From 91a7ab79064042ade79ba086404e6f3fe7af7a81 Mon Sep 17 00:00:00 2001
From: "sekoia-io-cross-repo-comm-app[bot]"
<99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com>
Date: Mon, 13 May 2024 05:17:06 +0000
Subject: [PATCH] Refresh intakes documentation
---
.../40deb162-6bb1-4635-9c99-5c2de7e1d340.md | 1513 +----------------
1 file changed, 18 insertions(+), 1495 deletions(-)
diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md
index 634e9705aa..c053317081 100644
--- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md
+++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md
@@ -58,86 +58,22 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": "command_script",
"type": "Command Script"
},
- "file": {
- "location": "Local",
- "type": "UNKNOWN"
- },
"host": {
"os": {
"revision": "19044"
}
},
"process": {
- "counters": {
- "child_process": 1,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 2,
- "module_load": 272,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "ossrc": {
- "parent": {
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": "0",
- "storyline_id": "0F91E6E7AB538ED5",
- "uid": "0E91E6E7AB538ED5"
- }
- },
"parent": {
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
"command_line": "taskhostw.exe",
"executable": {
"name": "C:\\Windows\\System32\\taskhostw.exe"
- },
- "family": "SYS_WIN32",
- "hash": {
- "md5": "a00bf82660835224cd6606a248321c5d",
- "sha1": "9b77e09375790ea1ea0a9ca9fc1d69e8e32fe597",
- "sha256": "e63709209d09bc0247e785f075ddb28a98c348206109e2b8ba321ad958402728"
- },
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "name": "taskhostw.exe",
- "pid": "6276",
- "root": "True",
- "session_id": 2,
- "start": "2023-03-30T13:46:01.002000Z",
- "storyline_id": "3ED9E6E7AB538ED5",
- "title": "Host Process for Windows Tasks",
- "uid": "3DD9E6E7AB538ED5",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Windows\\System32"
- },
- "root": "False",
- "session_id": 2,
- "storyline_id": "3ED9E6E7AB538ED5",
- "uid": "64D9E6E7AB538ED5"
+ }
+ }
},
"script": {
"app_name": "PowerShell_C:\\Windows\\System32\\sdiagnhost.exe_10.0.19041.1",
- "content": "{(Format-DiskSpaceMB $_.Space) + \"MB\"}",
- "is_complete": true
+ "content": "{(Format-DiskSpaceMB $_.Space) + \"MB\"}"
}
},
"file": {
@@ -272,115 +208,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"process": {
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
"command_line": "\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca",
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 2,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 183,
- "net_conn": 2,
- "net_conn_in": 0,
- "net_conn_out": 2,
- "registry_modification": 0
- },
"executable": {
"name": "C:\\Windows\\System32\\backgroundTaskHost.exe"
},
- "family": "SYS_WIN32",
"hash": {
- "md5": "da7063b17dbb8bbb3015351016868006",
- "sha1": "c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09",
"sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50"
},
- "integrity_level": "LOW",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
"name": "backgroundTaskHost.exe",
- "ossrc": {
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 5,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 215,
- "net_conn": 5,
- "net_conn_in": 0,
- "net_conn_out": 5,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": "0",
- "storyline_id": "5696E5E7AB538ED5",
- "uid": "5596E5E7AB538ED5"
- },
- "root": "True",
- "session_id": "0",
- "storyline_id": "AC96E5E7AB538ED5",
- "uid": "AB96E5E7AB538ED5"
- },
"parent": {
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
"command_line": "sihost.exe",
"executable": {
"name": "C:\\Windows\\System32\\sihost.exe"
- },
- "family": "SYS_WIN32",
- "hash": {
- "md5": "a21e7719d73d0322e2e7d61802cb8f80",
- "sha1": "5310ba14a05256e4d93e0b04338f53b4e1d680cb",
- "sha256": "8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00"
- },
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "name": "sihost.exe",
- "pid": "4164",
- "root": "True",
- "session_id": 2,
- "start": "2023-03-21T10:34:33.882000Z",
- "storyline_id": "BE98E5E7AB538ED5",
- "title": "Shell Infrastructure Host",
- "uid": "BD98E5E7AB538ED5",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Windows\\System32"
- },
- "pid": "3844",
- "root": "True",
- "session_id": 2,
- "start": "2023-03-21T12:38:53.356000Z",
- "storyline_id": "6EB4E5E7AB538ED5",
- "title": "Background Task Host",
- "uid": "6DB4E5E7AB538ED5",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Windows\\System32"
+ }
+ }
}
},
"dns": {
@@ -513,58 +354,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"hash": {
"sha1": "2b4e0fc4fb2d2cbf0cc2e86c52e3d6f568c8ad75",
"sha256": "415e3a47fe8655f49e152197e63b3509a816fa584d7b9c6539f1493d6bf779ce"
- },
- "isloadedbeforemonitor": "False",
- "start_code": "7",
- "start_type": "Invalid or unknown",
- "verdict": "BENIGN"
+ }
},
"event": {
"category": "driver",
"type": "Driver Load"
},
- "file": {
- "type": "UNKNOWN"
- },
"host": {
"os": {
"revision": "19044"
}
- },
- "process": {
- "counters": {
- "child_process": 2,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 0,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 0,
- "storyline_id": "4735E7E7AB538ED5",
- "uid": "4635E7E7AB538ED5"
- },
- "root": "True",
- "session_id": 0,
- "storyline_id": "4735E7E7AB538ED5",
- "uid": "4635E7E7AB538ED5"
}
},
"file": {
@@ -679,49 +478,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": "file",
"type": "File Creation"
},
- "file": {
- "location": "Local",
- "type": "UNKNOWN"
- },
"host": {
"os": {
"revision": "19044"
}
- },
- "process": {
- "counters": {
- "child_process": 2,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 2,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 34,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 2,
- "storyline_id": "0447E5E7AB538ED5",
- "uid": "0347E5E7AB538ED5"
- },
- "root": "True",
- "session_id": 2,
- "storyline_id": "DA84E5E7AB538ED5",
- "uid": "D984E5E7AB538ED5"
}
},
"file": {
@@ -840,107 +600,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": "file",
"type": "File Deletion"
},
- "file": {
- "location": "Local",
- "type": "UNKNOWN"
- },
"host": {
"os": {
"revision": "19044"
}
},
"process": {
- "activecontent": {
- "code_signature": {
- "exists": "false"
- },
- "type": "FILE"
- },
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT CORPORATION"
- },
"command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5",
- "counters": {
- "child_process": 25,
- "cross_process": 606,
- "cross_process_dup_process_handle": 587,
- "cross_process_dup_thread_handle": 19,
- "dns_lookups": 0,
- "file_creation": 235,
- "file_deletion": 60,
- "file_modification": 246,
- "module_load": 755,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 35
- },
"executable": {
"name": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
},
- "family": "SYS_WIN32",
"hash": {
- "md5": "fbbcd4101d9daa064e2686834b1296be",
- "sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e",
"sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa"
},
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "name": "msedge.exe",
- "ossrc": {
- "activecontent": {
- "code_signature": {
- "exists": "false"
- },
- "type": "FILE"
- },
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 2,
- "module_load": 89,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 1
- },
- "family": "SYS_WIN32",
- "integrity_level": "LOW",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "False",
- "session_id": "2",
- "storyline_id": "14C2E6E7AB538ED5",
- "uid": "9AC2E6E7AB538ED5"
- },
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 2,
- "storyline_id": "96BFE6E7AB538ED5",
- "uid": "95BFE6E7AB538ED5"
- },
- "pid": "6384",
- "root": "True",
- "session_id": 2,
- "start": "2023-03-30T13:39:45.577000Z",
- "storyline_id": "14C2E6E7AB538ED5",
- "title": "Microsoft Edge",
- "uid": "13C2E6E7AB538ED5",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
+ "name": "msedge.exe"
}
},
"file": {
@@ -1059,50 +732,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": "file",
"type": "File Rename"
},
- "file": {
- "location": "Local",
- "old_path": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus.json",
- "type": "UNKNOWN"
- },
"host": {
"os": {
"revision": "19044"
}
- },
- "process": {
- "counters": {
- "child_process": 5,
- "cross_process": 5,
- "cross_process_dup_process_handle": 5,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 288,
- "net_conn": 19,
- "net_conn_in": 0,
- "net_conn_out": 19,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 0,
- "storyline_id": "D7D0E5E7AB538ED5",
- "uid": "D6D0E5E7AB538ED5"
- },
- "root": "True",
- "session_id": 0,
- "storyline_id": "85D1E5E7AB538ED5",
- "uid": "84D1E5E7AB538ED5"
}
},
"file": {
@@ -1222,48 +855,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"process": {
"activecontent": {
- "code_signature": {
- "exists": "false"
- },
"hash": {
"sha1": "8b3d7f4397dd79d66b753745a676da89439ed38e"
},
- "path": "C:\\Users\\john.doe\\Desktop\\test.reg",
- "type": "FILE"
- },
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 66,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 3
- },
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 2,
- "storyline_id": "96BFE6E7AB538ED5",
- "uid": "95BFE6E7AB538ED5"
- },
- "root": "True",
- "session_id": 2,
- "storyline_id": "8EE6E6E7AB538ED5",
- "uid": "8DE6E6E7AB538ED5"
+ "path": "C:\\Users\\john.doe\\Desktop\\test.reg"
+ }
}
},
"host": {
@@ -1375,53 +971,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"description": "Code injection to other process memory space during the target process' initialization MITRE: Defense Evasion {T1055.012}, Privilege Escalation {T1055.012}",
"metadata": "To Process[ Name: \"msedge.exe\", Pid: \"8064\", UID: \"F328E6E7AB538ED5\", TrueContextID: \"2D1EE6E7AB538ED5\", IntegrityLevel: \"Low\", RelationToSource: \"Child\" ], File Path: \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"",
"name": "PreloadInjection"
- },
- "process": {
- "activecontent": {
- "code_signature": {
- "exists": "false"
- },
- "type": "FILE"
- },
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 3,
- "module_load": 84,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 1
- },
- "family": "SYS_WIN32",
- "integrity_level": "LOW",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "activecontent": {
- "code_signature": {
- "exists": "false"
- },
- "type": "FILE"
- },
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 2,
- "storyline_id": "2D1EE6E7AB538ED5",
- "uid": "2C1EE6E7AB538ED5"
- },
- "root": "False",
- "session_id": 2,
- "storyline_id": "2D1EE6E7AB538ED5",
- "uid": "F328E6E7AB538ED5"
}
},
"host": {
@@ -1530,41 +1079,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
- },
- "process": {
- "counters": {
- "child_process": 1,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 168,
- "net_conn": 1,
- "net_conn_in": 0,
- "net_conn_out": 1,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 0,
- "storyline_id": "EE96E5E7AB538ED5",
- "uid": "ED96E5E7AB538ED5"
- },
- "root": "False",
- "session_id": 0,
- "storyline_id": "EE96E5E7AB538ED5",
- "uid": "60B6E5E7AB538ED5"
}
},
"destination": {
@@ -1694,41 +1208,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
- },
- "process": {
- "counters": {
- "child_process": 1,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 290,
- "net_conn": 15,
- "net_conn_in": 15,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 0,
- "storyline_id": "0591E6E7AB538ED5",
- "uid": "0491E6E7AB538ED5"
- },
- "root": "True",
- "session_id": 0,
- "storyline_id": "1B91E6E7AB538ED5",
- "uid": "1A91E6E7AB538ED5"
}
},
"destination": {
@@ -1858,41 +1337,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
- },
- "process": {
- "counters": {
- "child_process": 1,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 3,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 93,
- "net_conn": 23,
- "net_conn_in": 4,
- "net_conn_out": 19,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "False",
- "session_id": 0,
- "storyline_id": "B491E6E7AB538ED5",
- "uid": "EF92E6E7AB538ED5"
- },
- "root": "False",
- "session_id": 0,
- "storyline_id": "B491E6E7AB538ED5",
- "uid": "F492E6E7AB538ED5"
}
},
"destination": {
@@ -2030,41 +1474,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64"
}
- },
- "process": {
- "counters": {
- "child_process": 1,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 5,
- "module_load": 0,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SUBSYSTEM_UNKNOWN",
- "integrity_level": "INTEGRITY_LEVEL_UNKNOWN",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SUBSYSTEM_UNKNOWN",
- "integrity_level": "INTEGRITY_LEVEL_UNKNOWN",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "False",
- "session_id": 0,
- "storyline_id": "55a4cfe4-1718-2ae2-dc40-bc3f342f0eca",
- "uid": "55a4cfe3-efa4-0d32-96df-11e5be1ac48d"
- },
- "root": "False",
- "session_id": 0,
- "storyline_id": "55a4d014-9141-dea7-0774-371da18a6469",
- "uid": "55a4d014-764d-907e-3edd-f7aa19bbf4af"
}
},
"host": {
@@ -2188,41 +1597,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64"
}
- },
- "process": {
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 2,
- "module_load": 0,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SUBSYSTEM_UNKNOWN",
- "integrity_level": "INTEGRITY_LEVEL_UNKNOWN",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SUBSYSTEM_UNKNOWN",
- "integrity_level": "INTEGRITY_LEVEL_UNKNOWN",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "False",
- "session_id": 0,
- "storyline_id": "55d21a32-95e8-7a56-ad57-a9e6aac5a7bd",
- "uid": "55d21a32-6fa0-ec6b-21df-509b3ca7f0ed"
- },
- "root": "False",
- "session_id": 0,
- "storyline_id": "55d21a33-24e0-2280-8049-e395c2fe0885",
- "uid": "55d21a33-1090-cfe3-3e71-3be4cb5098b8"
}
},
"host": {
@@ -2334,70 +1708,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"process": {
- "counters": {
- "child_process": 1,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 0,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SUBSYSTEM_UNKNOWN",
- "integrity_level": "INTEGRITY_LEVEL_UNKNOWN",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SUBSYSTEM_UNKNOWN",
- "integrity_level": "INTEGRITY_LEVEL_UNKNOWN",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "False",
- "session_id": 0,
- "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e",
- "uid": "55d21a32-dd64-9b07-6e84-bd923f6d1e08"
- },
- "root": "False",
- "session_id": 0,
- "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e",
"target": {
- "code_signature": {
- "exists": "false"
- },
"command_line": " ip -6 -a -o address",
"executable": "/usr/bin/ip",
- "family": "SUBSYSTEM_UNKNOWN",
"hash": {
"sha1": "3c954614f2c9af7181e4d00e00ab4485e4a9c33f"
},
- "integrity_level": "INTEGRITY_LEVEL_UNKNOWN",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
"name": "ip",
- "pid": 1518,
- "real_user": {
- "id": "0",
- "name": "root"
- },
- "root": "False",
- "session_id": 0,
- "start": "2023-04-12T14:24:34.590000Z",
- "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e",
"title": "ip",
- "uid": "550f55e8-ffb9-9bab-2952-5ef7c734b7d4",
- "user": {
- "id": "0",
- "name": "root"
- },
"working_directory": "/usr/bin"
- },
- "uid": "550f55e1-53a8-e998-adea-61da4ec754de"
+ }
}
},
"host": {
@@ -2522,70 +1842,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"process": {
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
"command_line": "C:\\Windows\\System32\\svchost.exe -k NetworkService",
- "counters": {
- "child_process": 3,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 658,
- "net_conn": 65,
- "net_conn_in": 65,
- "net_conn_out": 0,
- "registry_modification": 0
- },
"executable": {
"name": "C:\\Windows\\System32\\svchost.exe"
},
- "family": "SYS_WIN32",
"hash": {
- "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
- "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
},
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "name": "svchost.exe",
- "ossrc": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": "0",
- "storyline_id": "4A96E5E7AB538ED5",
- "uid": "4996E5E7AB538ED5"
- },
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 0,
- "storyline_id": "4896E5E7AB538ED5",
- "uid": "4796E5E7AB538ED5"
- },
- "pid": "740",
- "root": "True",
- "session_id": 0,
- "start": "2023-03-21T10:33:50.438000Z",
- "storyline_id": "6196E5E7AB538ED5",
- "title": "Host Process for Windows Services",
- "uid": "6096E5E7AB538ED5",
- "user": {
- "name": "NT AUTHORITY\\NETWORK SERVICE"
- },
- "working_directory": "C:\\Windows\\System32"
+ "name": "svchost.exe"
}
},
"host": {
@@ -2722,85 +1986,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"process": {
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
"command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
- "counters": {
- "child_process": 90,
- "cross_process": 252,
- "cross_process_dup_process_handle": 19,
- "cross_process_dup_thread_handle": 6,
- "dns_lookups": 40,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 7591,
- "net_conn": 102,
- "net_conn_in": 0,
- "net_conn_out": 102,
- "registry_modification": 0
- },
"executable": {
"name": "C:\\Windows\\System32\\svchost.exe"
},
- "family": "SYS_WIN32",
"hash": {
- "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
- "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
},
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "name": "svchost.exe",
- "ossrc": {
- "counters": {
- "child_process": 0,
- "cross_process": 164,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 124,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": "0",
- "storyline_id": "AD36E7E7AB538ED5",
- "uid": "AC36E7E7AB538ED5"
- },
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 0,
- "storyline_id": "AB36E7E7AB538ED5",
- "uid": "AA36E7E7AB538ED5"
- },
- "pid": "536",
- "root": "True",
- "session_id": 0,
- "start": "2023-04-04T09:47:38.531000Z",
- "storyline_id": "C136E7E7AB538ED5",
- "title": "Host Process for Windows Services",
- "uid": "C036E7E7AB538ED5",
- "user": {
- "name": "NT AUTHORITY\\SYSTEM"
- },
- "working_directory": "C:\\Windows\\System32"
+ "name": "svchost.exe"
}
},
"host": {
@@ -2929,144 +2122,32 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"process": {
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
"command_line": "\"C:\\Windows\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider",
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 93,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
"executable": {
"name": "C:\\Windows\\System32\\backgroundTaskHost.exe"
},
- "family": "SYS_WIN32",
"hash": {
- "md5": "da7063b17dbb8bbb3015351016868006",
- "sha1": "c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09",
"sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50"
},
- "integrity_level": "LOW",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
"name": "backgroundTaskHost.exe",
- "ossrc": {
- "counters": {
- "child_process": 121,
- "cross_process": 86,
- "cross_process_dup_process_handle": 85,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 199,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": "0",
- "storyline_id": "5696E5E7AB538ED5",
- "uid": "5596E5E7AB538ED5"
- },
- "root": "True",
- "session_id": "0",
- "storyline_id": "5696E5E7AB538ED5",
- "uid": "5596E5E7AB538ED5"
- },
"parent": {
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
"command_line": "sihost.exe",
"executable": {
"name": "C:\\Windows\\System32\\sihost.exe"
- },
- "family": "SYS_WIN32",
- "hash": {
- "md5": "a21e7719d73d0322e2e7d61802cb8f80",
- "sha1": "5310ba14a05256e4d93e0b04338f53b4e1d680cb",
- "sha256": "8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00"
- },
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "name": "sihost.exe",
- "pid": "4164",
- "root": "True",
- "session_id": 2,
- "start": "2023-03-21T10:34:33.882000Z",
- "storyline_id": "BE98E5E7AB538ED5",
- "title": "Shell Infrastructure Host",
- "uid": "BD98E5E7AB538ED5",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Windows\\System32"
+ }
},
- "pid": "2096",
- "root": "True",
- "session_id": 2,
- "start": "2023-03-21T13:39:25.779000Z",
- "storyline_id": "86B6E5E7AB538ED5",
"target": {
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
"command_line": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding",
"executable": "C:\\Windows\\System32\\RuntimeBroker.exe",
- "family": "SYS_WIN32",
"hash": {
"md5": "ba4cfe6461afa1004c52f19c8f2169dc",
"sha1": "ab8539ef6b2a93ff9589dec4b34a0257b6296c92",
"sha256": "e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628"
},
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
"name": "RuntimeBroker.exe",
- "pid": 3212,
- "root": "False",
- "session_id": 2,
- "start": "2023-03-21T13:39:25.867000Z",
- "storyline_id": "86B6E5E7AB538ED5",
"title": "Runtime Broker",
- "uid": "87B6E5E7AB538ED5",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
"working_directory": "C:\\Windows\\System32"
- },
- "title": "Background Task Host",
- "uid": "85B6E5E7AB538ED5",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Windows\\System32"
+ }
}
},
"host": {
@@ -3181,61 +2262,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
- },
- "process": {
- "activecontent": {
- "code_signature": {
- "exists": "false"
- },
- "type": "FILE"
- },
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 156,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 1
- },
- "family": "SYS_WIN32",
- "integrity_level": "LOW",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "activecontent": {
- "code_signature": {
- "exists": "false"
- },
- "type": "FILE"
- },
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 2,
- "storyline_id": "14C2E6E7AB538ED5",
- "uid": "13C2E6E7AB538ED5"
- },
- "root": "False",
- "session_id": 2,
- "storyline_id": "14C2E6E7AB538ED5",
- "uid": "6DC2E6E7AB538ED5"
- },
- "registry": {
- "old": {
- "data": {
- "bytes": "C9C6A9173C63D90100000000000000000000000002000000",
- "type": "REG_BINARY"
- }
- }
}
},
"host": {
@@ -3354,41 +2380,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
- },
- "process": {
- "counters": {
- "child_process": 1,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 33,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 0,
- "storyline_id": "B91AE6E7AB538ED5",
- "uid": "B81AE6E7AB538ED5"
- },
- "root": "False",
- "session_id": 0,
- "storyline_id": "B91AE6E7AB538ED5",
- "uid": "081BE6E7AB538ED5"
}
},
"host": {
@@ -3508,85 +2499,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"process": {
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
"command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
- "counters": {
- "child_process": 15,
- "cross_process": 14,
- "cross_process_dup_process_handle": 14,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 1,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 447,
- "net_conn": 12,
- "net_conn_in": 0,
- "net_conn_out": 12,
- "registry_modification": 0
- },
"executable": {
"name": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe"
},
- "family": "SYS_WIN32",
"hash": {
- "md5": "ec038f4fd73993de139b889e7bcf2f66",
- "sha1": "68d7290a70ae3a396a0bd5164919694346047384",
"sha256": "a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9"
},
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "name": "WaAppAgent.exe",
- "ossrc": {
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 172,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": "0",
- "storyline_id": "F31AE6E7AB538ED5",
- "uid": "F21AE6E7AB538ED5"
- },
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 0,
- "storyline_id": "381AE6E7AB538ED5",
- "uid": "371AE6E7AB538ED5"
- },
- "pid": "2308",
- "root": "True",
- "session_id": 0,
- "start": "2023-03-24T09:44:16.550000Z",
- "storyline_id": "B91AE6E7AB538ED5",
- "title": "Microsoft Azure\u00c2\u00ae",
- "uid": "B81AE6E7AB538ED5",
- "user": {
- "name": "NT AUTHORITY\\SYSTEM"
- },
- "working_directory": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252"
+ "name": "WaAppAgent.exe"
}
},
"host": {
@@ -3704,51 +2624,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
- },
- "process": {
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 1,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 60,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 0,
- "storyline_id": "381AE6E7AB538ED5",
- "uid": "371AE6E7AB538ED5"
- },
- "root": "True",
- "session_id": 0,
- "storyline_id": "C21AE6E7AB538ED5",
- "uid": "C11AE6E7AB538ED5"
- },
- "registry": {
- "old": {
- "data": {
- "strings": [
- "0x01D95E36B1CF068C"
- ],
- "type": "REG_QWORD"
- }
- }
}
},
"host": {
@@ -3868,85 +2743,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"process": {
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
"command_line": "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\taskschd.msc\" /s",
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 397,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
"executable": {
"name": "C:\\Windows\\System32\\mmc.exe"
},
- "family": "SYS_WIN32",
"hash": {
- "md5": "cdbae87d50068565cf2ed20e99246a2e",
- "sha1": "4a8b68a1ad588175d018944aacca6151e2cb4e3c",
"sha256": "3519db09c7d58615c5a5a8ef508e163e63ecb428f113021e0e3cd47fb7f39c9e"
},
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "name": "mmc.exe",
- "ossrc": {
- "counters": {
- "child_process": 73,
- "cross_process": 232,
- "cross_process_dup_process_handle": 9,
- "cross_process_dup_thread_handle": 4,
- "dns_lookups": 28,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 16,
- "module_load": 44431,
- "net_conn": 86,
- "net_conn_in": 0,
- "net_conn_out": 86,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": "0",
- "storyline_id": "4E1AE6E7AB538ED5",
- "uid": "4D1AE6E7AB538ED5"
- },
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 2,
- "storyline_id": "FA1CE6E7AB538ED5",
- "uid": "F91CE6E7AB538ED5"
- },
- "pid": "5228",
- "root": "True",
- "session_id": 2,
- "start": "2023-03-24T14:37:13.169000Z",
- "storyline_id": "5084E6E7AB538ED5",
- "title": "Microsoft Management Console",
- "uid": "4F84E6E7AB538ED5",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Windows\\System32"
+ "name": "mmc.exe"
},
"scheduled_task": {
"name": "\\Task John"
@@ -4051,10 +2855,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": "scheduled_task",
"type": "Task Start"
},
- "file": {
- "location": "Local",
- "type": "PE"
- },
"host": {
"os": {
"revision": "19044"
@@ -4062,94 +2862,19 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"process": {
"activecontent": {
- "code_signature": {
- "exists": "true"
- },
"hash": {
"sha1": "4baee77d42bd0b2fa2660852eeac7962aa27a2f1"
},
- "path": "C:\\Windows\\System32\\pcasvc.dll",
- "type": "FILE"
- },
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
+ "path": "C:\\Windows\\System32\\pcasvc.dll"
},
"command_line": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\PcaSvc.dll,PcaPatchSdbTask",
- "counters": {
- "child_process": 0,
- "cross_process": 0,
- "cross_process_dup_process_handle": 0,
- "cross_process_dup_thread_handle": 0,
- "dns_lookups": 0,
- "file_creation": 1,
- "file_deletion": 0,
- "file_modification": 0,
- "module_load": 53,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 2
- },
"executable": {
"name": "C:\\Windows\\System32\\rundll32.exe"
},
- "family": "SYS_WIN32",
"hash": {
- "md5": "ef3179d498793bf4234f708d3be28633",
- "sha1": "dd399ae46303343f9f0da189aee11c67bd868222",
"sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa"
},
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "name": "rundll32.exe",
- "ossrc": {
- "counters": {
- "child_process": 80,
- "cross_process": 172,
- "cross_process_dup_process_handle": 10,
- "cross_process_dup_thread_handle": 5,
- "dns_lookups": 51,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 59,
- "module_load": 38352,
- "net_conn": 99,
- "net_conn_in": 0,
- "net_conn_out": 99,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": "0",
- "storyline_id": "1F91E6E7AB538ED5",
- "uid": "1E91E6E7AB538ED5"
- },
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 0,
- "storyline_id": "4E1AE6E7AB538ED5",
- "uid": "4D1AE6E7AB538ED5"
- },
- "pid": "5304",
- "root": "True",
- "session_id": 0,
- "start": "2023-03-24T09:47:14.837000Z",
- "storyline_id": "7322E6E7AB538ED5",
- "title": "Windows host process (Rundll32)",
- "uid": "7222E6E7AB538ED5",
- "user": {
- "name": "NT AUTHORITY\\SYSTEM"
- },
- "working_directory": "C:\\Windows\\System32"
+ "name": "rundll32.exe"
},
"scheduled_task": {
"name": "\\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask"
@@ -4281,41 +3006,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
- },
- "process": {
- "counters": {
- "child_process": 14,
- "cross_process": 18,
- "cross_process_dup_process_handle": 13,
- "cross_process_dup_thread_handle": 4,
- "dns_lookups": 2,
- "file_creation": 11,
- "file_deletion": 5,
- "file_modification": 114,
- "module_load": 1652,
- "net_conn": 3,
- "net_conn_in": 0,
- "net_conn_out": 3,
- "registry_modification": 448
- },
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 2,
- "storyline_id": "F81CE6E7AB538ED5",
- "uid": "F71CE6E7AB538ED5"
- },
- "root": "True",
- "session_id": 2,
- "storyline_id": "FA1CE6E7AB538ED5",
- "uid": "F91CE6E7AB538ED5"
}
},
"host": {
@@ -4429,200 +3119,33 @@ The following table lists the fields that are extracted, normalized under the EC
|`deepvisibility.agent.uuid` | `keyword` | |
|`deepvisibility.driver.hash.sha1` | `keyword` | |
|`deepvisibility.driver.hash.sha256` | `keyword` | |
-|`deepvisibility.driver.isloadedbeforemonitor` | `keyword` | |
-|`deepvisibility.driver.start_code` | `keyword` | |
-|`deepvisibility.driver.verdict` | `keyword` | |
|`deepvisibility.event.category` | `keyword` | |
|`deepvisibility.event.type` | `keyword` | |
-|`deepvisibility.file.location` | `keyword` | |
-|`deepvisibility.file.old_path` | `keyword` | |
-|`deepvisibility.file.type` | `keyword` | |
|`deepvisibility.host.os.revision` | `keyword` | |
|`deepvisibility.indicator.category` | `keyword` | |
|`deepvisibility.indicator.description` | `keyword` | |
|`deepvisibility.indicator.metadata` | `keyword` | |
|`deepvisibility.indicator.name` | `keyword` | |
-|`deepvisibility.process.activecontent.code_signature.exists` | `keyword` | |
|`deepvisibility.process.activecontent.hash.sha1` | `keyword` | |
|`deepvisibility.process.activecontent.path` | `keyword` | |
-|`deepvisibility.process.activecontent.type` | `keyword` | |
-|`deepvisibility.process.code_signature.exists` | `keyword` | |
-|`deepvisibility.process.code_signature.status` | `keyword` | |
-|`deepvisibility.process.code_signature.subject_name` | `keyword` | |
-|`deepvisibility.process.code_signature.valid` | `keyword` | |
|`deepvisibility.process.command_line` | `keyword` | |
-|`deepvisibility.process.counters.child_process` | `long` | |
-|`deepvisibility.process.counters.cross_process` | `long` | |
-|`deepvisibility.process.counters.cross_process_dup_process_handle` | `long` | |
-|`deepvisibility.process.counters.cross_process_dup_thread_handle` | `long` | |
-|`deepvisibility.process.counters.dns_lookups` | `long` | |
-|`deepvisibility.process.counters.file_creation` | `long` | |
-|`deepvisibility.process.counters.file_deletion` | `long` | |
-|`deepvisibility.process.counters.file_modification` | `long` | |
-|`deepvisibility.process.counters.module_load` | `long` | |
-|`deepvisibility.process.counters.net_conn` | `long` | |
-|`deepvisibility.process.counters.net_conn_in` | `long` | |
-|`deepvisibility.process.counters.net_conn_out` | `long` | |
-|`deepvisibility.process.counters.registry_modification` | `long` | |
-|`deepvisibility.process.desired_access` | `long` | Process desired access |
|`deepvisibility.process.executable.name` | `keyword` | |
-|`deepvisibility.process.family` | `keyword` | |
-|`deepvisibility.process.hash.md5` | `keyword` | |
-|`deepvisibility.process.hash.sha1` | `keyword` | |
|`deepvisibility.process.hash.sha256` | `keyword` | |
-|`deepvisibility.process.integrity_level` | `keyword` | |
-|`deepvisibility.process.is_redirected_command_processor` | `keyword` | |
-|`deepvisibility.process.is_wow64` | `keyword` | |
|`deepvisibility.process.name` | `keyword` | |
-|`deepvisibility.process.ossrc.activecontent.code_signature.exists` | `keyword` | |
-|`deepvisibility.process.ossrc.activecontent.hash.sha1` | `keyword` | |
-|`deepvisibility.process.ossrc.activecontent.path` | `keyword` | |
-|`deepvisibility.process.ossrc.activecontent.type` | `keyword` | |
-|`deepvisibility.process.ossrc.counters.child_process` | `long` | |
-|`deepvisibility.process.ossrc.counters.cross_process` | `long` | |
-|`deepvisibility.process.ossrc.counters.cross_process_dup_process_handle` | `long` | |
-|`deepvisibility.process.ossrc.counters.cross_process_dup_thread_handle` | `long` | |
-|`deepvisibility.process.ossrc.counters.dns_lookups` | `long` | |
-|`deepvisibility.process.ossrc.counters.file_creation` | `long` | |
-|`deepvisibility.process.ossrc.counters.file_deletion` | `long` | |
-|`deepvisibility.process.ossrc.counters.file_modification` | `long` | |
-|`deepvisibility.process.ossrc.counters.module_load` | `long` | |
-|`deepvisibility.process.ossrc.counters.net_conn` | `long` | |
-|`deepvisibility.process.ossrc.counters.net_conn_in` | `long` | |
-|`deepvisibility.process.ossrc.counters.net_conn_out` | `long` | |
-|`deepvisibility.process.ossrc.counters.registry_modification` | `long` | |
-|`deepvisibility.process.ossrc.family` | `keyword` | |
-|`deepvisibility.process.ossrc.integrity_level` | `keyword` | |
-|`deepvisibility.process.ossrc.is_redirected_command_processor` | `keyword` | |
-|`deepvisibility.process.ossrc.is_wow64` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.activecontent.code_signature.exists` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.activecontent.hash.sha1` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.activecontent.path` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.activecontent.type` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.counters.child_process` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.cross_process` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.cross_process_dup_process_handle` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.cross_process_dup_thread_handle` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.dns_lookups` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.file_creation` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.file_deletion` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.file_modification` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.module_load` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.net_conn` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.net_conn_in` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.net_conn_out` | `long` | |
-|`deepvisibility.process.ossrc.parent.counters.registry_modification` | `long` | |
-|`deepvisibility.process.ossrc.parent.family` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.integrity_level` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.is_redirected_command_processor` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.is_wow64` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.root` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.session_id` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.storyline_id` | `keyword` | |
-|`deepvisibility.process.ossrc.parent.uid` | `keyword` | |
-|`deepvisibility.process.ossrc.root` | `keyword` | |
-|`deepvisibility.process.ossrc.session_id` | `keyword` | |
-|`deepvisibility.process.ossrc.storyline_id` | `keyword` | |
-|`deepvisibility.process.ossrc.uid` | `keyword` | |
-|`deepvisibility.process.parent.activecontent.code_signature.exists` | `keyword` | |
-|`deepvisibility.process.parent.activecontent.hash.sha1` | `keyword` | |
|`deepvisibility.process.parent.activecontent.path` | `keyword` | |
-|`deepvisibility.process.parent.activecontent.type` | `keyword` | |
-|`deepvisibility.process.parent.code_signature.exists` | `keyword` | |
-|`deepvisibility.process.parent.code_signature.status` | `keyword` | |
-|`deepvisibility.process.parent.code_signature.subject_name` | `keyword` | |
-|`deepvisibility.process.parent.code_signature.valid` | `keyword` | |
|`deepvisibility.process.parent.command_line` | `keyword` | |
-|`deepvisibility.process.parent.counters.child_process` | `long` | |
-|`deepvisibility.process.parent.counters.cross_process` | `long` | |
-|`deepvisibility.process.parent.counters.cross_process_dup_process_handle` | `long` | |
-|`deepvisibility.process.parent.counters.cross_process_dup_thread_handle` | `long` | |
-|`deepvisibility.process.parent.counters.dns_lookups` | `long` | |
-|`deepvisibility.process.parent.counters.file_creation` | `long` | |
-|`deepvisibility.process.parent.counters.file_deletion` | `long` | |
-|`deepvisibility.process.parent.counters.file_modification` | `long` | |
-|`deepvisibility.process.parent.counters.module_load` | `long` | |
-|`deepvisibility.process.parent.counters.net_conn` | `long` | |
-|`deepvisibility.process.parent.counters.net_conn_in` | `long` | |
-|`deepvisibility.process.parent.counters.net_conn_out` | `long` | |
-|`deepvisibility.process.parent.counters.registry_modification` | `long` | |
|`deepvisibility.process.parent.executable.name` | `keyword` | |
-|`deepvisibility.process.parent.family` | `keyword` | |
-|`deepvisibility.process.parent.hash.md5` | `keyword` | |
-|`deepvisibility.process.parent.hash.sha1` | `keyword` | |
-|`deepvisibility.process.parent.hash.sha256` | `keyword` | |
-|`deepvisibility.process.parent.integrity_level` | `keyword` | |
-|`deepvisibility.process.parent.is_redirected_command_processor` | `keyword` | |
-|`deepvisibility.process.parent.is_wow64` | `keyword` | |
-|`deepvisibility.process.parent.name` | `keyword` | |
-|`deepvisibility.process.parent.pid` | `keyword` | |
-|`deepvisibility.process.parent.root` | `keyword` | |
-|`deepvisibility.process.parent.session_id` | `long` | |
-|`deepvisibility.process.parent.start` | `keyword` | |
-|`deepvisibility.process.parent.storyline_id` | `keyword` | |
-|`deepvisibility.process.parent.title` | `keyword` | |
-|`deepvisibility.process.parent.uid` | `keyword` | |
-|`deepvisibility.process.parent.user.name` | `keyword` | |
-|`deepvisibility.process.parent.working_directory` | `keyword` | |
-|`deepvisibility.process.pid` | `keyword` | |
-|`deepvisibility.process.relations` | `keyword` | Relations between source and target |
-|`deepvisibility.process.root` | `keyword` | |
-|`deepvisibility.process.session_id` | `long` | |
-|`deepvisibility.process.start` | `keyword` | |
-|`deepvisibility.process.storyline_id` | `keyword` | |
-|`deepvisibility.process.target.code_signature.exists` | `keyword` | |
-|`deepvisibility.process.target.code_signature.status` | `keyword` | |
-|`deepvisibility.process.target.code_signature.subject_name` | `keyword` | |
-|`deepvisibility.process.target.code_signature.valid` | `keyword` | |
|`deepvisibility.process.target.command_line` | `keyword` | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. |
-|`deepvisibility.process.target.counters.child_process` | `long` | |
-|`deepvisibility.process.target.counters.cross_process` | `long` | |
-|`deepvisibility.process.target.counters.cross_process_dup_process_handle` | `long` | |
-|`deepvisibility.process.target.counters.cross_process_dup_thread_handle` | `long` | |
-|`deepvisibility.process.target.counters.dns_lookups` | `long` | |
-|`deepvisibility.process.target.counters.file_creation` | `long` | |
-|`deepvisibility.process.target.counters.file_deletion` | `long` | |
-|`deepvisibility.process.target.counters.file_modification` | `long` | |
-|`deepvisibility.process.target.counters.module_load` | `long` | |
-|`deepvisibility.process.target.counters.net_conn` | `long` | |
-|`deepvisibility.process.target.counters.net_conn_in` | `long` | |
-|`deepvisibility.process.target.counters.net_conn_out` | `long` | |
-|`deepvisibility.process.target.counters.registry_modification` | `long` | |
|`deepvisibility.process.target.executable` | `keyword` | Absolute path to the process executable. |
-|`deepvisibility.process.target.family` | `keyword` | |
|`deepvisibility.process.target.hash.md5` | `keyword` | MD5 hash. |
|`deepvisibility.process.target.hash.sha1` | `keyword` | SHA1 hash. |
|`deepvisibility.process.target.hash.sha256` | `keyword` | SHA256 hash. |
-|`deepvisibility.process.target.integrity_level` | `keyword` | |
-|`deepvisibility.process.target.is_redirected_command_processor` | `keyword` | |
-|`deepvisibility.process.target.is_wow64` | `keyword` | |
|`deepvisibility.process.target.name` | `keyword` | Process name. |
-|`deepvisibility.process.target.pid` | `long` | Process id. |
-|`deepvisibility.process.target.real_user.id` | `keyword` | The type of the Logon |
-|`deepvisibility.process.target.real_user.name` | `keyword` | The type of the Logon |
-|`deepvisibility.process.target.root` | `keyword` | |
-|`deepvisibility.process.target.session_id` | `long` | |
-|`deepvisibility.process.target.start` | `date` | The time the process started. |
-|`deepvisibility.process.target.storyline_id` | `keyword` | |
|`deepvisibility.process.target.title` | `keyword` | |
-|`deepvisibility.process.target.uid` | `keyword` | |
-|`deepvisibility.process.target.user.id` | `keyword` | The type of the Logon |
-|`deepvisibility.process.target.user.name` | `keyword` | |
|`deepvisibility.process.target.working_directory` | `keyword` | The working directory of the process. |
-|`deepvisibility.process.title` | `keyword` | |
-|`deepvisibility.process.uid` | `keyword` | |
-|`deepvisibility.process.user.name` | `keyword` | |
-|`deepvisibility.process.working_directory` | `keyword` | |
-|`deepvisibility.registry.export_path` | `keyword` | |
-|`deepvisibility.registry.import_path` | `keyword` | |
-|`deepvisibility.registry.old.data.bytes` | `keyword` | |
-|`deepvisibility.registry.old.data.strings` | `keyword` | |
-|`deepvisibility.registry.old.data.type` | `keyword` | |
-|`deepvisibility.registry.security_information` | `long` | |
|`deepvisibility.scheduled_task.name` | `keyword` | Scheduled task name |
|`deepvisibility.script.app_name` | `keyword` | |
|`deepvisibility.script.content` | `keyword` | |
-|`deepvisibility.script.is_complete` | `boolean` | |
|`destination.address` | `keyword` | Destination network address. |
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.port` | `long` | Port of the destination. |