commandLine": "sc  start tbbd05",
          "integrityLevel": "High",
          "fileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
          "user": "DESKTOP-VAEP8K1\\\\vagrant",
          "terminalSessionId": "1",
          "parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
        },
        "system": {
          "eventID": "1",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 11:55:16.359\r\nProcessGuid: {c64152da-f4a4-625f-ad05-000000000c00}\r\nProcessId: 5760\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: sc  start tbbd05 \r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
          "version": "5",
          "systemTime": "2022-04-20T11:55:16.3609813Z",
          "eventRecordID": "5658",
          "threadID": "5384",
          "computer": "DESKTOP-VAEP8K1",
          "task": "1",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:16.3609813Z\",\"eventRecordID\":\"5658\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 11:55:16.359\\r\\nProcessGuid: {c64152da-f4a4-625f-ad05-000000000c00}\\r\\nProcessId: 5760\\r\\nImage: C:\\\\Windows\\\\System32\\\\sc.exe\\r\\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\\r\\nDescription: Service Control Manager Configuration Tool\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: sc.exe\\r\\nCommandLine: sc  start tbbd05 \\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\\r\\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 
11:55:16.359\",\"processGuid\":\"{c64152da-f4a4-625f-ad05-000000000c00}\",\"processId\":\"5760\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sc.exe\",\"fileVersion\":\"10.0.19041.1 (WinBuild.160101.0800)\",\"description\":\"Service Control Manager Configuration Tool\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"sc.exe\",\"commandLine\":\"sc  start tbbd05\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T11:55:45.611Z",
    "location": "EventChannel",
    "id": "1650455745.942410",
    "timestamp": "2022-04-20T11:55:45.611+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T11:55:45.611Z"
    ],
    "timestamp": [
      "2022-04-20T11:55:45.611Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650455745611
  ]
}
xrisbarney commented 2 years ago

Service stopped: Sysmon Event ID 1 (process creation) for `sc  stop tbbd05`, spawned by cmd.exe (PID 8976) at High integrity with the APTSimulator directory as CWD. Note this captures only the `sc.exe` invocation, not the Service Control Manager's own state change (normally System channel event 7036); if you need to confirm the service actually stopped, collect the System channel alongside Sysmon.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "yF3URoABWZBNLY4mG7yu",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "originalFileName": "sc.exe",
          "image": "C:\\\\Windows\\\\System32\\\\sc.exe",
          "product": "Microsoft® Windows® Operating System",
          "parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
          "description": "Service Control Manager Configuration Tool",
          "logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
          "parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
          "processGuid": "{c64152da-f4a4-625f-af05-000000000c00}",
          "logonId": "0x5b1ac",
          "parentProcessId": "8976",
          "processId": "7452",
          "currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
          "utcTime": "2022-04-20 11:55:16.384",
          "hashes": "SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD",
          "parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
          "ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
          "company": "Microsoft Corporation",
          "commandLine": "sc  stop tbbd05",
          "integrityLevel": "High",
          "fileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
          "user": "DESKTOP-VAEP8K1\\\\vagrant",
          "terminalSessionId": "1",
          "parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
        },
        "system": {
          "eventID": "1",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 11:55:16.384\r\nProcessGuid: {c64152da-f4a4-625f-af05-000000000c00}\r\nProcessId: 7452\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: sc  stop tbbd05 \r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
          "version": "5",
          "systemTime": "2022-04-20T11:55:16.3877656Z",
          "eventRecordID": "5659",
          "threadID": "5384",
          "computer": "DESKTOP-VAEP8K1",
          "task": "1",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:16.3877656Z\",\"eventRecordID\":\"5659\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 11:55:16.384\\r\\nProcessGuid: {c64152da-f4a4-625f-af05-000000000c00}\\r\\nProcessId: 7452\\r\\nImage: C:\\\\Windows\\\\System32\\\\sc.exe\\r\\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\\r\\nDescription: Service Control Manager Configuration Tool\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: sc.exe\\r\\nCommandLine: sc  stop tbbd05 \\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\\r\\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 
11:55:16.384\",\"processGuid\":\"{c64152da-f4a4-625f-af05-000000000c00}\",\"processId\":\"7452\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sc.exe\",\"fileVersion\":\"10.0.19041.1 (WinBuild.160101.0800)\",\"description\":\"Service Control Manager Configuration Tool\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"sc.exe\",\"commandLine\":\"sc  stop tbbd05\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T11:55:45.616Z",
    "location": "EventChannel",
    "id": "1650455745.942410",
    "timestamp": "2022-04-20T11:55:45.616+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T11:55:45.616Z"
    ],
    "timestamp": [
      "2022-04-20T11:55:45.616Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650455745616
  ]
}
xrisbarney commented 2 years ago

Service deleted: Sysmon Event ID 1 for `sc  delete tbbd05` from the same cmd.exe parent (PID 8976). Again only the command line is recorded; an independent signal for the removal would be the deletion of the service key under HKLM\SYSTEM\CurrentControlSet\Services\tbbd05 (Sysmon EID 12, if registry monitoring covers that path). Also note that this event and the two preceding `sc` events share the same Wazuh `id` (1650455745.942410), so do not use that field for de-duplication or correlation — key on the Elasticsearch `_id` or the Sysmon `eventRecordID` instead.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "yV3URoABWZBNLY4mG7yu",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "originalFileName": "sc.exe",
          "image": "C:\\\\Windows\\\\System32\\\\sc.exe",
          "product": "Microsoft® Windows® Operating System",
          "parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
          "description": "Service Control Manager Configuration Tool",
          "logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
          "parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
          "processGuid": "{c64152da-f4a4-625f-b005-000000000c00}",
          "logonId": "0x5b1ac",
          "parentProcessId": "8976",
          "processId": "2784",
          "currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
          "utcTime": "2022-04-20 11:55:16.428",
          "hashes": "SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD",
          "parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
          "ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
          "company": "Microsoft Corporation",
          "commandLine": "sc  delete tbbd05",
          "integrityLevel": "High",
          "fileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
          "user": "DESKTOP-VAEP8K1\\\\vagrant",
          "terminalSessionId": "1",
          "parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
        },
        "system": {
          "eventID": "1",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 11:55:16.428\r\nProcessGuid: {c64152da-f4a4-625f-b005-000000000c00}\r\nProcessId: 2784\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: sc  delete tbbd05 \r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
          "version": "5",
          "systemTime": "2022-04-20T11:55:16.4304007Z",
          "eventRecordID": "5660",
          "threadID": "5384",
          "computer": "DESKTOP-VAEP8K1",
          "task": "1",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:16.4304007Z\",\"eventRecordID\":\"5660\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 11:55:16.428\\r\\nProcessGuid: {c64152da-f4a4-625f-b005-000000000c00}\\r\\nProcessId: 2784\\r\\nImage: C:\\\\Windows\\\\System32\\\\sc.exe\\r\\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\\r\\nDescription: Service Control Manager Configuration Tool\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: sc.exe\\r\\nCommandLine: sc  delete tbbd05 \\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\\r\\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 
11:55:16.428\",\"processGuid\":\"{c64152da-f4a4-625f-b005-000000000c00}\",\"processId\":\"2784\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sc.exe\",\"fileVersion\":\"10.0.19041.1 (WinBuild.160101.0800)\",\"description\":\"Service Control Manager Configuration Tool\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"sc.exe\",\"commandLine\":\"sc  delete tbbd05\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=B4979A9F970029889713D756C3F123643DDE73DA,MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T11:55:45.639Z",
    "location": "EventChannel",
    "id": "1650455745.942410",
    "timestamp": "2022-04-20T11:55:45.639+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T11:55:45.639Z"
    ],
    "timestamp": [
      "2022-04-20T11:55:45.639Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650455745639
  ]
}
xrisbarney commented 2 years ago

Network request 1: Sysmon Event ID 1 for APTSimulator's helper curl.exe (PID 1476) issuing `-I` (HEAD) to http://10.0.2.15/pixel.gif with a base64-looking Cookie header, an MSIE 9 user-agent and `Cache-Control: no-cache`. This resembles the Cobalt Strike default HTTP GET check-in (beacon metadata carried in the Cookie header), but it is only a curl emulation, and only the process creation is captured here — a Sysmon Event ID 3 (network connection) for PID 1476 would be needed to tie it to the wire. The binary has no version resource (FileVersion/Description/Company all `-`) and lives outside System32, which is itself a useful signal given Windows ships its own curl.exe there.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "4l3URoABWZBNLY4mJ7xp",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\helpers\\\\curl.exe",
          "parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
          "logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
          "parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
          "processGuid": "{c64152da-f4a7-625f-b505-000000000c00}",
          "logonId": "0x5b1ac",
          "parentProcessId": "8976",
          "processId": "1476",
          "currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
          "utcTime": "2022-04-20 11:55:19.566",
          "hashes": "SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6",
          "parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
          "ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
          "commandLine": "\\\"C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\\\helpers\\\\curl.exe\\\"  -s -o /dev/null -I     -H \\\"Accept: */*\\\"     -H \\\"Cookie: cdoWQelsAYyUlsEMuvbfEAfSxSWtkRwhm5OPfZ6K+400BQBsFlxwSSvsZ2IokquiUDKEPTip7MHL5VkYirf74WkZkc29LeJIt38HQA8E79bc2x9wMgnCz7U5mWXTMZLCQPdoc0VNqbpd2ytuxKRm9upFlCgB41h3hu1GrfDt0Q0=\\\"     -A \\\"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)\\\"     -H \\\"Connection: Keep-Alive\\\"     -H \\\"Cache-Control: no-cache\\\"     http://10.0.2.15/pixel.gif",
          "integrityLevel": "High",
          "user": "DESKTOP-VAEP8K1\\\\vagrant",
          "terminalSessionId": "1",
          "parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
        },
        "system": {
          "eventID": "1",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 11:55:19.566\r\nProcessGuid: {c64152da-f4a7-625f-b505-000000000c00}\r\nProcessId: 1476\r\nImage: C:\\Users\\vagrant\\simulator\\APTSimulator\\helpers\\curl.exe\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nCommandLine: \"C:\\Users\\vagrant\\simulator\\APTSimulator\\\\helpers\\curl.exe\"  -s -o /dev/null -I     -H \"Accept: */*\"     -H \"Cookie: cdoWQelsAYyUlsEMuvbfEAfSxSWtkRwhm5OPfZ6K+400BQBsFlxwSSvsZ2IokquiUDKEPTip7MHL5VkYirf74WkZkc29LeJIt38HQA8E79bc2x9wMgnCz7U5mWXTMZLCQPdoc0VNqbpd2ytuxKRm9upFlCgB41h3hu1GrfDt0Q0=\"     -A \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)\"     -H \"Connection: Keep-Alive\"     -H \"Cache-Control: no-cache\"     http://10.0.2.15/pixel.gif\r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
          "version": "5",
          "systemTime": "2022-04-20T11:55:19.6088013Z",
          "eventRecordID": "5673",
          "threadID": "5384",
          "computer": "DESKTOP-VAEP8K1",
          "task": "1",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T11:55:19.6088013Z\",\"eventRecordID\":\"5673\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 11:55:19.566\\r\\nProcessGuid: {c64152da-f4a7-625f-b505-000000000c00}\\r\\nProcessId: 1476\\r\\nImage: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\helpers\\\\curl.exe\\r\\nFileVersion: -\\r\\nDescription: -\\r\\nProduct: -\\r\\nCompany: -\\r\\nOriginalFileName: -\\r\\nCommandLine: \\\"C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\\\helpers\\\\curl.exe\\\"  -s -o /dev/null -I     -H \\\"Accept: */*\\\"     -H \\\"Cookie: cdoWQelsAYyUlsEMuvbfEAfSxSWtkRwhm5OPfZ6K+400BQBsFlxwSSvsZ2IokquiUDKEPTip7MHL5VkYirf74WkZkc29LeJIt38HQA8E79bc2x9wMgnCz7U5mWXTMZLCQPdoc0VNqbpd2ytuxKRm9upFlCgB41h3hu1GrfDt0Q0=\\\"     -A \\\"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)\\\"     -H \\\"Connection: Keep-Alive\\\"     -H \\\"Cache-Control: no-cache\\\"     http://10.0.2.15/pixel.gif\\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\\r\\nParentProcessGuid: 
{c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 11:55:19.566\",\"processGuid\":\"{c64152da-f4a7-625f-b505-000000000c00}\",\"processId\":\"1476\",\"image\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\helpers\\\\\\\\curl.exe\",\"commandLine\":\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\\\\\\\\helpers\\\\\\\\curl.exe\\\\\\\"  -s -o /dev/null -I     -H \\\\\\\"Accept: */*\\\\\\\"     -H \\\\\\\"Cookie: cdoWQelsAYyUlsEMuvbfEAfSxSWtkRwhm5OPfZ6K+400BQBsFlxwSSvsZ2IokquiUDKEPTip7MHL5VkYirf74WkZkc29LeJIt38HQA8E79bc2x9wMgnCz7U5mWXTMZLCQPdoc0VNqbpd2ytuxKRm9upFlCgB41h3hu1GrfDt0Q0=\\\\\\\"     -A \\\\\\\"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)\\\\\\\"     -H \\\\\\\"Connection: Keep-Alive\\\\\\\"     -H \\\\\\\"Cache-Control: no-cache\\\\\\\"     http://10.0.2.15/pixel.gif\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T11:55:47.753Z",
    "location": "EventChannel",
    "id": "1650455747.951847",
    "timestamp": "2022-04-20T11:55:47.753+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T11:55:47.753Z"
    ],
    "timestamp": [
      "2022-04-20T11:55:47.753Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650455747753
  ]
}
xrisbarney commented 2 years ago

Network request 2: Sysmon Event ID 1 for the same curl.exe (PID 4656) issuing `-I` to https://operaa.net:443/jquery-3.2.2.min.js with `Referer: http://code.jquery.com/`, a `__cfduid` cookie and a Chrome 53 user-agent. This mirrors the widely used jQuery-themed malleable C2 profile; the detection-relevant points are the Referer/host mismatch (a jquery.com referer for an unrelated domain) and the cookie carrying the metadata blob. Because the target is HTTPS, these headers would not be visible on the wire — they are only observable here because they sit in the process command line, so a real beacon (which does not spawn curl) would not leave this record.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "dF3gRoABWZBNLY4mRsPc",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\helpers\\\\curl.exe",
          "parentProcessGuid": "{c64152da-8ec8-625e-8a02-000000000c00}",
          "logonGuid": "{c64152da-7fad-625e-acb1-050000000000}",
          "parentCommandLine": "\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"",
          "processGuid": "{c64152da-f7c4-625f-fb05-000000000c00}",
          "logonId": "0x5b1ac",
          "parentProcessId": "8976",
          "processId": "4656",
          "currentDirectory": "C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\",
          "utcTime": "2022-04-20 12:08:36.397",
          "hashes": "SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6",
          "parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
          "ruleName": "technique_id=T1059,technique_name=Command-Line Interface",
          "commandLine": "\\\"C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\\\helpers\\\\curl.exe\\\"  -s -o /dev/null -I     -H \\\"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\\"     -H \\\"Cache-Control: no-cache\\\"     -H \\\"Connection: Keep-Alive\\\"     -H \\\"Cookie: __cfduid=gjlAuOSb_vHdOfQwz0K2WU4g6D-a0pERCS6QV0Gur6nvsxFX0hRL7RxeK61hsQgk1uGySuIQxIDU364bLV9YRYQZxgxtkoYBqk2CBlJlqc_gSIm5fxgkUBdLttW19M0Pn7szdQMCLKKbUzAB9QRyG5W0OrUDroCUECuOf3HgwMU\\\"     -H \\\"Referer: http://code.jquery.com/\\\"     -A \\\"Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2832.7 Safari/537.36\\\"     https://operaa.net:443/jquery-3.2.2.min.js",
          "integrityLevel": "High",
          "user": "DESKTOP-VAEP8K1\\\\vagrant",
          "terminalSessionId": "1",
          "parentUser": "DESKTOP-VAEP8K1\\\\vagrant"
        },
        "system": {
          "eventID": "1",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Process Create:\r\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\r\nUtcTime: 2022-04-20 12:08:36.397\r\nProcessGuid: {c64152da-f7c4-625f-fb05-000000000c00}\r\nProcessId: 4656\r\nImage: C:\\Users\\vagrant\\simulator\\APTSimulator\\helpers\\curl.exe\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nCommandLine: \"C:\\Users\\vagrant\\simulator\\APTSimulator\\\\helpers\\curl.exe\"  -s -o /dev/null -I     -H \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"     -H \"Cache-Control: no-cache\"     -H \"Connection: Keep-Alive\"     -H \"Cookie: __cfduid=gjlAuOSb_vHdOfQwz0K2WU4g6D-a0pERCS6QV0Gur6nvsxFX0hRL7RxeK61hsQgk1uGySuIQxIDU364bLV9YRYQZxgxtkoYBqk2CBlJlqc_gSIm5fxgkUBdLttW19M0Pn7szdQMCLKKbUzAB9QRyG5W0OrUDroCUECuOf3HgwMU\"     -H \"Referer: http://code.jquery.com/\"     -A \"Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2832.7 Safari/537.36\"     https://operaa.net:443/jquery-3.2.2.min.js\r\nCurrentDirectory: C:\\Users\\vagrant\\simulator\\APTSimulator\\\r\nUser: DESKTOP-VAEP8K1\\vagrant\r\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\r\nLogonId: 0x5B1AC\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\r\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\r\nParentProcessId: 8976\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"C:\\Windows\\system32\\cmd.exe\" \r\nParentUser: DESKTOP-VAEP8K1\\vagrant\"",
          "version": "5",
          "systemTime": "2022-04-20T12:08:36.4002847Z",
          "eventRecordID": "5962",
          "threadID": "5384",
          "computer": "DESKTOP-VAEP8K1",
          "task": "1",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T12:08:36.4002847Z\",\"eventRecordID\":\"5962\",\"processID\":\"5964\",\"threadID\":\"5384\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1059,technique_name=Command-Line Interface\\r\\nUtcTime: 2022-04-20 12:08:36.397\\r\\nProcessGuid: {c64152da-f7c4-625f-fb05-000000000c00}\\r\\nProcessId: 4656\\r\\nImage: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\helpers\\\\curl.exe\\r\\nFileVersion: -\\r\\nDescription: -\\r\\nProduct: -\\r\\nCompany: -\\r\\nOriginalFileName: -\\r\\nCommandLine: \\\"C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\\\helpers\\\\curl.exe\\\"  -s -o /dev/null -I     -H \\\"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\\"     -H \\\"Cache-Control: no-cache\\\"     -H \\\"Connection: Keep-Alive\\\"     -H \\\"Cookie: __cfduid=gjlAuOSb_vHdOfQwz0K2WU4g6D-a0pERCS6QV0Gur6nvsxFX0hRL7RxeK61hsQgk1uGySuIQxIDU364bLV9YRYQZxgxtkoYBqk2CBlJlqc_gSIm5fxgkUBdLttW19M0Pn7szdQMCLKKbUzAB9QRyG5W0OrUDroCUECuOf3HgwMU\\\"     -H \\\"Referer: http://code.jquery.com/\\\"     -A \\\"Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2832.7 Safari/537.36\\\"     https://operaa.net:443/jquery-3.2.2.min.js\\r\\nCurrentDirectory: C:\\\\Users\\\\vagrant\\\\simulator\\\\APTSimulator\\\\\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\r\\nLogonGuid: {c64152da-7fad-625e-acb1-050000000000}\\r\\nLogonId: 0x5B1AC\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: 
SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\\r\\nParentProcessGuid: {c64152da-8ec8-625e-8a02-000000000c00}\\r\\nParentProcessId: 8976\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\cmd.exe\\r\\nParentCommandLine: \\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" \\r\\nParentUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1059,technique_name=Command-Line Interface\",\"utcTime\":\"2022-04-20 12:08:36.397\",\"processGuid\":\"{c64152da-f7c4-625f-fb05-000000000c00}\",\"processId\":\"4656\",\"image\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\helpers\\\\\\\\curl.exe\",\"commandLine\":\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\\\\\\\\helpers\\\\\\\\curl.exe\\\\\\\"  -s -o /dev/null -I     -H \\\\\\\"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\\\\\\"     -H \\\\\\\"Cache-Control: no-cache\\\\\\\"     -H \\\\\\\"Connection: Keep-Alive\\\\\\\"     -H \\\\\\\"Cookie: __cfduid=gjlAuOSb_vHdOfQwz0K2WU4g6D-a0pERCS6QV0Gur6nvsxFX0hRL7RxeK61hsQgk1uGySuIQxIDU364bLV9YRYQZxgxtkoYBqk2CBlJlqc_gSIm5fxgkUBdLttW19M0Pn7szdQMCLKKbUzAB9QRyG5W0OrUDroCUECuOf3HgwMU\\\\\\\"     -H \\\\\\\"Referer: http://code.jquery.com/\\\\\\\"     -A \\\\\\\"Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2832.7 Safari/537.36\\\\\\\"     
https://operaa.net:443/jquery-3.2.2.min.js\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\simulator\\\\\\\\APTSimulator\\\\\\\\\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\",\"logonGuid\":\"{c64152da-7fad-625e-acb1-050000000000}\",\"logonId\":\"0x5b1ac\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=C852A39B2BD53BE2F9CB35CF07D15D176795F47C,MD5=1673A392AAF4278D2084C224A08ABFF1,SHA256=92A112DEEA36D6D4D1BD265E2E4B200129DAB30AFE918115B77A92F68D38903D,IMPHASH=0B669CDDDC01A874708E074B055741F6\",\"parentProcessGuid\":\"{c64152da-8ec8-625e-8a02-000000000c00}\",\"parentProcessId\":\"8976\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\",\"parentCommandLine\":\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\\\\\"\",\"parentUser\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T12:09:03.206Z",
    "location": "EventChannel",
    "id": "1650456543.1005103",
    "timestamp": "2022-04-20T12:09:03.206+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T12:09:03.206Z"
    ],
    "timestamp": [
      "2022-04-20T12:09:03.206Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650456543206
  ]
}

DNS request attributed to an unknown process: Sysmon Event ID 22 for `operaa.net` with `Image: <unknown process>` and an all-zero ProcessGuid, meaning Sysmon could not tie the query to a live process. ProcessId 4656 matches the APTSimulator `curl.exe` Process Create (Event ID 1) above, and QueryStatus 9003 (Windows DNS_ERROR_RCODE_NAME_ERROR, "name does not exist") shows the lookup failed, so the simulated beacon most likely never reached the host. Note the query's UtcTime (12:08:14) precedes the curl.exe creation UtcTime (12:08:36), so a PID-only match is weak evidence — PIDs are reused; correlate on ProcessGuid where it is populated.

{
  "_index": "wazuh-archives-4.x-2022.04.20",
  "_type": "_doc",
  "_id": "d13gRoABWZBNLY4mUsOi",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "10.0.2.15",
      "name": "DESKTOP-VAEP8K1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-focal"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "<unknown process>",
          "processGuid": "{00000000-0000-0000-0000-000000000000}",
          "queryStatus": "9003",
          "processId": "4656",
          "utcTime": "2022-04-20 12:08:14.567",
          "queryName": "operaa.net",
          "user": "DESKTOP-VAEP8K1\\\\vagrant"
        },
        "system": {
          "eventID": "22",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Dns query:\r\nRuleName: -\r\nUtcTime: 2022-04-20 12:08:14.567\r\nProcessGuid: {00000000-0000-0000-0000-000000000000}\r\nProcessId: 4656\r\nQueryName: operaa.net\r\nQueryStatus: 9003\r\nQueryResults: -\r\nImage: <unknown process>\r\nUser: DESKTOP-VAEP8K1\\vagrant\"",
          "version": "5",
          "systemTime": "2022-04-20T12:08:38.7490769Z",
          "eventRecordID": "5965",
          "threadID": "7544",
          "computer": "DESKTOP-VAEP8K1",
          "task": "22",
          "processID": "5964",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"22\",\"version\":\"5\",\"level\":\"4\",\"task\":\"22\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-04-20T12:08:38.7490769Z\",\"eventRecordID\":\"5965\",\"processID\":\"5964\",\"threadID\":\"7544\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-VAEP8K1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Dns query:\\r\\nRuleName: -\\r\\nUtcTime: 2022-04-20 12:08:14.567\\r\\nProcessGuid: {00000000-0000-0000-0000-000000000000}\\r\\nProcessId: 4656\\r\\nQueryName: operaa.net\\r\\nQueryStatus: 9003\\r\\nQueryResults: -\\r\\nImage: <unknown process>\\r\\nUser: DESKTOP-VAEP8K1\\\\vagrant\\\"\"},\"eventdata\":{\"utcTime\":\"2022-04-20 12:08:14.567\",\"processGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"processId\":\"4656\",\"queryName\":\"operaa.net\",\"queryStatus\":\"9003\",\"image\":\"&lt;unknown process&gt;\",\"user\":\"DESKTOP-VAEP8K1\\\\\\\\vagrant\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-04-20T12:09:05.300Z",
    "location": "EventChannel",
    "id": "1650456545.1005103",
    "timestamp": "2022-04-20T12:09:05.300+0000"
  },
  "fields": {
    "@timestamp": [
      "2022-04-20T12:09:05.300Z"
    ],
    "timestamp": [
      "2022-04-20T12:09:05.300Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@kibana-highlighted-field@001@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1650456545300
  ]
}