{
"_index": "wazuh-archives-4.x-2022.10.18",
"_type": "_doc",
"_id": "-rTA6oMBQfNr7JgdycoI",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"ip": "192.168.94.140",
"name": "WindowsAgent",
"id": "002"
},
"manager": {
"name": "wazuh.manager"
},
"data": {
"win": {
"eventdata": {
"image": "C:\\\\Users\\\\Administrator\\\\Desktop\\\\babuk\\\\e_win.exe",
"parentProcessGuid": "{72bcaa84-4aaf-6343-7200-000000001500}",
"logonGuid": "{72bcaa84-4aa4-6343-fbd6-030000000000}",
"parentCommandLine": "C:\\\\Windows\\\\Explorer.EXE",
"processGuid": "{72bcaa84-875b-634e-b209-000000001500}",
"logonId": "0x3d6fb",
"parentProcessId": "5076",
"processId": "7572",
"currentDirectory": "C:\\\\Users\\\\Administrator\\\\Desktop\\\\babuk\\\\",
"utcTime": "2022-10-18 11:00:43.878",
"hashes": "SHA1=84440AF2B8F3DB1303446B1067C0ED4D0295A4C4,MD5=C05B05AFF8880D94C757181CBBDD77CF,SHA256=9BA829497C489B88591EF040D5F4228E5EDDA50F031D654A82EA04DFAE6FCFBC,IMPHASH=202FA14F574C71C2F95878E40A79322D",
"parentImage": "C:\\\\Windows\\\\explorer.exe",
"ruleName": "technique_id=T1204,technique_name=User Execution",
"commandLine": "\\\"C:\\\\Users\\\\Administrator\\\\Desktop\\\\babuk\\\\e_win.exe\\\"",
"integrityLevel": "High",
"user": "WINDOWSAGENT\\\\Administrator",
"terminalSessionId": "1",
"parentUser": "WINDOWSAGENT\\\\Administrator"
},
"system": {
"eventID": "1",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Process Create:\r\nRuleName: technique_id=T1204,technique_name=User Execution\r\nUtcTime: 2022-10-18 11:00:43.878\r\nProcessGuid: {72bcaa84-875b-634e-b209-000000001500}\r\nProcessId: 7572\r\nImage: C:\\Users\\Administrator\\Desktop\\babuk\\e_win.exe\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nCommandLine: \"C:\\Users\\Administrator\\Desktop\\babuk\\e_win.exe\" \r\nCurrentDirectory: C:\\Users\\Administrator\\Desktop\\babuk\\\r\nUser: WINDOWSAGENT\\Administrator\r\nLogonGuid: {72bcaa84-4aa4-6343-fbd6-030000000000}\r\nLogonId: 0x3D6FB\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=84440AF2B8F3DB1303446B1067C0ED4D0295A4C4,MD5=C05B05AFF8880D94C757181CBBDD77CF,SHA256=9BA829497C489B88591EF040D5F4228E5EDDA50F031D654A82EA04DFAE6FCFBC,IMPHASH=202FA14F574C71C2F95878E40A79322D\r\nParentProcessGuid: {72bcaa84-4aaf-6343-7200-000000001500}\r\nParentProcessId: 5076\r\nParentImage: C:\\Windows\\explorer.exe\r\nParentCommandLine: C:\\Windows\\Explorer.EXE\r\nParentUser: WINDOWSAGENT\\Administrator\"",
"version": "5",
"systemTime": "2022-10-18T11:00:43.8914919Z",
"eventRecordID": "404553",
"threadID": "4988",
"computer": "WindowsAgent",
"task": "1",
"processID": "3096",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"decoder": {
"name": "windows_eventchannel"
},
"full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-10-18T11:00:43.8914919Z\",\"eventRecordID\":\"404553\",\"processID\":\"3096\",\"threadID\":\"4988\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"WindowsAgent\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: technique_id=T1204,technique_name=User Execution\\r\\nUtcTime: 2022-10-18 11:00:43.878\\r\\nProcessGuid: {72bcaa84-875b-634e-b209-000000001500}\\r\\nProcessId: 7572\\r\\nImage: C:\\\\Users\\\\Administrator\\\\Desktop\\\\babuk\\\\e_win.exe\\r\\nFileVersion: -\\r\\nDescription: -\\r\\nProduct: -\\r\\nCompany: -\\r\\nOriginalFileName: -\\r\\nCommandLine: \\\"C:\\\\Users\\\\Administrator\\\\Desktop\\\\babuk\\\\e_win.exe\\\" \\r\\nCurrentDirectory: C:\\\\Users\\\\Administrator\\\\Desktop\\\\babuk\\\\\\r\\nUser: WINDOWSAGENT\\\\Administrator\\r\\nLogonGuid: {72bcaa84-4aa4-6343-fbd6-030000000000}\\r\\nLogonId: 0x3D6FB\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: High\\r\\nHashes: SHA1=84440AF2B8F3DB1303446B1067C0ED4D0295A4C4,MD5=C05B05AFF8880D94C757181CBBDD77CF,SHA256=9BA829497C489B88591EF040D5F4228E5EDDA50F031D654A82EA04DFAE6FCFBC,IMPHASH=202FA14F574C71C2F95878E40A79322D\\r\\nParentProcessGuid: {72bcaa84-4aaf-6343-7200-000000001500}\\r\\nParentProcessId: 5076\\r\\nParentImage: C:\\\\Windows\\\\explorer.exe\\r\\nParentCommandLine: C:\\\\Windows\\\\Explorer.EXE\\r\\nParentUser: WINDOWSAGENT\\\\Administrator\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1204,technique_name=User Execution\",\"utcTime\":\"2022-10-18 11:00:43.878\",\"processGuid\":\"{72bcaa84-875b-634e-b209-000000001500}\",\"processId\":\"7572\",\"image\":\"C:\\\\\\\\Users\\\\\\\\Administrator\\\\\\\\Desktop\\\\\\\\babuk\\\\\\\\e_win.exe\",\"commandLine\":\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\Administrator\\\\\\\\Desktop\\\\\\\\babuk\\\\\\\\e_win.exe\\\\\\\"\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\Administrator\\\\\\\\Desktop\\\\\\\\babuk\\\\\\\\\",\"user\":\"WINDOWSAGENT\\\\\\\\Administrator\",\"logonGuid\":\"{72bcaa84-4aa4-6343-fbd6-030000000000}\",\"logonId\":\"0x3d6fb\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"High\",\"hashes\":\"SHA1=84440AF2B8F3DB1303446B1067C0ED4D0295A4C4,MD5=C05B05AFF8880D94C757181CBBDD77CF,SHA256=9BA829497C489B88591EF040D5F4228E5EDDA50F031D654A82EA04DFAE6FCFBC,IMPHASH=202FA14F574C71C2F95878E40A79322D\",\"parentProcessGuid\":\"{72bcaa84-4aaf-6343-7200-000000001500}\",\"parentProcessId\":\"5076\",\"parentImage\":\"C:\\\\\\\\Windows\\\\\\\\explorer.exe\",\"parentCommandLine\":\"C:\\\\\\\\Windows\\\\\\\\Explorer.EXE\",\"parentUser\":\"WINDOWSAGENT\\\\\\\\Administrator\"}}}",
"input": {
"type": "log"
},
"@timestamp": "2022-10-18T11:00:44.925Z",
"location": "EventChannel",
"id": "1666090844.3601079",
"timestamp": "2022-10-18T04:00:44.925-0700"
},
"fields": {
"@timestamp": [
"2022-10-18T11:00:44.925Z"
],
"timestamp": [
"2022-10-18T11:00:44.925Z"
]
},
"highlight": {
"agent.name": [
"@opensearch-dashboards-highlighted-field@WindowsAgent@/opensearch-dashboards-highlighted-field@"
]
},
"sort": [
1666090844925
]
}