Persistence

{
  "_index": "wazuh-archives-4.x-2022.10.30",
  "_type": "_doc",
  "_id": "8yZXKoQBwOwON5V3ihEA",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "ip": "192.168.94.140",
      "name": "WindowsAgent",
      "id": "005"
    },
    "manager": {
      "name": "wazuh.manager"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\\\Users\\\\Administrator\\\\Desktop\\\\Chaos Malware\\\\Windows\\\\Chaos.exe",
          "targetObject": "HKU\\\\S-1-5-21-1605714558-552561641-297346831-500\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Administrator",
          "processGuid": "{72bcaa84-bd56-635e-6809-000000001500}",
          "processId": "7192",
          "utcTime": "2022-10-30 18:07:18.888",
          "ruleName": "technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder",
          "details": "C:\\\\ProgramData\\\\Microsoft\\\\csrss.exe",
          "eventType": "SetValue",
          "user": "WINDOWSAGENT\\\\Administrator"
        },
        "system": {
          "eventID": "13",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Registry value set:\r\nRuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder\r\nEventType: SetValue\r\nUtcTime: 2022-10-30 18:07:18.888\r\nProcessGuid: {72bcaa84-bd56-635e-6809-000000001500}\r\nProcessId: 7192\r\nImage: C:\\Users\\Administrator\\Desktop\\Chaos Malware\\Windows\\Chaos.exe\r\nTargetObject: HKU\\S-1-5-21-1605714558-552561641-297346831-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Administrator\r\nDetails: C:\\ProgramData\\Microsoft\\csrss.exe\r\nUser: WINDOWSAGENT\\Administrator\"",
          "version": "2",
          "systemTime": "2022-10-30T18:07:18.8972484Z",
          "eventRecordID": "404488",
          "threadID": "4988",
          "computer": "WindowsAgent",
          "task": "13",
          "processID": "3096",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"13\",\"version\":\"2\",\"level\":\"4\",\"task\":\"13\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-10-30T18:07:18.8972484Z\",\"eventRecordID\":\"404488\",\"processID\":\"3096\",\"threadID\":\"4988\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"WindowsAgent\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry value set:\\r\\nRuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder\\r\\nEventType: SetValue\\r\\nUtcTime: 2022-10-30 18:07:18.888\\r\\nProcessGuid: {72bcaa84-bd56-635e-6809-000000001500}\\r\\nProcessId: 7192\\r\\nImage: C:\\\\Users\\\\Administrator\\\\Desktop\\\\Chaos Malware\\\\Windows\\\\Chaos.exe\\r\\nTargetObject: HKU\\\\S-1-5-21-1605714558-552561641-297346831-500\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Administrator\\r\\nDetails: C:\\\\ProgramData\\\\Microsoft\\\\csrss.exe\\r\\nUser: WINDOWSAGENT\\\\Administrator\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder\",\"eventType\":\"SetValue\",\"utcTime\":\"2022-10-30 18:07:18.888\",\"processGuid\":\"{72bcaa84-bd56-635e-6809-000000001500}\",\"processId\":\"7192\",\"image\":\"C:\\\\\\\\Users\\\\\\\\Administrator\\\\\\\\Desktop\\\\\\\\Chaos Malware\\\\\\\\Windows\\\\\\\\Chaos.exe\",\"targetObject\":\"HKU\\\\\\\\S-1-5-21-1605714558-552561641-297346831-500\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Administrator\",\"details\":\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\csrss.exe\",\"user\":\"WINDOWSAGENT\\\\\\\\Administrator\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2022-10-30T19:21:29.143Z",
    "location": "EventChannel",
    "id": "1667157689.4197624",
    "timestamp": "2022-10-30T20:21:29.143+0100"
  },
  "fields": {
    "@timestamp": [
      "2022-10-30T19:21:29.143Z"
    ],
    "timestamp": [
      "2022-10-30T19:21:29.143Z"
    ]
  },
  "highlight": {
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@WindowsAgent@/opensearch-dashboards-highlighted-field@"
    ],
    "full_log": [
      "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"13\",\"version\":\"2\",\"level\":\"4\",\"task\":\"13\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-10-30T18:07:18.8972484Z\",\"eventRecordID\":\"404488\",\"processID\":\"3096\",\"threadID\":\"4988\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"WindowsAgent\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry value set:\\r\\nRuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder\\r\\nEventType: SetValue\\r\\nUtcTime: 2022-10-30 18:07:18.888\\r\\nProcessGuid: {72bcaa84-bd56-635e-6809-000000001500}\\r\\nProcessId: 7192\\r\\nImage: C:\\\\Users\\\\Administrator\\\\Desktop\\\\Chaos Malware\\\\Windows\\\\Chaos.exe\\r\\nTargetObject: HKU\\\\S-1-5-21-1605714558-552561641-297346831-500\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Administrator\\r\\nDetails: C:\\\\ProgramData\\\\Microsoft\\\\@opensearch-dashboards-highlighted-field@csrss.exe@/opensearch-dashboards-highlighted-field@\\r\\nUser: WINDOWSAGENT\\\\Administrator\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder\",\"eventType\":\"SetValue\",\"utcTime\":\"2022-10-30 18:07:18.888\",\"processGuid\":\"{72bcaa84-bd56-635e-6809-000000001500}\",\"processId\":\"7192\",\"image\":\"C:\\\\\\\\Users\\\\\\\\Administrator\\\\\\\\Desktop\\\\\\\\Chaos Malware\\\\\\\\Windows\\\\\\\\Chaos.exe\",\"targetObject\":\"HKU\\\\\\\\S-1-5-21-1605714558-552561641-297346831-500\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Administrator\",\"details\":\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\@opensearch-dashboards-highlighted-field@csrss.exe@/opensearch-dashboards-highlighted-field@\",\"user\":\"WINDOWSAGENT\\\\\\\\Administrator\"}}}"
    ]
  },
  "sort": [
    1667157689143
  ]
}